{"id":654,"date":"2020-10-19T02:08:26","date_gmt":"2020-10-18T18:08:26","guid":{"rendered":"https:\/\/www.myway5.com\/?p=654"},"modified":"2023-07-05T21:24:04","modified_gmt":"2023-07-05T13:24:04","slug":"kubernetes-authn-authz","status":"publish","type":"post","link":"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/","title":{"rendered":"kubernetes \u4e2d\u7684\u8ba4\u8bc1\u548c\u6388\u6743"},"content":{"rendered":"<h2>\u4e00\u3001\u6982\u8ff0<\/h2>\n<p>kubernetes \u4e2d\u6709\u4e24\u79cd\u7528\u6237\u7c7b\u578b\uff1a<strong>\u670d\u52a1\u8d26\u6237\uff08service account)<\/strong>\u548c <strong>\u666e\u901a\u7528\u6237(user)<\/strong>\u3002\u8fd9\u4e24\u79cd\u7528\u6237\u7c7b\u578b\u5bf9\u5e94\u4e86\u4e24\u79cd\u4f7f\u7528\u573a\u666f\u3002<\/p>\n<p>\u670d\u52a1\u8d26\u6237\u63d0\u4f9b\u7ed9\u5728\u96c6\u7fa4\u4e2d\u8fd0\u884c\u7684 pod\uff0c\u5f53\u8fd9\u4e9b pod \u8981\u548c apiserver \u901a\u4fe1\u65f6\uff0c\u5c31\u662f\u4f7f\u7528 serviceaccount \u6765\u8ba4\u8bc1\u548c\u6388\u6743\u3002\u670d\u52a1\u8d26\u6237\u662f\u5b58\u50a8\u5728 k8s \u96c6\u7fa4\u4e2d\u7684\uff0c\u57fa\u4e8e RBAC\uff0c\u53ef\u4ee5\u548c\u89d2\u8272\u8fdb\u884c\u7ed1\u5b9a\uff0c\u4ece\u800c\u62e5\u6709\u7279\u5b9a\u8d44\u6e90\u7684\u7279\u5b9a\u6743\u9650\u3002<\/p>\n<p>\u666e\u901a\u7528\u6237\u662f\u975e pod \u7684\u573a\u666f\u4e0b\u7528\u6765\u505a\u8ba4\u8bc1\u548c\u6388\u6743\u3002\u6bd4\u5982\u50cf k8s \u7684\u4e00\u4e9b\u5173\u952e\u7ec4\u4ef6: scheduler, kubelet \u548c controller manager\uff0c\u5305\u62ec\u4f7f\u7528 kubectl \u548c k8s \u96c6\u7fa4\u505a\u4ea4\u4e92\u3002<\/p>\n<h2>\u4e8c\u3001\u670d\u52a1\u8d26\u6237<\/h2>\n<h3>2.1 \u81ea\u52a8\u5316<\/h3>\n<p>\u5373\u4f7f\u6211\u4eec\u4e0d\u5728 namespace \u4e0b\u521b\u5efa\u670d\u52a1\u8d26\u6237\uff0c\u4e5f\u4e0d\u4e3a pod \u7ed1\u5b9a\u4efb\u4f55\u7684\u670d\u52a1\u8d26\u6237\uff0cpod \u7684 serviceAccount \u5b57\u6bb5\u4e5f\u4f1a\u88ab\u8bbe\u7f6e\u4e3a default\u3002\u4efb\u4f55 namespace \u4e0b\u90fd\u4f1a\u6709\u8fd9\u6837\u7684\u670d\u52a1\u8d26\u6237\u3002\u6211\u4eec\u53ef\u4ee5\u67e5\u770b\u8fd9\u4e2a\u540d\u4e3a default \u7684\u670d\u52a1\u8d26\u6237\uff0c\u5b83\u4f1a\u5bf9\u5e94\u4e00\u4e2a secret\u3002secret \u4e2d\u8bb0\u5f55\u4e86 ca.crt\uff0cnamespace \u548c token \u8fd9\u4e09\u4e2a\u503c\u3002<\/p>\n<p>\u8fd9\u6574\u4e2a\u8fc7\u7a0b\u7531\u4e09\u4e2a\u7ec4\u4ef6\u5b8c\u6210\uff1a<\/p>\n<ul>\n<li>\u670d\u52a1\u8d26\u6237\u51c6\u5165\u63a7\u5236\u5668\uff08Service account admission controller\uff09<\/li>\n<li>Token \u63a7\u5236\u5668\uff08Token controller\uff09<\/li>\n<li>\u670d\u52a1\u8d26\u6237\u63a7\u5236\u5668\uff08Service account controller\uff09<\/li>\n<\/ul>\n<p>\u5176\u4e2d\uff0c\u670d\u52a1\u8d26\u6237\u63a7\u5236\u5668\u8d1f\u8d23\u5728\u6bcf\u4e2a namespace \u4e0b\u7ef4\u62a4\u9ed8\u8ba4\u7684\u670d\u52a1\u8d26\u6237\u3002\u8fd9\u6837\u5f53\u65b0\u7684 namespace \u88ab\u521b\u5efa\u540e\uff0c\u5c31\u4f1a\u81ea\u52a8\u521b\u5efa\u4e00\u4e2a default \u670d\u52a1\u8d26\u6237\u3002\u5373\u4f7f\u5220\u9664\u4e86\u8be5\u670d\u52a1\u8d26\u6237\uff0c\u4e5f\u4f1a\u7acb\u523b\u88ab\u91cd\u65b0\u81ea\u52a8\u521b\u5efa\u51fa\u6765\u3002<\/p>\n<p>token \u63a7\u5236\u5668\u8d1f\u8d23\u4ee5\u4e0b\u51e0\u9879\u5de5\u4f5c\uff1a<\/p>\n<ul>\n<li>\u68c0\u6d4b\u670d\u52a1\u8d26\u6237\u7684\u521b\u5efa\uff0c\u5e76\u4e14\u521b\u5efa\u76f8\u5e94\u7684 Secret \u4ee5\u652f\u6301 API \u8bbf\u95ee\u3002<\/li>\n<li>\u68c0\u6d4b\u670d\u52a1\u8d26\u6237\u7684\u5220\u9664\uff0c\u5e76\u4e14\u5220\u9664\u6240\u6709\u76f8\u5e94\u7684\u670d\u52a1\u8d26\u6237 Token Secret\u3002<\/li>\n<li>\u68c0\u6d4b Secret \u7684\u589e\u52a0\uff0c\u4fdd\u8bc1\u76f8\u5e94\u7684\u670d\u52a1\u8d26\u6237\u5b58\u5728\uff0c\u5982\u6709\u9700\u8981\uff0c\u4e3a Secret \u589e\u52a0 token\u3002<\/li>\n<li>\u68c0\u6d4b Secret \u7684\u5220\u9664\uff0c\u5982\u6709\u9700\u8981\uff0c\u4ece\u76f8\u5e94\u7684\u670d\u52a1\u8d26\u6237\u4e2d\u79fb\u9664\u5f15\u7528\u3002<\/li>\n<\/ul>\n<p>\u81f3\u4e8e\u4e3a\u4ec0\u4e48\u9700\u8981\u4e3a\u670d\u52a1\u8d26\u6237\u521b\u5efa token \u5e76\u751f\u6210 secret\uff0c\u5c06\u5728\u540e\u9762\u63d0\u5230\u3002<\/p>\n<p>\u73b0\u5728\u6211\u4eec\u77e5\u9053\u4e86\u670d\u52a1\u8d26\u53f7\u548c\u5176 token \u7684\u81ea\u52a8\u5316\u8fc7\u7a0b\u3002\u90a3\u670d\u52a1\u8d26\u6237\u51c6\u5165\u63a7\u5236\u5668\u53c8\u662f\u4ec0\u4e48\u4f5c\u7528\u5462\uff1f\u6211\u4eec\u5c06\u76ee\u5149\u6295\u5230 pod \u521b\u5efa\u7684\u8fc7\u7a0b\u4e2d\uff0c\u5927\u591a\u6570\u65f6\u5019\u6211\u4eec\u90fd\u4e0d\u4f1a\u4e3a pod \u6307\u5b9a\u670d\u52a1\u8d26\u6237\u3002\u90a3\u4e48 pod \u5728\u521b\u5efa\u6210\u529f\u540e\uff0c\u5173\u8054\u7684 default \u670d\u52a1\u8d26\u6237\u662f\u600e\u4e48\u56de\u4e8b\u5462\uff1f<\/p>\n<p>\u8fd9\u91cc\u5c31\u662f\u670d\u52a1\u8d26\u6237\u51c6\u5165\u63a7\u5236\u5668\u7684\u4f5c\u7528\u4e86\u3002\u5b83\u901a\u8fc7 admission controller \u7684\u673a\u5236\u6765\u5bf9 pod \u8fdb\u884c\u4fee\u6539\u3002\u5728 pod \u88ab\u521b\u5efa\u6216\u66f4\u65b0\u65f6\uff0c\u4f1a\u6267\u884c\u4ee5\u4e0b\u64cd\u4f5c\uff1a<\/p>\n<ul>\n<li>\u5982\u679c\u8be5 pod \u6ca1\u6709 <code>ServiceAccount<\/code> \u8bbe\u7f6e\uff0c\u5c06\u5176 <code>ServiceAccount<\/code> \u8bbe\u4e3a <code>default<\/code>\u3002<\/p>\n<\/li>\n<li>\n<p>\u4fdd\u8bc1 pod \u6240\u5173\u8054\u7684 <code>ServiceAccount<\/code> \u5b58\u5728\uff0c\u5426\u5219\u62d2\u7edd\u8be5 pod\u3002<\/p>\n<\/li>\n<li>\n<p>\u5982\u679c pod \u4e0d\u5305\u542b <code>ImagePullSecrets<\/code> \u8bbe\u7f6e\uff0c\u90a3\u4e48 \u5c06 <code>ServiceAccount<\/code> \u4e2d\u7684 <code>ImagePullSecrets<\/code> \u4fe1\u606f\u6dfb\u52a0\u5230 pod \u4e2d\u3002<\/p>\n<\/li>\n<li>\n<p>\u5c06\u4e00\u4e2a\u5305\u542b\u7528\u4e8e API \u8bbf\u95ee\u7684 token \u7684 <code>volume<\/code> \u6dfb\u52a0\u5230 pod \u4e2d\u3002<\/p>\n<\/li>\n<li>\n<p>\u5c06\u6302\u8f7d\u4e8e <code>\/var\/run\/secrets\/kubernetes.io\/serviceaccount<\/code> \u7684 <code>volumeSource<\/code> \u6dfb\u52a0\u5230 pod \u4e0b\u7684\u6bcf\u4e2a\u5bb9\u5668\u4e2d\u3002<\/p>\n<\/li>\n<\/ul>\n<h3>2.2 \u8ba4\u8bc1<\/h3>\n<p>\u5047\u8bbe\u6211\u4eec\u7684 pod \u5df2\u7ecf\u8bbe\u7f6e\u597d\u4e86\u670d\u52a1\u8d26\u6237\uff0c\u73b0\u5728\u8981\u548c apiserver \u901a\u4fe1\uff0c\u90a3\u4e48 apiserver \u662f\u600e\u4e48\u8ba4\u8bc1\u8fd9\u4e2a\u670d\u52a1\u8d26\u6237\u662f\u6709\u6548\u7684\u5462\uff1f<\/p>\n<p>\u6211\u4eec\u5728\u4e0a\u9762\u63d0\u5230\uff0ctoken \u63a7\u5236\u5668\u4f1a\u4e3a\u670d\u52a1\u8d26\u6237\u521b\u5efa secret\uff0csecret \u4e2d\u7684 token \u5c31\u662f\u670d\u52a1\u8d26\u6237\u7684\u6821\u9a8c\u4fe1\u606f\uff0c\u5177\u4f53\u6765\u8bf4\u662f\u901a\u8fc7 JWT \u6765\u8ba4\u8bc1\u7684\u3002\u8fd9\u4e2a token \u4e2d\u4f1a\u5b58\u50a8\u670d\u52a1\u8d26\u6237\u6240\u5728\u7684\u547d\u540d\u7a7a\u95f4\uff0c\u540d\u79f0\uff0cUID \u548c secret \u7684\u540d\u79f0\u7b49\u4fe1\u606f\u3002\u5982\u679c\u4f60\u5bf9 token \u5185\u5bb9\u611f\u5174\u8da3\u7684\u8bdd\uff0c\u53ef\u4ee5\u5c06 token \u503c\u7528 base64 \u89e3\u7801\uff0c\u7c98\u8d34\u5230<a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/jwt.io\/#debugger-io\">\u8fd9\u91cc<\/a>\u770b\u770b token \u4e2d\u7684\u5185\u5bb9\u3002\u7136\u540e\u4e5f\u53ef\u4ee5\u5c06\u79c1\u94a5\u548c\u516c\u94a5\u7c98\u8d34\u4e0a\u53bb\u9a8c\u8bc1\u7b7e\u540d\u662f\u5426\u6b63\u786e\u3002\u5177\u4f53\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"language-yaml line-numbers\">{\n  \"iss\": \"kubernetes\/serviceaccount\",\n  \"kubernetes.io\/serviceaccount\/namespace\": \"default\",\n  \"kubernetes.io\/serviceaccount\/secret.name\": \"default-token-894m5\",\n  \"kubernetes.io\/serviceaccount\/service-account.name\": \"default\",\n  \"kubernetes.io\/serviceaccount\/service-account.uid\": \"df5a8a9c-14d4-44c7-a55f-0100f51fc848\",\n  \"sub\": \"system:serviceaccount:default:default\"\n}\n<\/code><\/pre>\n<p>\u8fd9\u4e2a token \u5728\u751f\u6210\u7684\u8fc7\u7a0b\u4e2d\uff0c\u4f7f\u7528\u4e86\u670d\u52a1\u8d26\u6237\u4e13\u5c5e\u7684\u79c1\u94a5\u8fdb\u884c\u7b7e\u540d\uff0c\u8fd9\u4e2a\u79c1\u94a5\u662f\u5728 contrller-manager \u542f\u52a8\u65f6\uff0c\u901a\u8fc7<code>--service-account-private-key-file<\/code>\u4f20\u8fdb\u53bb\u7684\u3002\u540c\u6837\u7684\uff0c\u4e3a\u4e86\u5728 apiserver \u4e2d\u5bf9\u8fd9\u4e2a token \u8fdb\u884c\u6821\u9a8c\uff0c\u9700\u8981\u5728 apiserver \u542f\u52a8\u65f6\u901a\u8fc7\u53c2\u6570<code>--service-account-key-file<\/code>\u4f20\u5165\u5bf9\u5e94\u7684\u516c\u94a5\u3002<\/p>\n<h3>2.3 \u6388\u6743<\/h3>\n<p>\u8ba4\u8bc1\u7684\u95ee\u9898\u89e3\u51b3\u4e86\uff0c\u90a3\u4e48 apiserver \u600e\u4e48\u77e5\u9053\u8be5\u8bf7\u6c42\u7684\u670d\u52a1\u8d26\u6237\u662f\u5426\u6709\u6743\u9650\u64cd\u4f5c\u5f53\u524d\u7684\u8d44\u6e90\u5462\uff1f\u5728 k8s \u4e2d\uff0c\u5e38\u7528\u7684\u6388\u6743\u7b56\u7565\u5c31\u662f RBAC \u4e86\u3002\u6211\u4eec\u901a\u8fc7\u5c06\u670d\u52a1\u8d26\u6237\u548c\u89d2\u8272\u5173\u8054\uff0c\u5c31\u53ef\u4ee5\u8ba9\u670d\u52a1\u8d26\u6237\u6709\u6307\u5b9a\u8d44\u6e90\u7684\u76f8\u5173\u64cd\u4f5c\u6743\u9650\u4e86\u3002<\/p>\n<h2>\u4e09\u3001\u666e\u901a\u7528\u6237<\/h2>\n<h3>3.1 \u8ba4\u8bc1<\/h3>\n<p>\u4e0d\u540c\u4e8e\u670d\u52a1\u8d26\u6237\u7684\u662f\uff0ck8s \u672c\u8eab\u5e76\u4e0d\u5b58\u50a8\u666e\u901a\u7528\u6237\u7684\u4efb\u4f55\u4fe1\u606f\uff0c\u90a3\u4e48 apiserver \u662f\u5982\u4f55\u8ba4\u8bc1\u666e\u901a\u7528\u6237\u7684\u5462\uff1f<\/p>\n<p>\u5728\u521b\u5efa k8s \u96c6\u7fa4\u65f6\uff0c\u4e00\u822c\u90fd\u4f1a\u6709\u4e00\u4e2a\u6839\u8bc1\u4e66\u8d1f\u8d23\u7b7e\u53d1\u96c6\u7fa4\u4e2d\u6240\u9700\u7684\u5176\u4ed6\u8bc1\u4e66\u3002\u90a3\u4e48\u53ef\u4ee5\u8ba4\u4e3a\uff0c\u5982\u679c\u4e00\u4e2a\u666e\u901a\u7528\u6237\u53ef\u4ee5\u63d0\u4f9b\u7531\u6839\u8bc1\u4e66\u7b7e\u53d1\u7684\u8bc1\u4e66\uff0c\u4ed6\u5c31\u662f\u4e00\u4e2a\u5408\u6cd5\u7684\u7528\u6237\u3002\u5176\u4e2d\uff0c\u8bc1\u4e66\u7684 common name \u5c31\u662f\u7528\u6237\u540d\uff0corgnization \u662f\u7528\u6237\u7ec4\u3002\u6bd4\u5982\u6211\u4eec\u672c\u5730\u96c6\u7fa4\u4e0a\u7684 controller-manager \u7684\u8bc1\u4e66\u4fe1\u606f\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"language-yaml line-numbers\">$ cfssl certinfo -cert controller-manager.pem\n{\n  \"subject\": {\n    \"common_name\": \"system:kube-controller-manager\",\n    \"names\": [\n      \"system:kube-controller-manager\"\n    ]\n  },\n  \"issuer\": {\n    \"common_name\": \"kubernetes\",\n    \"names\": [\n      \"kubernetes\"\n    ]\n  },\n  \"serial_number\": \"7884702304157281003\",\n  \"not_before\": \"2020-10-09T05:51:52Z\",\n  \"not_after\": \"2021-10-09T05:51:54Z\",\n  \"sigalg\": \"SHA256WithRSA\",\n  \"authority_key_id\": \"11:F5:D7:48:AE:2E:7F:59:DD:4C:C4:A8:97:D2:C0:21:98:C6:3A:A7\",\n  \"subject_key_id\": \"\",\n  \"pem\": \"-----BEGIN CERTIFICATE-----\\nMIIDCDCCAfCgAwIBAgIIbWwW+H7\/quswDQYJKoZIhvcNAQELBQAwFTETMBEGA1UE\\nAxMKa3ViZXJuZXRlczAeFw0yMDEwMDkwNTUxNTJaFw0yMTEwMDkwNTUxNTRaMCkx\\nJzAlBgNVBAMTHnN5c3RlbTprdWJlLWNvbnRyb2xsZXItbWFuYWdlcjCCASIwDQYJ\\nKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPCkXDAttbJHnoLuhGFPr\/28ag8NoI5\\nY0e00uv3ltyHlakfCeOV48eBgpMka3BdUxFOTHI5wtumlU3iymdDvTnKkLc75v6p\\nQ0Hfx0DYz8ykDcHQ04hIsgyXecaHl+hfy90bYAbF8V43MjA0X2VmIyLxS6wXgeM6\\n8d\/jc1X8Ggpw53ow7L4XiCMlXDPwzLlVUThYHRN+PA5EdADZHAzgXjsyg379\/ori\\nbS\/NZtmizzfHGWugrfwBGPL187mp1xN1tyjR+7obtsQYpgZ0Emz74fWNlike2I69\\ntlBDWYC5ddsbHtDu4h\/H5guwFtZ3+VVLogyw3CntPvoV840Ro5jxmtMCAwEAAaNI\\nMEYwDgYDVR0PAQH\/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB8GA1UdIwQY\\nMBaAFBH110iuLn9Z3UzEqJfSwCGYxjqnMA0GCSqGSIb3DQEBCwUAA4IBAQBvUxh0\\n+TDJn19qJPWXu5MGrRs1Efn+KCgSVMDcak9MfnG3kzCZ94SKw5PRYGQ6fzuUsgwT\\nkbGJ3o4PR\/BkZ9R2UUHa2prydQTHN+Qb\/DuF3kVYTRbWxTN3br8Tp1uqiQVOLPe0\\nrfRelwVR6y39O5Wc3VQCnQKM\/ih4k2LKGwinq2sO7HN6pjwoKfapaOb050vrGOTu\\n5RmX+SWs7CeWzITjC3sLfFyP\/lh8zK7TINOKRx1\/QBHlCnX4wnsXpOIe4Jf4ol1b\\nKKGcicAcSrj252oOIxspAW8a7vX4DjVGRTSneQen5wbHeZbkeMyuvAVs2a73x94d\\nfTH4K9+zxCLAVZFs\\n-----END CERTIFICATE-----\\n\"\n}\n<\/code><\/pre>\n<p>\u5176\u4e2d\uff0csubject \u662f\u8bc1\u4e66\u7533\u8bf7\u4eba\u7684\u4fe1\u606f\uff0cissuer \u662f\u7b7e\u53d1\u4eba\u7684\u4fe1\u606f\u3002\u8fd9\u91cc\u53ef\u4ee5\u77e5\u9053\uff0ccontroller-manager \u4f7f\u7528\u7684\u662f <code>system:kube-controller-manager<\/code> \u8fd9\u4e2a\u7528\u6237\u3002<\/p>\n<h3>3.2 \u6388\u6743<\/h3>\n<p>\u8ddf\u670d\u52a1\u8d26\u6237\u7684\u6388\u6743\u4e00\u6837\uff0c\u666e\u901a\u7528\u6237\u4e5f\u53ef\u4ee5\u901a\u8fc7 RBAC \u7684\u673a\u5236\u6765\u7ed1\u5b9a\u89d2\u8272\uff0c\u7136\u540e\u62e5\u6709\u67d0\u4e9b\u8d44\u6e90\u7684\u67d0\u4e9b\u6743\u9650\u3002\u6bd4\u5982 controller-manager \u7684 ClusterRoleBinding \u4fe1\u606f\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"line-numbers\">$ kubectl get clusterrolebinding  system:kube-controller-manager -o yaml\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n  annotations:\n    rbac.authorization.kubernetes.io\/autoupdate: \"true\"\n  creationTimestamp: \"2020-09-22T12:33:24Z\"\n  labels:\n    kubernetes.io\/bootstrapping: rbac-defaults\n  name: system:kube-controller-manager\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: system:kube-controller-manager\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n  kind: User\n  name: system:kube-controller-manager\n<\/code><\/pre>\n<p>\u4e5f\u5c31\u662f\u7ed1\u5b9a\u5230\u4e86 <code>system:kube-controller-manager<\/code> \u8fd9\u4e2a\u96c6\u7fa4\u89d2\u8272\uff0c\u5982\u679c\u4f60\u611f\u5174\u8da3\u7684\u8bdd\uff0c\u8fd8\u53ef\u4ee5\u7ee7\u7eed\u770b\u8fd9\u4e2a\u89d2\u8272\u7ed1\u5b9a\u4e86\u54ea\u4e9b\u8d44\u6e90\u6781\u5176\u64cd\u4f5c\u6743\u9650\u3002<\/p>\n<h3>3.3 \u5b9e\u8df5<\/h3>\n<p>\u56e0\u4e3a\u666e\u901a\u7528\u6237\u9700\u8981\u6211\u4eec\u81ea\u5df1\u4e3a\u5176\u7b7e\u53d1\u8bc1\u4e66\uff0c\u7136\u540e\u6388\u6743\u3002\u4e0b\u9762\u7528\u4e00\u4e2a\u7b80\u5355\u7684\u4f8b\u5b50\u6765\u8d70\u4e00\u904d\u3002<\/p>\n<p>\u9996\u5148\u521b\u5efa\u4e00\u4e2a\u8bc1\u4e66\u7b7e\u53d1\u8bf7\u6c42\u7684 