认证练习
X509 证书
Create private key and csr
openssl genrsa -out myuser.key 2048
请求签发证书
openssl req -new -key myuser.key -out myuser.csr
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:sz
Locality Name (eg, city) []:sz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myuser
Organizational Unit Name (eg, section) []:myuser
Common Name (e.g. server FQDN or YOUR name) []:myuser
Email Address []:myuser@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
查看证书
cat myuser.csr | base64 | tr -d "\n"
openssl req -new -x509 -days 10000 -key .key -out <CA_public>.crt
Encode csr
cat myuser.csr | base64 | tr -d "\n"
output
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ3ZUQ0NBYVVDQVFBd2VERUxNQWtHQTFVRUJoTUNRMDR4Q3pBSkJnTlZCQWdNQW5ONk1Rc3dDUVlEVlFRSApEQUp6ZWpFUE1BMEdBMVVFQ2d3R2JYbDFjMlZ5TVE4d0RRWURWUVFMREFadGVYVnpaWEl4RHpBTkJnTlZCQU1NCkJtMTVkWE5sY2pFY01Cb0dDU3FHU0liM0RRRUpBUllOYlhsMWMyVnlRSEZ4TG1OdmJUQ0NBU0l3RFFZSktvWkkKaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFMNlk2Q2cvcDd3QjBBRGhHbHZ3NDNyc0RSREY4bDRIWllSRgo1SHNSZmZVWVZ2eXI1aXAxbWx3bG9QNmlFVlU2dG9CV3dKaWIrWHFZeVJtZzNNMnJNVXN4Q29mMklYSVloUWRzClJqbTBwSEdQalBTaGcweDZxTkVJVmtjbENGMlg1NWpIU3FycVBBNnE4QW1DOXhITWUvRFB0cE56Q1RFYXgxamMKWTAvL1d0KzZzWlVTWFR1d0lDZ1NpQnZ5Qm1IVFBQaWZ6MjlUdmQwYURNRG1QUERRNUhSc2d4SVRCbWR0cWRsMApqYkU1ZEdrd3pzZ1ppZmxobjFsOG1kVVIzaWs0OHZ0VFNoNFpTLzhvSS9McGFyZVFySzBEYjVVZGpnVjRlNitlCk9DNU1lLzJ3T3VpS3FFMDM5YU1NS2k0TExjSnUwTlpnaXpXazVzUVhZcXNwTExyRERPa0NBd0VBQWFBQU1BMEcKQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJ3Snhvek1TVGQ1K2xqUnJjS2E5UXRwSENBcmhweWlLWExld0hlenBJQgpWWDZWU2NKcnFRZnREMlVQRTVicStvZDc0MWdsbDViL3RucC9wczlKS3FYT0hYNWR0OXNGeUEwMHBUMzhhZjdTCmhHM2pGMU8xcEM1dHBiVTE4REY3T1dIcENacTh3VGNPSlFmbmJKd3h6ZzRxMnNVbUVrUlhwS1RTWGd0eFpacUQKRGZySjJMRmpaM0RoTHFrVEQvb3lGVnV3eUs5bVV3aFZxT0VRLy9xOFNOVStXTmU0Q0lkZnc5TWs3azd2M0FsNwpuWU9lN2VkOFB5b2VYV2QxUHhCdEx0amVmZ0RJeHdrdGdVWHNHc0JOcm5qVnhDQk1rWi9ua3BJMnFXMlRXMk9RCnh0SmxzOVFWN3hBR0xWTEdZcXJPdWNrL2VnMUxVeFZLcHY0NExCRlpCTGViCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
Replace request and create csr
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: myuser
spec:
request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ3ZUQ0NBYVVDQVFBd2VERUxNQWtHQTFVRUJoTUNRMDR4Q3pBSkJnTlZCQWdNQW5ONk1Rc3dDUVlEVlFRSApEQUp6ZWpFUE1BMEdBMVVFQ2d3R2JYbDFjMlZ5TVE4d0RRWURWUVFMREFadGVYVnpaWEl4RHpBTkJnTlZCQU1NCkJtMTVkWE5sY2pFY01Cb0dDU3FHU0liM0RRRUpBUllOYlhsMWMyVnlRSEZ4TG1OdmJUQ0NBU0l3RFFZSktvWkkKaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFMNlk2Q2cvcDd3QjBBRGhHbHZ3NDNyc0RSREY4bDRIWllSRgo1SHNSZmZVWVZ2eXI1aXAxbWx3bG9QNmlFVlU2dG9CV3dKaWIrWHFZeVJtZzNNMnJNVXN4Q29mMklYSVloUWRzClJqbTBwSEdQalBTaGcweDZxTkVJVmtjbENGMlg1NWpIU3FycVBBNnE4QW1DOXhITWUvRFB0cE56Q1RFYXgxamMKWTAvL1d