内容简介:使用TOKEN授权访问api-server在k8s运维场景中比较常见,apiserver有三种级别的客户端认证方式1,HTTPS证书认证:基于CA根证书签名的双向数字证书认证方式
使用TOKEN授权访问api-server在k8s运维场景中比较常见,
apiserver有三种级别的客户端认证方式
1,HTTPS证书认证:基于CA根证书签名的双向数字证书认证方式
2,HTTP Token认证:通过一个Token来识别合法用户
3,HTTP Base认证:通过用户名+密码的认证方式
通常的运维场景使用第二种Token较为方便Token的权限是关联service account,
# kubectl describe secrets admin-token-2q28f -n kube-system
Name: admin-token-2q28f
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin
kubernetes.io/service-account.uid: 93316ffa-7545-11e9-b617-00163e06992d
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1419 bytes
namespace: 11 bytes
token: eyJhbGciOiJ******
Service Account 的权限来自Clusterrolebinding-->ClusterRole
# kubectl describe serviceaccount admin -n kube-system
Name: admin
Namespace: kube-system
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"admin","namespace":"kube-system"}}
Image pull secrets: <none>
Mountable secrets: admin-token-2q28f
Tokens: admin-token-2q28f
Events: <none>
通过clusterrolebinding 可以拿到ClusterRole对应的rolename
# kubectl get clusterrolebinding admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"admin"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"admin","namespace":"kube-system"}]}
creationTimestamp: 2019-05-13T06:08:49Z
name: admin
resourceVersion: "1523"
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/admin
uid: 93356439-7545-11e9-b617-00163e06992d
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin
namespace: kube-system
这个role是什么权限?
# kubectl get clusterrole cluster-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: 2019-05-13T06:01:10Z
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: cluster-admin
resourceVersion: "55"
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-admin
uid: 817e2b9e-7544-11e9-9766-00163e0e34c8
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
从clusterrole权限来看,admin关联的权限还是比较大的,正常的集群运维中建议根据自身的真实需要,去定制权限
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
了解完这些,分享一个小技巧,这样后面客户再有curl访问apiserver的需求,我相信你没问题了!
# kubectl describe secrets $(kubectl get secrets -n kube-system |grep admin |cut -f1 -d ' ') -n kube-system |grep -E '^token' |cut -f2 -d':'|tr -d '\t'|tr -d ' ' eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi0ycTI4ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjkzMzE2ZmZhLTc1NDUtMTFlOS1iNjE3LTAwMTYzZTA2OTkyZCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.EQzj2LsWn2k31m-ksn9GmB1bZTi1Xjw1fnmWFgRKlwhS2QAaVnDXfV_TgUovpq5oWKh7h0gTVaNaK4KKK76yAv6GfMehpOdIO5xHCfQAWVRhla1cwUDC64tz7vJ1zGcx_lz4hKfhdXN1T8FYS0B0hf3h2OloAMfCZTzDjRWz24GVwH-WRTEwY_5tav65GiZzBTsnz1vV7NOcx-Kl8AK2HbowtBYqK05x7oOmp84FiQMwpYU-7g0c03h61zev4lvf0e-HFtqKiByPi8gD-uiVRvE-xayOz5oIESWw2GfhzfNf_uyR7eLplCKUBecVMtwVsBauNaeqU-IIJW5VIHAOxw # TOKEN=$(kubectl describe secrets $(kubectl get secrets -n kube-system |grep admin |cut -f1 -d ' ') -n kube-system |grep -E '^token' |cut -f2 -d':'|tr -d '\t'|tr -d ' ') # kubectl config view |grep server|cut -f 2- -d ":" | tr -d " " https://192.168.0.130:6443 # APISERVER=$(kubectl config view |grep server|cut -f 2- -d ":" | tr -d " ")
使用curl访问apiserver
# curl -H "Authorization: Bearer $TOKEN" $APISERVER/api --insecure
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.0.130:6443"
}
]
}
本文作者:牧原
本文为云栖社区原创内容,未经允许不得转载。
以上所述就是小编给大家介绍的《如何使用curl访问k8s的apiserver》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!
猜你喜欢:
- 如何使用不同语言访问bitcoinj
- 使用Fluentd + Elasticsearch收集访问日志
- [译] 使用Laravel访问前端Cookie
- python使用锁访问共享变量实例解析
- 使用.net通过odbc访问Hive
- golang如何使用sarama访问kafka
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
Docker——容器与容器云(第2版)
浙江大学SEL实验室 / 人民邮电出版社 / 2016-10 / 89.00元
本书根据Docker 1.10版和Kubernetes 1.2版对第1版进行了全面更新,从实践者的角度出发,以Docker和Kubernetes为重点,沿着“基本用法介绍”到“核心原理解读”到“高级实践技巧”的思路,一本书讲透当前主流的容器和容器云技术,有助于读者在实际场景中利用Docker容器和容器云解决问题并启发新的思考。全书包括两部分,第一部分深入解读Docker容器技术,包括Docker架......一起来看看 《Docker——容器与容器云(第2版)》 这本书的介绍吧!
