kubectl -> Authentication -> Authorization -> Admission Control
Authentication: certificate identity (who is making the request)
Authorization: RBAC permission checks (may this identity perform this verb on this resource)
Admission control: additional plug-ins that supplement the authorization mechanism; they run only on write operations (create, modify, delete), not on reads
User account attributes carried on every request:
Client -> API server
user: username, uid
group: the groups the user belongs to
extra: additional key/value attributes
API request path: identifies the requested resource
http://192.168.81.10:6443/apis/apps/v1/namespaces/default/deployments/myapp-deploy
kubectl api-versions
kubectl certificate
cat .kube/config    locally, the certificate/credentials in this kubeconfig let kubectl connect directly to the apiserver
kubectl proxy --port=8080    opens a local listener that forwards requests to the apiserver, so other tools (e.g. curl) can reach the apiserver through it
curl http://localhost:8080/api/v1/namespaces    the request is sent as a URL; the apiserver's response is JSON
kubectl get deploy -n kube-system
curl http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments
curl http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments/coredns
All resources are reached through the API by such request paths
/apis is the top-level path for the named API groups (the core group, e.g. pods and namespaces, lives under /api)
kubectl get deploy
curl http://localhost:8080/apis/apps/v1/namespaces/default/deployments/myapp-deploy
HTTP request verb: the action requested, e.g. curl -s
GET POST PUT DELETE
API request verbs, i.e. what kubectl commands map to:
get list create update patch watch proxy delete deletecollection
Resource: the object type (deployments, statefulsets, ...)
Subresource / Namespace / API group
kubectl get statefulset
curl http://localhost:8080/apis/apps/v1/namespaces/default/statefulsets
curl http://localhost:8080/apis/apps/v1/namespaces/default/statefulsets/myapp
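The request paths above all follow one pattern. The shell snippet below is an added example, not part of the original notes: it builds the path from group, version, namespace, resource, name and subresource, and maps the API verbs listed above to HTTP methods. It generalizes beyond the deployments/statefulsets shown here to the core group (/api instead of /apis), cluster-scoped resources (no namespaces segment) and subresources such as pods/<name>/log; the pod name coredns-xyz is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original notes: build the REST path that kubectl
# requests for a resource, following these rules:
#   core group (pods, services, namespaces ...)  -> /api/<version>/...
#   named API group (apps, batch ...)            -> /apis/<group>/<version>/...
#   namespaced resource                          -> .../namespaces/<ns>/<resource>
#   cluster-scoped resource (nodes, namespaces)  -> .../<resource>
#   optional object name and subresource         -> .../<name>/<subresource>
# usage: k8s_path GROUP VERSION NAMESPACE RESOURCE [NAME [SUBRESOURCE]]
# pass "" as GROUP for the core group and "" as NAMESPACE for cluster-scoped resources
k8s_path() {
  group=$1 version=$2 ns=$3 resource=$4
  name=${5:-} sub=${6:-}
  if [ -z "$group" ]; then
    p="/api/$version"
  else
    p="/apis/$group/$version"
  fi
  if [ -n "$ns" ]; then p="$p/namespaces/$ns"; fi
  p="$p/$resource"
  if [ -n "$name" ]; then p="$p/$name"; fi
  if [ -n "$sub" ]; then p="$p/$sub"; fi
  printf '%s\n' "$p"
}

# Map an API request verb to the HTTP method the request actually uses;
# list and watch are GETs on the collection (watch adds ?watch=true).
http_method() {
  case $1 in
    get|list|watch)          echo GET ;;
    create)                  echo POST ;;
    update)                  echo PUT ;;
    patch)                   echo PATCH ;;
    delete|deletecollection) echo DELETE ;;
    *) echo "unknown verb: $1" >&2; return 1 ;;
  esac
}

# Full URL through a local `kubectl proxy --port=8080` listener; the proxy
# attaches the kubeconfig credentials, so curl needs no token of its own.
proxy_url() {
  printf 'http://localhost:8080%s\n' "$(k8s_path "$@")"
}

# Demo: the deployment from the notes, a pod log subresource in the core group
# (pod name is a constructed placeholder), and a cluster-scoped resource.
proxy_url apps v1 default deployments myapp-deploy
proxy_url "" v1 kube-system pods coredns-xyz log
proxy_url "" v1 "" nodes
http_method deletecollection
```

Each printed URL can be handed to curl exactly like the curl lines above once `kubectl proxy --port=8080` is running.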
How a client reaches the apiserver
Client outside the cluster: through the apiserver node address, or through a local kubectl proxy --port=8080
Client inside the cluster (pods): kubectl get svc / kubectl describe svc kubernetes shows the kubernetes service at 10.96.0.1; pods connect to the apiserver through that service
pods -> service kubernetes 10.96.0.1 -> 192.168.81.10:6443 apiserver, so a pod can request the apiserver directly via the service
The apiserver needs authentication in both directions: the apiserver presents its own certificate to the client -> the client verifies the apiserver's identity -> the apiserver verifies the client's identity (the pod connecting via 10.96.0.1)
Pods authenticate with a serviceaccount (sa)
kubectl explain pods.spec.serviceAccountName
Explanation:
kubectl describe pods myapp-deploy-55b78d8548-t4xxx
Volumes:
  default-token-dkt94:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-dkt94
That is, the pod's account/authentication information is the secret default-token-dkt94, mounted into the pod as a volume
serviceAccount is also a standard k8s resource; it is attached to the pod through serviceAccountName
How to create a serviceaccount
kubectl create serviceaccount -h
E.g.:
kubectl create serviceaccount mysa --dry-run
Creates a serviceaccount named mysa; --dry-run only shows what would be created, nothing is actually created
kubectl get in
kubectl create serviceaccount admin
kubectl get sa    query the created sa; the system automatically generates a secret for admin
kubectl describe sa admin    shows admin's secret
kubectl get secrets    confirm the secret
kubectl describe secrets admin-token-5kqwt    this serviceaccount can only authenticate (log in) to the apiserver; it cannot do anything else until it is authorized
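The secret mounted into a pod (default-token-dkt94 above, admin-token-5kqwt here) holds three files: token, ca.crt and namespace. The following shell snippet is an added example, not part of the original notes: it constructs an offline stand-in for that mount under sa "admin" in namespace "default", decodes the identity claim the apiserver reads from the token, and shows the request a pod would make to the kubernetes service. The token is a fake JWT with a made-up signature (so it demonstrates the claims, not a credential the apiserver would accept), the CA file is a placeholder, and 10.96.0.1:443 is the service address from the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: what a pod finds in its mounted
# serviceaccount secret and how it presents that identity to the apiserver.
# Everything here is constructed offline; the token is a fake JWT with a
# made-up signature, so it only shows the claims a real token carries.
set -eu

# JWT segments are unpadded base64url ('-' and '_' alphabet).
b64url_enc() { base64 | tr -d '\n=' | tr '+/' '-_'; }
b64url_dec() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}

# Build a directory laid out like /var/run/secrets/kubernetes.io/serviceaccount
# for a pod running under sa "admin" in namespace "default" (names from the notes).
make_fake_sa_dir() {
  dir=$(mktemp -d)
  printf 'default' > "$dir/namespace"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-PLACEHOLDER' '-----END CERTIFICATE-----' > "$dir/ca.crt"
  header=$(printf '{"alg":"RS256","kid":"constructed"}' | b64url_enc)
  payload=$(printf '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/service-account.name":"admin","kubernetes.io/serviceaccount/secret.name":"admin-token-5kqwt","sub":"system:serviceaccount:default:admin"}' | b64url_enc)
  sig=$(printf 'not-a-real-signature' | b64url_enc)
  printf '%s.%s.%s' "$header" "$payload" "$sig" > "$dir/token"
  printf '%s' "$dir"
}

# The identity the apiserver sees after it verifies the token signature with
# its own key: the "sub" claim, system:serviceaccount:<namespace>:<name>.
sa_token_subject() {
  payload=$(cut -d. -f2 < "$1/token")
  b64url_dec "$payload" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Inside a pod the apiserver address comes from the kubernetes service, injected
# as KUBERNETES_SERVICE_HOST/PORT (10.96.0.1:443 in the notes' cluster).
apiserver_url() {
  printf 'https://%s:%s' "${KUBERNETES_SERVICE_HOST:-10.96.0.1}" "${KUBERNETES_SERVICE_PORT:-443}"
}

# The request a pod makes: trust the cluster CA from the mounted ca.crt, prove
# its own identity with the bearer token. Returned as text, not executed.
sa_curl_command() {
  printf 'curl --cacert %s/ca.crt -H "Authorization: Bearer $(cat %s/token)" %s%s\n' \
    "$1" "$1" "$(apiserver_url)" "$2"
}

sa_dir=$(make_fake_sa_dir)
echo "namespace: $(cat "$sa_dir/namespace")"
echo "identity:  $(sa_token_subject "$sa_dir")"
sa_curl_command "$sa_dir" /api/v1/namespaces/default/pods
```

Authentication succeeding only means the apiserver knows the request comes from system:serviceaccount:default:admin; whether that identity may list pods is decided afterwards by RBAC, which is why the curl above returns Forbidden until a role is bound to the sa.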
Using a custom sa
cp pod-demo.yaml pod-sa-demo.yaml
vim pod-sa-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-sa-demo
  namespace: default
  labels:
    app: myapp
    tier: frontend
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
  serviceAccountName: admin
serviceAccountName: admin sets the pod's sa to the custom-defined account; the default-token-dkt94 secret is then no longer used automatically
Verification
kubectl apply -f pod-sa-demo.yaml
kubectl describe pods pod-sa-demo
Volumes:
  admin-token-5kqwt:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  admin-token-5kqwt
Resource templates
kubectl create serviceaccount mysa --dry-run -o yaml > xxxx.yaml    gives a yaml template for the resource
kubectl get pods myapp-1 -o yaml --export > xxxx.yaml    exports an existing resource as a yaml manifest
secret types
docker-registry    credentials for authenticating to a private docker registry
generic            other general-purpose secrets
tls                provides a certificate to a pod
Image registry authentication: imagePullSecrets refers to a docker-registry secret used to log in to the registry; it can also be set on the sa that the pod uses
Only the imagePullSecrets item needs to be added to the pod's resource definition
kubectl explain pods.spec.imagePullSecrets
kubectl create secret --help
kubectl describe sa admin
Image pull secrets:  <none>
Human account authentication: user account
RBAC authorization
kubectl config --help    manage the kubectl config file (kubeconfig)
kubectl config view    see how many clusters are configured
Certificate store: /etc/kubernetes/pki/
Create an account:
Create a private key
(umask 077; openssl genrsa -out mageedu.key 2048)
run in a sub-shell so the umask applies only to this command and the key is readable by its owner only; genrsa generates an RSA private key, -out the output file, 2048 the key size
Result: mageedu.key
Based on the private key, create a certificate signed by ca.crt
Generate the certificate signing request
openssl req -new -key mageedu.key -out mageedu.csr -subj "/CN=mageedu"
The signing request's CN is the name that becomes the user account
Result: mageedu.csr
Signing: sign the request with ca.crt
openssl x509 -req -in mageedu.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mageedu.crt -days 365
-in the signing request file, -CA the CA certificate that signs it, -CAkey the CA's private key, -CAcreateserial create the CA serial-number file if it does not exist
-out the file to save the certificate to, -days how long the certificate stays valid
Result: mageedu.crt
View the contents of the certificate
openssl x509 -in mageedu.crt -text -noout
-text prints the certificate as readable text, -noout suppresses the encoded certificate
Add the user account's authentication information so it can be used to connect to the k8s cluster
kubectl config set-credentials --help
Set the credentials
kubectl config set-credentials mageedu --client-certificate=./mageedu.crt --client-key=./mageedu.key --embed-certs=true
mageedu: the name of the credentials entry in kubeconfig; it should be the same as the user account (the certificate's CN)
--client-certificate specifies the crt certificate
--client-key specifies the private key
--embed-certs whether to embed the certificate contents into kubeconfig instead of referencing the file paths
kubectl config view    view the created credentials alongside the cluster administrator account
Set the context: a context lets mageedu access the cluster
kubectl config set-context mageedu@kubernetes --cluster=kubernetes --user=mageedu
specifies the context name, the cluster name and the login user name
- context:
    cluster: kubernetes    cluster name
    user: mageedu          login name
  name: mageedu@kubernetes    context name
Switching context equals switching account
kubectl config use-context mageedu@kubernetes
Test access
kubectl get pods
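The certificate steps above and the kubeconfig that set-credentials/set-context write can be exercised without a cluster. The shell snippet below is an added example, not part of the original notes: it creates a throw-away CA standing in for /etc/kubernetes/pki/ca.crt and ca.key, signs a user certificate with it, checks that the certificate chains to the CA (the check the apiserver performs on a client certificate), and writes the kubeconfig that --embed-certs=true produces, with the files stored base64-encoded in *-data keys rather than referenced by path. Kubernetes takes the certificate's CN as the user name and each O as a group, so the CSR subject here carries both; the group name "devs" and the mktemp working directory are constructed, and the cluster name, user name and server address are the ones used in the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: the openssl flow above run against a
# throw-away CA created here (standing in for /etc/kubernetes/pki/ca.crt and ca.key),
# plus the kubeconfig that `kubectl config set-credentials/set-context --embed-certs=true`
# would write. CN becomes the Kubernetes user name, O a group; "devs" is a constructed group.
set -eu

make_ca() {                       # $1: work dir
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/ca.key" -days 365 -subj "/CN=kubernetes" \
    -out "$1/ca.crt" 2>/dev/null
}

make_user_cert() {                # $1: work dir, $2: user name (CN), $3: group (O)
  (umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)   # key readable by owner only
  openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2/O=$3" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/$2.crt" -days 365 2>/dev/null
}

# Print one subject field (CN or O) of a PEM certificate read from a file or /dev/stdin.
cert_field() {                    # $1: cert file, $2: field name
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed -n "s/^ *$2=//p"
}

# What the apiserver does with a client cert: check that it chains to the cluster CA.
cert_chains_to_ca() {             # $1: work dir, $2: user name
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# kubeconfig with embedded credentials: --embed-certs=true stores the base64 of the
# files in *-data keys instead of referencing their paths.
write_kubeconfig() {              # $1: work dir, $2: user, $3: cluster name, $4: server URL
  cat > "$1/kubeconfig" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $3
  cluster:
    server: $4
    certificate-authority-data: $(base64 < "$1/ca.crt" | tr -d '\n')
users:
- name: $2
  user:
    client-certificate-data: $(base64 < "$1/$2.crt" | tr -d '\n')
    client-key-data: $(base64 < "$1/$2.key" | tr -d '\n')
contexts:
- name: $2@$3
  context:
    cluster: $3
    user: $2
current-context: $2@$3
EOF
}

# Decode the embedded client certificate back out and read a subject field from it.
embedded_cert_field() {           # $1: kubeconfig file, $2: field name
  sed -n 's/^ *client-certificate-data: //p' "$1" | base64 -d | cert_field /dev/stdin "$2"
}

if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_ca "$work"
  make_user_cert "$work" mageedu devs
  echo "user:  $(cert_field "$work/mageedu.crt" CN)"
  echo "group: $(cert_field "$work/mageedu.crt" O)"
  cert_chains_to_ca "$work" mageedu && echo "chains to ca.crt: yes"
  write_kubeconfig "$work" mageedu kubernetes https://192.168.81.10:6443
  echo "embedded cert CN: $(embedded_cert_field "$work/kubeconfig" CN)"
else
  echo "openssl not found; skipping demo" >&2
fi
```

A certificate signed by any other CA fails cert_chains_to_ca, which is exactly why a user certificate must be signed with the cluster's own ca.key. Note also that with this kubeconfig `kubectl get pods` authenticates as mageedu but still gets Forbidden until RBAC grants that user (or its group) the permission.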
Setting up a cluster entry
kubectl config set-cluster --help
kubectl config --help
kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://192.168.85.110:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
mycluster: the cluster name; --kubeconfig: the config file to write to; --server: the apiserver address
--certificate-authority: the CA certificate; --embed-certs: whether to embed the CA certificate contents rather than reference the file
Verify the created cluster entry
kubectl config view --kubeconfig=/tmp/test.conf