1.首先写一个监听的后台服务,比如监听在3000端口。
package main
import (
	"context"
	"encoding/json"
	"log"
	"net/http"
	"time"

	"github.com/google/go-github/github"
	"golang.org/x/oauth2"
	authentication "k8s.io/api/authentication/v1beta1"
)
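// main runs a Kubernetes token-authentication webhook on :3000. The API
// server sends a TokenReview to /authenticate; the handler treats the
// submitted bearer token as a GitHub access token, asks GitHub which user it
// belongs to, and answers with that login as the Kubernetes username.
//
// Deployment notes:
//   - The listener is plain HTTP, so every bearer token crosses the network
//     unencrypted; terminate TLS in front of it outside a lab.
//   - The handler does not authenticate its caller, so the port should be
//     reachable only by the API server.
//   - Any valid GitHub token is accepted and no groups are returned; what the
//     user may do is left entirely to the cluster's authorization layer.
func main() {
	// Upper bound on one review, including the outbound GitHub call.
	const reviewTimeout = 10 * time.Second
	// A TokenReview is small; cap the body so a caller cannot stream
	// unbounded JSON into the decoder.
	const maxBodyBytes = 1 << 20

	// reply writes a TokenReview response with the given HTTP status code.
	reply := func(w http.ResponseWriter, code int, status authentication.TokenReviewStatus) {
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(code)
		err := json.NewEncoder(w).Encode(map[string]interface{}{
			"apiVersion": "authentication.k8s.io/v1beta1",
			"kind":       "TokenReview",
			"status":     status,
		})
		if err != nil {
			log.Println("[Error]", err.Error())
		}
	}
	denied := authentication.TokenReviewStatus{Authenticated: false}

	http.HandleFunc("/authenticate", func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)

		var tr authentication.TokenReview
		if err := json.NewDecoder(r.Body).Decode(&tr); err != nil {
			log.Println("[Error]", err.Error())
			reply(w, http.StatusBadRequest, denied)
			return
		}
		// Only the fact of a request is logged; the token itself must never
		// reach the log.
		log.Print("receving request")

		// An empty token cannot identify anyone; refuse it without spending
		// an outbound call to GitHub.
		if tr.Spec.Token == "" {
			log.Println("[Error]", "empty token in TokenReview")
			reply(w, http.StatusUnauthorized, denied)
			return
		}

		// Tie the GitHub lookup to this request and bound its duration so a
		// slow upstream cannot pin handler goroutines indefinitely.
		ctx, cancel := context.WithTimeout(r.Context(), reviewTimeout)
		defer cancel()

		// Wrap the submitted token in a token source, then build an HTTP
		// client that presents it to GitHub.
		ts := oauth2.StaticTokenSource(
			&oauth2.Token{AccessToken: tr.Spec.Token},
		)
		tc := oauth2.NewClient(ctx, ts)
		client := github.NewClient(tc)

		// An empty user name asks GitHub for the user that owns the token.
		user, _, err := client.Users.Get(ctx, "")
		if err != nil {
			log.Println("[Error]", err.Error())
			reply(w, http.StatusUnauthorized, denied)
			return
		}
		// Login is a pointer field; a response without it must be treated as
		// a failed review instead of dereferencing nil.
		if user == nil || user.Login == nil || *user.Login == "" {
			log.Println("[Error]", "GitHub returned no login for token")
			reply(w, http.StatusUnauthorized, denied)
			return
		}

		login := *user.Login
		log.Printf("[Success] login as %s", login)
		reply(w, http.StatusOK, authentication.TokenReviewStatus{
			Authenticated: true,
			User: authentication.UserInfo{
				Username: login,
				// NOTE(review): UID mirrors the login. GitHub logins can be
				// renamed, so a stable account identifier would be a safer
				// UID if anything downstream keys on it.
				UID: login,
			},
		})
	})

	// A nil Handler serves http.DefaultServeMux, where the route above was
	// registered. Explicit timeouts stop slow clients from holding
	// connections open forever.
	srv := &http.Server{
		Addr:              ":3000",
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      reviewTimeout + 5*time.Second,
	}
	log.Println(srv.ListenAndServe())
}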
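- 创建配置文件(复制后的文件名需与下文 --authentication-token-webhook-config-file 指向的 /etc/config/webhook-config.json 一致;示例中 server 使用明文 http,用户的 token 会以明文传输,生产环境应改用 https)
mkdir /etc/config
cp web-config.json /etc/config/webhook-config.json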
{
"kind": "Config",
"apiVersion": "v1",
"preferences": {},
"clusters": [
{
"name": "github-authn",
"cluster": {
"server": "http://192.168.34.2:3000/authenticate"
}
}
],
"users": [
{
"name": "authn-apiserver",
"user": {
"token": "secret"
}
}
],
"contexts": [
{
"name": "webhook",
"context": {
"cluster": "github-authn",
"user": "authn-apiserver"
}
}
],
"current-context": "webhook"
}
- 注册对应的config到/etc/kubernetes/manifest/kube-apiserver.yaml
- --authentication-token-webhook-config-file=/etc/config/webhook-config.json
以及
volumeMounts 下添加
- mountPath: /etc/config
  name: webhook-config
  readOnly: true
volumes 下添加
- hostPath:
    path: /etc/config
    type: DirectoryOrCreate
  name: webhook-config
启动服务
在 ~/.kube/config 中加一个 user,并加上 token
- name: myuser1
  user:
    token: ******** # 在 github 上生成的 personal access token;webhook 只用它查询当前用户,尽量不要授予额外的 scope
root@cloud:~# kubectl get po --user myuser1
Error from server (Forbidden): pods is forbidden: User "wuyongmax" cannot list resource "pods" in API group "" in the namespace "default"
返回 Forbidden 而不是 Unauthorized,说明认证已经通过(用户被识别为 wuyongmax),只是该用户还没有被 RBAC 授权。
./authn-webhook
2022/11/29 11:54:48 receving request
2022/11/29 11:54:49 [Success] login as wuyongmax