静态令牌认证配置案例
静态令牌认证的基础配置
- 令牌信息保存于文本文件中
- 文件格式为CSV,每行定义一个用户,由“令牌、用户名、用户ID和所属的用户组”四个字段组成,用户组为可选字段
- 格式:token,user,uid,"group1,group2,group3"
- 由kube-apiserver在启动时通过--token-auth-file选项加载
- 加载完成后的文件变动,仅能通过重启程序进行重载,因此,相关的令牌会长期有效
- 客户端在HTTP请求中,通过“Authorization Bearer TOKEN”标头附带令牌令牌以完成认证
配置操作
step1 生成token,命令:
root@k8s-node01:~# echo "$(openssl rand -hex 3).$(openssl rand -hex 8)"
8a6fb6.630f42379543bcb1
root@k8s-node01:~# echo "$(openssl rand -hex 3).$(openssl rand -hex 8)"
e9854c.32327c5e30b5a2dc
root@k8s-node01:~# echo "$(openssl rand -hex 3).$(openssl rand -hex 8)"
8eab44.4625713808f677d8
step2 生成static token文件 /etc/kubernetes/authfiles/tokens.csv
8a6fb6.630f42379543bcb1,tom,1001,"kubeusers,kubeadmin"
e9854c.32327c5e30b5a2dc,tom,1002,"kubeusers"
8eab44.4625713808f677d8,tom,1003,"kubeadmin"
step3 配置kube-apiserver加载该静态令牌文件以启用相应的认证功能 备份原始文件
cp /etc/kubernetes/manifests/kube-apiserver.yaml /root/
将宿主机的/etc/kubernetes/authfiles/tokens.csv 挂载到容器中去
cp /etc/kubernetes/manifests/kube-apiserver.yam /tmp/
apiVersion: v1
kind: Pod
metadata:
annotations:
kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.0.44:6443
creationTimestamp: null
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --advertise-address=192.168.0.44
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --token-auth-file=/etc/kubernetes/authfiles/tokens.csv
- --enable-admission-plugins=NodeRestriction
- --enable-bootstrap-token-auth=true
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
- --etcd-servers=https://127.0.0.1:2379
- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
- --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
- --requestheader-allowed-names=front-proxy-client
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --requestheader-group-headers=X-Remote-Group
- --requestheader-username-headers=X-Remote-User
- --secure-port=6443
- --service-account-issuer=https://kubernetes.default.svc.cluster.local
- --service-account-key-file=/etc/kubernetes/pki/sa.pub
- --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
- --service-cluster-ip-range=10.96.0.0/12
- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
image: registry.aliyuncs.com/google_containers/kube-apiserver:v1.28.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 8
httpGet:
host: 192.168.0.44
path: /livez
port: 6443
scheme: HTTPS
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 15
name: kube-apiserver
readinessProbe:
failureThreshold: 3
httpGet:
host: 192.168.0.44
path: /readyz
port: 6443
scheme: HTTPS
periodSeconds: 1
timeoutSeconds: 15
resources:
requests:
cpu: 250m
startupProbe:
failureThreshold: 24
httpGet:
host: 192.168.0.44
path: /livez
port: 6443
scheme: HTTPS
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 15
volumeMounts:
- mountPath: /etc/ssl/certs
name: ca-certs
readOnly: true
- mountPath: /etc/ca-certificates
name: etc-ca-certificates
readOnly: true
- mountPath: /etc/kubernetes/pki
name: k8s-certs
readOnly: true
- mountPath: /usr/local/share/ca-certificates
name: usr-local-share-ca-certificates
readOnly: true
- mountPath: /usr/share/ca-certificates
name: usr-share-ca-certificates
readOnly: true
- mountPath: /etc/kubernetes/authfiles
name: authfiles
readOnly: true
hostNetwork: true
priority: 2000001000
priorityClassName: system-node-critical
securityContext:
seccompProfile:
type: RuntimeDefault
volumes:
- hostPath:
path: /etc/ssl/certs
type: DirectoryOrCreate
name: ca-certs
- hostPath:
path: /etc/ca-certificates
type: DirectoryOrCreate
name: etc-ca-certificates
- hostPath:
path: /etc/kubernetes/pki
type: DirectoryOrCreate
name: k8s-certs
- hostPath:
path: /usr/local/share/ca-certificates
type: DirectoryOrCreate
name: usr-local-share-ca-certificates
- hostPath:
path: /usr/share/ca-certificates
type: DirectoryOrCreate
name: usr-share-ca-certificates
- hostPath:
path: /etc/kubernetes/authfiles
type: DirectoryOrCreate
name: authfiles
status: {}
kube-apiserver 重新创建了
step4 测试,命令:
curl https://kubeapi.magedu.com:6443 -k -H "Authorization: Bearer 8a6fb6.630f42379543bcb1" -k
https://API_SERVER:6443/api/v1/namespaces/default/pods/
工作节点无法 访问apiserver
apiserver的端口是6443 域名是kubeapi.magedu.com
kubectl get pods -s "https://kubeapi.magedu.com:6443" --token="8a6fb6.630f42379543bcb1" --certificate-authority=/etc/kubernetes/pki/ca.crt
tls通信的证书签发 --certificate-authority=/etc/kubernetes/pki/ca.crt apiserver地址 -s "kubeapi.magedu.com:6443" 生成的token --token="8a6fb6.630f42379543bcb1"
请求方法二
curl https://kubeapi.magedu.com:6443 -k -H "Authorization: Bearer 8a6fb6.630f42379543bcb1" -k