0KzZzWlVTWFR1d0lDZ1NpQnZ5Qm1IVFBQaWZ6MjlUdmQwYURNRG1QUERRNUhSc2d4SVRCbWR0cWRsMApqYkU1ZEdrd3pzZ1ppZmxobjFsOG1kVVIzaWs0OHZ0VFNoNFpTLzhvSS9McGFyZVFySzBEYjVVZGpnVjRlNitlCk9DNU1lLzJ3T3VpS3FFMDM5YU1NS2k0TExjSnUwTlpnaXpXazVzUVhZcXNwTExyRERPa0NBd0VBQWFBQU1BMEcKQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJ3Snhvek1TVGQ1K2xqUnJjS2E5UXRwSENBcmhweWlLWExld0hlenBJQgpWWDZWU2NKcnFRZnREMlVQRTVicStvZDc0MWdsbDViL3RucC9wczlKS3FYT0hYNWR0OXNGeUEwMHBUMzhhZjdTCmhHM2pGMU8xcEM1dHBiVTE4REY3T1dIcENacTh3VGNPSlFmbmJKd3h6ZzRxMnNVbUVrUlhwS1RTWGd0eFpacUQKRGZySjJMRmpaM0RoTHFrVEQvb3lGVnV3eUs5bVV3aFZxT0VRLy9xOFNOVStXTmU0Q0lkZnc5TWs3azd2M0FsNwpuWU9lN2VkOFB5b2VYV2QxUHhCdEx0amVmZ0RJeHdrdGdVWHNHc0JOcm5qVnhDQk1rWi9ua3BJMnFXMlRXMk9RCnh0SmxzOVFWN3hBR0xWTEdZcXJPdWNrL2VnMUxVeFZLcHY0NExCRlpCTGViCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
signerName: kubernetes.io/kube-apiserver-client
expirationSeconds: 86400 # one day
usages:
- client auth
EOF
Approve csr
kubectl certificate approve myuser
Check csr
kubectl get csr/myuser -o yaml
Extract crt
kubectl get csr myuser -o jsonpath='{.status.certificate}'| base64 -d > myuser.crt
Set credential
修改连接配置
kubectl config set-credentials myuser --client-key=myuser.key --client-certificate=myuser.crt --embed-certs=true
查看连接配置
cat ~/.kube/config
使用 myuser
k get ns --user myuser
output
Error from server (Forbidden): namespaces is forbidden: User "myuser" cannot list resource "namespaces" in API group "" at the cluster scope
Grant permission
赋予权限
kubectl create role developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods
kubectl create rolebinding developer-binding-myuser --role=developer --user=myuser
验证权限
k get ns --user myuser
Error from server (Forbidden): namespaces is forbidden: User "myuser" cannot list resource "namespaces" in API group "" at the cluster scope
k get pod --user myuser
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 2 (52s ago) 8d
静态 Token 文件
Put static-token to target folder
mkdir -p /etc/kubernetes/auth
cp static-token /etc/kubernetes/auth
Backup your orginal apiserver
cp /etc/kubernetes/manifests/kube-apiserver.yaml ~/kube-apiserver.yaml
Override your kube-apiserver with the one with static-token config
主要修改 /etc/kubernetes/auth 对应的部分(--token-auth-file 等)
cp ./kube-apiserver.yaml /etc/kubernetes/manifests/kube-apiserver.yaml
api server 自动重启
ks get po -w
检查对象是否修改
ks get po kube-apiserver-cjx -oyaml
搜索 --token-auth-file 对应值
添加用户
修改文件
- root:
/etc/kubernetes/admin.conf - 普通用户:
~/.kube/config
添加
- name: static
user:
token: static-token
Get kubernetes object with static token
curl 命令
执行
k get ns default -v 9
获取 curl 命令
curl -v -XGET -H "Authorization: Bearer static-token" 'https://192.168.1.218:6443/api/v1/namespaces/default' -k
output
......
