訪問到權限分兩部分
1.Authenticating認證
授權配置由kube-apiserver管理
這裏使用的是 Static Password File 方式。
apiserver啓動yaml裏配置basic-auth-file即可,容器啓動apiserver的話要注意這個文件需要是在容器內能訪問到的。(可以通過掛載文件,或者在已經掛載的路徑裏增加配置文件)
basic-auth-file文件格式見官方文檔https://kubernetes.io/docs/admin/authentication/#static-password-file 注意password在第一個,之前沒注意被卡了很久。
修改了文件以後需要重啓apiserver才能生效。這裏kubectl delete 刪除pod有問題,使用docker命令查看apiserver容器其實沒有重啓。解決方案是使用docker kill殺掉容器。自動重啓。
[root@tensorflow1 ~]# curl -u admin:admin "https://localhost:6443/api/v1/pods" -k
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "pods is forbidden: User \"system:anonymous\" cannot list pods at the cluster scope",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
}
這個就是沒有通過認證的報錯
2.Authorization授權
k8s RBAC授權規則
https://kubernetes.io/docs/admin/authorization/rbac/
簡單來說就是 權限--角色--用戶綁定
需要配置兩個文件
一個是role/clusterRole,定義角色以及其權限
一個是roleBinding/clusterRoleBinding,定義用戶和角色的關係
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "pods is forbidden: User \"admin\" cannot list pods at the cluster scope",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
}
這個就是沒有權限訪問,需要配置RBAC
文件如下:
方案1:role + roleBinding
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: user1
name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["*"]
- apiGroups: [""] # "" indicates the core API group
resources: ["namespaces"]
verbs: ["*"]
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: user1-rolebinding
namespace: user1
subjects:
- kind: User
name: user1 # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: myauth-user
apiGroup: rbac.authorization.k8s.io
方案2:clusterRole + roleBinding (推薦)
clusterRole定義全局權限,roleBinding將權限限制到namespace。clusterRole僅需要定義一次。
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: myauth-user
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["*"]
- apiGroups: [""] # "" indicates the core API group
resources: ["namespaces"]
verbs: ["*"]
- apiGroups: [""] # "" indicates the core API group
resources: ["resourcequotas"]
verbs: ["*"]
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: user2-rolebinding
namespace: user2
subjects:
- kind: User
name: user2 # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: myauth-user
apiGroup: rbac.authorization.k8s.io
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: user1-rolebinding
namespace: user1
subjects:
- kind: User
name: user1 # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: myauth-user
apiGroup: rbac.authorization.k8s.io
3.配置
新建靜態密碼文件
# vi /etc/kubernetes/pki/basic_auth_file
admin,admin,1004
jane2,jane,1005
user1,user1,1006
user2,user2,1007
修改apiserver配置
修改/etc/kubernetes/manifests/kube-apiserver.yaml
在一堆參數配置下面增加
- --basic-auth-file=/etc/kubernetes/pki/basic_auth_file
eg:
- --etcd-servers=https://127.0.0.1:2379
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
- --basic-auth-file=/etc/kubernetes/pki/basic_auth_file
這裏將靜態文件放在/etc/kubernetes/pki/目錄下的原因是,apiserver通過容器啓動,這個路徑已經掛載容器中了,可以被訪問到。放在其他路徑需要額外配置掛載路徑。apiserver只會啓動在master節點上,故僅需要在master節點上配置即可。
啓動好以後在master機器上執行kubectl get all,多半是執行不成功的,因爲修改apiserver配置文件後,apiserver自動重啓,然後啓動失敗,所以就無法訪問集羣了。
使用docker ps 查看發現k8s_kube-scheduler 和k8s_kube-controller-manager重啓了,但是apiserver沒起來。
執行systemctl restart kubelet,再docker ps 就能看到apiserver啓動成功了。如果還沒啓動起來,那再看看上面哪裏配置有問題。
應用
使用--username={username} --password={password} 參數訪問kubectl
參考https://kubernetes-v1-4.github.io/docs/user-guide/kubectl/kubectl_create/
kubectl get all -n user1 --username=user1 --password=user1
kubectl create -f tf1-rc.yaml --username=user1 --password=user1
使用 curl -u {username}:{password} `
js
"https://{masterIP}:6443/api/v1/" -k 訪問http restful api
curl -u jane:jane2 "https://localhost:6443/api/v1/namespaces/user1/pods" -k
curl -u jane:jane2 "https://localhost:6443/api/v1/namespaces/user1" -k
curl -u user1:user1 "https://localhost:6443/api/v1/namespaces/user1" -k
curl -u user1:user1 "https://localhost:6443/api/v1/namespaces/user1/pods" -k
curl -u user1:user1 "https://localhost:6443/api/v1/namespaces/user1/resourcequotas/" -k
curl -u user2:user2 "https://localhost:6443/api/v1/namespaces/user2" -k
curl -u user2:user2 "https://localhost:6443/api/v1/namespaces/user2/pods" -k
curl -u user2:user2 "https://localhost:6443/api/v1/namespaces/user2/resourcequotas/" -k