A demonstration of Kubernetes authentication mechanisms

19-01-07 banq

Kubernetes has a number of authentication mechanisms to verify who is actually accessing cluster resources; see the list of authentication strategies in the documentation for the complete set. In this demo, let's test the simplest one: the static password file. Note that static password files (the --basic-auth-file flag of kube-apiserver) were deprecated in Kubernetes 1.16 and removed in 1.19; the demo below runs Kubernetes v1.10.0, where the flag still exists.

Demo prerequisites

  • A Minikube Kubernetes cluster
  • A static password file named users.csv

Let's show the file and its structure (password,username,userId):

$ pwd
/Users/tomask79/workspace
$ cat users.csv
tomask123,tomask79,100

Starting the Minikube cluster with basic authentication

The first step is to mount the password file users.csv, located in the current directory, into Minikube. Let's use the /var/lib/localkube/certs/ directory, since it is shared between the minikube VM and the apiserver container.

$ minikube mount $(pwd)/:/var/lib/localkube/certs/mini
Mounting /Users/tomask79/workspace/ into /var/lib/localkube/certs/mini on the minikube VM
This daemon process needs to stay alive for the mount to still be accessible...

Leave that process running as suggested, open another terminal, and start minikube with that file as the static password source (--extra-config=apiserver.basic-auth-file passes the --basic-auth-file flag through to kube-apiserver). That is what enables basic authentication.

$ minikube start --extra-config=apiserver.basic-auth-file=/var/lib/localkube/certs/mini/users.csv --kubernetes-version=v1.10.0
Starting local Kubernetes v1.10.0 cluster...
Starting VM...
Getting VM IP address...
Moving files into cluster...
Setting up certs...
Connecting to cluster...
Setting up kubeconfig...
Starting cluster components...
Kubectl is now configured to use the cluster.
Loading cached images from config file.

Good, Minikube is running. Of course, we should verify the basic properties.

$ minikube ip
192.168.99.100
$ minikube version
minikube version: v0.28.2
$ kubectl cluster-info
Kubernetes master is running at https://192.168.99.100:8443
KubeDNS is running at https://192.168.99.100:8443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

Interacting with the Kubernetes API through basic authentication

To interact with the Kubernetes API server, you basically have two options:

  • Call the REST API directly
  • Use kubectl, which ultimately calls the REST API as well

Let's try the first option first and list the pods running in the default namespace. To authenticate against the API server with basic authentication, the documentation says:

When using basic authentication from an http client, the API server expects an Authorization header with a value of Basic BASE64ENCODED(USER:PASSWORD).

First let's create the Base64 string for incorrect credentials (we only configured the user tomask79):

$ echo -n baduser:badpassword | base64
YmFkdXNlcjpiYWRwYXNzd29yZA==

Now use this Base64 string to fetch the pods running inside the default namespace:

$ curl -H "Authorization: Basic YmFkdXNlcjpiYWRwYXNzd29yZA==" https://192.168.99.100:8443/api/v1/namespaces/default/pods -k
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}

We got the result we expected: a 401 means the API server could not authenticate the caller at all. In the next step, let's prepare the Base64 string for the correct credentials:

$ cat users.csv
tomask123,tomask79,100
$ echo -n tomask79:tomask123 | base64
dG9tYXNrNzk6dG9tYXNrMTIz

And list the pods inside the default namespace again:

$ curl -H "Authorization: Basic dG9tYXNrNzk6dG9tYXNrMTIz" https://192.168.99.100:8443/api/v1/namespaces/default/pods -k
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "pods is forbidden: User \"tomask79\" cannot list pods in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}

Hmm, user tomask79 has no permission to view pods in the default namespace. That makes sense: this time the API server authenticated him (the message names the user), but RBAC has no rule allowing the request, hence 403 rather than 401. To fix this we need a RoleBinding, which grants a role to a subject within a single namespace, and it can reference one of the ClusterRoles. There are four default user-facing ClusterRoles:

  • cluster-admin
  • admin
  • edit
  • view

We want user tomask79 to be able to view pods, so let's give him the view ClusterRole. Keep in mind that view grants read-only access to most namespaced objects in that namespace (though not Secrets), not only pods; a custom Role limited to pods would be tighter.

$ kubectl create rolebinding tomask79-view-binding-default --clusterrole=view --user=tomask79 --namespace=default
rolebinding.rbac.authorization.k8s.io/tomask79-view-binding-default created

And list the pods from the default namespace once more:

$ curl -H "Authorization: Basic dG9tYXNrNzk6dG9tYXNrMTIz" https://192.168.99.100:8443/api/v1/namespaces/default/pods -k
{
  "kind": "PodList",
  "apiVersion": "v1",
  "metadata": {
    "selfLink": "/api/v1/namespaces/default/pods",
    "resourceVersion": "1054"
  },
  "items": []
}

The API server returned the pod list (empty, since nothing is running in default yet)!
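The three curl calls above form one pattern: build the Authorization header, send the request, and read the status code, where 401 means the credentials were rejected, 403 means the user was authenticated but RBAC denied the request, and 200 means both checks passed. The following shell functions package that pattern; they are an added example, not code from the original post. The API_SERVER default, the function names and the use of -k (skipping TLS verification, as the post's curl calls do) are this example's own assumptions; against a real cluster pass --cacert instead.

```shell
#!/bin/sh
# Added example (not from the original post): build the Basic header the
# API server expects and classify the response by HTTP status code.
# Assumes: API_SERVER points at the cluster (hypothetical default below),
# curl and base64 are installed. Credentials come from the post's users.csv.

API_SERVER="${API_SERVER:-https://192.168.99.100:8443}"

# Print the Authorization header for user:password.
# printf instead of echo -n (echo -n is not portable); tr strips the
# line wrap that some base64 implementations insert after 76 characters.
basic_auth_header() {
  printf 'Authorization: Basic %s' \
    "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Map the status code to what it means for the caller:
# 401 = authentication failed (unknown user or wrong password),
# 403 = authenticated, but RBAC denies the request,
# 200 = authenticated and authorized.
classify_status() {
  case "$1" in
    200) echo "authenticated and authorized" ;;
    401) echo "authentication failed (credentials rejected)" ;;
    403) echo "authenticated but not authorized (RBAC denied)" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# Probe one API path with Basic auth and print only the HTTP status code.
# -k skips TLS verification like the curl calls in the post; in real use
# replace it with --cacert ~/.minikube/ca.crt.
probe() {
  user=$1; pass=$2; path=$3
  curl -s -k -o /dev/null -w '%{http_code}' \
    -H "$(basic_auth_header "$user" "$pass")" \
    "$API_SERVER$path"
}

# Probe and explain the result in one step (needs the running cluster).
probe_and_explain() {
  code=$(probe "$1" "$2" "$3")
  printf '%s -> %s: %s\n' "$3" "$code" "$(classify_status "$code")"
}
```

Against the running cluster, probe baduser badpassword /api/v1/namespaces/default/pods prints 401, and probe tomask79 tomask123 /api/v1/namespaces/default/pods prints 403 before the RoleBinding is created and 200 after it, matching the three responses shown above. Only basic_auth_header and classify_status can be exercised without a cluster.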

Kubectl and multiple contexts with different users

Most of the time you will want to interact with the API server through kubectl. The kubectl configuration lets you reach multiple clusters by switching contexts. Let's use that idea and create a new kubectl context for the same cluster, but using the newly registered user tomask79.

First let's add the new user to the current kubectl configuration:

$ kubectl config set-credentials tomask79 --username=tomask79 --password=tomask123
User "tomask79" set.

Good, let's check the configuration with the user added. Note that kubectl stores the password in plaintext in the kubeconfig file, so that file deserves the same protection as the client key next to it:

$ kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /Users/tomask79/.minikube/ca.crt
    server: https://192.168.99.100:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: /Users/tomask79/.minikube/client.crt
    client-key: /Users/tomask79/.minikube/client.key
- name: tomask79
  user:
    password: tomask123
    username: tomask79

We want to be able to switch between users while accessing the same minikube cluster, so let's add a context that points to the minikube cluster but accesses it as user tomask79:

$ kubectl config set-context tomask79-context --cluster=minikube --user=tomask79
Context "tomask79-context" created.

OK, let's switch to the new context:

$ kubectl config use-context tomask79-context
Switched to context "tomask79-context".

And show the final configuration:

$ kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /Users/tomask79/.minikube/ca.crt
    server: https://192.168.99.100:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    user: minikube
  name: minikube
- context:
    cluster: minikube
    user: tomask79
  name: tomask79-context
current-context: tomask79-context
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: /Users/tomask79/.minikube/client.crt
    client-key: /Users/tomask79/.minikube/client.key
- name: tomask79
  user:
    password: tomask123
    username: tomask79

Now everything run through kubectl will be executed as user "tomask79"!

$ kubectl get pods
No resources found.
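The kubeconfig shown above now carries tomask79's password in plaintext alongside the minikube client key, which is the main thing to watch for when using kubectl config set-credentials --password (or --token). As an added example, not part of the original post, the following functions audit a kubeconfig for inline secrets and for permissions that let other users read it. The sample kubeconfig is constructed from the configuration printed above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a kubeconfig for
# credentials stored inline in plaintext and for loose file permissions.
# Assumes the kubeconfig layout shown in the post (a "users:" list whose
# entries carry "password:" or "token:" lines); function names are
# hypothetical.

# Print "<user> <field>" for every user entry that embeds a secret.
# The kubeconfig is YAML; this walks the users: list with awk, which is
# enough for files written by kubectl config set-credentials.
kubeconfig_plaintext_creds() {
  awk '
    /^users:/                          { in_users = 1; next }
    in_users && /^[^ -]/               { in_users = 0 }   # next top-level key
    in_users && /^- name:/             { user = $3 }
    in_users && /^ +(password|token):/ { sub(":", "", $1); print user, $1 }
  ' "$1"
}

# Succeed only if group and others have no permission bits (mode rw-------).
kubeconfig_private() {
  perms=$(ls -ld "$1" | cut -c5-10)
  [ "$perms" = "------" ]
}

# Report both findings for a kubeconfig (defaults to ~/.kube/config).
audit_kubeconfig() {
  f=${1:-$HOME/.kube/config}
  kubeconfig_plaintext_creds "$f" | while read -r user field; do
    echo "WARN: user '$user' stores a $field in plaintext in $f"
  done
  kubeconfig_private "$f" || echo "WARN: $f is readable by group or others"
}

# Constructed sample (the kubeconfig from the post), written to $1.
write_sample_kubeconfig() {
  cat > "$1" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /Users/tomask79/.minikube/ca.crt
    server: https://192.168.99.100:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    user: minikube
  name: minikube
- context:
    cluster: minikube
    user: tomask79
  name: tomask79-context
current-context: tomask79-context
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: /Users/tomask79/.minikube/client.crt
    client-key: /Users/tomask79/.minikube/client.key
- name: tomask79
  user:
    password: tomask123
    username: tomask79
EOF
}
```

On the sample, kubeconfig_plaintext_creds flags tomask79's password and nothing for minikube, whose user entry only references certificate files. Client certificates, or an exec credential plugin in the user entry, keep the secret out of the kubeconfig; a static password file gives you neither option.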

Those are the pods in the default namespace, which we already granted user tomask79 access to (currently there are none). Now let's try the kube-public namespace:

$ kubectl get -n kube-public pods
No resources found.
Error from server (Forbidden): pods is forbidden: User "tomask79" cannot list pods in the namespace "kube-public"

The kube-public namespace is still forbidden for user tomask79. What if we try to create a RoleBinding under his account?

$ kubectl create rolebinding tomask79-view-binding-public --clusterrole=view --user=tomask79 --namespace=kube-public
Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "tomask79" cannot create rolebindings.rbac.authorization.k8s.io in the namespace "kube-public"

Makes sense: a user who cannot grant himself permissions is exactly what RBAC should enforce. So let's switch to the default context, allow user tomask79 to access the kube-public namespace, and switch back to the tomask79 context to test it.

$ kubectl config use-context minikube
Switched to context "minikube".
$ kubectl create rolebinding tomask79-view-binding-public --clusterrole=view --user=tomask79 --namespace=kube-public
rolebinding.rbac.authorization.k8s.io/tomask79-view-binding-public created
$ kubectl config use-context tomask79-context
Switched to context "tomask79-context".
$ kubectl get -n kube-public pods
No resources found.
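Both RoleBindings created above bind the built-in view ClusterRole, which grants read access to most namespaced objects, not only pods. As an added example that is not part of the original post, the following shell functions emit a namespace-scoped Role limited to pods with read-only verbs, bind it to one user, and verify the result from the admin context with kubectl auth can-i and impersonation (--as). The role name pod-reader and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): a least-privilege alternative
# to binding the "view" ClusterRole. Emits a Role that only allows reading
# pods, plus a RoleBinding for one user, and checks it via impersonation.
# The role name "pod-reader" and the function names are assumptions.

# Print a Role + RoleBinding manifest: $1 = user, $2 = namespace.
pod_reader_manifest() {
  user=$1; ns=$2
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: $ns
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $user-pod-reader
  namespace: $ns
subjects:
- kind: User
  name: $user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply the manifest from an admin context, then confirm through
# impersonation that the user can list pods but can neither read secrets
# nor create rolebindings. Needs the running cluster; not run offline.
grant_pod_reader() {
  user=$1; ns=$2
  pod_reader_manifest "$user" "$ns" | kubectl apply -f -
  for check in "list pods" "get secrets" "create rolebindings"; do
    printf '%s as %s in %s: ' "$check" "$user" "$ns"
    # $check is split on purpose into verb and resource.
    kubectl auth can-i $check --namespace "$ns" --as "$user"
  done
}
```

Run grant_pod_reader tomask79 kube-public from the minikube (admin) context; the three can-i lines should print yes, no, no. Impersonation with --as works here because the minikube context has cluster-admin, which is also why the same kubectl create rolebinding that failed for tomask79 succeeded from that context above.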