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "namespaces \"default\" is forbidden: User \"static\" cannot get resource \"namespaces\" in API group \"\" in the namespace \"default\"",
"reason": "Forbidden",
"details": {
"name": "default",
"kind": "namespaces"
},
"code": 403
* Connection #0 to host 192.168.1.218 left intact
}
用户已识别,但是没有权限,鉴权操作后面做
客户端命令(已修改了连接配置后可用)
k get ns --user static
output
Error from server (Forbidden): namespaces is forbidden: User "static" cannot list resource "namespaces" in API group "" at the cluster scope
用户已识别,但是没有权限,鉴权操作后面做
ServiceAccount
系统账户, Kubernetes 自带的, 在每次创建 ns 时会自动创建一个名为 default 的 ServiceAccount
查看 ServiceAccount
以 default namespace 为例
k -n default get sa default -oyaml
output
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: "2022-11-18T13:36:43Z"
name: default
namespace: default
resourceVersion: "411"
uid: 9f9aa11d-b258-432f-b436-e205430632b5
secrets:
- name: default-token-9nl4z
查看 secrets
k -n default get secret default-token-9nl4z -oyaml
token 解码
echo ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklrSkRNRlZmUlhOVldrOVRlbEpYWmtWVll6VlZRbkF5UVU5YVMzYzNORlJqWldaSWNqQkhaSGw0YVUwaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbVJsWm1GMWJIUXRkRzlyWlc0dE9XNXNOSG9pTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1dVlXMWxJam9pWkdWbVlYVnNkQ0lzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVnlkbWxqWlMxaFkyTnZkVzUwTG5WcFpDSTZJamxtT1dGaE1URmtMV0l5TlRndE5ETXlaaTFpTkRNMkxXVXlNRFUwTXpBMk16SmlOU0lzSW5OMVlpSTZJbk41YzNSbGJUcHpaWEoyYVdObFlXTmpiM1Z1ZERwa1pXWmhkV3gwT21SbFptRjFiSFFpZlEucXNDU0lnWWkxLU5rcVZNM3J3b0FZWUlXT2RKVktNRzVZbWYwSDZHMEN6MGUzMlYyQldhNEpmOVJxamJnSXVWLWxvSjAyNU9TZzIzak9HTHZhbVU2cnplZWM3U3BBeVVfclZ1N3g4RkF2U1oxejlxN2NtOGp3MzdCbkpLQUZOTGpDZGMwVHZhS0VFbjBHZ0JQSjY1S3hybEJmOUdRX25CcVJaZHMtT3MxemhuT0pBdEZyMlBjU3JRRGQxUlhWem9hMnJFMFBaTTJhTWNqVnRKcDlhTUJnMVhKd0NnWTRPU0NkZGp1SV93OUdaWnl0MzFVXzhyX3VVRWZMbHV5dWI4SHJrZzFyR1Y0NElobU53NW14cjFSYXhWZHA1WFNoNEc4clFkMjNNTTA0dW44anJtMXV5TW9rQWE1U3p3STFQRUR1TDgwb2FYaUdUNFpRbjctSXZ2bXBB|base64 -d
output
eyJhbGciOiJSUzI1NiIsImtpZCI6IkJDMFVfRXNVWk9TelJXZkVVYzVVQnAyQU9aS3c3NFRjZWZIcjBHZHl4aU0ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tOW5sNHoiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjlmOWFhMTFkLWIyNTgtNDMyZi1iNDM2LWUyMDU0MzA2MzJiNSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.qsCSIgYi1-NkqVM3rwoAYYIWOdJVKMG5Ymf0H6G0Cz0e32V2BWa4Jf9RqjbgIuV-loJ025OSg23jOGLvamU6rzeec7SpAyU_rVu7x8FAvSZ1z9q7cm8jw37BnJKAFNLjCdc0TvaKEEn0GgBPJ65KxrlBf9GQ_nBqRZds-Os1zhnOJAtFr2PcSrQDd1RXVzoa2rE0PZM2aMcjVtJp9aMBg1XJwCgY4OSCddjuI_w9GZZyt31U_8r_uUEfLluyub8Hrkg1rGV44IhmNw5mxr1RaxVdp5XSh4G8rQd23MM04un8jrm1uyMokAa5SzwI1PEDuL80oaXiGT4ZQn7-IvvmpA
JWT token 分三段,用"."分隔
创建 ServiceAccount
控制器会自动生成 token
k create sa demo
k get sa
k get sa demo -oyaml
k get secret demo-token-7k9j2 -oyaml
k get secret demo-token-7k9j2 -oyaml|grep token
webhook
Start authservice
编译
make build
运行 webhook 程序
./bin/amd64/authn-webhook
测试启动结果
curl 192.168.1.218:3000/authenticate
outpur
{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"user":{}}}
Create webhook config
mkdir -p /etc/config
cp webhook-config.json /etc/config
Backup old apiserver
cp /etc/kubernetes/manifests/kube-apiserver.yaml ~/kube-apiserver.yaml
Update apiserver configuration to enable webhook
主要修改: --authentication-token-webhook-config-file=/etc/config/webhook-config.json 相关配置(关键字: /etc/config)
cp specs/kube-apiserver.yaml /etc/kubernetes/manifests/kube-apiserver.yaml
Create a personal access token in github and put your github personal access token to kubeconfig
在 GitHub 上创建 token
https://github.com/settings/tokens/new 下,New GitHub App
复制下来生成的 Token
修改连接配置
vi ~/.kube/config
- name: cjx
user:
token: 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
Get pods by cjx
kubectl get po --user cjx
output
Error from server (Forbidden): pods is forbidden: User "chenjinxin1124" cannot list resource "pods" in API group "" in the namespace "default"
webhook output
2022/11/27 22:32:10 receving request
2022/11/27 22:32:11 [Success] login as chenjinxin1124
Reset the env
cp ~/kube-apiserver.yaml /etc/kubernetes/manifests/kube-apiserver.yaml