Part 1: k8s security mechanisms

  • Security framework

  • Transport security, authentication, authorization, admission control

  • Authorizing with RBAC

1.1: The Kubernetes security framework


  • Flow of the security framework

    • Flow: kubectl first sends a request for an API resource, and that request must then pass three gates: the first is authentication (Authentication), the second is authorization (Authorization), and the third is admission control (Admission Control). Only a request that passes all three can have k8s create the resource.
    • The K8S security framework enforces control in these three stages; each stage supports plugins, which are enabled through the API Server configuration.
    • For an ordinary user to access the cluster API Server securely, a certificate, a Token, or a username + password is usually required; a Pod accessing the API Server needs a ServiceAccount.
  • The apiserver uses token authentication

[root@master ~]# ps aux | grep apiserver
...
--token-auth-file=/opt/kubernetes/cfg/token.csv 
...
'the token authentication settings can be seen here'
  • View the ServiceAccount; a pod can access the apiserver through a ServiceAccount
[root@master ~]# kubectl get sa
NAME      SECRETS   AGE
default   1         8d
'A Service Account is not meant for users of the kubernetes cluster but for the processes inside a pod; it provides the pod with the identity it needs to authenticate.'
  • Transport security: port 8080 is used for internal communication (the master and the other components connect through it), while 6443 is the port exposed for external access
[root@master ~]# netstat -ntap |grep 8080|grep LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      29837/kube-apiserve 
[root@master ~]# netstat -ntap |grep 6443|grep LISTEN
tcp        0      0 20.0.0.51:6443          0.0.0.0:*               LISTEN      29837/kube-apiserve 

1.2: Gate 1: Authentication

  • Three kinds of client authentication:

    • 1. HTTPS certificate authentication: digital certificates signed by a CA
    • 2. HTTP Token authentication: the user is identified by a Token (widely used in production)
    • 3. HTTP Basic authentication: username + password
  • 1. HTTPS certificate authentication

[root@localhost text]# cat /root/k8s/k8s-cert/k8s-cert.sh 
cat > server-csr.json <<EOF
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "20.0.0.51",		'the load balancer and master node addresses are listed directly here'
      "20.0.0.52",
      "20.0.0.100",
      "20.0.0.55",
      "20.0.0.57",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
  • HTTP token authentication
[root@master ~]# cat /opt/kubernetes/cfg/token.csv 
127b0779cbe906fd1e76fcfba0b2ceee,kubelet-bootstrap,10001,"system:kubelet-bootstrap"

1.3: Gate 2: Authorization

  • RBAC (Role-Based Access Control): performs the authorization (Authorization) step and lets policies be configured dynamically through the Kubernetes API.
  • Authorizing with RBAC


  • Roles:

    1. Role: grants access within a specific namespace

    2. ClusterRole: grants access across all namespaces

  • Role bindings:

    1. RoleBinding: binds a role to a subject

    2. ClusterRoleBinding: binds a cluster role to a subject

  • Subjects:

    1. User: a user

    2. Group: a group of users

    3. ServiceAccount: a service account

1.3.1: RBAC usage test

  • 1. Create the namespace kevin
[root@master ~]# kubectl create ns kevin
namespace/kevin created
[root@master ~]# kubectl get ns
NAME          STATUS   AGE
default       Active   8d
kevin         Active   8s
kube-public   Active   8d
kube-system   Active   8d
  • 2. Create a test pod
[root@master ~]# kubectl run nginx --image=nginx -n kevin
kubectl run --generator=deployment/apps.v1beta1 is DEPRECATED and will be removed in a future version. Use kubectl create instead.
deployment.apps/nginx created
  • 3. Scale out to 3 replicas with the scale command
[root@master ~]# kubectl scale deploy/nginx --replicas=3 -n kevin
deployment.extensions/nginx scaled

[root@master ~]# kubectl get pods -n kevin
NAME                    READY   STATUS    RESTARTS   AGE
nginx-dbddb74b8-9nkvl   1/1     Running   0          116s
nginx-dbddb74b8-c52ph   1/1     Running   0          2m26s
nginx-dbddb74b8-ngl4v   1/1     Running   0          116s
  • 4. Create the role
[root@master ~]# vim rbac-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kevin
  name: pod-reader
rules:
- apiGroups: [""] 
  resources: ["pods"]		'the role only grants permissions on the pod resource'
  verbs: ["get", "watch", "list"]	'only these verbs are allowed'

[root@master ~]# kubectl apply -f rbac-role.yaml 
role.rbac.authorization.k8s.io/pod-reader created

[root@master ~]# kubectl get role -n kevin
NAME         AGE
pod-reader   34s
  • 5. Bind the role
[root@master ~]# vim rbac-rolebangbing.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: kevin
subjects:
- kind: User
  name: zhangsan
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role   
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

[root@master ~]# kubectl apply -f rbac-rolebangbing.yaml 
rolebinding.rbac.authorization.k8s.io/read-pods created

[root@master ~]# kubectl get role,rolebinding -n kevin
NAME                                        AGE
role.rbac.authorization.k8s.io/pod-reader   8m4s

NAME                                              AGE
rolebinding.rbac.authorization.k8s.io/read-pods   51s
  • 6. Copy the rbac.yaml and rbac-user.sh files into /root/test
[root@master ~]# cd test/
[root@master test]# mkdir zhangsan
[root@master test]# rz -E
rz waiting to receive.
[root@master test]# mv rbac-user.sh zhangsan/	

[root@master zhangsan]# cp /root/k8s/k8s-cert/ca* ./
'copy the certificates into the zhangsan directory'

[root@master zhangsan]# vim rbac-user.sh 'change the address to the apiserver access address (the load balancer VIP)'
kubectl config set-cluster kubernetes \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --server=https://20.0.0.100:6443 \
  --kubeconfig=zhangsan-kubeconfig
  • 7. Install the line-ending conversion tool
[root@master zhangsan]# yum install -y dos2unix

[root@master zhangsan]# dos2unix rbac-user.sh   'convert the line endings'
dos2unix: converting file rbac-user.sh to Unix format ...
[root@master zhangsan]# bash rbac-user.sh 
2020/10/17 11:14:22 [INFO] generate received request
2020/10/17 11:14:22 [INFO] received CSR
2020/10/17 11:14:22 [INFO] generating key: rsa-2048
2020/10/17 11:14:22 [INFO] encoded CSR
2020/10/17 11:14:22 [INFO] signed certificate with serial number 491990070582944526021040226890964605695127823966
2020/10/17 11:14:22 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Cluster "kubernetes" set.
User "zhangsan" set.
Context "default" created.
Switched to context "default".
  • 8. View the certificate in the generated kubeconfig
[root@master zhangsan]# cat zhangsan-kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://20.0.0.100:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: zhangsan
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: zhangsan
  user:
    client-certificate-data: <base64 data omitted>
    client-key-data: <base64 data omitted>
  • 9. Access pod resources with zhangsan-kubeconfig
[root@master zhangsan]# kubectl --kubeconfig=zhangsan-kubeconfig get pods -n kevin	'access pod resources with zhangsan-kubeconfig'
NAME                    READY   STATUS    RESTARTS   AGE
nginx-dbddb74b8-9nkvl   1/1     Running   0          26m
nginx-dbddb74b8-c52ph   1/1     Running   0          26m
nginx-dbddb74b8-ngl4v   1/1     Running   0          26m

[root@master zhangsan]# kubectl --kubeconfig=zhangsan-kubeconfig get svc -n kevin	'accessing svc resources with zhangsan-kubeconfig is refused'
Error from server (Forbidden): services is forbidden: User "zhangsan" cannot list resource "services" in API group "" in the namespace "kevin"

[root@master zhangsan]# kubectl --kubeconfig=zhangsan-kubeconfig get svc		
Error from server (Forbidden): services is forbidden: User "zhangsan" cannot list resource "services" in API group "" in the namespace "default"
'the default namespace cannot be accessed either'
  • UI access control
[root@master zhangsan]# kubectl get svc -n kube-system
NAME                   TYPE       CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.0.0.221   <none>        443:30001/TCP   8d
  • Access address: https://20.0.0.54:30001


  • View the token
[root@master zhangsan]# kubectl get secret -n kube-system
NAME                               TYPE                                  DATA   AGE
dashboard-admin-token-ps2xz        kubernetes.io/service-account-token   3      8d
default-token-4fhj6                kubernetes.io/service-account-token   3      8d
kubernetes-dashboard-certs         Opaque                                11     8d
kubernetes-dashboard-key-holder    Opaque                                2      8d
kubernetes-dashboard-token-2ftmr   kubernetes.io/service-account-token   3      8d

[root@master zhangsan]# kubectl describe secret kubernetes-dashboard-token-2ftmr  -n kube-system
Name:         kubernetes-dashboard-token-2ftmr
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard
              kubernetes.io/service-account.uid: 590bdea5-09de-11eb-8631-000c29115408

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1359 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.mTKnGAudQ4rdpXUIth1odGn-GEPjX9X2Fb4kDJ3QE-WKuHNaOVO_zknTRSxOwQPKf22guz0JGFVNnX8tOvfw7v0gz4biEuiTh8EJOzCyiigT13_KY1JJf-D3X8oW3rBfBNIDkrbbZWxQcFKToFLnv4cKGkt-JSedajlnjDDueLhKZR3ZN6LVfOtNhDv9ftT6g_FnyMuMwYBsEwJMCyEsCOLFGPvtlwtppSHpHkD3JEkaBcE2ohviQFgkBH2IKNyKsY01BtME2sFNRC4lwF5FKiGGeY0VP9qRDrp6tCdNUGPCtkzgJCktpPjDdLbZEsK5ksvS9-IKIjS5Mbq3s5NcBg
  • 10. Edit the authentication yaml file
[root@master zhangsan]# vim sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-reader
  namespace: kevin

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sa-read-pods
  namespace: kevin
subjects:
- kind: ServiceAccount
  name: pod-reader
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
[root@master zhangsan]# kubectl apply -f sa.yaml 
serviceaccount/pod-reader created
rolebinding.rbac.authorization.k8s.io/sa-read-pods created
[root@master zhangsan]# kubectl get sa -n kevin
NAME         SECRETS   AGE
default      1         46m
pod-reader   1         14s

[root@master zhangsan]# kubectl describe secret pod-reader -n kevin
Name:         pod-reader-token-rhfgp
Namespace:    kevin
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: pod-reader
              kubernetes.io/service-account.uid: b6560884-1029-11eb-ba66-000c29115408

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1359 bytes
namespace:  5 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrZXZpbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJwb2QtcmVhZGVyLXRva2VuLXJoZmdwIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InBvZC1yZWFkZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiNjU2MDg4NC0xMDI5LTExZWItYmE2Ni0wMDBjMjkxMTU0MDgiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a2V2aW46cG9kLXJlYWRlciJ9.Zbqbo0TRSC2aXW_eJeTuGXOzmBAu0YZsDvhGvO47fal6b_h0L_D3rgqqxbhGHffvYUAQHHZYFmrXM66B4n9lG50sw6mmOZUWY-w8P86nw2Y1Eurw2JbFTjbF_n0BA1lOizJqjD10CobrtDLFaZB_AUZhLTq1S6B-YTD85Q6ra1PQwcVYTPhJMRzbLcRkvNL1iIPfL3sA_SMBEd6EP8pwOTY7JKiqYyrpoVVJmNiZaeHk9DnJcfrTgAs61F7GsgB6-0-zOrY9pjv6DVi_XdbLqZIR3xjtVhkoPYIf-I-n8fnk_8GUiInXLGWfJ0AhuxQDv8vqVeomTor1f4vbx0e4DA
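To make the Forbidden/allowed results above reproducible offline, here is an added example (not code from the original post) that models how the API server's RBAC authorizer evaluates the Role from step 4, the User binding from step 5 and the ServiceAccount binding from step 10: zhangsan may list pods in kevin but is refused services and anything in default, and the pod-reader service account is matched under the system:serviceaccount:kevin:pod-reader username that service-account tokens carry in their sub claim. Groups, resourceNames and ClusterRole/ClusterRoleBinding are deliberately left out of the model.

```python
# Added example (not from the original post): a small model of how the RBAC
# authorizer evaluates the Role and the two RoleBindings created on this page.
# Groups, resourceNames and ClusterRole/ClusterRoleBinding are not modelled.
ROLES = [
    {"kind": "Role", "namespace": "kevin", "name": "pod-reader",
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "watch", "list"]}]},
]
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "kevin", "name": "read-pods",
     "subjects": [{"kind": "User", "name": "zhangsan"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "RoleBinding", "namespace": "kevin", "name": "sa-read-pods",
     "subjects": [{"kind": "ServiceAccount", "name": "pod-reader"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
]

def subject_username(subject, binding_namespace):
    """Username the API server compares against for a binding subject."""
    if subject["kind"] == "ServiceAccount":
        # A ServiceAccount subject with no namespace defaults to the binding's
        # namespace; the token's 'sub' claim has exactly this form.
        ns = subject.get("namespace", binding_namespace)
        return f"system:serviceaccount:{ns}:{subject['name']}"
    return subject["name"]

def rule_allows(rule, api_group, resource, verb):
    """All three fields must match; '*' acts as a wildcard."""
    hit = lambda allowed, value: "*" in allowed or value in allowed
    return (hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))

def authorize(user, verb, resource, namespace, api_group="",
              roles=ROLES, bindings=BINDINGS):
    """Deny by default: allow only when a binding naming this user references a
    role with a rule matching the request (otherwise: 'Forbidden')."""
    for b in bindings:
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if user not in {subject_username(s, b.get("namespace")) for s in b["subjects"]}:
            continue
        for role in roles:
            if (role["kind"], role["name"]) != (b["roleRef"]["kind"], b["roleRef"]["name"]):
                continue
            if role["kind"] == "Role" and role["namespace"] != b["namespace"]:
                continue  # a Role lives in one namespace
            if any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
                return True
    return False
```

The real authorizer also consults other authorizers (Node, Webhook) and aggregated ClusterRoles; this model covers only the RBAC path exercised on this page.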
  • 11. Log into the UI with the token

1.4: Gate 3: Admission Control

  • Admission Control is really a list of admission controller plugins: every request sent to the API Server is checked by each admission controller plugin in that list, and if any check fails the request is rejected.

  • View the process information

[root@master ~]# ps aux |grep apiserver
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction 	'this line lists the enabled admission control plugins'
  • Explanation

    • NamespaceLifecycle: namespace reclamation (handles the namespace lifecycle)

    • LimitRanger: quota management

    • ServiceAccount: injected into every pod so it can access the apiserver

    • ResourceQuota: advanced namespace-based quota management

    • NodeRestriction: a Node joining the k8s cluster runs with the least privilege

  • Plugins recommended on the official site

    • Recommended plugins for version 1.11 and above:

      --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota
