An attempt to connect to a k8s cluster with the curl command from a remote machine, to see the k8s security mechanisms in action.
Connecting to the control plane directly with curl
curl https://k8s-api:6443
This fails with
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
This happens because the CA certificate is missing. On the cluster's master node, obtain the CA certificate with the following command (the output is redirected to ca.crt, which the next step passes to curl)
kubectl get secret \
$(kubectl get secrets | grep default-token | awk '{print $1}') \
-o jsonpath="{['data']['ca\.crt']}" | base64 --decode > ca.crt
Retry the connection with the CA certificate passed to curl
curl --cacert ca.crt https://k8s-api:6443
The server now responds with 403
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}
This is because no access token for a ServiceAccount was supplied. Create a ServiceAccount
kubectl create serviceaccount curl-user -n kube-system
Bind this account to the cluster-admin role
kubectl create clusterrolebinding curl-user-binding --clusterrole=cluster-admin --serviceaccount=kube-system:curl-user -n kube-system
Obtain the access token for this account
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep curl-user | awk '{print $1}')
or read it straight into the TOKEN variable used by the next command
TOKEN=$(kubectl -n kube-system get secret $(kubectl -n kube-system get secret | grep curl-user | awk '{print $1}') -o jsonpath='{.data.token}' | base64 --decode)
Connect to the cluster with curl, passing the access token
curl --cacert ca.crt -H "Authorization: Bearer $TOKEN" https://k8s-api:6443
The connection succeeds
{
  "paths": [
    "/.well-known/openid-configuration",
    "/api",
    "/api/v1",
    "/apis",
    "/apis/",
    ...
  ]
}
Summary
Three essentials for connecting to a cluster:
1) the control plane address (the API server address)
2) the cluster CA certificate
3) a ServiceAccount token (the access token for the API server)
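The following shell functions are an added example, not part of the original post, that wrap the three essentials above. They assume the API server is the hypothetical https://k8s-api:6443, that the CA is in a PEM file, and that the token is kept in a file (read into a 0600 header file and passed with curl's -H @file, so it does not appear in `ps` output or shell history the way `-H "Authorization: Bearer $TOKEN"` does). The post takes the token from an auto-created ServiceAccount Secret; newer clusters no longer create those automatically (`kubectl create token` issues one instead), which is another reason to take the token from a file rather than a fixed Secret name. The functions refuse to fall back to `-k`/`--insecure`, so a missing or wrong CA fails loudly, as in the first curl error above. The last function reduces the API server's Status body (the 403 JSON above) to "code reason" without needing a JSON tool.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed inputs: an https://
# API server address, a PEM CA file and a token file readable only by the
# caller. Works with plain POSIX sh, grep and sed.

# Check the three essentials before any request is made.
# Returns 0 when all three look usable, 1 otherwise (reason on stderr).
k8s_preflight() {
    server="$1"; cacert="$2"; tokenfile="$3"
    case "$server" in
        https://*) ;;
        *) echo "server must be https://, got: $server" >&2; return 1 ;;
    esac
    if ! grep -q 'BEGIN CERTIFICATE' "$cacert" 2>/dev/null; then
        echo "CA file $cacert is not a PEM certificate" >&2; return 1
    fi
    if [ ! -s "$tokenfile" ]; then
        echo "token file $tokenfile is missing or empty" >&2; return 1
    fi
    return 0
}

# Write "Authorization: Bearer <token>" into a 0600 temp file and print its
# path; curl reads it with -H @file, keeping the token out of argv.
k8s_auth_header_file() {
    tokenfile="$1"
    hdr=$(umask 077; mktemp) || return 1
    printf 'Authorization: Bearer %s\n' "$(cat "$tokenfile")" > "$hdr"
    echo "$hdr"
}

# GET a path on the API server. Never uses -k/--insecure: verification
# against the cluster CA is the whole point of carrying ca.crt around.
k8s_curl() {
    k8s_preflight "$1" "$2" "$3" || return 1
    hdr=$(k8s_auth_header_file "$3") || return 1
    curl --silent --show-error --cacert "$2" -H @"$hdr" "$1${4:-/}"
    rc=$?
    rm -f "$hdr"
    return $rc
}

# Reduce an API-server Status body to "<code> <reason>" (e.g. "403 Forbidden"),
# or print "ok" when the body is not a Status object. Expects the
# pretty-printed form kube-apiserver emits (one field per line).
k8s_status() {
    body="$1"
    if printf '%s' "$body" | grep -q '"kind": *"Status"'; then
        code=$(printf '%s' "$body" | sed -n 's/.*"code": *\([0-9]*\).*/\1/p' | head -n 1)
        reason=$(printf '%s' "$body" | sed -n 's/.*"reason": *"\([^"]*\)".*/\1/p' | head -n 1)
        echo "$code $reason"
    else
        echo "ok"
    fi
}

# Usage (requires a reachable cluster; hypothetical paths):
#   k8s_curl https://k8s-api:6443 ./ca.crt ./token /api/v1
#   body=$(k8s_curl https://k8s-api:6443 ./ca.crt ./token /) && k8s_status "$body"
```

A 403 from k8s_status means the TLS and CA side is already fine and only authorization is missing, which is exactly the boundary the post crosses between its second and third curl call.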