用户访问
客户端访问 API server
user: username uid
group:
extra:
API
Request path
http://10.0.0.11:6443/apis/apps/v1/namespaces/default/deployments/myapp-deploy/
HTTP request verbs:
- get
- post
- put
- delete
API request verbs:
- get
- list
- create
- update
- patch
- watch
- proxy
- redirect
- delete
- deletecollection
- Resource
- Subresource
- namespace
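# Open a local front-end to the API server. kubectl proxy binds to 127.0.0.1
# by default and attaches the caller's own kubeconfig credentials to every
# forwarded request, so anything that can reach the port acts with those
# rights: keep it on loopback and stop it when done. It is backgrounded here
# because it would otherwise block and the curl calls below would never run.
kubectl proxy --port=8081 &
proxy_pid=$!
# Give the proxy a moment to start listening; stop early if it already died
# (e.g. kubectl missing or the port in use).
for _ in 1 2 3 4 5; do
  kill -0 "$proxy_pid" 2>/dev/null || break
  curl -s -o /dev/null http://localhost:8081/ && break
  sleep 1
done
# Core group lives under /api/v1 (no "apis/" prefix).
curl http://localhost:8081/api/v1/namespaces
# Named-resource paths need the resource type between namespace and name:
# /apis/<group>/<version>/namespaces/<ns>/<resource>/<name>.
# The original omitted "deployments/", which the API server rejects.
curl http://localhost:8081/apis/apps/v1/namespaces/kube-system/deployments/coredns
kill "$proxy_pid" 2>/dev/null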
[root@k8s-master1 ~]# kubectl describe service kubernetes
Name: kubernetes
Namespace: default
Labels: component=apiserver
provider=kubernetes
Annotations: <none>
Selector: <none>
Type: ClusterIP
IP: 10.254.0.1
Port: https 443/TCP
TargetPort: 6443/TCP
Endpoints: 10.0.0.11:6443
Session Affinity: None
Events: <none>
用户(认证)
- 用户账号(serviceAccountName)
- 服务账号(serviceAccount)
serviceaccount
# Dry-run the ServiceAccount creation: print the manifest kubectl would
# submit without sending anything to the cluster. Newer kubectl releases
# spell this --dry-run=client (the bare --dry-run form is deprecated there).
kubectl create sa mysa -o yaml --dry-run
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: null
name: mysa
# Dump the live Pod as YAML. --export was meant to strip cluster-populated
# fields; it is deprecated and removed in kubectl 1.18+, so on newer
# versions drop the flag and trim status/uid/selfLink by hand.
kubectl get pod myapp-deploy-65df64765c-x6wwv --export -o yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
generateName: myapp-deploy-65df64765c-
labels:
app: myapp
pod-template-hash: 65df64765c
release: canary
ownerReferences:
- apiVersion: apps/v1
blockOwnerDeletion: true
controller: true
kind: ReplicaSet
name: myapp-deploy-65df64765c
uid: d048424c-143e-11ea-83d0-000c29b4d624
selfLink: /api/v1/namespaces/default/pods/myapp-deploy-65df64765c-x6wwv
spec:
containers:
- image: ikubernetes/myapp:v1
imagePullPolicy: IfNotPresent
name: myapp
ports:
- containerPort: 80
name: http
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-7m57r
readOnly: true
dnsPolicy: ClusterFirst
enableServiceLinks: true
nodeName: 10.0.0.12
priority: 0
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: default
serviceAccountName: default
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 300
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 300
volumes:
- name: default-token-7m57r
secret:
defaultMode: 420
secretName: default-token-7m57r
status:
phase: Pending
qosClass: BestEffort
创建serviceaccount
# Create the ServiceAccount in the current namespace. "admin" is only a
# name: what this account may do is decided solely by the RBAC bindings
# attached to it, and none are created here.
kubectl create sa admin
查看serviceaccounts
# List the ServiceAccounts in the current namespace.
kubectl get sa
[root@k8s-master1 manifests]# kubectl describe serviceaccounts admin
Name: admin
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: admin-token-45jlv
Tokens: admin-token-45jlv
Events: <none>
[root@k8s-master1 manifests]# kubectl get secrets
NAME TYPE DATA AGE
admin-token-45jlv kubernetes.io/service-account-token 3 3m1s
default-token-7m57r kubernetes.io/service-account-token 3 184d
mysql-pass Opaque 1 180d
mysql-root-password Opaque 1 29h
nginx-ingress-serviceaccount-token-pzzm7 kubernetes.io/service-account-token 3 174d
tomcat-ingress-secret kubernetes.io/tls 2 7d5h
pod-sa-daemon.yaml
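apiVersion: v1
kind: Pod
metadata:
  name: pod-sa-demo
  namespace: default
  labels:
    app: myapp
    tier: frontend
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
  # Run under the "admin" ServiceAccount created above. Its token is mounted
  # into the container at /var/run/secrets/kubernetes.io/serviceaccount, so
  # the workload holds whatever RBAC permissions are bound to that account.
  serviceAccountName: admin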
kubeconfig
kubeconfig：客户端连入 API server 时所使用的认证配置文件
kubectl config view
创建客户端私钥和证书
# Generate the client private key inside a subshell with umask 077 so the
# file is created owner-readable only; this key is later embedded in the
# kubeconfig, so it must stay private.
( umask 077 && openssl genrsa -out wuxing.key 2048 )
# CSR: the CN becomes the Kubernetes username. Group membership would come
# from O= fields in the subject; none is set here, so RBAC has to bind the
# user "wuxing" directly.
openssl req -new -subj '/CN=wuxing' -key wuxing.key -out wuxing.csr
# Sign with the cluster CA. Note the 10-year validity: the API server does
# not check revocation for client certificates, so a leaked cert remains
# usable until it expires; a shorter -days value limits that exposure.
openssl x509 -req -days 3650 -in wuxing.csr -CA ./ca.pem -CAkey ./ca-key.pem -CAcreateserial -out wuxing.crt
查看证书
# Print the signed certificate in readable form (subject, issuer, validity).
openssl x509 -noout -text -in wuxing.crt
创建客户端认证配置
# Register the cert/key pair as kubeconfig user "wuxing". --embed-certs=true
# copies the PEM data, private key included, base64-encoded into the
# kubeconfig instead of referencing the paths, so the kubeconfig file itself
# becomes a credential and must be protected (owner-only permissions).
kubectl config set-credentials wuxing \
  --embed-certs=true \
  --client-certificate=/k8s/kubernetes/ssl/wuxing.crt \
  --client-key=/k8s/kubernetes/ssl/wuxing.key
设置context
# Pair user "wuxing" with cluster "kubernetes" under a named context. The
# cluster entry must exist in the kubeconfig for the context to be usable;
# the view below still shows "clusters: []".
kubectl config set-context wuxing@kubernetes --user=wuxing --cluster=kubernetes
查看
[root@k8s-master1 ~]# kubectl config view
apiVersion: v1
clusters: []
contexts:
- context:
cluster: kubernetes
user: wuxing
name: wuxing@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: wuxing
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
~/.kube/config (kubectl 默认读取的配置文件，其中包含已嵌入的凭据)
切换上下文(用户)
# Make the wuxing@kubernetes context current so later kubectl calls
# authenticate with the wuxing client certificate.
kubectl config use-context 'wuxing@kubernetes'
设置集群
# Add cluster "mycluster" to a separate kubeconfig file. --certificate-authority
# pins the CA used to verify the API server's TLS certificate (the alternative,
# --insecure-skip-tls-verify, should not be used); --embed-certs inlines it.
# Only the public CA is stored here, but if user credentials are later added
# to this file, /tmp is a poor place to keep it.
kubectl config set-cluster mycluster \
  --kubeconfig=/tmp/test.conf \
  --embed-certs=true \
  --certificate-authority=/k8s/kubernetes/ssl/ca.pem \
  --server='https://10.0.0.11:6443'
[root@k8s-master1 ~]# kubectl config view --kubeconfig=/tmp/test.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.0.0.11:6443
name: mycluster
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []