1.概述
用 kubectl 向 apiserver 发起的命令,底层都是 HTTP 请求(REST API);K8s 的 API 支持多个版本并存。
kubectl 的认证信息存储在 ~/.kube/config 中,直接用 curl 访问时没有这些认证信息,所以无法直接获取 apis 中的内容;可以借助 kubectl proxy 代理方式访问。
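# Start a local proxy to the apiserver. The proxy attaches the credentials
# from ~/.kube/config (the kubernetes-admin context shown below) to every
# request it forwards and does not authenticate its own clients, so anything
# that can reach the port acts with that identity. It listens on 127.0.0.1 by
# default; keep it that way and stop it when done (it runs in the foreground).
kubectl proxy --port=8080
# HTTP request verbs such as get, post, put, delete are mapped onto the
# Kubernetes API verbs: get, list, create, update, patch, watch, proxy,
# redirect, delete.
curl http://127.0.0.1:8080/apis/apps/v1/namespaces/kube-system/deployments

kubectl describe svc kubernetes
# Sample output:
#   Name:              kubernetes
#   Namespace:         default
#   Labels:            component=apiserver
#                      provider=kubernetes
#   Annotations:       <none>
#   Selector:          <none>
#   Type:              ClusterIP
#   IP:                10.96.0.1
#   Port:              https  443/TCP
#   TargetPort:        6443/TCP
#   Endpoints:         10.0.0.10:6443
#   Session Affinity:  None
#   Events:            <none>
# 10.96.0.1 is the in-cluster address of the apiserver: requests sent to
# 10.96.0.1 are forwarded to the real apiserver at 10.0.0.10:6443.

# In the Pod spec the field serviceAccount has been replaced by serviceAccountName.
# The apiserver authenticates people and pods differently: people use a
# userAccount (e.g. a client certificate), pods use a serviceAccount.
# Note: the bare --dry-run form is deprecated in newer kubectl releases
# (--dry-run=client is the current spelling).
kubectl create serviceaccount mysa -o yaml --dry-run
# Sample output:
#   apiVersion: v1
#   kind: ServiceAccount
#   metadata:
#     creationTimestamp: null
#     name: mysa
# When writing manifests for other resources, the system's own objects can
# serve as a template. (--export has been removed in newer kubectl releases;
# plain -o yaml still works.)
kubectl get pods myapp-1 -o yaml --export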
2.创建serviceAccount
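kubectl create serviceaccount admin
kubectl get sa
# Sample output:
#   NAME      SECRETS   AGE
#   admin     1         10s
#   default   1         15d
# This ServiceAccount exists only in the default namespace (ServiceAccounts
# are namespaced). The name "admin" grants nothing by itself: the account is
# an identity, and what it may do is decided by the RBAC bindings attached
# to it.
kubectl describe sa admin
kubectl get secret
# Sample output (this cluster auto-creates a token Secret per ServiceAccount;
# newer releases no longer do so by default):
#   NAME                  TYPE                                  DATA   AGE
#   admin-token-bqcpl     kubernetes.io/service-account-token   3      53s
#   default-token-g7t2x   kubernetes.io/service-account-token   3      15d

# Bind the ServiceAccount to a Pod through its manifest: the Pod then
# authenticates to the apiserver as "admin". By default the account's token is
# mounted into every container of the Pod, so any process running there can
# read and use it.
cat pod-sa-demo.yaml
# File contents:
#   apiVersion: v1
#   kind: Pod
#   metadata:
#     name: pod-sa-demo
#     namespace: default
#     labels:
#       app: myapp
#   spec:
#     containers:
#     - name: myapp
#       image: ikubernetes/myapp:v1
#       ports:
#       - name: http
#         containerPort: 80
#     serviceAccountName: admin

# kubeconfig is the file holding the credentials a client uses to reach the
# apiserver. A context ties a cluster to a user; current-context is the one in
# use. `kubectl config view` redacts the embedded certificate and key, but the
# file on disk holds them in full; here they are the kubernetes-admin
# credentials, so the file must be protected like any other secret.
kubectl config view
# Sample output:
#   apiVersion: v1
#   clusters:
#   - cluster:
#       certificate-authority-data: DATA+OMITTED
#       server: https://10.0.0.10:6443
#     name: kubernetes
#   contexts:
#   - context:
#       cluster: kubernetes
#       user: kubernetes-admin
#     name: kubernetes-admin@kubernetes
#   current-context: kubernetes-admin@kubernetes
#   kind: Config
#   preferences: {}
#   users:
#   - name: kubernetes-admin
#     user:
#       client-certificate-data: REDACTED
#       client-key-data: REDACTED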
3.创建userAccount
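# Location of the cluster's certificates (kubeadm layout). ca.key in this
# directory is the cluster's root of trust: whoever can read it can mint
# credentials for any user, so these steps run on the control-plane node only.
cd /etc/kubernetes/pki/
# Generate a private key, lixiang.key. The umask runs in a subshell so the key
# is created readable by its owner only, without changing the caller's umask.
(umask 077; openssl genrsa -out lixiang.key 2048)
# Create a certificate signing request, lixiang.csr. The subject CN becomes
# the Kubernetes user name (an O= component, if present, would become a group).
openssl req -new -key lixiang.key -out lixiang.csr -subj "/CN=lixiang"
# Sign the CSR with the cluster CA, producing lixiang.crt. -days sets the
# validity period; `x509 -req` emits an X.509 certificate. Kubernetes does not
# check revocation for client certificates, so expiry is the only thing that
# ends this credential: keep -days as short as practical.
openssl x509 -req -in lixiang.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out lixiang.crt -days 365
# Inspect the certificate.
openssl x509 -in lixiang.crt -text -noout
# Add the user to the current kubeconfig. --embed-certs=true copies the
# certificate and private key into the kubeconfig (base64) instead of
# referencing the files by path; it does not hide them. `kubectl config view`
# shows them as REDACTED, but the file now contains the key and is itself a
# credential to protect.
kubectl config set-credentials lixiang --client-certificate=lixiang.crt --client-key=lixiang.key --embed-certs=true
# Create a context so this user can address the kubernetes cluster.
kubectl config set-context lixiang@kubernetes --cluster=kubernetes --user=lixiang
# Switch to the lixiang user. Authentication succeeds (the cert chains to the
# cluster CA), but the user has no admin rights: with no RBAC bindings,
# requests beyond what is granted are denied.
kubectl config use-context lixiang@kubernetes
# Switch back to the cluster admin.
kubectl config use-context kubernetes-admin@kubernetes
# Define a new cluster entry in a separate kubeconfig; --kubeconfig selects
# the file. This entry holds only the CA certificate and the server URL, no
# private key; if user credentials are added to it later, keep it out of /tmp.
kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://127.0.0.1:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
kubectl config view --kubeconfig=/tmp/test.conf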
参考博客:http://blog.itpub.net/28916011/viewspace-2215100/