Manually building a Kubernetes cluster (3)

This article is the third in this series. The first two recorded the process of building a k8s cluster, but there is another very important part of a properly built cluster that has not been covered yet: the security-related functionality, namely the authentication and authorization mechanisms.

What is authentication, and what is authorization? Simply put, the purpose of authentication is to find out who the user is, and the purpose of authorization is to find out what the user can do. Authenticate first, to know who he is; then authorize, to know what he may do.

The "security" discussed here is mainly about apiserver, because k8s exposes apiserver as a RESTful interface, so anyone who knows your apiserver address can modify the information in your cluster.
First, let's go over the relevant basics, including SSL, JWT, RBAC and so on.

SSL Introduction

SSL is a protocol; the "s" in https stands for SSL.
There is a lot of very detailed material about SSL on the Internet; here I only describe my own understanding. To keep information secure while it travels over the network, the transmission needs to be encrypted. Encryption falls into two categories: symmetric encryption and asymmetric encryption.

  1. Symmetric encryption

    So-called symmetric encryption means that encryption and decryption are symmetrical: however the encrypting side encrypts, the decrypting side decrypts the same way. For example:

    The client uses a symmetric algorithm (md5 here) and a secret key to encrypt a piece of information and sends the encrypted result to the server along with the request:
secret = md5(key+info)

To verify that the request really comes from a legitimate source, the server encrypts the same information in the same way and compares its result with the one sent by the client; if they are the same, the request is considered legitimate.
In this process both sides need to hold the same key and use the same encryption method.

  2. Asymmetric encryption

    Having understood symmetric encryption, it is easy to see that asymmetric encryption means the two sides do not perform the same operation. RSA encryption is used as the example here:

    The server generates a key pair in advance. The key that can be made public is called the public key; the one that must not be disclosed is called the private key. Anyone can see the contents of the public key, but it can only be used to encrypt; only the private key can decrypt (for the underlying principle, please refer to the relevant material; the basic idea is prime factorization). So the process above becomes: the client requests the server's public key, encrypts the request information with it and sends it to the server; after receiving the request, the server decrypts it with its own private key and thereby obtains the request information.
  3. Comparison

    With symmetric encryption both sides need to know the key, and there is a risk that this key is compromised. Asymmetric encryption does not have this problem: anyone may see the public key, and the private key is never transmitted to anyone else, so security is greatly improved.

    However, the problem with asymmetric encryption is that it is relatively slow to compute, so its efficiency is relatively low.
  4. SSL

    Having said all that, we finally return to SSL. SSL is roughly a combination of the symmetric and asymmetric encryption described above, using the advantages of both. The concrete operation is roughly this:

    Isn't asymmetric encryption slow? Isn't the symmetric key easy to leak? Well, use the asymmetric method to transmit the symmetric key in encrypted form, and both problems are solved. In general it works as follows:
  • the client sends a request to the server and obtains the server's public key
  • the client encrypts the symmetric key it generated with that public key and sends it to the server
  • the server decrypts the received key with its private key
  • both sides can now happily communicate using symmetric encryption with the key that was passed

Of course, the real process is much more complex than what I have described; please look into it yourself ~ ~
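The three mechanisms described above (the shared-key check from the symmetric section, the RSA key pair from the asymmetric section, and the four-step key exchange just listed) as one runnable walk-through. This is an added example, not code from the original post. It uses textbook RSA with two known Mersenne primes and a SHA-256 keystream as a stand-in for a real symmetric cipher; both are constructed for illustration and far too weak for real use. The page's md5(key+info) check is shown as an HMAC, the standard keyed-hash form of that idea.

```python
import hashlib
import hmac
import secrets

# --- Symmetric side: one key shared by both parties -------------------------

def sign_request(key: bytes, info: bytes) -> bytes:
    # Keyed hash over the request; the page writes this as md5(key+info),
    # HMAC-SHA256 is the standard construction for the same purpose.
    return hmac.new(key, info, hashlib.sha256).digest()

def verify_request(key: bytes, info: bytes, tag: bytes) -> bool:
    # Server recomputes the tag with the same key and compares in constant time.
    return hmac.compare_digest(sign_request(key, info), tag)

def stream_xor(key: bytes, data: bytes) -> bytes:
    # Toy symmetric cipher (constructed): SHA-256 keystream XORed with the data.
    # The same call encrypts and decrypts.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

# --- Asymmetric side: textbook RSA from two Mersenne primes -----------------
# Assumed parameters, chosen only to keep the numbers readable.

P = 2 ** 31 - 1
Q = 2 ** 61 - 1

def rsa_keygen(p: int = P, q: int = Q, e: int = 65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)

def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)

# --- The four steps from the list above -------------------------------------

def run_handshake(message: bytes) -> dict:
    # 1. client asks the server for its public key
    server_pub, server_priv = rsa_keygen()
    # 2. client generates a session key and encrypts it with the server's public key
    session_key = secrets.token_bytes(8)   # 64 bits: below the toy modulus n
    wrapped = rsa_encrypt(server_pub, int.from_bytes(session_key, "big"))
    # 3. server recovers the session key with its private key
    server_key = rsa_decrypt(server_priv, wrapped).to_bytes(8, "big")
    # 4. both sides now talk with symmetric encryption under that key
    ciphertext = stream_xor(session_key, message)
    recovered = stream_xor(server_key, ciphertext)
    return {"keys_match": session_key == server_key, "recovered": recovered}
```

The private key never leaves the server, and only the short session key goes through the slow asymmetric operation; everything afterwards uses the fast symmetric path, which is exactly the trade-off the section describes.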

JWT Introduction

JWT stands for JSON Web Token. It is a standard used mainly for authorization and information exchange.

As the name suggests, this thing is a token; specifically, it is a string made up of three parts separated by ".":

  • header
  • payload
  • signature

It looks like aaaaaa.bbbb.cccc. The string itself carries some information, e.g. the user ID can be stored in it, so after the server receives the token it can get the ID by decoding the token directly, without querying the database. The token also records the signature algorithm used. Concretely, the process is: when the server receives the client's login request, it uses its own secret and a signing algorithm to generate such a token and sends it to the client; the client stores the token and carries it in the Authorization header of every request, which looks like this:

Authorization: Bearer <token>

On every request the server checks that the token is a valid one that it issued itself. This achieves a stateless HTTP service. Doesn't the effect feel somewhat similar to a session? There are in fact some differences, for example: a session is stored in the server's memory, while a JWT is stored on the client.
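The issue-and-verify cycle described above, as an added example that is not part of the original post. It builds an HS256 token from the three base64url parts with only the standard library, then shows what the server checks on every request: the scheme in the Authorization header, the algorithm, the signature, and the expiry. The secret and the payload fields are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"   # server-side signing secret (constructed)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(payload: dict, secret: bytes = SECRET) -> str:
    # header.payload are base64url(JSON); the signature is HMAC-SHA256 over both.
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, secret: bytes = SECRET, now: float = None):
    # Returns the payload when the token is one we issued and still valid, else None.
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError:          # wrong part count, bad base64, or bad JSON
        return None
    if header.get("alg") != "HS256":
        return None             # only accept the algorithm we issue
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None             # payload or signature was altered
    try:
        payload = json.loads(_b64url_decode(p))
    except ValueError:
        return None
    now = time.time() if now is None else now
    if "exp" in payload and payload["exp"] < now:
        return None             # expired
    return payload

def user_from_header(header_value: str, secret: bytes = SECRET, now: float = None):
    # Parses "Authorization: Bearer <token>" and returns the payload or None.
    scheme, _, token = header_value.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return verify_token(token, secret, now)
```

The server keeps nothing per user between requests; everything it needs (the subject, the expiry) rides inside the token, and the signature is what lets it trust those values without a database lookup.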

RBAC Introduction

RBAC stands for Role-Based Access Control.

Here is my shallow understanding:

Split the system's operating privileges into many small units, give a number of these small units to a role, and then assign users to roles. This allows flexible control over which users may access which parts of the system. An example:

A management back end has many features, such as user management, order management, product management and message management. Define several roles: the super administrator has all privileges, the operations administrator has the user management and message management privileges, and the finance administrator has the order management privileges. OK, so when a new user joins the back end, he only needs to be given a role and he will have the corresponding management privileges. A role can have many users, several roles can hold the same privilege, and the relationship between roles and privileges can be adjusted at any time, which is very flexible. I am not sure whether that is clear; for the specifics, please also consult the relevant documentation.

kubernetes authentication and authorization

  1. Authentication

    kubernetes supports three ways of authenticating:
  • HTTPS certificates: two-way digital certificate authentication based on certificates signed by the root CA, using the SSL described earlier;
  • HTTP Token authentication: identifies a legitimate user by a token, which may be an ordinary token or a JWT as described earlier;
  • HTTP Basic authentication: authenticates by username + password;

    apiserver supports configuring one or more authentication methods; if several are configured, passing any one of them counts as successful authentication.
  2. Authorization

    apiserver supports several authorization modes, such as Node, RBAC, Webhook, etc. The authorization mode is specified when apiserver starts; again one or more can be specified, and if several are specified, being approved by any one of them counts as successful authorization, similar to authentication.

    When a client accesses apiserver, the HTTP request it makes carries various attributes, such as user, group, path, etc. The authorization process feeds these attributes to the configured authorization modes, which decide whether the corresponding operation is authorized.
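The two-stage flow just described (authenticate first, then authorize), together with the role/binding model from the RBAC section above, as one added example that is not part of the original post or of Kubernetes itself. It models an apiserver-style request pipeline: a token file and a basic-auth file stand in for the configured authentication methods (any one success is enough), and two authorizers stand in for the configured modes (any one approval is enough). The RBAC rules use the back-end roles from the RBAC section; the token values, passwords, and the "node" authorizer rule are constructed for the example and are not the real Node authorizer's logic.

```python
import base64
import hmac

# Constructed stand-ins for the apiserver's authentication files.
TOKEN_FILE = {                 # token -> (user, groups)
    "tok-alice-123": ("alice", ["ops"]),
    "tok-root-000": ("root", []),
}
BASIC_FILE = {                 # user -> (password, groups)
    "bob": ("hunter2", ["finance"]),
}

def request(authorization: str, verb: str, resource: str) -> dict:
    # The attributes the authorizers see: who (filled in later), verb, resource.
    return {"headers": {"Authorization": authorization}, "verb": verb, "resource": resource}

def authn_token(req):
    scheme, _, token = req["headers"].get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in TOKEN_FILE:
        return None
    user, groups = TOKEN_FILE[token]
    return {"user": user, "groups": groups}

def authn_basic(req):
    scheme, _, cred = req["headers"].get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(cred).decode().partition(":")
    except ValueError:          # malformed base64 or non-UTF-8 credential
        return None
    entry = BASIC_FILE.get(user)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return None
    return {"user": user, "groups": entry[1]}

def authenticate(req, authenticators):
    # Several methods may be configured; the first one that succeeds wins.
    for method in authenticators:
        user = method(req)
        if user is not None:
            return user
    return None

# RBAC: privileges are (verb, resource) pairs, roles bundle privileges,
# bindings attach roles to users or groups (the RBAC section's example).
ROLES = {
    "super-admin": {("*", "*")},
    "ops-admin": {("get", "users"), ("update", "users"),
                  ("get", "messages"), ("delete", "messages")},
    "finance-admin": {("get", "orders"), ("update", "orders")},
}
BINDINGS = [  # (subject kind, subject name, role)
    ("User", "root", "super-admin"),
    ("Group", "ops", "ops-admin"),
    ("Group", "finance", "finance-admin"),
]

def authz_rbac(user, req):
    subjects = {("User", user["user"])} | {("Group", g) for g in user["groups"]}
    for kind, name, role in BINDINGS:
        if (kind, name) not in subjects:
            continue
        for verb, resource in ROLES[role]:
            if verb in ("*", req["verb"]) and resource in ("*", req["resource"]):
                return True
    return False

def authz_node(user, req):
    # Toy second authorizer (constructed): identities named like a node may read pods.
    return (user["user"].startswith("system:node:")
            and req["verb"] == "get" and req["resource"] == "pods")

def authorize(user, req, authorizers):
    # Several modes may be configured; approval by any one of them is enough.
    return any(mode(user, req) for mode in authorizers)

def handle(req, authenticators=(authn_token, authn_basic), authorizers=(authz_node, authz_rbac)):
    # Who is this? If nobody, 401. What may they do? If not this, 403.
    user = authenticate(req, authenticators)
    if user is None:
        return 401
    if not authorize(user, req, authorizers):
        return 403
    return 200
```

Note the order: an unknown caller is rejected before any authorizer runs, while a known caller without a matching role gets a 403 rather than a 401, which is the same distinction apiserver makes between "who are you" and "what may you do".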

Summary

The rambling is finally over. Talking more is no use; I would rather roll up my sleeves and get on with it. Next, use the cluster environment built in the previous articles to test all of this ~ ~ ~


Source: blog.csdn.net/weixin_34311757/article/details/91002289