json \u6587\u4ef6\uff1a<\/p>\n<pre><code class=\"language-json line-numbers\">{\n    \"CN\": \"jiang\",\n    \"key\": {\n        \"algo\": \"ecdsa\",\n        \"size\": 256\n    },\n    \"names\": [\n        {\n            \"O\": \"dev\"\n        }\n    ]\n}\n<\/code><\/pre>\n<p>CN \u662f common name \u7684\u7b80\u5199\u3002\u4e5f\u5c31\u662f\u6211\u4eec\u8981\u8bbe\u7f6e\u7684\u7528\u6237\u540d\u3002O \u662f orgnization \u7684\u7b80\u5199\uff0c\u53ef\u4ee5\u7406\u89e3\u4e3a\u7528\u6237\u7ec4\u3002\u63a5\u4e0b\u6765\u7528 k8s \u7684\u6839\u8bc1\u4e66\u7b7e\u53d1\uff0c\u9700\u8981 ca.crt \u548c ca.key\u3002\u8fd9\u4e24\u4e2a\u6587\u4ef6\u53ef\u4ee5\u5728 master \u8282\u70b9\u4e0a\u7684 <code>\/etc\/kubernetes\/certs<\/code>\u6216\u5176\u4ed6\u5730\u65b9\u627e\u5230\u3002<\/p>\n<pre><code class=\"language-shell line-numbers\">cfssl gencert -ca ca.crt -ca-key=ca.key jiang.json | cfssljson -bare jiang\n<\/code><\/pre>\n<p>\u8fd9\u6761\u547d\u4ee4\u4f1a\u751f\u6210\u4e09\u4e2a\u65b0\u7684\u6587\u4ef6:<\/p>\n<ul>\n<li>jiang-key.pem\uff1a\u79c1\u94a5<\/li>\n<li>jiang.pem\uff1a\u8bc1\u4e66<\/li>\n<li>jiang.csr: \u8bc1\u4e66\u7b7e\u53d1\u8bf7\u6c42\u6587\u4ef6<\/li>\n<\/ul>\n<p>\u4e0b\u9762\u6211\u4eec\u7528 jiang \u7684\u79c1\u94a5\u548c\u8bc1\u4e66\u751f\u6210 kubeconfig \u4e2d\u7684\u7528\u6237\uff1a<\/p>\n<pre><code class=\"language-shell line-numbers\">kubectl config set-credentials jiang --client-key=.\/jiang-key.pem --client-certificate=.\/jiang.pem --embed-certs\n<\/code><\/pre>\n<p>\u63a5\u4e0b\u6765\u751f\u6210\u65b0\u7684 context\uff0c\u6307\u5b9a k8s \u96c6\u7fa4\u8981\u4f7f\u7528\u7684\u7528\u6237\uff1a<\/p>\n<pre><code class=\"language-shell line-numbers\">kubectl config set-context k8s-jiang --user=jiang --cluster=k8s\n<\/code><\/pre>\n<p>\u4e3a jiang \u8fd9\u4e2a\u7528\u6237\u521b\u5efa\u89d2\u8272\u548c\u7ed1\u5b9a\u3002\u8fd9\u91cc\u53ea\u5141\u8bb8 jiang \u8fd9\u4e2a\u7528\u6237\u8bfb\u53d6 default namespace \u4e0b\u7684 pod\u3002<\/p>\n<pre><code class=\"language-yaml line-numbers\">apiVersion: rbac.authorization.k8s.io\/v1\nkind: Role\nmetadata:\n    name: pod-reader\n    namespace: default\nrules:\n- apiGroups: [\"\"]\n  resources: [\"pods\"]\n  verbs: [\"get\", \"watch\", \"list\"]\n\n---\n\napiVersion: rbac.authorization.k8s.io\/v1\nkind: RoleBinding\nmetadata:\n    name: