Prerequisites
A Kubernetes cluster installed with kubeadm, version v1.28.0.
Create the token file
The token file is a CSV file with at least 3 columns: token, user name, and user UID. The remaining columns are treated as optional group names.
Note:
If more than one group name is to be set, the corresponding column must be enclosed in double quotes, for example:
token,user,uid,"group1,group2,group3"
The entry used in this setup is:
zhang-token,zhang,1001,"group1,group2,group3"
Modify the ApiServer configuration file
The ApiServer runs inside a container, so for it to load the token file correctly a volume has to be created and mounted into the container. Edit the static pod manifest:
vi /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.0.110:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.168.0.110
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --token-auth-file=/etc/kubernetes/auth/token.csv
    image: registry.aliyuncs.com/google_containers/kube-apiserver:v1.28.0
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 192.168.0.110
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-apiserver
    readinessProbe:
      failureThreshold: 3
      httpGet:
        host: 192.168.0.110
        path: /readyz
        port: 6443
        scheme: HTTPS
      periodSeconds: 1
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 192.168.0.110
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/pki
      name: etc-pki
      readOnly: true
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /etc/kubernetes/auth
      name: auth-files
      readOnly: true
  hostNetwork: true
  priority: 2000001000
  priorityClassName: system-node-critical
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/pki
      type: DirectoryOrCreate
    name: etc-pki
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /etc/kubernetes/auth
      type: DirectoryOrCreate
    name: auth-files
status: {}
The changes made to the manifest are:
1) Create a volume named auth-files
2) Mount the auth-files volume at the mount point /etc/kubernetes/auth
3) Add the token-auth-file option
Once the manifest is saved, the ApiServer restarts automatically.
Modify the kubectl configuration file
vi ~/.kube/config
1) Add a user
- name: zhang
  user:
    token: zhang-token
2) Add a context
- context:
    cluster: kubernetes
    user: zhang
  name: zhang@kubernetes
3) Change the current context to the newly created one
#current-context: kubernetes-admin@kubernetes
current-context: zhang@kubernetes
Verification
1. Verify with kubectl. Run kubectl get namespace. As the output shows, user "zhang" has been correctly identified by the ApiServer; because only authentication has been configured and no authorization, the resource list itself cannot be retrieved.
[root@master110 auth]# kubectl get namespace
Error from server (Forbidden): namespaces is forbidden: User "zhang" cannot list resource "namespaces" in API group "" at the cluster scope
2. Verify directly with curl. If you do not want to modify the kubectl configuration file, you can verify directly with curl; under the hood the kubectl command above performs the same HTTP request as curl (the exact request can be obtained with -v 9):
curl -v -XGET -H "Authorization: Bearer zhang-token" 'https://192.168.0.110:6443/api/v1/namespaces/default/pods?limit=500' -k
Result:
* About to connect() to 192.168.0.110 port 6443 (#0)
*   Trying 192.168.0.110...
* Connected to 192.168.0.110 (192.168.0.110) port 6443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=kube-apiserver
* 	start date: 3月 31 07:08:50 2024 GMT
* 	expire date: 3月 31 07:13:50 2025 GMT
* 	common name: kube-apiserver
* 	issuer: CN=kubernetes
> GET /api/v1/namespaces/default/pods?limit=500 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.0.110:6443
> Accept: */*
> Authorization: Bearer zhang-token
>
< HTTP/1.1 403 Forbidden
< Audit-Id: 67bee0b2-1e22-4df0-949b-4a403fd36f23
< Cache-Control: no-cache, private
< Content-Type: application/json
< X-Content-Type-Options: nosniff
< X-Kubernetes-Pf-Flowschema-Uid: a21c8f75-f2a2-4a75-ba99-654a40c45297
< X-Kubernetes-Pf-Prioritylevel-Uid: fea1ba33-17a4-4906-a01a-6ef3c102ebc4
< Date: Sat, 04 May 2024 14:17:22 GMT
< Content-Length: 291
<
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "pods is forbidden: User \"zhang\" cannot list resource \"pods\" in API group \"\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}
* Connection #0 to host 192.168.0.110 left intact
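To make the two checks above concrete, here is an added Python example (not code from this page or from Kubernetes itself) that parses a token file in the format described under "Create the token file" and then simulates the ApiServer's authentication-then-authorization chain for the two requests run above, including the pitfall of an unquoted group list. The sample file (only its first line is the page's own entry), the `allowed` set standing in for RBAC, and the function names are all constructed for this example; the column-4-only handling of groups follows the page's note that a multi-group list must be quoted.

```python
import csv
import io

# Constructed sample token file (not the page's /etc/kubernetes/auth/token.csv).
# Line 1 is the page's own entry; the other two are added to show the
# no-groups case and what happens when the group list is NOT quoted.
SAMPLE_TOKEN_CSV = (
    'zhang-token,zhang,1001,"group1,group2,group3"\n'
    "li-token,li,1002\n"
    "wang-token,wang,1003,group1,group2\n"
)


def load_token_file(text):
    """Parse static-token-file text into {token: {"name", "uid", "groups"}}.

    Layout as described for --token-auth-file: at least three columns
    (token, user name, UID); column 4, if present, is a comma-separated
    group list.  Because the file is plain CSV, a multi-group list must be
    double-quoted, otherwise the CSV reader splits it into extra columns
    and only the first group survives (column 5 onward is ignored here).
    """
    users = {}
    for lineno, record in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not record:
            continue  # blank line
        if len(record) < 3:
            raise ValueError(f"line {lineno}: expected at least 3 columns, got {len(record)}")
        token, name, uid = record[0].strip(), record[1].strip(), record[2].strip()
        if not token:
            raise ValueError(f"line {lineno}: empty token")
        if token in users:
            raise ValueError(f"line {lineno}: duplicate token")
        groups = [g for g in record[3].split(",") if g] if len(record) >= 4 else []
        users[token] = {"name": name, "uid": uid, "groups": groups}
    return users


def authenticate(users, headers):
    """Static-token authenticator: map an Authorization header to a user, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return users.get(token.strip())


def handle_request(users, headers, verb, resource, namespace=None, allowed=frozenset()):
    """Simulate the ApiServer's authn-then-authz chain for one request.

    `allowed` is a constructed stand-in for RBAC: a set of
    (subject, verb, resource) triples where subject is a user or group name.
    With the default empty set, as on the page, every authenticated user is
    denied, but the 403 body still names the user, which is what proves the
    token was accepted.  Returns (http_status, Status-like dict).
    """
    status = {"kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure"}
    user = authenticate(users, headers)
    if user is None:
        # Token missing or unknown: authentication failed, the server never
        # learns who the caller is, so the answer is 401, not 403.
        return 401, {**status, "message": "Unauthorized", "reason": "Unauthorized", "code": 401}

    # Every authenticated user is also a member of the system:authenticated group.
    subjects = {user["name"], "system:authenticated", *user["groups"]}
    if any((s, verb, resource) in allowed for s in subjects):
        # Placeholder success body; a real list call would return the resource list.
        return 200, {"kind": "Status", "apiVersion": "v1", "status": "Success", "code": 200}

    scope = f'in the namespace "{namespace}"' if namespace else "at the cluster scope"
    message = (f'{resource} is forbidden: User "{user["name"]}" cannot {verb} '
               f'resource "{resource}" in API group "" {scope}')
    return 403, {**status, "message": message, "reason": "Forbidden",
                 "details": {"kind": resource}, "code": 403}


if __name__ == "__main__":
    users = load_token_file(SAMPLE_TOKEN_CSV)
    for token, info in users.items():
        print(f"{token}: user={info['name']} uid={info['uid']} groups={info['groups']}")
    zhang = {"Authorization": "Bearer zhang-token"}
    # The two requests from the verification section: cluster-scoped, then namespaced.
    for args in (dict(verb="list", resource="namespaces"),
                 dict(verb="list", resource="pods", namespace="default")):
        code, body = handle_request(users, zhang, **args)
        print(code, body["message"])
    code, body = handle_request(users, {"Authorization": "Bearer not-in-file"}, "list", "pods")
    print(code, body["message"])
```

When reading the real output, a 401 means the bearer token was not matched against the file (authentication failed), while a 403 that names the user, as in the curl output above, means the token authenticated and only the authorization step denied the request. Note that the token file holds long-lived plaintext credentials on the control-plane host and is read by kube-apiserver only at startup, so edits to it take effect only after the ApiServer restarts.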