合肥有什么好的网站建设公司好,徐州百度搜索优化,国内优秀网页网站设计,网站规划步骤使用TOKEN授权访问api-server在k8s运维场景中比较常见#xff0c;
apiserver有三种级别的客户端认证方式
1#xff0c;HTTPS证书认证#xff1a;基于CA根证书签名的双向数字证书认证方式
2#xff0c;HTTP Token认证#xff1a;通过一个Token来识别合法用户
3#xf…使用TOKEN授权访问api-server在k8s运维场景中比较常见
apiserver有三种级别的客户端认证方式
1HTTPS证书认证基于CA根证书签名的双向数字证书认证方式
2HTTP Token认证通过一个Token来识别合法用户
3HTTP Base认证通过用户名密码的认证方式
通常的运维场景使用第二种Token较为方便Token的权限是关联service account,
# kubectl describe secrets admin-token-2q28f -n kube-systemName: admin-token-2q28f
Namespace: kube-system
Labels: none
Annotations: kubernetes.io/service-account.name: adminkubernetes.io/service-account.uid: 93316ffa-7545-11e9-b617-00163e06992d
Type: kubernetes.io/service-account-token
Dataca.crt: 1419 bytes
namespace: 11 bytes
token: eyJhbGciOiJ******
Service Account 的权限来自Clusterrolebinding--ClusterRole
# kubectl describe serviceaccount admin -n kube-systemName: admin
Namespace: kube-system
Labels: none
Annotations: kubectl.kubernetes.io/last-applied-configuration:{apiVersion:v1,kind:ServiceAccount,metadata:{annotations:{},name:admin,namespace:kube-system}}
Image pull secrets: none
Mountable secrets: admin-token-2q28f
Tokens: admin-token-2q28f
Events: none
通过clusterrolebinding 可以拿到ClusterRole对应的rolename
# kubectl get clusterrolebinding admin -o yamlapiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:annotations:kubectl.kubernetes.io/last-applied-configuration: |{apiVersion:rbac.authorization.k8s.io/v1beta1,kind:ClusterRoleBinding,metadata:{annotations:{},name:admin},roleRef:{apiGroup:rbac.authorization.k8s.io,kind:ClusterRole,name:cluster-admin},subjects:[{kind:ServiceAccount,name:admin,namespace:kube-system}]}creationTimestamp: 2019-05-13T06:08:49Zname: adminresourceVersion: 1523selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/adminuid: 93356439-7545-11e9-b617-00163e06992d
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: cluster-admin
subjects:
- kind: ServiceAccountname: adminnamespace: kube-system
这个role是什么权限?
# kubectl get clusterrole cluster-admin -o yamlapiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:annotations:rbac.authorization.kubernetes.io/autoupdate: truecreationTimestamp: 2019-05-13T06:01:10Zlabels:kubernetes.io/bootstrapping: rbac-defaultsname: cluster-adminresourceVersion: 55selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-adminuid: 817e2b9e-7544-11e9-9766-00163e0e34c8
rules:
- apiGroups:- *resources:- *verbs:- *
- nonResourceURLs:- *verbs:- *
从clusterrole权限来看admin关联的权限还是比较大的正常的集群运维中建议根据自身的真实需要去定制权限
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
了解完这些分享一个小技巧这样后面客户再有curl访问apiserver的需求我相信你没问题了
# kubectl describe secrets $(kubectl get secrets -n kube-system |grep admin |cut -f1 -d ) -n kube-system |grep -E ^token |cut -f2 -d:|tr -d \t|tr -d eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi0ycTI4ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjkzMzE2ZmZhLTc1NDUtMTFlOS1iNjE3LTAwMTYzZTA2OTkyZCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.EQzj2LsWn2k31m-ksn9GmB1bZTi1Xjw1fnmWFgRKlwhS2QAaVnDXfV_TgUovpq5oWKh7h0gTVaNaK4KKK76yAv6GfMehpOdIO5xHCfQAWVRhla1cwUDC64tz7vJ1zGcx_lz4hKfhdXN1T8FYS0B0hf3h2OloAMfCZTzDjRWz24GVwH-WRTEwY_5tav65GiZzBTsnz1vV7NOcx-Kl8AK2HbowtBYqK05x7oOmp84FiQMwpYU-7g0c03h61zev4lvf0e-HFtqKiByPi8gD-uiVRvE-xayOz5oIESWw2GfhzfNf_uyR7eLplCKUBecVMtwVsBauNaeqU-IIJW5VIHAOxw
# TOKEN$(kubectl describe secrets $(kubectl get secrets -n kube-system |grep admin |cut -f1 -d ) -n kube-system |grep -E ^token |cut -f2 -d:|tr -d \t|tr -d )# kubectl config view |grep server|cut -f 2- -d : | tr -d https://192.168.0.130:6443
# APISERVER$(kubectl config view |grep server|cut -f 2- -d : | tr -d )使用curl访问apiserver
# curl -H Authorization: Bearer $TOKEN $APISERVER/api --insecure{kind: APIVersions,versions: [v1],serverAddressByClientCIDRs: [{clientCIDR: 0.0.0.0/0,serverAddress: 192.168.0.130:6443}]
}
原文链接 本文为云栖社区原创内容未经允许不得转载。
