1.概述
用kubectl向apiserver發起的命令,采用的是http方式,K8s支持多版本並存.
kubectl的認證信息存儲在~/.kube/config,所以用curl無法直接獲取apis中的信息,可以采用代理方式
kubectl proxy --port=8080
# HTTP request action,如get,post,put,delete,
# 這些action映射到k8s中,有:get,list,create,udate,patch,watch,proxy,redirect,delete
curl http://127.0.0.1:8080/apis/apps/v1/namespaces/kube-system/deployments
kubectl describe svc kubernetes
Name: kubernetes
Namespace: default
Labels: component=apiserver
provider=kubernetes
Annotations: <none>
Selector: <none>
Type: ClusterIP
IP: 10.96.0.1
Port: https 443/TCP
TargetPort: 6443/TCP
Endpoints: 10.0.0.10:6443
Session Affinity: None
Events: <none>
10.96.0.1是kubernetes apiserver的地址,實現了通過10.96.0.1訪問10.0.0.10:6443
# serviceAccount已經被替換成serviceAccountName
# apiServer驗證用戶和pod,它倆分別使用userAccount和serviceAccount
kubectl create serviceaccount mysa -o yaml --dry-run
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: null
name: mysa
# 創建其它資源時,可以參考系統標准的模板
kubectl get pods myapp-1 -o yaml --export
2.創建serviceAccount
kubectl create serviceaccount admin
kubectl get sa
NAME SECRETS AGE
admin 1 10s
default 1 15d
# 這個sa目前只存在於default名稱空間
kubectl describe sa admin
kubectl get secret
NAME TYPE DATA AGE
admin-token-bqcpl kubernetes.io/service-account-token 3 53s
default-token-g7t2x kubernetes.io/service-account-token 3 15d
# 用配置清單把serviceaccount和pod綁定起來,這表示該pod使用自定義的驗證信息admin
cat pod-sa-demo.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-sa-demo
namespace: default
labels:
app: myapp
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v1
ports:
- name: http
containerPort: 80
serviceAccountName: admin
# kubeconfig是客戶端連接apiserver時使用的認證格式的配置文件
# context定義哪個集群被哪個用戶訪問,current-context當前是用的是哪個context
kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.0.0.10:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
3.創建useraccount
# 證書存放位置 cd /etc/kubernetes/pki/ # 做一個私鑰,生成lixiang.key (umask 077; openssl genrsa -out lixiang.key 2048) # 基於私鑰生成一個證書,生成lixiang.csr,CN就是用戶賬號名 openssl req -new -key lixiang.key -out lixiang.csr -subj "/CN=lixiang" # 簽發證書,生成lixiang.crt,-days:表示證書的過期時間,x509:生成x509格式證書 openssl x509 -req -in lixiang.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out lixiang.crt -days 365 # 查看證書內容 openssl x509 -in lixiang.crt -text -noout # 把用戶賬戶信息添加到當前集群中,embed-certs=true隱藏證書信息 kubectl config set-credentials lixiang --client-certificate=lixiang.crt --client-key=lixiang.key --embed-certs=true # 設置該用戶可以訪問kubernetes集群 kubectl config set-context lixiang@kubernetes --cluster=kubernetes --user=lixiang # 切換到lixiang用戶,登錄k8s,可以看到lixiang用戶沒有管理器權限 kubectl config use-context lixiang@kubernetes # 切回k8s管理員 kubectl config use-context kubernetes-admin@kubernetes # 創建一個新的k8s集群,--kubeconfig:指定集群配置文件存放位置 kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://127.0.0.1:6443" \ --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true kubectl config view --kubeconfig=/tmp/test.conf
參考博客:http://blog.itpub.net/28916011/viewspace-2215100/