RBAC可以设置subject:user,group和serviceaccount.
user不是k8s管理的,可以通过具体的服务进行管理。对应k8s中就是secret。
serviceaccount是通过k8s管理的。就是每个pod访问api server的权限。
api启动参数分为--client的各种crt,key kubelete各种证书,tls(api srever自己用于客户端认证)各种证书,service account,etcd,bootstrap-token-auth(用于kubelete启动自动获取证书的证书)
aggregate api:
The kube-apiserver needs a proxy client certificate for the aggregated API servers to trust in order to effectively proxy authentication. kubeadm already has the cert/key pairs required and #43715 wires them together.
We need similar wiring for kube-up.sh so that our e2e tests can test the authentication and authorization flows.
所以apiserver需要设置如下:
- --proxy-client-cert-file=/etc/kubernetes/secrets/apiserver-proxy.crt
- --proxy-client-key-file=/etc/kubernetes/secrets/apiserver-proxy.key
- --requestheader-client-ca-file=/etc/kubernetes/secrets/aggregator-ca.crt
- --requestheader-allowed-names=kube-apiserver-proxy
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --requestheader-group-headers=X-Remote-Group
- --requestheader-username-headers=X-Remote-User