Kubernetes' security mechanism does not only cover the interaction between the client and the apiserver; traffic between pods, or across namespaces, is governed by the same baseline in combination with RBAC. This brings up another kind of account: the service account, abbreviated sa.
- User accounts are for humans. Service accounts are for processes, which run in pods.
Create a service account of our own
[root@master song]# kubectl create sa lele
serviceaccount/lele created
[root@master song]# kubectl describe sa lele
Name:                lele
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   lele-token-7mpr5
Tokens:              lele-token-7mpr5
Events:              <none>
[root@master song]# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-tlx48   kubernetes.io/service-account-token   3      30d
lele-token-7mpr5      kubernetes.io/service-account-token   3      39d
Create a pod that uses this sa
[root@master song]# cat pod-sa.yml
apiVersion: v1
kind: Pod
metadata:
  name: pod-sa
  namespace: default
  labels:
    app: myapp
    tier: frontend
    2sdlfj: dashazi
spec:
  containers:
  - name: myapp-1
    image: hub.c.163.com/library/nginx:1.13
  serviceAccountName: lele
[root@master song]# kubectl create -f pod-sa.yml
[root@master song]# kubectl describe pods pod-sa
Name:               pod-sa
Namespace:          default
Priority:           0
PriorityClassName:  <none>
Node:               k8s-node1/172.20.0.76
Start Time:         Thu, 21 Mar 2019 14:56:32 +0800
Labels:             2sdlfj=dashazi
                    app=myapp
                    tier=frontend
Annotations:        <none>
Status:             Running
IP:                 10.244.2.218
Containers:
  myapp-1:
    Container ID:   docker://17df9be1c9e987f2c44ec9aed90e8c499a414da82142c8494a4d8ce640883326
    Image:          hub.c.163.com/library/nginx:1.13
    Image ID:       docker-pullable://hub.c.163.com/library/nginx@sha256:ff094de32a0d3b5efc29cec60daa709c5378cf4e53e4c9fd1d3433b87ac8ec8b
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Thu, 21 Mar 2019 14:56:33 +0800
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from lele-token-7mpr5 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  lele-token-7mpr5:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  lele-token-7mpr5
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type    Reason     Age    From                Message
  ----    ------     ----   ----                -------
  Normal  Pulled     7h24m  kubelet, k8s-node1  Container image "hub.c.163.com/library/nginx:1.13" already present on machine
  Normal  Created    7h24m  kubelet, k8s-node1  Created container
  Normal  Started    7h24m  kubelet, k8s-node1  Started container
  Normal  Scheduled  15m    default-scheduler   Successfully assigned default/pod-sa to k8s-node
kubectl config is the command for configuring how the client connects.
kubectl can define many clusters, each with the account and credential information that goes with it.
[root@master song]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.20.0.91:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes   # the user and cluster currently in use
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
Following the same idea, we create a certificate and private key of our own to connect to our cluster.
[root@master song]# cd /etc/kubernetes/pki/
[root@master pki]# ls
apiserver.crt              apiserver-etcd-client.key  apiserver-kubelet-client.crt  ca.crt  etcd                front-proxy-ca.key      front-proxy-client.key  sa.pub
apiserver-etcd-client.crt  apiserver.key              apiserver-kubelet-client.key  ca.key  front-proxy-ca.crt  front-proxy-client.crt  sa.key
[root@master pki]# (umask 077;openssl genrsa -out song.key 2048)
Generating RSA private key, 2048 bit long modulus
........................+++
.........+++
e is 65537 (0x10001)
[root@master pki]# openssl req -new -key song.key -out song.csr -subj "/CN=song"
[root@master pki]# ls
apiserver.crt                 apiserver-kubelet-client.key  front-proxy-ca.key      song.csr
apiserver-etcd-client.crt     ca.crt                        front-proxy-client.crt  song.key
apiserver-etcd-client.key     ca.key                        front-proxy-client.key
apiserver.key                 etcd                          sa.key
apiserver-kubelet-client.crt  front-proxy-ca.crt            sa.pub
[root@master pki]# openssl x509 -req -in song.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out song.crt -days 3650
Signature ok
subject=/CN=song
Getting CA Private Key
[root@master pki]# kubectl config set-credentials song --client-certificate=./song.crt --client-key=./song.key
User "song" set.
[root@master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.20.0.91:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: song
  user:
    client-certificate: /etc/kubernetes/pki/song.crt
    client-key: /etc/kubernetes/pki/song.key
[root@master pki]# kubectl config set-context song@kubernetes --cluster=kubernetes --user=song
Context "song@kubernetes" created.
[root@master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.20.0.91:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: song
  name: song@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: song
  user:
    client-certificate: /etc/kubernetes/pki/song.crt
    client-key: /etc/kubernetes/pki/song.key
Since this user has not been granted anything through RBAC:
[root@master pki]# kubectl config use-context song@kubernetes
Switched to context "song@kubernetes".
[root@master pki]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "song" cannot list resource "pods" in API group "" in the namespace "default"
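The certificate steps above, as an added shell example that is not from the original post: it mints a user certificate signed by the cluster CA as the post does, adds the verification the post skips, and writes a standalone kubeconfig with the certificates embedded instead of referenced by path. It assumes a throwaway CA generated here in place of the master's /etc/kubernetes/pki/ca.crt and ca.key, and uses the server URL shown in the post's kubeconfig.

```shell
# Added example, not from the original post. Assumption: a throwaway CA made by
# make_ca stands in for the master's ca.crt/ca.key; API_SERVER is the post's server URL.
set -eu
WORK="${WORK:-$(mktemp -d)}"
API_SERVER="${API_SERVER:-https://172.20.0.91:6443}"
make_ca() {  # constructed stand-in for the cluster CA
    (umask 077; openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null)
    openssl req -x509 -new -key "$WORK/ca.key" -subj "/CN=kubernetes" \
        -days 365 -out "$WORK/ca.crt" 2>/dev/null
}
# make_user_cert USER GROUP: the apiserver maps CN to the user name and O to a group.
make_user_cert() {
    (umask 077; openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null)
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$1/O=$2" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
}
# cert_ok USER: the checks the post skips, chain to the cluster CA and the expected CN.
cert_ok() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 &&
        openssl x509 -in "$WORK/$1.crt" -noout -subject | grep -q "CN *= *$1"
}
# write_kubeconfig USER: same layout as `kubectl config view`, but with the certificates
# embedded (client-certificate-data) instead of paths under /etc/kubernetes/pki; prints the path.
write_kubeconfig() {
    out="$WORK/$1.kubeconfig"
    b64() { base64 < "$1" | tr -d '\n'; }
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $API_SERVER
    certificate-authority-data: $(b64 "$WORK/ca.crt")
users:
- name: $1
  user:
    client-certificate-data: $(b64 "$WORK/$1.crt")
    client-key-data: $(b64 "$WORK/$1.key")
contexts:
- name: $1@kubernetes
  context: {cluster: kubernetes, user: $1}
current-context: $1@kubernetes
EOF
    chmod 600 "$out"; echo "$out"
}
```

Until a Role and RoleBinding name song (or its O group) as a subject, the apiserver answers exactly the Forbidden error shown above. Keep the validity short: the apiserver does not check certificate revocation, so a certificate like the post's 3650-day one can only be cut off by removing its RBAC bindings or rotating the CA.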
Summary: user and serviceAccountName are two different kinds of authentication subject.