This is the 16th day of my participation in Gwen Challenge

User authentication system

Apiserver is the gateway interface for all requests. During the request process, authentication is used for identity identification and authorization is used for permission check. In fact, we use the command line: Kubectl apply-f ment. Yaml is actually converted to HTTP protocol to make requests to apiserver, and authentication information is provided by ~/. Kube /config file, which records the user information of administrator privileges.

• K8s’s API is RESTfull style, so resources are identified by paths, and in K8S, resources can only belong in two places: to a cluster or to a namespace.

Cluster level: Namespace, PV namespace: POD, Deployment, daemonSet, Service, PCVCopy the code

For example, requesting the myapp-deploy controller under the delFault namespace is written as follows

http://172.16.100.100/apis/apps/v1/namespaces/default/deployments/myapp-deploy
Copy the code

Under the above said: http://172.16.100.100:6443 cluster apis apps group under the namespaces of v1 version for default under myapp – deploy controller

13.1 User Types

We use kubectl to connect to the K8S cluster for control. In fact, we use the user’s home directory. Kube /config file to connect to apiserver for authentication, while some POD (e.g. CoreDNS) also need to get cluster information, they also need to connect to the K8S cluster, so there are two types of users in K8S:

1. Kubectl config –help to create userAccount. Kubectl config –help to create useraccount
2. POD user: Serviceaccunt, which is a K8S object that can be created using kubectl Create ServiceAccount –help

13.2 How Can A POD Connect to a Cluster

Pods need to connect to and authenticate to the cluster using ServiceAccount. Pods can connect to the cluster because a built-in Service proxies POD requests to the address of apiserver.

• Servie, named Kubernetes, provides the communication for pods to connect to Apiserver

$ kubectl describe service kubernetes                            The POD in the cluster communicates with apiserver using a service, but note that apiserver requires authenticationName: kubernetes Namespace: default Labels: component=apiserver provider=kubernetes Annotations: <none> Selector: < None > Type: ClusterIP IP: 10.96.0.1# gateway to access Apiserver within the cluster
Port:              https  443/TCP
TargetPort:        6443/TCP
Endpoints:         172.16.100.101:6443                           # apiserver work address
Session Affinity:  None
Events:            <none>
Copy the code

13.3 serviceaccount object

There are two types of certification for K8S: A serviceAccount is created for POD access to apiserver. A serviceAccount is created for POD access to apiserver Even the Kubectl command line authenticates to apiserver by reading the user in config.

• Create a ServiceAccount object that automatically creates and associates a Secret. This ServiceAccount can be authenticated on apiserver, but authentication does not mean permission, so authorization is required

$ kubectl create serviceaccount admin
$ kubectl get secret

Copy the code

• Create POD using the specified ServiceAccount object

apiVersion: v1
kind: Pod
metadata:
  name: pod-serviceaccount-demo
  namespace: default
  labels:
    app: myapp
    tier: frontend
spec:
  containers:
    - name: nginx
      image: ikubernetes/myapp:v1
      ports:
        - name: http
          containerPort: 80
  serviceAccountName: admin

Copy the code

13.3.1 Using ServiceAccount in a POD

• When POD connects to apiserver, the serviceAccountName field needs to be specified in the list. See kubectl explain Pods.spec

Each POD has its own volumes by default. This is a secret storage volume where default-token-bq2GN is used to access apiserver. The secret permission can only access POD information through the API. If you want a POD to manage the cluster, you can manually create a Secret and mount it to the POD using volumes.

Serviceaccout is also part of the standard K8S object, which provides account information, but accounts are determined by the RBAC mechanism without permissions.

13.4 Kubectl configuration file

• Kubectl config view kubectl config View

apiVersion: v1
kind: Config
clusters:                                             # cluster list
- cluster:                                            # a cluster object in the list
    certificate-authority-data: DATA+OMITTED          Server authentication mode
    server: https://172.16.100.101:6443               The apiserver address of the cluster
  name: kubernetes                                    # cluster name
users:                                                # user list
- name: kubernetes-admin                              # a user object in the list
  user:                                               # 
    client-certificate-data: REDACTED                 Client certificate
    client-key-data: REDACTED                         Client private key
contexts:                                             # context list
- context:                                            # a context object in the list
    cluster: kubernetes                               # cluster name
    user: kubernetes-admin                            # user name
  name: kubernetes-admin@kubernetes                   # context name
current-context: kubernetes-admin@kubernetes          # current context
preferences: {}

Copy the code

• Configuration files save: multiple cluster, multi-user configuration, Kubectl can use different users to access different clusters.

