Kube-apiserver authentication and authorization plugins: Authenticator and Authorizer
Original link: https://note.youdao.com/ynoteshare1/index.html?id=9d0b804336ce5f4009d35848bc3acded&type=note
I. Initialization entry points
The BuildAuthenticator function in cmd/kube-apiserver/app/server.go initializes the kube-apiserver authentication plugins; it in turn calls pkg/kubeapiserver/authenticator/Config.New(), which adds the many authenticators listed below.
The BuildAuthorizer function in cmd/kube-apiserver/app/server.go initializes the kube-apiserver authorization plugins; it in turn calls pkg/kubeapiserver/authorizer/Config.New() to initialize the various authorizers.
II. Authenticator list
1. requestHeaderAuthenticator:
Request-header authenticator. It is actually an x509.Verifier (staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go) that authenticates the caller with a CA certificate. User information is read from the request headers named by the configured keys, e.g. X-Remote-User and X-Remote-Group.
2. basicAuth:
Usernames and passwords stored in basicAuthFile. The username and password are extracted from the request header Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== and compared against the file.
3. CertAuth (ClientCA):
The Authenticator in staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go. It validates the client certificate against ClientCAFile; user information is extracted from the client certificate by the x509.CommonNameUserConversion function (User: CommonName, Groups: Organization).
4. tokenAuthenticators:
An array containing several kinds of token authenticator:
a. TokenAuthFile: tokens stored in a local token file
b. LegacyServiceAccountAuthenticator: JWT-format token; the private claims in the JWT payload are the legacyPrivateClaims struct in pkg/serviceaccount/legacy.go. A JWT has the form header.payload.signature: header and payload are base64url-encoded, the signature is computed over the first two parts with the private key, and the server verifies it with the public key when it parses the token.
c. ServiceAccountAuthenticator: also a JWT token; the private claims in the JWT payload are the fields checked by the validator in pkg/serviceaccount/claims.go
d. BootstrapTokenAuthenticator: the token has the form (token-id).(token-secret); token-secret is compared against the token stored in the bootstrap-token-<token-id> secret
e. oidcAuth: also a JWT-format token; the token_endpoint and jwks_uri are discovered from issuerUrl, and the verification keys are fetched from jwks_uri
f. webhook: calls a webhook plugin to resolve the token
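As an added example (not code from the kube-apiserver source), the check that item d describes, carried through: the public token-id selects the bootstrap-token-<token-id> secret, the token-secret is compared in constant time, and the secret's expiration and usage-bootstrap-authentication fields are honoured, with the user name system:bootstrap:<token-id> that Kubernetes assigns. The in-memory secretStore and the token values are constructed for this example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"regexp"
	"time"
)

// Bootstrap tokens look like "<token-id>.<token-secret>": 6 lowercase alphanumerics,
// a dot, then 16 more (the shape kubeadm generates).
var bootstrapTokenRe = regexp.MustCompile(`^([a-z0-9]{6})\.([a-z0-9]{16})$`)

// secretStore stands in for the kube-system Secret lookup (constructed): secret name -> string data.
type secretStore map[string]map[string]string

// authenticate returns the bootstrap user name for a valid token, or the reason it was rejected.
func (s secretStore) authenticate(token string, now time.Time) (string, error) {
	m := bootstrapTokenRe.FindStringSubmatch(token)
	if m == nil {
		return "", errors.New("malformed bootstrap token")
	}
	id, secret := m[1], m[2]
	data, ok := s["bootstrap-token-"+id] // the public token-id names the secret to check
	if !ok {
		return "", errors.New("no bootstrap-token secret for this token-id")
	}
	if data["usage-bootstrap-authentication"] != "true" {
		return "", errors.New("token is not enabled for authentication")
	}
	if exp := data["expiration"]; exp != "" {
		t, err := time.Parse(time.RFC3339, exp)
		if err != nil || !now.Before(t) {
			return "", errors.New("token expired or has an unparsable expiration")
		}
	}
	// Constant-time comparison of token-secret, so timing does not reveal how many leading bytes matched.
	if subtle.ConstantTimeCompare([]byte(data["token-secret"]), []byte(secret)) != 1 {
		return "", errors.New("token-secret mismatch")
	}
	return "system:bootstrap:" + id, nil
}

func main() {
	store := secretStore{"bootstrap-token-abcdef": {"token-secret": "0123456789abcdef",
		"usage-bootstrap-authentication": "true", "expiration": "2099-01-01T00:00:00Z"}}
	fmt.Println(store.authenticate("abcdef.0123456789abcdef", time.Now()))
}
```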
III. Authorizer list
1. AlwaysAllow: allows every request
2. AlwaysDeny: denies every request
3. Node
Authorizes requests coming from kubelets.
// NodeAuthorizer authorizes requests from kubelets, with the following logic:
// 1. If a request is not from a node (NodeIdentity() returns isNode=false), reject
// 2. If a specific node cannot be identified (NodeIdentity() returns nodeName=""), reject
// 3. If a request is for a secret, configmap, persistent volume or persistent volume claim, reject unless the verb is get, and the requested object is related to the requesting node: