Kubernetes authentication and authorization

Access control

  • Every request to the Kubernetes API passes through several stages of access control before it is accepted: authentication, authorization and admission control.
  • Order: authentication -> authorization -> admission control (admission controllers)

Authentication

  • Once TLS is enabled on the cluster, every API request a client sends to Kubernetes must be authenticated, i.e. the caller's identity has to be established.

  • Kubernetes supports several authentication mechanisms and allows multiple authenticator plugins to be enabled at once; the request is authenticated as soon as one plugin succeeds. On success the resulting username (and groups) are handed to the authorization module; a request no plugin can authenticate gets HTTP 401.

  • On a management node:

  • kubectl

  • ~/.kube/config: the kubectl credentials file (kubeconfig)
    cat ~/.kube/config

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1ETXhOekExTkRVeE5Wb1hEVE15TURNeE5EQTFORFV4TlZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBUFpZCjU4aldxaVp5MFZ2Q1NiRnJtZEhSUnF2UFA5T1BNZkpYT3FPOUN0K0hZZDlMYkN0cTF1R2EvbjFuVTV0WUE5b24KWFFkTmt6bHIwQWR0L0lucnNUOWxKbXRRK3hqcXRReDFIeVFVTDBnNTlRNXNSWXNydXd0MEU4cG05d2ZWR2dBNQovQnFMQk85WTBWWTF5WUY2cXJ6TlVQRlVheVpLNVZuNDAySTQveFp3cll0U01tMGpUQ044c0dHdW9zL0tGWGtECmZUZ2U0MGx2TWF1UWNiNnk2U3krQlM3aDBwMDR6dHFNdDRBNDJENmxSWUZjM3NZYVdaanZSWUh0WWdLMDRUWlcKSEd4TldRT3krVGthbnRzQmFyTUhUUHNTMG91RGpCK2l0ZTVjZnBFTTI4WHJ5K2M4eEhpRXc1RWZKNk8rb3BQMgorOGVuL281dFlJMEliK2pUdk1rQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZGV3RJK3h6eXpmMTlub2NnVTYxMkZUMzAxRjBNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSjhtVnQvYzBzNHgvT21lWW8vKwpjVHRqN3lTdGtDNkRELzZib3MwbjZvbjZPMGZWVC9weGE5NTVnZUh1YkV3SzVsZG5MRTM0U1BvTG42VEtMeGpVCk16d1J3Q1NWTE5XZmZwTDQwaml6NzU4bHJIbHhrRTQ0Z2MzQ1VMTzF0a29PS1pKa1JiQkUvRkFkWjFLYjNGdjEKSXBTMWo5b3dUSThhSnd6VzhCaHBGQWU4ckZGaXUvRUxab29TdjJ2Vmswd1VxcmFSNXEvTGZZaTl1YUxZSjlPWgp5WGYxMS9kQnRuVDJiSUxjdVNFVEltdDUrbXJlZlhHc0FEdW42VVRMOWx6MmFmS014QSt2eS95VXE4S1hMb2RRClJFdVJtVXY4ZTBXN3BTb1d1aVNFYnJkT1lFNnZSYmZzaWZISE85S0lWZUJSSkdqVWtqeG42bFpyZ0gwRldWRFoKU1VBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://172.16.16.3:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: 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
    client-key-data: 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

Simplified, its structure is as follows

# gvk (group/version/kind)
apiVersion: v1
kind: Config
# clusters: API server endpoints and the CA used to verify them
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CR
    server: https://192.168.0.180:6443
  name: sdfdfdf
- cluster:
    certificate-authority-data: sdfasdfasdfsd
    server: https://10.100.100.100:6443
  name: mycluster
# users: credentials
# certificate authentication
users:
- name: xxxx
  user:
    client-certificate-data: LS0tLS1
    client-key-data: LS0tLS1CRUdJTiB
- name: mycluster-admin
  user:
    client-certificate-data: LS0tLS1
    client-key-data: LS0tLS1CRUdJTiB
- name: kubernetes-user1
  user:
    client-certificate-data: LS0tLS1
    client-key-data: LS0tLS1CRUdJTiB
# contexts: bind a user to a cluster
contexts:
- context:
    cluster: sdfdfdf
    user: xxxx
  name: kubernetes-admin@kubernetes
- context:
    cluster: mycluster
    user: mycluster-admin
  name: mycluster-admin@mycluster
- context:
    cluster: mycluster
    user: kubernetes-user1
  name: kubernetes-user1@mycluster
# current context: the one kubectl uses unless --context is given
current-context: kubernetes-admin@kubernetes

Common Kubernetes authentication types

Certificate (cluster-CA-signed) authentication

  • To use X.509 client certificates the API server only needs to be started with --client-ca-file=SOMEFILE. During certificate authentication the certificate's CN is used as the username and each O (organization) entry is used as a group name.
  • The super-administrator created by kubeadm authenticates with a certificate; its credentials are stored in /etc/kubernetes/admin.conf.
The clusters and contexts are the same as in the kubeconfig above; the only difference is that a user can reference its certificate and key as files on disk instead of embedding them as base64 data:

# users
# certificate authentication, file form
users:
- name: kubernetes-user1
  user:
    client-certificate: /tmp/train.crt
    client-key: /tmp/train.key
  • Generating a certificate is how a "user" is created: there is no user object in the API, the identity exists only in the certificate. Note that the API server does not check CRLs, so a client certificate stays valid until it expires; keep -days short and protect /etc/kubernetes/pki/ca.key, since anyone holding it can mint any identity.
openssl genrsa -out train.key 2048
openssl req -new -key train.key -out train.csr -subj "/CN=train/O=dfrt"
openssl x509 -req -in train.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out train.crt -days 500
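The CN -> username, O -> group mapping above is easy to get wrong silently (a stray O in the subject becomes a group, and a group such as system:masters would be cluster-admin), so it is worth checking which identity a certificate actually presents before handing it out. The following is an added example, not code from the original post or from Kubernetes: a pure-Python DER walker that reads the Subject from a certificate and applies the API server's mapping. It runs against the cluster CA certificate from the kubeconfig shown above (the only real certificate on this page) and against a subject constructed to match -subj "/CN=train/O=dfrt"; the function names and the constructed subject are assumptions of the example.

```python
"""Which Kubernetes identity does an X.509 certificate present?

Added example (not code from the original post or from Kubernetes): a minimal
DER walker that extracts the Subject from a certificate and applies the API
server's x509 mapping: CN -> username, every O -> group. Standard library
only; it reads the name and does not verify the chain or the signature.
"""
import base64

OID_CN = bytes.fromhex("550403")   # 2.5.4.3  commonName
OID_O = bytes.fromhex("55040a")    # 2.5.4.10 organizationName

# certificate-authority-data taken from the kubeconfig on this page: base64 of
# a PEM file. Real, parseable input; a client cert signed by this CA works too.
CA_CERT_DATA = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1ETXhOekExTkRVeE5Wb1hEVE15TURNeE5EQTFORFV4TlZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBUFpZCjU4aldxaVp5MFZ2Q1NiRnJtZEhSUnF2UFA5T1BNZkpYT3FPOUN0K0hZZDlMYkN0cTF1R2EvbjFuVTV0WUE5b24KWFFkTmt6bHIwQWR0L0lucnNUOWxKbXRRK3hqcXRReDFIeVFVTDBnNTlRNXNSWXNydXd0MEU4cG05d2ZWR2dBNQovQnFMQk85WTBWWTF5WUY2cXJ6TlVQRlVheVpLNVZuNDAySTQveFp3cll0U01tMGpUQ044c0dHdW9zL0tGWGtECmZUZ2U0MGx2TWF1UWNiNnk2U3krQlM3aDBwMDR6dHFNdDRBNDJENmxSWUZjM3NZYVdaanZSWUh0WWdLMDRUWlcKSEd4TldRT3krVGthbnRzQmFyTUhUUHNTMG91RGpCK2l0ZTVjZnBFTTI4WHJ5K2M4eEhpRXc1RWZKNk8rb3BQMgorOGVuL281dFlJMEliK2pUdk1rQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZGV3RJK3h6eXpmMTlub2NnVTYxMkZUMzAxRjBNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSjhtVnQvYzBzNHgvT21lWW8vKwpjVHRqN3lTdGtDNkRELzZib3MwbjZvbjZPMGZWVC9weGE5NTVnZUh1YkV3SzVsZG5MRTM0U1BvTG42VEtMeGpVCk16d1J3Q1NWTE5XZmZwTDQwaml6NzU4bHJIbHhrRTQ0Z2MzQ1VMTzF0a29PS1pKa1JiQkUvRkFkWjFLYjNGdjEKSXBTMWo5b3dUSThhSnd6VzhCaHBGQWU4ckZGaXUvRUxab29TdjJ2Vmswd1VxcmFSNXEvTGZZaTl1YUxZSjlPWgp5WGYxMS9kQnRuVDJiSUxjdVNFVEltdDUrbXJlZlhHc0FEdW42VVRMOWx6MmFmS014QSt2eS95VXE4S1hMb2RRClJFdVJtVXY4ZTBXN3BTb1d1aVNFYnJkT1lFNnZSYmZzaWZISE85S0lWZUJSSkdqVWtqeG42bFpyZ0gwRldWRFoKU1VBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der(tag: int, body: bytes) -> bytes:
    """Encode one short-form DER TLV (enough for a subject Name)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def pem_to_der(pem: str) -> bytes:
    """Strip the -----BEGIN/END----- armour and decode the body."""
    body = "".join(l.strip() for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


def subject_tlv(cert_der: bytes) -> bytes:
    """Walk Certificate -> TBSCertificate and return the raw subject Name TLV."""
    _, cert, _ = read_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)            # TBSCertificate SEQUENCE
    pos = 0
    tag, _, end = read_tlv(tbs, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        pos = end
    for _ in range(4):                       # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)           # subject
    return tbs[pos:end]


def parse_name(name_tlv: bytes):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }; returns [(oid, text)]."""
    attrs = []
    _, rdns, _ = read_tlv(name_tlv, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)               # SET (one RDN)
        p = 0
        while p < len(rdn):
            _, atv, p = read_tlv(rdn, p)                # SEQUENCE { type, value }
            _, oid, q = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, q)              # PrintableString / UTF8String
            attrs.append((oid, value.decode("utf-8")))
    return attrs


def identity_from_subject(attrs):
    """The x509 authenticator's mapping: username = CN, groups = all O values."""
    cns = [v for oid, v in attrs if oid == OID_CN]
    groups = [v for oid, v in attrs if oid == OID_O]
    if len(cns) != 1:
        raise ValueError("certificate must carry exactly one CN to be usable as a user")
    return cns[0], groups


def identity_from_kubeconfig_data(data_b64: str):
    """Accepts the base64(PEM) form that kubeconfig uses for *-data fields."""
    pem = base64.b64decode(data_b64).decode("ascii")
    return identity_from_subject(parse_name(subject_tlv(pem_to_der(pem))))


def make_subject(cn: str, orgs) -> bytes:
    """Constructed DER Name equivalent to -subj "/CN=train/O=dfrt" (illustration only)."""
    def rdn(oid, text):
        return der(0x31, der(0x30, der(0x06, oid) + der(0x13, text.encode())))
    return der(0x30, rdn(OID_CN, cn) + b"".join(rdn(OID_O, o) for o in orgs))


if __name__ == "__main__":
    print("CA cert would authenticate as:", identity_from_kubeconfig_data(CA_CERT_DATA))
    print("train.crt subject would authenticate as:",
          identity_from_subject(parse_name(make_subject("train", ["dfrt"]))))
```

For a real client certificate, pass the base64 from client-certificate-data to identity_from_kubeconfig_data, or feed pem_to_der(open("train.crt").read()) into subject_tlv. Whatever this prints is the identity the API server will see; combined with the absence of revocation, that is the identity you are granting for the full -days lifetime.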


  • Context-related commands
# list contexts:
kubectl config get-contexts
# show the current context:
kubectl config current-context
# switch context:
kubectl config use-context kubernetes-train@kubernetes

Service account (sa) authentication (commonly used)

  • Not to be confused with bootstrap tokens, which are a separate token authenticator: bootstrap tokens are generated dynamically, stored as Secrets in the kube-system namespace, and used to join new nodes to a Kubernetes cluster.
  • Bootstrap tokens require the API server to be started with --enable-bootstrap-token-auth (called --experimental-bootstrap-token-auth in older releases) and the controller manager to run the TokenCleaner and BootstrapSigner controllers: --controllers=*,tokencleaner,bootstrapsigner.
  • When a cluster is deployed with kubeadm, kubeadm creates a default bootstrap token automatically; list it with kubeadm token list.
  • A service account is a user managed by Kubernetes itself: it authenticates with a token and is a namespaced resource object.
sa related commands
kubectl create sa user1 -n cka
kubectl delete sa user1 -n cka
kubectl edit sa user1 -n cka
kubectl describe sa user1 -n cka
kubectl get sa -n cka

The token generated this way (the legacy token stored in a Secret, which clusters of this generation, 1.22 here, created automatically for every service account) has no expiry and can be used indefinitely until the Secret or the service account is deleted, so treat it like a long-lived password. Since Kubernetes 1.24 such Secrets are no longer created automatically; tokens obtained with kubectl create token are short-lived and bound to the service account.

Example: a kubeconfig with all three user types (inline certificate data, certificate files, and a service-account token)
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1ETXhOekExTkRVeE5Wb1hEVE15TURNeE5EQTFORFV4TlZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBUFpZCjU4aldxaVp5MFZ2Q1NiRnJtZEhSUnF2UFA5T1BNZkpYT3FPOUN0K0hZZDlMYkN0cTF1R2EvbjFuVTV0WUE5b24KWFFkTmt6bHIwQWR0L0lucnNUOWxKbXRRK3hqcXRReDFIeVFVTDBnNTlRNXNSWXNydXd0MEU4cG05d2ZWR2dBNQovQnFMQk85WTBWWTF5WUY2cXJ6TlVQRlVheVpLNVZuNDAySTQveFp3cll0U01tMGpUQ044c0dHdW9zL0tGWGtECmZUZ2U0MGx2TWF1UWNiNnk2U3krQlM3aDBwMDR6dHFNdDRBNDJENmxSWUZjM3NZYVdaanZSWUh0WWdLMDRUWlcKSEd4TldRT3krVGthbnRzQmFyTUhUUHNTMG91RGpCK2l0ZTVjZnBFTTI4WHJ5K2M4eEhpRXc1RWZKNk8rb3BQMgorOGVuL281dFlJMEliK2pUdk1rQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZGV3RJK3h6eXpmMTlub2NnVTYxMkZUMzAxRjBNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSjhtVnQvYzBzNHgvT21lWW8vKwpjVHRqN3lTdGtDNkRELzZib3MwbjZvbjZPMGZWVC9weGE5NTVnZUh1YkV3SzVsZG5MRTM0U1BvTG42VEtMeGpVCk16d1J3Q1NWTE5XZmZwTDQwaml6NzU4bHJIbHhrRTQ0Z2MzQ1VMTzF0a29PS1pKa1JiQkUvRkFkWjFLYjNGdjEKSXBTMWo5b3dUSThhSnd6VzhCaHBGQWU4ckZGaXUvRUxab29TdjJ2Vmswd1VxcmFSNXEvTGZZaTl1YUxZSjlPWgp5WGYxMS9kQnRuVDJiSUxjdVNFVEltdDUrbXJlZlhHc0FEdW42VVRMOWx6MmFmS014QSt2eS95VXE4S1hMb2RRClJFdVJtVXY4ZTBXN3BTb1d1aVNFYnJkT1lFNnZSYmZzaWZISE85S0lWZUJSSkdqVWtqeG42bFpyZ0gwRldWRFoKU1VBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://172.16.16.3:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-hengine
  name: kubernetes-hengine@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-sa
  name: kubernetes-sa@kubernetes
current-context: kubernetes-admin@kubernetes
users:
- name: kubernetes-admin
  user:
    client-certificate-data: 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
    client-key-data: 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
- name: kubernetes-hengine
  user:
    client-certificate: /tmp/train.crt
    client-key: /tmp/train.key
# token authentication (service account)
- name: kubernetes-sa
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IlNHOEstdmJBVEZNb2xIY1d3VzBKa3ZKRFZYWmNOZEhfcFFQXzV5YzFocWcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InVzZXIxLXRva2VuLXFxNTU5Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InVzZXIxIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZjYxMjFlZDUtYjFmZi00M2Q5LWIzYTEtMjBmZDY0NjRhODM1Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6dXNlcjEifQ.pFZXfGFgOMlVzauOkGv8YZA-rpphMYBGDh5mk9zrb3JB9SXvpEKkmDn2tW10IAnekvLy3BNiMfH0WhkpzrUJlOPlMMztWkK3PWkAIWsGwyP-frO0ckTx8V7hv3Dn6Z0MvoHbbvjQt57T_MRHLN7r_mXFcmjzG4Z9xooczA4VWhxJSiq1UeSQhqROYdkr0vJ__kYE02bw9YjVWXsEB6jZ4PJy3BIDrlQAAfNDOqZCRWmn_iZKofGaoAovHq1KzIh5qzHblm2-5qwlewcVk7ovk5XsDlVL1cF7G61pJXUizhVvWDzayl5fsU4wVXghYB8VAQSfjh-qHkja6Xqxni6CFw
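Before trusting a token like the one in the kubeconfig above it helps to look at what it actually claims. The following is an added example, not code from the original post or from Kubernetes: it decodes the kubernetes-sa token's header and claims without verifying the signature, derives the username and groups the authenticator would assign, and distinguishes the legacy never-expiring Secret token (no exp claim) from a bound TokenRequest token. The constructed bound-token claims at the end and all function names are assumptions of the example.

```python
"""Inspect a service-account token before you trust it.

Added example, not code from the original post or from Kubernetes. It splits
the JWT of the `kubernetes-sa` user above into header and claims WITHOUT
verifying the signature (only the API server, holding the service-account
signing key, can do that), reports the identity the token carries and says
whether it can expire. Standard library only.
"""
import base64
import json
from datetime import datetime, timezone

# The token of the `kubernetes-sa` user from the kubeconfig above (header.payload.signature).
SA_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IlNHOEstdmJBVEZNb2xIY1d3VzBKa3ZKRFZYWmNOZEhfcFFQXzV5YzFocWcifQ"
    ".eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InVzZXIxLXRva2VuLXFxNTU5Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InVzZXIxIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZjYxMjFlZDUtYjFmZi00M2Q5LWIzYTEtMjBmZDY0NjRhODM1Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6dXNlcjEifQ"
    ".pFZXfGFgOMlVzauOkGv8YZA-rpphMYBGDh5mk9zrb3JB9SXvpEKkmDn2tW10IAnekvLy3BNiMfH0WhkpzrUJlOPlMMztWkK3PWkAIWsGwyP-frO0ckTx8V7hv3Dn6Z0MvoHbbvjQt57T_MRHLN7r_mXFcmjzG4Z9xooczA4VWhxJSiq1UeSQhqROYdkr0vJ__kYE02bw9YjVWXsEB6jZ4PJy3BIDrlQAAfNDOqZCRWmn_iZKofGaoAovHq1KzIh5qzHblm2-5qwlewcVk7ovk5XsDlVL1cF7G61pJXUizhVvWDzayl5fsU4wVXghYB8VAQSfjh-qHkja6Xqxni6CFw"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore the padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str):
    """Return (header, claims). The signature is NOT checked: never authorize on this alone."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def describe_sa_token(token: str) -> dict:
    """Identity and lifetime the service-account authenticator would derive from the claims."""
    header, claims = decode_jwt_unverified(token)
    sub = claims.get("sub", "")
    if not sub.startswith("system:serviceaccount:"):
        raise ValueError(f"not a service-account token: sub={sub!r}")
    _, _, namespace, name = sub.split(":", 3)
    info = {
        "alg": header.get("alg"),
        "issuer": claims.get("iss"),
        "namespace": namespace,
        "service_account": name,
        # groups the authenticator attaches to every service account
        "groups": ["system:serviceaccounts", f"system:serviceaccounts:{namespace}",
                   "system:authenticated"],
        "secret_name": claims.get("kubernetes.io/serviceaccount/secret.name"),
    }
    if "exp" in claims:
        info["kind"] = "bound token (TokenRequest API / projected volume); expires"
        info["expires_at"] = datetime.fromtimestamp(claims["exp"], tz=timezone.utc).isoformat()
    else:
        info["kind"] = ("legacy Secret-based token; never expires, valid until the Secret "
                        "or the ServiceAccount is deleted")
        info["expires_at"] = None
    return info


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned token for comparison only; it would fail the API server's signature check."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    print(describe_sa_token(SA_TOKEN))
    # constructed claims shaped like a TokenRequest token, to show the other branch
    bound = {"iss": "https://kubernetes.default.svc",
             "sub": "system:serviceaccount:cka:user1", "exp": 1700000000}
    print(describe_sa_token(make_unsigned_token(bound)))
```

The first call shows the page's token is a legacy Secret token for system:serviceaccount:default:user1 with no exp claim; the second shows how a bound token with an exp claim is reported. Note that the groups list is what the authorizer will match Group subjects against, which matters when a ClusterRoleBinding names system:serviceaccounts.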


Authorization

  • After a user is authenticated it still has to be authorized before it can perform an operation on the cluster.
  • Authorization controls access to cluster resources: the attributes of the request (user, groups, verb, resource, namespace, ...) are compared against the configured access policies, and the request is processed only if a policy allows it.
  • As with authentication, Kubernetes supports several authorization mechanisms and allows multiple authorizer plugins to be enabled at once. The authorizers are consulted in order; as soon as one of them allows (or explicitly denies) the request, that decision is final. An authorized request is passed on to admission control for further validation; an unauthorized request gets HTTP 403.
# How common kubectl actions map to RBAC verbs
get          --> kubectl describe pod   (describe also needs list on events)
create       --> kubectl create pod
delete       --> kubectl delete pod
update/patch --> kubectl edit pod       (edit does a get first, then sends a patch)
list         --> kubectl get pod

Authorization plugins

  • Kubernetes currently supports the following authorization modes:
    • ABAC: attribute-based access control
    • RBAC
      • RBAC stands for role-based access control
      • Individual permissions are collected into a set called a role
      • One or more roles are bound to users or groups, which completes the authorization
    • Webhook: access control through an HTTP callback to an external service
    • Node: a special-purpose authorizer that grants each kubelet only the permissions it needs for the pods scheduled to its node

RBAC

  • Authorization decisions are implemented through the "rbac.authorization.k8s.io" API group, which lets administrators configure policy dynamically through the Kubernetes API.
  • With RBAC, the permitted operations on objects are defined in a role, and a user is then bound to that role so that the user acquires the role's permissions. A Role is namespaced: when User1 is bound to a Role in NamespaceA, User1 gains the operations listed in that role (get, list, ...) only in NamespaceA and has no permissions in NamespaceB.
  • For cluster-wide permissions Kubernetes also has a ClusterRole, whose rules can cover resources in every namespace (and cluster-scoped resources such as nodes). Binding User2 and User3 to a ClusterRole with a ClusterRoleBinding gives them those permissions across the whole cluster.

Role and ClusterRole

  • Role: namespaced
    • kubectl get role -n kube-system
NAME                                             CREATED AT
extension-apiserver-authentication-reader        2022-03-17T05:45:32Z
kube-proxy                                       2022-03-17T05:45:33Z
kubeadm:kubelet-config-1.22                      2022-03-17T05:45:32Z
kubeadm:nodes-kubeadm-config                     2022-03-17T05:45:32Z
system::leader-locking-kube-controller-manager   2022-03-17T05:45:32Z
system::leader-locking-kube-scheduler            2022-03-17T05:45:32Z
system:controller:bootstrap-signer               2022-03-17T05:45:32Z
system:controller:cloud-provider                 2022-03-17T05:45:32Z
system:controller:token-cleaner                  2022-03-17T05:45:32Z


  • ClusterRole: not namespaced (cluster-scoped)
    • kubectl get clusterroles
      • admin: administrator permissions within a namespace, intended to be granted with a RoleBinding; can also manage Roles and RoleBindings in that namespace
      • cluster-admin: super-administrator, every operation on every resource in the cluster
      • edit: read/write access to most objects in a namespace (including Secrets), but cannot view or modify Roles and RoleBindings
      • view: read-only access (cannot read Secrets)
NAME                                                                   CREATED AT
admin                                                                  2022-03-17T05:45:31Z
calico-kube-controllers                                                2022-03-17T06:01:10Z
calico-node                                                            2022-03-17T06:01:10Z
cluster-admin                                                          2022-03-17T05:45:31Z
edit                                                                   2022-03-17T05:45:31Z
ks-installer                                                           2022-03-22T03:06:38Z
kubeadm:get-nodes                                                      2022-03-17T05:45:33Z
nfs-external-provisioner-role                                          2022-03-22T08:36:54Z
system:aggregate-to-admin                                              2022-03-17T05:45:31Z
system:aggregate-to-edit                                               2022-03-17T05:45:31Z
system:aggregate-to-view                                               2022-03-17T05:45:31Z
system:aggregated-metrics-reader                                       2022-03-23T05:52:41Z
system:auth-delegator                                                  2022-03-17T05:45:31Z
system:basic-user                                                      2022-03-17T05:45:31Z
system:certificates.k8s.io:certificatesigningrequests:nodeclient       2022-03-17T05:45:31Z
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   2022-03-17T05:45:31Z
system:certificates.k8s.io:kube-apiserver-client-approver              2022-03-17T05:45:31Z
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver      2022-03-17T05:45:31Z
system:certificates.k8s.io:kubelet-serving-approver                    2022-03-17T05:45:31Z
system:certificates.k8s.io:legacy-unknown-approver                     2022-03-17T05:45:31Z
system:controller:attachdetach-controller                              2022-03-17T05:45:31Z
system:controller:certificate-controller                               2022-03-17T05:45:31Z
system:controller:clusterrole-aggregation-controller                   2022-03-17T05:45:31Z
system:controller:cronjob-controller                                   2022-03-17T05:45:31Z
system:controller:daemon-set-controller                                2022-03-17T05:45:31Z
system:controller:deployment-controller                                2022-03-17T05:45:31Z
system:controller:disruption-controller                                2022-03-17T05:45:31Z
system:controller:endpoint-controller                                  2022-03-17T05:45:31Z
system:controller:endpointslice-controller                             2022-03-17T05:45:31Z
system:controller:endpointslicemirroring-controller                    2022-03-17T05:45:31Z
system:controller:ephemeral-volume-controller                          2022-03-17T05:45:31Z
system:controller:expand-controller                                    2022-03-17T05:45:31Z
system:controller:generic-garbage-collector                            2022-03-17T05:45:31Z
system:controller:horizontal-pod-autoscaler                            2022-03-17T05:45:31Z
system:controller:job-controller                                       2022-03-17T05:45:31Z
system:controller:namespace-controller                                 2022-03-17T05:45:31Z
system:controller:node-controller                                      2022-03-17T05:45:31Z
system:controller:persistent-volume-binder                             2022-03-17T05:45:31Z
system:controller:pod-garbage-collector                                2022-03-17T05:45:31Z
system:controller:pv-protection-controller                             2022-03-17T05:45:31Z
system:controller:pvc-protection-controller                            2022-03-17T05:45:31Z
system:controller:replicaset-controller                                2022-03-17T05:45:31Z
system:controller:replication-controller                               2022-03-17T05:45:31Z
system:controller:resourcequota-controller                             2022-03-17T05:45:31Z
system:controller:root-ca-cert-publisher                               2022-03-17T05:45:31Z
system:controller:route-controller                                     2022-03-17T05:45:31Z
system:controller:service-account-controller                           2022-03-17T05:45:31Z
system:controller:service-controller                                   2022-03-17T05:45:31Z
system:controller:statefulset-controller                               2022-03-17T05:45:31Z
system:controller:ttl-after-finished-controller                        2022-03-17T05:45:31Z
system:controller:ttl-controller                                       2022-03-17T05:45:31Z
system:coredns                                                         2022-03-17T05:45:33Z
system:discovery                                                       2022-03-17T05:45:31Z
system:heapster                                                        2022-03-17T05:45:31Z
system:kube-aggregator                                                 2022-03-17T05:45:31Z
system:kube-controller-manager                                         2022-03-17T05:45:31Z
system:kube-dns                                                        2022-03-17T05:45:31Z
system:kube-scheduler                                                  2022-03-17T05:45:31Z
system:kubelet-api-admin                                               2022-03-17T05:45:31Z
system:metrics-server                                                  2022-03-23T05:52:41Z
system:monitoring                                                      2022-03-17T05:45:31Z
system:node                                                            2022-03-17T05:45:31Z
system:node-bootstrapper                                               2022-03-17T05:45:31Z
system:node-problem-detector                                           2022-03-17T05:45:31Z
system:node-proxier                                                    2022-03-17T05:45:31Z
system:persistent-volume-provisioner                                   2022-03-17T05:45:31Z
system:public-info-viewer                                              2022-03-17T05:45:31Z
system:service-account-issuer-discovery                                2022-03-17T05:45:31Z
system:volume-scheduler                                                2022-03-17T05:45:31Z
view                                                                   2022-03-17T05:45:31Z


Related commands

  • Create a role
kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run]

RoleBinding and ClusterRoleBinding

  • RoleBinding: namespaced
  • ClusterRoleBinding: cluster-wide

Authorization combinations

  • Role + user + RoleBinding: gives a user specific permissions in one namespace only. The Role and the RoleBinding must be in the same namespace, and the user's permissions are limited to that namespace.
  • Role + user + ClusterRoleBinding: invalid combination; a ClusterRoleBinding can only reference a ClusterRole, and the API server rejects the object.
  • ClusterRole + user + RoleBinding: gives a user specific permissions in one namespace; the ClusterRole is used as if it were a Role scoped to the RoleBinding's namespace. This is the usual way to define a permission set once and hand it out per namespace.
  • ClusterRole + user + ClusterRoleBinding: the user gets the permissions in all namespaces (and on cluster-scoped resources).
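To make the four combinations concrete, the following is an added example, not code from the original post or from Kubernetes: a small Python model of the RBAC authorizer's decision logic, loaded with the create-resources ClusterRole and the two bindings shown further down this page (train@create-rs in cka and user1@create-rs). The data classes and the can() helper are assumptions of the example; the semantics (binding scope, roleRef rules, allow-only) follow the RBAC authorizer, but aggregation, resourceNames and non-resource URLs are left out.

```python
"""Toy model of the Kubernetes RBAC authorizer, used to check the four
Role/ClusterRole x RoleBinding/ClusterRoleBinding combinations listed above.

Added example, not code from the original post or from Kubernetes. It follows
the authorizer's logic (the binding decides the scope, the roleRef decides the
rules, any matching rule allows, there is no deny) but skips aggregation,
resourceNames and non-resource URLs. The objects at the bottom are the
create-resources ClusterRole and the two bindings from this page.
"""
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Rule:
    api_groups: List[str]          # "" is the core group, "*" matches anything
    resources: List[str]
    verbs: List[str]

    def matches(self, api_group: str, resource: str, verb: str) -> bool:
        def ok(allowed, wanted):
            return "*" in allowed or wanted in allowed
        return (ok(self.api_groups, api_group) and ok(self.resources, resource)
                and ok(self.verbs, verb))


@dataclass
class Role:                        # namespaced
    name: str
    namespace: str
    rules: List[Rule]


@dataclass
class ClusterRole:                 # cluster-scoped
    name: str
    rules: List[Rule]


@dataclass
class Subject:
    kind: str                      # User | Group | ServiceAccount
    name: str
    namespace: str = ""            # ServiceAccount only

    def matches(self, user: str, groups: List[str]) -> bool:
        if self.kind == "User":
            return self.name == user
        if self.kind == "Group":
            return self.name in groups
        if self.kind == "ServiceAccount":   # SA tokens authenticate as this username
            return user == f"system:serviceaccount:{self.namespace}:{self.name}"
        return False


@dataclass
class RoleBinding:                 # namespaced; may reference a Role or a ClusterRole
    name: str
    namespace: str
    role_ref: Union[Role, ClusterRole]
    subjects: List[Subject]


@dataclass
class ClusterRoleBinding:          # cluster-scoped; must reference a ClusterRole
    name: str
    role_ref: ClusterRole
    subjects: List[Subject]

    def __post_init__(self):
        if not isinstance(self.role_ref, ClusterRole):   # the API server rejects this as well
            raise ValueError("ClusterRoleBinding.roleRef must be a ClusterRole, not a Role")


def authorize(bindings, user, groups, verb, resource, namespace="", api_group="") -> bool:
    """True if any binding grants the request; RBAC only ever allows, it never denies."""
    for b in bindings:
        if not any(s.matches(user, groups) for s in b.subjects):
            continue
        if isinstance(b, RoleBinding):
            if b.namespace != namespace:             # a RoleBinding grants only in its own namespace
                continue
            if isinstance(b.role_ref, Role) and b.role_ref.namespace != b.namespace:
                continue                             # Role and RoleBinding must share a namespace
        if any(r.matches(api_group, resource, verb) for r in b.role_ref.rules):
            return True
    return False


# Objects from this page
CREATE_RESOURCES = ClusterRole("create-resources", [
    Rule(["apps"], ["deployments", "statefulsets", "daemonsets"], ["create"]),
    Rule([""], ["pods"], ["create", "list"]),
])
BINDINGS = [
    # ClusterRole + RoleBinding: the ClusterRole acts as a Role inside "cka" only
    RoleBinding("train@create-rs", "cka", CREATE_RESOURCES, [Subject("User", "train")]),
    # ClusterRole + ClusterRoleBinding: the service account gets the rules everywhere
    ClusterRoleBinding("user1@create-rs", CREATE_RESOURCES,
                       [Subject("ServiceAccount", "user1", "default")]),
]


def can(user, verb, resource, namespace, api_group="", groups=()):
    """Convenience wrapper over the page's bindings, e.g. can("train", "create", "pods", "cka")."""
    return authorize(BINDINGS, user, list(groups), verb, resource, namespace, api_group)


def invalid_combo_rejected() -> bool:
    """Role + ClusterRoleBinding, the invalid combination from the list above."""
    try:
        ClusterRoleBinding("bad", Role("create-resources", "cka", []), [])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("train create pods in cka:    ", can("train", "create", "pods", "cka"))
    print("train create pods in default:", can("train", "create", "pods", "default"))
    print("sa user1 list pods anywhere: ",
          can("system:serviceaccount:default:user1", "list", "pods", "kube-system"))
    print("Role + ClusterRoleBinding rejected:", invalid_combo_rejected())
```

The same questions can be asked of a real cluster with kubectl auth can-i create pods -n cka --as=train and kubectl auth can-i list pods -n kube-system --as=system:serviceaccount:default:user1; the model here is only to make the scoping rules visible.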


Kubernetes RBAC demonstration

User --> RoleBinding --> Role

  • Create a role
    • Command that generates the YAML: kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run] (add -o yaml to print the manifest)

      • kubectl create creates the role: give it a name, --verb sets the permitted verbs, --resource sets the resource or resource group, and --dry-run only shows what would be created without creating it
    • Related commands

      • Create the role: kubectl apply -f role-demo.yaml
      • List roles:
        • kubectl get role
        • kubectl get clusterrole
# Create a Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role # resource type
# metadata
metadata:
  name: create-resources
  namespace: cka
rules:
- apiGroups: # which API groups the resources belong to
  - "apps"
  resources: # which resources
  - deployments
  - statefulsets
  - daemonsets
  verbs:  # which operations are permitted
  - create
- apiGroups:
  - "" # the core group (pods, services, ...)
  resources:
  - pods
  verbs:
  - create

# Create a ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
# metadata (no namespace: a ClusterRole is cluster-scoped)
metadata:
  name: create-resources
rules:
- apiGroups:
  - "apps"
  resources:
  - deployments
  - statefulsets
  - daemonsets
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - list
  • Example: grants create on deployments, statefulsets, daemonsets and pods, plus list on pods
# permissions
# RBAC rules are written in terms of GVR (group/version/resource), not GVK: apiGroups + resources
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
# metadata
metadata:
  name: hengine-cr
rules:
- apiGroups:
  - "apps"
  resources:
  - deployments
  - statefulsets
  - daemonsets
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - list


Binding the role
  • Command that generates the YAML: kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:name]. kubectl create creates the binding: give it a name, --role|--clusterrole selects the role to bind, --user selects the user (or --group / --serviceaccount the group or service account)
    • kubectl create rolebinding train@create-rs --clusterrole=create-resources --user=train -n cka
# ClusterRoleBinding: cluster-wide grant
# gvk
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
# metadata (no namespace)
metadata:
  name: user1@create-rs
# which permissions to bind (must be a ClusterRole)
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: create-resources
# to which subject; the service account is identified by name and namespace
subjects:
- kind: ServiceAccount
  name: user1
  namespace: default


# RoleBinding: grant limited to the binding's namespace (cka)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: train@create-rs
  namespace: cka
# a ClusterRole referenced here is used as a Role scoped to cka
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: create-resources
# "train" is the CN of the client certificate generated above
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: train
