OpenShift: accessing the apiserver with curl

When you access apiserver resources with the oc command (the same as kubectl), the configuration in the /root/.kube/config file is used.

Accessing the apiserver as a user

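The oc command accesses the apiserver with the user and certificate (public and private key) defined in the config. Use the following command to view the config context currently in use: monitor is the current namespace, test-openshfit-com:8443 is the server exposed by the apiserver, and system:admin is the name of the user used to access the apiserver.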

# oc config current-context
monitor/test-openshfit-com:8443/system:admin

View the certificate that corresponds to system:admin (variables stand in for the actual values below)

users:
- name: system:admin/test-openshift-com:8443
  user:
    client-certificate-data: ${CA}
    client-key-data: ${KEY}

Export the certificate: save the content decoded below to /home/ca.cert and /home/ca.key respectively

# echo -n ${CA} | base64 --decode > /home/ca.cert
# echo -n ${KEY} | base64 --decode > /home/ca.key

The following accesses cluster-scoped resources, and works on the same principle as the oc command. The example below accesses services

APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
curl $APISERVER/api/v1/services --cert /home/ca.cert --key /home/ca.key --user system:admin
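The export step above can be scripted so that the private key is never written to a world-readable file. This is an added example, not code from the original post: the function names and the constructed sample kubeconfig with its placeholder values are assumptions, and the awk parsing assumes block-style YAML with unquoted names, as in the snippet on this page.

```shell
# extract_field CONFIG USER FIELD: print the base64 value of FIELD for USER.
# Assumes block-style YAML with unquoted names (see the users: snippet above).
extract_field() {
    awk -v user="$2" -v field="$3" '
        /^[^ #-]/ { in_users = ($1 == "users:") }   # entering a top-level key
        in_users && $1 == "-" && $2 == "name:" { hit = ($3 == user) }
        in_users && hit && $1 == (field ":") { print $2; exit }
    ' "$1"
}

# export_client_creds CONFIG USER OUTDIR: write OUTDIR/ca.cert and OUTDIR/ca.key.
export_client_creds() {
    cfg=$1 user=$2 out=$3
    cert=$(extract_field "$cfg" "$user" client-certificate-data)
    key=$(extract_field "$cfg" "$user" client-key-data)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "no embedded client cert/key for user: $user" >&2
        return 1
    fi
    (   # umask in a subshell: files are created 0600, a new OUTDIR 0700
        umask 077
        mkdir -p "$out" &&
        printf '%s' "$cert" | base64 -d > "$out/ca.cert" &&
        printf '%s' "$key" | base64 -d > "$out/ca.key"
    )
}

# make_sample PATH: constructed kubeconfig; placeholder strings stand in for PEM.
make_sample() {
    cat > "$1" <<EOF
clusters:
- cluster:
    server: https://test-openshift-com:8443
  name: test-openshift-com:8443
users:
- name: other/test-openshift-com:8443
  user:
    token: constructed-token
- name: system:admin/test-openshift-com:8443
  user:
    client-certificate-data: $(printf 'SAMPLE CERT' | base64)
    client-key-data: $(printf 'SAMPLE KEY' | base64)
EOF
}

demo=$(mktemp -d)
make_sample "$demo/config"
export_client_creds "$demo/config" "system:admin/test-openshift-com:8443" "$demo/out" && ls -l "$demo/out"
rm -rf "$demo"
```

The files written this way are passed to curl with --cert and --key exactly as in the command above, and should be deleted once the test is finished.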

 

Accessing the apiserver with a serviceaccount

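Besides providing secrets to pods, a serviceaccount can also serve as a credential for accessing apiserver resources. Use the following commands to create a serviceaccount named curltest and obtain its token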

oc create serviceaccount curltest
APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
TOKEN=$(oc serviceaccounts get-token curltest)

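After the rolebinding made with the following command, resources in the monitor namespace can be viewed, but resources in other namespaces cannot. system:master can be regarded as a super account; see user-facing-roles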

oc policy add-role-to-user system:master -z curltest
curl $APISERVER/api/v1/namespaces/monitor/services --header "Authorization: Bearer $TOKEN"

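Use the command below to view the current rolebinding, which shows the operations the current serviceaccount is permitted to perform. Note: OpenShift's add-role-to-user/add-cluster-role-to-user is in fact the Kubernetes rolebinding/clusterrolebinding operation, which grants the permissions of a role to a user or serviceaccount.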

# oc describe rolebinding system:master
Name:                   system:master
Namespace:              monitor
Created:                5 minutes ago
Labels:                 <none>
Annotations:            <none>
Role:                   /system:master
Users:                  <none>
Groups:                 <none>
ServiceAccounts:        curltest
Subjects:               <none>
Verbs                   Non-Resource URLs       Resource Names  API Groups      Resources
[*]                     []                      []              [*]             [*]
[*]                     [*]                     []              []              []

After the clusterrolebinding made with the following commands, cluster-scoped resources can be accessed. The earlier rolebinding has to be removed first

oc policy remove-role-from-user system:master -z curltest
oadm policy add-cluster-role-to-user system:master -z curltest
TOKEN=$(oc serviceaccounts get-token curltest)
curl $APISERVER/api/v1/services --header "Authorization: Bearer $TOKEN"

View the clusterrolebinding

# oc describe clusterrolebinding system:master
Name:                   system:masters
Created:                2 weeks ago
Labels:                 <none>
Annotations:            <none>
Role:                   /system:master
Users:                  <none>
Groups:                 system:masters
ServiceAccounts:        monitor/curltest
Subjects:               <none>
Verbs                   Non-Resource URLs       Resource Names  API Groups      Resources
[*]                     []                      []              [*]             [*]
[*]                     [*]                     []              []              []

Environment cleanup

oadm policy remove-cluster-role-from-user system:master -z curltest
oc delete sa curltest

PS:

  • kubectl get RESOURCE -v=NUM shows the interaction between kubectl and the apiserver; RESOURCE is pod, service, etc., and NUM takes a value from 6 to 8

References:

https://kubernetes.io/docs/reference/access-authn-authz/rbac/

https://docs.openshift.com/container-platform/3.5/rest_api/index.html

https://docs.openshift.com/container-platform/3.9/admin_guide/manage_rbac.html

https://docs.openshift.com/enterprise/3.0/admin_guide/manage_authorization_policy.html


Reposted from www.cnblogs.com/charlieroro/p/10815091.html