1 Introduction to the Kubernetes authentication system
1.1 Access control
Every request to the Kubernetes API passes through several stages of access control before it is accepted: authentication, authorization and admission control.
1.2 Authentication
Once TLS is enabled on the cluster, every API request a client sends to Kubernetes must be authenticated so that the caller's identity can be established.
Kubernetes supports several authentication mechanisms and allows several authentication plugins to be enabled at the same time (the request is accepted as soon as one of them succeeds). On success the authenticated username (and its groups) is handed to the authorization module for further checks; a request that no plugin accepts is answered with HTTP 401.
All of the cluster's certificates live on the master node:
[root@docker-server1 secrets]# cd /etc/kubernetes/pki/
[root@docker-server1 pki]# ll
kubectl talks to the API server using the kubeconfig file /root/.kube/config, which contains:
- the API server address
- the CA certificate (certificate-authority-data)
- the user account (kubernetes-admin)
- that user's client certificate and private key (client-certificate-data and client-key-data)
[root@docker-server1 secrets]# cat /root/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01ERXdPVEU0TVRnME0xb1hEVE13TURFd05qRTRNVGcwTTFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTWVBCkhoY3ZBdXFvTDZFOUFCYWdjeFkwT1ZuYXlJVWprY3JtZTBYbU1UcDJ1Nnl1VXhWZzNTVGJQVDlNM1VHSnlSc0YKWG1JK3FrKzg5VnhJcmgzRUE5Y2JNVm1YaE1hVHhGTHZVQVg4WGNwcmkzN0hvTDJ6amlrSUkwcjBLazhOWkUyWQpOTEowWTZNK2JDWDBEdkFiWXNRZmJOZ0VRT2VnMTBZTjd2VUpBeDE3MCtVeWxvdlBPYnVxUDc2dWZNcW80MW4yCkdXdm1FcW1YUVR0MzFnL0haeHhnYUZUUW5VSnR6QTY2VW50RmE1Y2ZpbVNIMVo3K0JyRkNzTmRkMHpCTmlCOUQKR3NlQTVCb2h5U1FVNndESEl3bllENEdIbzJNNmM0V0ZobTMwRUpjdk9UbnI0VFlOZFN0eHRKUjRuOHY1Um5oOApRNmlRQ2FkZC9uWU5qNmpDaUxVQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFKME9uN3BaRkZLdGZlNUkvKzZUK0RkRnBwbmcKN0VwQmh0Ui9xVldjUWtjaG1UVksxNTloSEpTaUplSnJnWkFnVElEOGY4dENyMklPOVFQTTdtNjRBMkJMOWNvTgpBYzYrUUJ3Uk9jODNDejBqZHdVVXdudjBCU3ZQKzlWckNIQndpbjdpYi9WYW1MdDA1YTNFcEVFcW1TSDJHQ0xhCnBzVVAzSWFDejJwcm5YVEdJN2lJZUhmN2VLazB3eGt0ZVFaMGF4MXZtK0FMS1NreWZ3dzkxRWJ5MnN6c3VqaUYKbkFzb0RKTk43UEZFcDFWYmhpOGN2SDVaWFcvWHZvOTBqU3BQUUZWZmlqdWd2SlhpMjREa2h1QVJxYnhoaGI0ZAowNlBtTk9xQVgrdDlsTFc2c2QyUVRQTEllUEtKdmtuN1JqdGFiUmVLSE1xUHZLRGludEtlUTNkYjFQOD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://192.168.132.131:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRxZ0F3SUJBZ0lJWWhZNzlUWVMzSVF3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TURBeE1Ea3hPREU0TkROYUZ3MHlNVEF4TURneE9ERTRORFphTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXMyeklaaDhyYXd6NzJmcWkKUkd4T1hpN0JaZHdyM1FsdjJ4VkRJYWd4aUN2M1ZQOENWNkphSXZwaEU2bjcrY3ozVk5LR3Z2MnpzYW9VdjVDRwowVXUvVG1HWU9hbnQxeDY1K0tCanVsYjNsaS9aVGJwZDl4UWZNMVAxaFhiQ0QwWGNGL1RnWGRvTlljUzBvWnhZClo5aFVEVWc5emdPM3pGVUVUMVlaQW90MEhBVzRmbXU5eWRUaTkxelJkdVdRR2Ezd3MwOWplT0dXTUFEQ3pnRnIKakFNaFYvLzNmYWd5M2hpdTUxOU5mZlBUZ3Z1VUlOV1NEcTNVbUJmUC9yd3hoelF2WDZrUDlPeUdqMG9xY3JWYQpsUTJQMC9lYldnVnQxVGZvK1JvS1gxVlMwNnNuS1MwUGVORnM4TTlMRmJISTQrczlXcUhTZWFrcVVzVkM2Nk8xCmxRSmNhUUlEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFLb0lpNkxQa0wzZjZxYWllVmR6OGE2cndDYWVreTRqQnFyYwovSFdPVkJGL2IyeVJHckJSTlNFd2piR2VCKzJtb3BZK1M3OTlneWRVcUp2RlZYOHNnWllBWFFURllmL0pQdTVmCmtXTS9Qc21Tc3FYQlRGZHhGR0N5RjFjc2VnT1pIQ05xTFNLdk5SN3NhTEsxV25pRzZYUThTTEVKSTY4aHNWaUoKQ2Y3MGxMOUQ3K3lkbzZRVHN0enY4ZmI4aVU1dEhnY0ZyRDdOZzJ2dlpraXdWWjhvWnVTTGw1Q0RIK3E1cmpOdAowSDJ4c1hrMzhTMk9MQkJOUDYrcSt4UVZ1RW5OR1pYdVc3SmRndEFzdVZJRXFpMVdKWGVHM1pLWGpOSE5nRWtvCmFBRWQzVHpqVmR6ZVVZcE1SV3F2TGNSeTNKQVNHT0UyaHdDWVZmWVE3ZStNMWx5M0dDMD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: (private key omitted)
The kubernetes-admin certificate that kubeadm generates has subject CN=kubernetes-admin, O=system:masters, so this file authenticates as user kubernetes-admin in group system:masters, and system:masters is bound to the cluster-admin ClusterRole by default. Whoever obtains this file owns the cluster; treat it like a root password.
1.3 Certificate encoding
The *-data fields of a kubeconfig are produced by base64-encoding the PEM files with base64 -w 0. This is encoding, not encryption: anyone who can read the file can recover the key. Note also what sa.key is: the private key the API server uses to sign service-account tokens. Anyone who obtains it can mint a valid token for any service account in the cluster, so it must never leave the master.
[root@docker-server1 pki]# cat sa.key |base64 -w 0
1.4 The private key inside the kubeconfig file
The client-key-data field of /root/.kube/config holds the admin's private key, base64-encoded and unencrypted:
[root@docker-server1 pki]# cat /root/.kube/config
1.5 Authentication flows
On the master, the controller manager and scheduler were traditionally pointed at the API server's local insecure (plain HTTP) port. That port performs no authentication at all and every request on it has full privileges, which is only tolerable because it is bound to localhost. On a kubeadm cluster the controller manager and scheduler in fact authenticate over the TLS port with their own client certificates (/etc/kubernetes/controller-manager.conf and /etc/kubernetes/scheduler.conf), and the insecure port has been removed from kube-apiserver in current releases, so nothing should depend on it.
Authentication between a node's kubelet and the API server: when the cluster is initialized a bootstrap token is created (with kubeadm it is stored as a Secret in kube-system; see the bootstrap token plugin below). On its first connection the kubelet presents this token and is authenticated as a bootstrap user in the system:bootstrappers group. It then submits a certificate signing request, the API server (through the controller manager) issues a client certificate, and from then on the kubelet authenticates with that certificate, which is referenced from the kubelet's kubeconfig (kubelet.conf on a kubeadm node).
Authentication between the API server and kube-proxy:
Authentication plugins
X509 client certificates
- Enabled by starting the API server with --client-ca-file=SOMEFILE. For a client certificate that chains to that CA, the subject's CN (Common Name) becomes the username and each O (Organization) becomes a group. kubeadm's admin certificate, for example, carries CN=kubernetes-admin and O=system:masters.
Static token file
- Enabled with --token-auth-file=SOMEFILE.
- The file is CSV with at least three columns, token,user,uid, followed by an optional quoted list of groups:
- token,user,uid,"group1,group2,group3"
- The file is read once at startup, so changing it requires an API server restart, and the tokens never expire.
Bootstrap tokens
- Bootstrap tokens are generated dynamically and stored as Secrets in the kube-system namespace; they are used while bringing up a new cluster and joining nodes to it.
- Enable them with --enable-bootstrap-token-auth on the API server (originally --experimental-bootstrap-token-auth), and run the TokenCleaner and BootstrapSigner controllers in the controller manager: --controllers=*,tokencleaner,bootstrapsigner.
- When a cluster is deployed with kubeadm, kubeadm creates a default token automatically; list them with kubeadm token list.
Static password file
- Enabled with --basic-auth-file=SOMEFILE. The file is CSV with at least three columns, password,user,uid, followed by optional group names:
- password,user,uid,"group1,group2,group3"
- HTTP basic authentication was deprecated in Kubernetes 1.16 and removed in 1.19; do not rely on it.
Service Account
- Service account tokens are generated by Kubernetes and automatically mounted into containers at /var/run/secrets/kubernetes.io/serviceaccount.
OpenID Connect
- Authentication through an OAuth2/OIDC identity provider: the client presents the provider's ID token as a bearer token and the API server validates it against the provider's signing keys.
OpenStack Keystone password
- Required --experimental-keystone-url=<AuthURL> on the API server and, for https, --experimental-keystone-ca-file=SOMEFILE. This authenticator has since been removed from kube-apiserver.
Anonymous requests
- With any authorization mode other than AlwaysAllow, anonymous requests are enabled by default: a request that carries no credentials at all is authenticated as user system:anonymous in group system:unauthenticated and then goes through authorization like any other request. Disable this with --anonymous-auth=false. A request that presents a credential no plugin accepts is rejected with 401 instead.
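The plugin chain described above, as an added example that is not part of the original post: the API server tries its authenticators in order and accepts the request as soon as one succeeds, falls back to system:anonymous only when no credential was presented, and answers 401 when a credential was presented that nobody accepts. The code re-implements two of the plugins (static token file and bootstrap tokens) with the standard library only; the token values, user names and Secret contents are constructed for the demo, and the plain-text dict stands in for the base64-encoded bootstrap Secrets in kube-system.

```python
import csv
import hmac
import io
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class UserInfo:
    """What an authenticator hands to the authorizer: name, uid and groups."""
    name: str
    uid: str = ""
    groups: list = field(default_factory=list)


# Constructed sample of a --token-auth-file: token,user,uid,"group1,group2"
STATIC_TOKEN_FILE = """\
31ada4fd-adec-460c-809a-9e56ceb75269,alice,1001,"system:masters"
c5c2e4a0-3a3a-4c5e-9f1c-7b2a1a0c1234,bob,1002,"developers,qa"
"""

# Constructed plain-text view of two bootstrap.kubernetes.io/token Secrets in
# kube-system, keyed by token-id (the real Secrets hold these fields base64-encoded).
BOOTSTRAP_SECRETS = {
    "abcdef": {"token-secret": "0123456789abcdef", "expiration": "2099-01-01T00:00:00Z",
               "usage-bootstrap-authentication": "true",
               "auth-extra-groups": "system:bootstrappers:kubeadm:default-node-token"},
    "expire": {"token-secret": "fedcba9876543210", "expiration": "2020-01-01T00:00:00Z",
               "usage-bootstrap-authentication": "true", "auth-extra-groups": ""},
}


class StaticTokenFile:
    """The --token-auth-file plugin: tokens are fixed at startup and never expire."""

    def __init__(self, text: str):
        self.users = {}
        for row in csv.reader(io.StringIO(text)):
            if not row or row[0].startswith("#"):
                continue
            if len(row) < 3:
                raise ValueError("static token file needs token,user,uid per line")
            groups = [g for g in row[3].split(",") if g] if len(row) > 3 else []
            self.users[row[0]] = UserInfo(row[1], row[2], groups)

    def authenticate(self, token: str):
        # Constant-time comparison against every known token, so response timing
        # does not reveal how many leading characters of a guess were right.
        for known, user in self.users.items():
            if hmac.compare_digest(known.encode(), token.encode()):
                return user
        return None


class BootstrapTokens:
    """The bootstrap token plugin: <id>.<secret>, looked up in kube-system Secrets."""

    TOKEN_RE = re.compile(r"^([a-z0-9]{6})\.([a-z0-9]{16})$")

    def __init__(self, secrets: dict, now: datetime = None):
        self.secrets = secrets
        self.now = now or datetime.now(timezone.utc)

    def authenticate(self, token: str):
        m = self.TOKEN_RE.match(token)
        if not m:
            return None
        token_id, token_secret = m.groups()
        s = self.secrets.get(token_id)
        if s is None or not hmac.compare_digest(s["token-secret"].encode(), token_secret.encode()):
            return None
        if s.get("usage-bootstrap-authentication") != "true":
            return None  # the Secret exists but is not allowed for authentication
        exp = s.get("expiration")
        if exp:
            exp_at = datetime.strptime(exp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if exp_at <= self.now:
                return None  # expired; TokenCleaner would also delete the Secret
        groups = ["system:bootstrappers"] + [g for g in s.get("auth-extra-groups", "").split(",") if g]
        return UserInfo("system:bootstrap:" + token_id, groups=groups)


class AuthenticatorChain:
    """Union of authenticators in API-server order; the first success wins."""

    def __init__(self, authenticators, anonymous_auth: bool = True):
        self.authenticators = list(authenticators)
        self.anonymous_auth = anonymous_auth  # --anonymous-auth

    def authenticate(self, headers: dict):
        """Return the UserInfo for the request, or None (the API server answers 401)."""
        auth = headers.get("Authorization", "")
        if auth.startswith("Bearer "):
            token = auth[len("Bearer "):].strip()
            for plugin in self.authenticators:
                user = plugin.authenticate(token)
                if user is not None:
                    # Every authenticated identity is also put in system:authenticated.
                    return UserInfo(user.name, user.uid, user.groups + ["system:authenticated"])
            # A credential was presented and nobody accepted it: reject (401),
            # even when anonymous access is enabled.
            return None
        if self.anonymous_auth:
            # No credential at all: the request proceeds as system:anonymous and is
            # then subject to authorization, which is why an unauthenticated curl to
            # the API server is answered with 403 rather than 401.
            return UserInfo("system:anonymous", groups=["system:unauthenticated"])
        return None
```

The order of the plugins matters only for performance, not for the result, because every plugin either recognizes the token or passes; what does matter is that an expired bootstrap token and an unknown token both end in 401 while a missing header ends in an anonymous identity.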
Kubernetes account types
- User accounts are for people (administrators); ServiceAccounts are for processes running inside Pods.
- User accounts are cluster-wide; a ServiceAccount belongs to one namespace.
- Groups associate several accounts. Some groups exist by default, for example system:masters, which the default bindings grant cluster-admin.
- Kubernetes has no User object in its API, so users cannot be listed from inside the cluster; a "user" is simply whatever name the authenticator returns.
Service Account
- A ServiceAccount exists so that processes inside a Pod can call the Kubernetes API (or other external services). It differs from a user account:
- a user account is for humans, while a service account is for processes in a Pod calling the Kubernetes API;
- a user account spans namespaces, while a service account is confined to the namespace it lives in;
- every namespace automatically gets a ServiceAccount named default;
- the token controller watches for ServiceAccount creation and creates a token Secret for each one (in the Kubernetes releases used here; since 1.24 this Secret is no longer created automatically and a bound, expiring token is projected into the Pod instead).
- With the ServiceAccount admission controller enabled:
- every Pod gets spec.serviceAccountName set to default on creation, unless another ServiceAccount is specified;
- the ServiceAccount a Pod references must exist, otherwise the Pod is rejected;
- if the Pod specifies no imagePullSecrets, the ServiceAccount's imagePullSecrets are added to it;
- each container gets the ServiceAccount's token and ca.crt mounted at /var/run/secrets/kubernetes.io/serviceaccount/.
The default authentication is certificate-based mutual TLS; creating a Kubernetes cluster generates this set of certificates automatically.
1.6 Authorization
Authorization controls access to cluster resources: the attributes of the request (user, groups, verb, API group, resource, namespace) are checked against the configured policies, and the request is processed only if some policy permits it. As with authentication, Kubernetes supports several authorization mechanisms and allows several authorizer plugins to be enabled at the same time (the request is allowed as soon as one of them allows it). An authorized request is passed on to admission control for further validation; a request that no authorizer permits is answered with HTTP 403.
Authorization is expressed through roles:
[root@docker-server1 secrets]# kubectl get clusterroles
NAME                                                                   AGE
admin                                                                  8d
cluster-admin                                                          8d
edit                                                                   8d
flannel                                                                8d
kubernetes-dashboard                                                   8d
system:aggregate-to-admin                                              8d
system:aggregate-to-edit                                               8d
system:aggregate-to-view                                               8d
system:auth-delegator                                                  8d
system:basic-user                                                      8d
system:certificates.k8s.io:certificatesigningrequests:nodeclient       8d
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   8d
system:controller:attachdetach-controller                              8d
system:controller:certificate-controller                               8d
system:controller:clusterrole-aggregation-controller                   8d
system:controller:cronjob-controller                                   8d
system:controller:daemon-set-controller                                8d
system:controller:deployment-controller                                8d
system:controller:disruption-controller                                8d
system:controller:endpoint-controller                                  8d
system:controller:expand-controller                                    8d
system:controller:generic-garbage-collector                            8d
system:controller:horizontal-pod-autoscaler                            8d
system:controller:job-controller                                       8d
system:controller:namespace-controller                                 8d
system:controller:node-controller                                      8d
system:controller:persistent-volume-binder                             8d
system:controller:pod-garbage-collector                                8d
system:controller:pv-protection-controller                             8d
system:controller:pvc-protection-controller                            8d
system:controller:replicaset-controller                                8d
system:controller:replication-controller                               8d
system:controller:resourcequota-controller                             8d
system:controller:route-controller                                     8d
system:controller:service-account-controller                           8d
system:controller:service-controller                                   8d
system:controller:statefulset-controller                               8d
system:controller:ttl-controller                                       8d
system:coredns                                                         8d
system:discovery                                                       8d
system:heapster                                                        8d
system:kube-aggregator                                                 8d
system:kube-controller-manager                                         8d
system:kube-dns                                                        8d
system:kube-scheduler                                                  8d
system:kubelet-api-admin                                               8d
system:node                                                            8d
system:node-bootstrapper                                               8d
system:node-problem-detector                                           8d
system:node-proxier                                                    8d
system:persistent-volume-provisioner                                   8d
system:public-info-viewer                                              8d
system:volume-scheduler                                                8d
view                                                                   8d
Those are the built-in ClusterRoles (plus flannel and kubernetes-dashboard, which were added by those add-ons).
cluster-admin is the superuser role.
Scope of a role:
roles: namespace level
clusterroles: cluster level
Granting access: a RoleBinding (within a namespace) or a ClusterRoleBinding (cluster-wide) ties a role to a subject (a user, a group or a service account) and is itself a new resource.
This model is called RBAC (role-based access control).
2 Reading an ingress controller's authorization
2.1 Every deployed system runs under a service-account identity
[root@docker-server1 pki]# kubectl get sa
NAME      SECRETS   AGE
default   1         8d
[root@docker-server1 pki]# kubectl get sa default -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2020-01-09T18:19:18Z"
  name: default
  namespace: default
  resourceVersion: "359"
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 47332a49-bbac-46b8-9fd7-18943e710021
secrets:
- name: default-token-bwbrn
2.2 The ingress controller's ServiceAccount
[root@docker-server1 pki]# vi /yamls/ingress/nginx-controller.yaml
2.3 The rules
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
    verbs:
      - update
Read the first rule carefully: because this is a ClusterRole bound cluster-wide, it grants list and watch on secrets in every namespace, and a list returns the full objects. So the controller can read every Secret in the cluster even though get is not granted; a compromise of the ingress controller Pod exposes every TLS key and credential stored as a Secret. Also note that update is granted on the ingresses/status subresource only, not on ingresses themselves.
2.4 Binding the permissions
2.5 The cluster-admin ClusterRole
[root@docker-server1 pki]# kubectl get clusterrole -o yaml cluster-admin
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2020-01-09T18:18:59Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "45"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-admin
  uid: 277dddfd-c72d-4450-97e1-244c56ad837a
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
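How the API server decides whether a role's rules cover a request, as an added example serving both the ingress ClusterRole of 2.3 and cluster-admin above (this is illustration code, not code from the post or from the ingress-nginx project). It re-implements the matching semantics of the RBAC authorizer: apiGroups, resources and verbs are matched exactly or by "*", a subresource such as ingresses/status is a distinct resource that a rule may also cover with "*/status", non-resource paths such as /healthz are matched only by rules that carry nonResourceURLs (where a trailing "*" is a prefix wildcard), and RBAC is allow-only, so the request passes if any rule matches. The two rule sets are transcribed from the YAML on this page; the Request type and the verb list in allowed_verbs are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """The attributes of an API request that RBAC looks at."""
    verb: str
    api_group: str = ""         # "" is the core group (pods, secrets, nodes, ...)
    resource: str = ""          # "pods", or "ingresses/status" for a subresource
    non_resource_url: str = ""  # set instead of resource for paths such as /healthz


# ClusterRole nginx-ingress-clusterrole, transcribed from the manifest in 2.3.
NGINX_INGRESS_RULES = [
    {"apiGroups": [""], "resources": ["configmaps", "endpoints", "nodes", "pods", "secrets"],
     "verbs": ["list", "watch"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
    {"apiGroups": ["extensions", "networking.k8s.io"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions", "networking.k8s.io"], "resources": ["ingresses/status"],
     "verbs": ["update"]},
]

# Built-in ClusterRole cluster-admin, as printed by kubectl above.
CLUSTER_ADMIN_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"nonResourceURLs": ["*"], "verbs": ["*"]},
]


def _verb_matches(rule: dict, verb: str) -> bool:
    return any(v == "*" or v == verb for v in rule.get("verbs", []))


def _group_matches(rule: dict, group: str) -> bool:
    return any(g == "*" or g == group for g in rule.get("apiGroups", []))


def _resource_matches(rule: dict, resource: str) -> bool:
    # "pods" does not cover "pods/log": a subresource must be named, either
    # exactly ("pods/log") or for every resource ("*/log"); "*" covers everything.
    _, _, subresource = resource.partition("/")
    for r in rule.get("resources", []):
        if r == "*" or r == resource:
            return True
        if subresource and r == "*/" + subresource:
            return True
    return False


def _url_matches(rule: dict, url: str) -> bool:
    for pattern in rule.get("nonResourceURLs", []):
        if pattern == "*" or pattern == url:
            return True
        if pattern.endswith("*") and url.startswith(pattern[:-1]):
            return True
    return False


def rule_allows(rule: dict, req: Request) -> bool:
    """One PolicyRule against one request; resource rules never match paths and vice versa."""
    if not _verb_matches(rule, req.verb):
        return False
    if req.non_resource_url:
        return _url_matches(rule, req.non_resource_url)
    return _group_matches(rule, req.api_group) and _resource_matches(rule, req.resource)


def role_allows(rules: list, req: Request) -> bool:
    """RBAC has no deny rules: the request is allowed if any rule of any bound role matches."""
    return any(rule_allows(rule, req) for rule in rules)


def allowed_verbs(rules: list, api_group: str, resource: str) -> list:
    """Which of the standard verbs a role grants on a resource (handy for a quick audit)."""
    verbs = ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
    return [v for v in verbs if role_allows(rules, Request(v, api_group, resource))]
```

Running allowed_verbs over every resource a role names is a cheap way to review a third-party manifest before applying it; kubectl auth can-i --list --as=system:serviceaccount:<ns>:<name> asks the real authorizer the same question once the binding exists.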
3 Creating a superuser account
3.1 Create a service account
[root@docker-server1 pki]# mkdir /yamls/sa
[root@docker-server1 pki]# cd /yamls/sa
[root@docker-server1 sa]# vi test-sa.taml
apiVersion: v1
kind: ServiceAccount
metadata:
name: test-sa
[root@docker-server1 sa]# kubectl apply -f test-sa.taml
serviceaccount/test-sa created
[root@docker-server1 sa]# kubectl get sa
NAME      SECRETS   AGE
default   1         8d
test-sa   1         12s
Now make this service account a superuser. Be clear about what that means: the token Secret created for test-sa is a non-expiring cluster-admin credential, and anyone who can read Secrets in the default namespace (or who captures the token where it is pasted into the dashboard) gains full control of the cluster. Do this only in a lab; in production, bind the narrowest role that does the job.
3.2 Bind it to cluster-admin
[root@docker-server1 sa]# vim test-sa-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-sa-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: test-sa
  namespace: default
(A ClusterRoleBinding is cluster-scoped, so the metadata.namespace: ingress-nginx line in the original manifest had no effect and is dropped here; the namespace that matters is the one under subjects, which must be the namespace the ServiceAccount lives in. The rbac.authorization.k8s.io/v1beta1 API was removed in Kubernetes 1.22, so v1 is used.)
[root@docker-server1 sa]# kubectl apply -f test-sa-role.yaml
clusterrolebinding.rbac.authorization.k8s.io/test-sa-role-binding created
[root@docker-server1 sa]# kubectl get clusterrolebinding |grep test
3.3 Inspect the administrator
[root@docker-server1 sa]# kubectl describe clusterrolebinding test-sa-role-binding
Name:         test-sa-role-binding
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"test-sa-role-binding"},...
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  test-sa  default
[root@docker-server1 sa]# kubectl describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]
[root@docker-server1 sa]# kubectl describe sa test-sa
Name:                test-sa
Namespace:           default
Labels:              <none>
Annotations:         kubectl.kubernetes.io/last-applied-configuration:
                       {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"test-sa","namespace":"default"}}
Image pull secrets:  <none>
Mountable secrets:   test-sa-token-rn7db
Tokens:              test-sa-token-rn7db   # it has a token of its own
Events:              <none>
3.4 Look at the token in the Secret
[root@docker-server1 sa]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-bwbrn   kubernetes.io/service-account-token   3      8d
hub-secret            kubernetes.io/dockerconfigjson        1      164m
test-sa-token-rn7db   kubernetes.io/service-account-token   3      13m
[root@docker-server1 sa]# kubectl describe secret test-sa-token-rn7db
Name:         test-sa-token-rn7db
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: test-sa
              kubernetes.io/service-account.uid: 6e767195-c019-43b0-ad6a-81b35e86b9f7
Type:  kubernetes.io/service-account-token
Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6Inl0U2JtWkVaSkNjbFpCMGpkVktHTGtTUTFvZFc3LVUxeUllRkRyalcxYncifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRlc3Qtc2EtdG9rZW4tcm43ZGIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoidGVzdC1zYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjZlNzY3MTk1LWMwMTktNDNiMC1hZDZhLTgxYjM1ZTg2YjlmNyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnRlc3Qtc2EifQ.RydJTCW3yocxk3_3ThwuWz4zSzymQScvOc7gw1-GsATHfilDK7-CPrEYSkaA90uNFIBfQJovxzpbEtPmge7MAoweCp52Sx8cdA8ppxxgBGpIMC-EiV4unsazxZprrqbGuQ45UCumZYVu70X4UjuPaScf9fHRfJtESDbDEWjeIknhNFcLSw8TCxVpoprC1teF6HflFXG90sR3V_ag2lAXFMeobrnhcTPL5NCxKbwYzsJkiCDIlOsEppCS8d1AZ77pQcTzPLtpe7GtJIhQN-ZBlBrhlEqRCNsEPnG-Ar6eGu5jb5gvOf8NXm_OPnRRyYh8OEHJ_LcdAjq92w2BXmdTYw
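What is inside that token, as an added example that is not part of the original post: a legacy service-account token is a JWT signed with sa.key, and its claims can be read (not trusted) with the standard library alone. The token below is copied verbatim from the kubectl output above; the function names and the risk-note wording are this example's own. The signature is deliberately not verified here, because that needs the public half of the signing key (sa.pub on the master); only the API server, which holds that key, can decide whether the token is genuine.

```python
import base64
import json

# Token copied verbatim from `kubectl describe secret test-sa-token-rn7db` above,
# written as its three compact-JWS segments: header, payload, signature.
TEST_SA_TOKEN = ".".join([
    "eyJhbGciOiJSUzI1NiIsImtpZCI6Inl0U2JtWkVaSkNjbFpCMGpkVktHTGtTUTFvZFc3LVUxeUllRkRyalcxYncifQ",
    "eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRlc3Qtc2EtdG9rZW4tcm43ZGIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoidGVzdC1zYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjZlNzY3MTk1LWMwMTktNDNiMC1hZDZhLTgxYjM1ZTg2YjlmNyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnRlc3Qtc2EifQ",
    "RydJTCW3yocxk3_3ThwuWz4zSzymQScvOc7gw1-GsATHfilDK7-CPrEYSkaA90uNFIBfQJovxzpbEtPmge7MAoweCp52Sx8cdA8ppxxgBGpIMC-EiV4unsazxZprrqbGuQ45UCumZYVu70X4UjuPaScf9fHRfJtESDbDEWjeIknhNFcLSw8TCxVpoprC1teF6HflFXG90sR3V_ag2lAXFMeobrnhcTPL5NCxKbwYzsJkiCDIlOsEppCS8d1AZ77pQcTzPLtpe7GtJIhQN-ZBlBrhlEqRCNsEPnG-Ar6eGu5jb5gvOf8NXm_OPnRRyYh8OEHJ_LcdAjq92w2BXmdTYw",
])


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> dict:
    """Split a compact JWS into header, claims and raw signature. Nothing is verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "claims": json.loads(_b64url_decode(parts[1])),
        "signature": _b64url_decode(parts[2]),
    }


def service_account_identity(claims: dict) -> tuple:
    """(namespace, name) of the ServiceAccount a legacy token speaks for.

    The API server authenticates the bearer as system:serviceaccount:<ns>:<name>,
    which is the subject name that RoleBindings and ClusterRoleBindings refer to.
    """
    ns = claims["kubernetes.io/serviceaccount/namespace"]
    name = claims["kubernetes.io/serviceaccount/service-account.name"]
    if claims.get("sub") != f"system:serviceaccount:{ns}:{name}":
        raise ValueError("sub claim disagrees with the namespace/name claims")
    return ns, name


def token_risk_notes(decoded: dict) -> list:
    """Properties a defender should notice about this token if it ever leaks."""
    claims = decoded["claims"]
    notes = []
    if "exp" not in claims:
        notes.append("no exp claim: a legacy Secret-based token stays valid until the Secret is deleted")
    if "aud" not in claims:
        notes.append("no aud claim: not bound to an audience, usable wherever the signing key is trusted")
    if decoded["header"].get("alg") != "RS256":
        notes.append("unexpected alg: kube-apiserver issues asymmetrically signed tokens (RS256 here)")
    return notes
```

Because the signature covers the claims, editing the payload (say, changing the namespace to kube-system) produces a token the API server rejects; only sa.key can produce an accepted one, which is the point made in 1.3 about protecting that file. Revoking a leaked legacy token means deleting its Secret, since there is no expiry to wait out.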
3.5 Log into the dashboard
This token can be used to log into the dashboard:
[root@docker-server1 sa]# kubectl get pods -n kubernetes-dashboard -o wide
NAME                                         READY   STATUS    RESTARTS   AGE     IP            NODE              NOMINATED NODE   READINESS GATES
dashboard-metrics-scraper-76585494d8-95j9v   1/1     Running   1          8d      10.244.2.13   192.168.132.133   <none>           <none>
kubernetes-dashboard-b7ffbc8cb-nz5gf         1/1     Running   0          4d20h   10.244.0.11   192.168.132.131   <none>           <none>
[root@docker-server1 sa]# kubectl get svc -n kubernetes-dashboard -o wide
NAME                        TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE   SELECTOR
dashboard-metrics-scraper   ClusterIP   10.96.93.119   <none>        8000/TCP        8d    k8s-app=dashboard-metrics-scraper
kubernetes-dashboard        NodePort    10.96.87.98    <none>        443:32443/TCP   8d    k8s-app=kubernetes-dashboard
Open https://192.168.132.131:32443/ in a browser. The dashboard presents a self-signed certificate, so the browser warns:
- click Advanced and accept the risk
- choose the Token sign-in method and paste the token
- sign in
- the dashboard UI appears, with cluster-admin rights because of the binding above
3.6 Access the API server from the command line
Without credentials the request is refused:
[root@docker-server1 sa]# curl -k https://192.168.132.131:6443
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
  },
  "code": 403
}
Note that this is a 403, not a 401: anonymous authentication is enabled, so the request without credentials was accepted as system:anonymous and then denied by RBAC. Note also that -k disables verification of the server certificate; outside a lab pass --cacert /etc/kubernetes/pki/ca.crt instead, so that a bearer token is never sent to a server that merely claims to be the API server.
With the token, the request is authenticated as system:serviceaccount:default:test-sa, which is bound to cluster-admin, and the API root listing comes back:
[root@docker-server1 sa]# curl -k --header "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Inl0U2JtWkVaSkNjbFpCMGpkVktHTGtTUTFvZFc3LVUxeUllRkRyalcxYncifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRlc3Qtc2EtdG9rZW4tcm43ZGIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoidGVzdC1zYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjZlNzY3MTk1LWMwMTktNDNiMC1hZDZhLTgxYjM1ZTg2YjlmNyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnRlc3Qtc2EifQ.RydJTCW3yocxk3_3ThwuWz4zSzymQScvOc7gw1-GsATHfilDK7-CPrEYSkaA90uNFIBfQJovxzpbEtPmge7MAoweCp52Sx8cdA8ppxxgBGpIMC-EiV4unsazxZprrqbGuQ45UCumZYVu70X4UjuPaScf9fHRfJtESDbDEWjeIknhNFcLSw8TCxVpoprC1teF6HflFXG90sR3V_ag2lAXFMeobrnhcTPL5NCxKbwYzsJkiCDIlOsEppCS8d1AZ77pQcTzPLtpe7GtJIhQN-ZBlBrhlEqRCNsEPnG-Ar6eGu5jb5gvOf8NXm_OPnRRyYh8OEHJ_LcdAjq92w2BXmdTYw" https://192.168.132.131:6443
{ "paths": [ "/api", "/api/v1", "/apis", "/apis/", "/apis/admissionregistration.k8s.io", "/apis/admissionregistration.k8s.io/v1", "/apis/admissionregistration.k8s.io/v1beta1", "/apis/apiextensions.k8s.io", "/apis/apiextensions.k8s.io/v1", "/apis/apiextensions.k8s.io/v1beta1", "/apis/apiregistration.k8s.io", "/apis/apiregistration.k8s.io/v1", "/apis/apiregistration.k8s.io/v1beta1", "/apis/apps", "/apis/apps/v1", "/apis/authentication.k8s.io", "/apis/authentication.k8s.io/v1", "/apis/authentication.k8s.io/v1beta1", "/apis/authorization.k8s.io", "/apis/authorization.k8s.io/v1", "/apis/authorization.k8s.io/v1beta1", "/apis/autoscaling", "/apis/autoscaling/v1", "/apis/autoscaling/v2beta1", "/apis/autoscaling/v2beta2", "/apis/batch", "/apis/batch/v1", "/apis/batch/v1beta1", "/apis/certificates.k8s.io", "/apis/certificates.k8s.io/v1beta1", "/apis/coordination.k8s.io", "/apis/coordination.k8s.io/v1", "/apis/coordination.k8s.io/v1beta1", "/apis/discovery.k8s.io", "/apis/discovery.k8s.io/v1beta1", "/apis/events.k8s.io", "/apis/events.k8s.io/v1beta1", "/apis/extensions", "/apis/extensions/v1beta1", "/apis/networking.k8s.io", "/apis/networking.k8s.io/v1", "/apis/networking.k8s.io/v1beta1", "/apis/node.k8s.io", "/apis/node.k8s.io/v1beta1", "/apis/policy", "/apis/policy/v1beta1", "/apis/rbac.authorization.k8s.io", "/apis/rbac.authorization.k8s.io/v1", "/apis/rbac.authorization.k8s.io/v1beta1", "/apis/scheduling.k8s.io", "/apis/scheduling.k8s.io/v1", "/apis/scheduling.k8s.io/v1beta1", "/apis/storage.k8s.io", "/apis/storage.k8s.io/v1", "/apis/storage.k8s.io/v1beta1", "/healthz", "/healthz/autoregister-completion", "/healthz/etcd", "/healthz/log", "/healthz/ping", "/healthz/poststarthook/apiservice-openapi-controller", "/healthz/poststarthook/apiservice-registration-controller", "/healthz/poststarthook/apiservice-status-available-controller", "/healthz/poststarthook/bootstrap-controller", "/healthz/poststarthook/crd-informer-synced", 
"/healthz/poststarthook/generic-apiserver-start-informers", "/healthz/poststarthook/kube-apiserver-autoregistration", "/healthz/poststarthook/rbac/bootstrap-roles", "/healthz/poststarthook/scheduling/bootstrap-system-priority-classes", "/healthz/poststarthook/start-apiextensions-controllers", "/healthz/poststarthook/start-apiextensions-informers", "/healthz/poststarthook/start-cluster-authentication-info-controller", "/healthz/poststarthook/start-kube-aggregator-informers", "/healthz/poststarthook/start-kube-apiserver-admission-initializer", "/livez", "/livez/autoregister-completion", "/livez/etcd", "/livez/log", "/livez/ping", "/livez/poststarthook/apiservice-openapi-controller", "/livez/poststarthook/apiservice-registration-controller", "/livez/poststarthook/apiservice-status-available-controller", "/livez/poststarthook/bootstrap-controller", "/livez/poststarthook/crd-informer-synced", "/livez/poststarthook/generic-apiserver-start-informers", "/livez/poststarthook/kube-apiserver-autoregistration", "/livez/poststarthook/rbac/bootstrap-roles", "/livez/poststarthook/scheduling/bootstrap-system-priority-classes", "/livez/poststarthook/start-apiextensions-controllers", "/livez/poststarthook/start-apiextensions-informers", "/livez/poststarthook/start-cluster-authentication-info-controller", "/livez/poststarthook/start-kube-aggregator-informers", "/livez/poststarthook/start-kube-apiserver-admission-initializer", "/logs", "/metrics", "/openapi/v2", "/readyz", "/readyz/autoregister-completion", "/readyz/etcd", "/readyz/log", "/readyz/ping", "/readyz/poststarthook/apiservice-openapi-controller", "/readyz/poststarthook/apiservice-registration-controller", "/readyz/poststarthook/apiservice-status-available-controller", "/readyz/poststarthook/bootstrap-controller", "/readyz/poststarthook/crd-informer-synced", "/readyz/poststarthook/generic-apiserver-start-informers", "/readyz/poststarthook/kube-apiserver-autoregistration", "/readyz/poststarthook/rbac/bootstrap-roles", 
"/readyz/poststarthook/scheduling/bootstrap-system-priority-classes", "/readyz/poststarthook/start-apiextensions-controllers", "/readyz/poststarthook/start-apiextensions-informers", "/readyz/poststarthook/start-cluster-authentication-info-controller", "/readyz/poststarthook/start-kube-aggregator-informers", "/readyz/poststarthook/start-kube-apiserver-admission-initializer", "/readyz/shutdown", "/version" ] }
Lab complete.
Author's note: the content of this article comes mainly from teacher 晏威 of 譽天教育 and was verified by my own hands-on lab work. Readers who wish to republish it should contact 譽天教育 (http://www.yutianedu.com/) for official permission, or obtain the consent of teacher 晏 himself (https://www.cnblogs.com/breezey/). Thank you!