Cluster list: cluster object list User list: user object list Context: Is a list that describes the relationship between clusters and users. Current context: Indicates which user is currently accessing which clusterCopy the code

Custom configuration information: see kubectl config --helpCa and certificate saving path: /etc/kubernetes Stores information about all cas and issued certificates.Copy the code

13.5 Adding certificate Users to Config

K8s Apiserver supports two authentication modes: SSL certificate and Token authentication. The SSL certificate is used to create users

13.5.1 Creating an SSL Certificate User

• Create a user certificate to connect to apiserver

Create private key
(umask 077; openssl genrsa -out kaliarch.key 2048)

O is the group, CN is the account, this account is used by K8S to identify the identity, authorization also needs to authorize this account
openssl req -new -key kaliarch.key -out kaliarch.csr -subj "/CN=kaliarch"
#penssl req -new -key kaliarch.key -out kaliarch.csr -subj "O=system:masters/CN=kaliarch/"

Use the CA to sign the certificate and it is valid for 1800 days
openssl x509 -req -in kaliarch.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out kaliarch.crt -days 1800

# check the certificate
openssl x509 -in kaliarch.crt -text -noout

Copy the code

13.5.2 Adding SSL Certificate Users to Config

• Add the kaliarch user to k8S config, set the client certificate to kaliarch. CRT, set the client private key to: kaliarch.key, and use –embed-certs=true to hide this confidential information

kubectl config set-credentials kaliarch --client-certificate=./kaliarch.crt --client-key=./kaliarch.key --embed-certs=true

Copy the code

13.5.3 Creating a Context for switching

• Create a context object to authorize user Kaliarch to access the cluster named Kubernetes

kubectl config set-context kaliarch@kubernetes --cluster=kubernetes --user=kaliarch

Copy the code

• Switch the currently used context to the context that authorized Kaliarch to Kubernetes

kubectl config use-context kaliarch@kubernetes

Copy the code

• Since the user is not authorized, the user cannot get the information and can switch back

$ kubectl get pods
$ kubectl config use-context kubernetes-admin@kubernetes

Copy the code

13.6 Creating a Config File

Create a new config file using kubectl config set-cluster. To set the new config file, use –kubeconfig=/ TMP /test.conf.

• Kubeconfig can specify the location of the configuration file used by kubectl. The default is config in user’s home directory. Kube

Kubectl config set - cluster k8s - cluster - server = https://172.16.100.101:6443 --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --kubeconfig=/tmp/test.conf 

Copy the code

• Add the kaliarch user to k8S config, set the client certificate to kaliarch. CRT, set the client private key to: kaliarch.key, and use –embed-certs=true to hide this confidential information

kubectl config set-credentials kaliarch --client-certificate=./kaliarch.crt --client-key=./kaliarch.key --embed-certs=true

Copy the code

• Create a context object to authorize user Kaliarch to access the cluster named Kubernetes

kubectl config set-context def-ns-admin@k8s-cluster --cluster=k8s-cluster --user=def-ns-admin --kubeconfig=/tmp/test.conf

Copy the code

• Switch the currently used context to the context that authorized Kaliarch to Kubernetes

kubectl config use-context def-ns-admin@k8s-cluster --kubeconfig=/tmp/test.con

Copy the code

13.7 Token-based Authentication

13.7.1 create serviceaccount

• Create a ServiceAccount object for POD, which is the POD’s credential to access apiserver

kubectl create serviceaccount dashborad-admin -n kube-system

Copy the code

13.7.2 Binding a Cluster Administrator Role

• Create a ClusterRoleBinding to bind a user to a cluster-admin cluster administrator (highest right)

kubectl create clusterrolebinding dashborad-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashborad-admin

Copy the code

13.7.3 Obtaining a Token Through the ServiceAccount

• Find the ServiceAccount object you just created

kubectl get secret -n kube-system

Copy the code

• Get the Token in the ServiceAccount object

kubectl describe secret -n kube-system dashborad-admin-token-skz95

Copy the code

other

Send your notes to: github.com/redhatxl/aw… Welcome one button three links