read-pods\n    namespace: default\nsubjects:\n- kind: User\n  name: jiang\n  apiGroup: rbac.authorization.k8s.io\nroleRef:\n  kind: Role\n  name: pod-reader\n  apiGroup: rbac.authorization.k8s.io\n<\/code><\/pre>\n<p>\u8fd9\u6837\u5c31\u5b8c\u6210\u4e86\u5bf9 jiang \u8fd9\u4e2a\u7528\u6237\u7684\u8ba4\u8bc1\u548c\u6388\u6743\u4e86\u3002\u4f7f\u7528\u4e0b\u9762\u547d\u4ee4\u5207\u6362\u5230\u8fd9\u4e2a\u7528\u6237\uff1a<\/p>\n<pre><code class=\"language-shell line-numbers\">kubectl config use-context k8s-jiang\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u4e00\u3001\u6982\u8ff0 kubernetes \u4e2d\u6709\u4e24\u79cd\u7528\u6237\u7c7b\u578b\uff1a\u670d\u52a1\u8d26\u6237\uff08service account)\u548c \u666e\u901a\u7528\u6237(us &hellip; <a href=\"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/\" class=\"more-link\">\u7ee7\u7eed\u9605\u8bfb<span class=\"screen-reader-text\">kubernetes \u4e2d\u7684\u8ba4\u8bc1\u548c\u6388\u6743<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[89],"tags":[],"class_list":["post-654","post","type-post","status-publish","format-standard","hentry","category-k8s"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>kubernetes \u4e2d\u7684\u8ba4\u8bc1\u548c\u6388\u6743 - \u4e00\u53ea\u5b89\u9759\u7684\u732b<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"kubernetes \u4e2d\u7684\u8ba4\u8bc1\u548c\u6388\u6743 - \u4e00\u53ea\u5b89\u9759\u7684\u732b\" \/>\n<meta property=\"og:description\" content=\"\u4e00\u3001\u6982\u8ff0 kubernetes \u4e2d\u6709\u4e24\u79cd\u7528\u6237\u7c7b\u578b\uff1a\u670d\u52a1\u8d26\u6237\uff08service account)\u548c \u666e\u901a\u7528\u6237(us &hellip; \u7ee7\u7eed\u9605\u8bfbkubernetes \u4e2d\u7684\u8ba4\u8bc1\u548c\u6388\u6743\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/\" \/>\n<meta property=\"og:site_name\" content=\"\u4e00\u53ea\u5b89\u9759\u7684\u732b\" \/>\n<meta property=\"article:published_time\" content=\"2020-10-18T18:08:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-07-05T13:24:04+00:00\" \/>\n<meta name=\"author\" content=\"jiangpengfei\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"jiangpengfei\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/\"},\"author\":{\"name\":\"jiangpengfei\",\"@id\":\"https:\/\/www.myway5.com\/#\/schema\/person\/b19267e8b106343431e163ec96950685\"},\"headline\":\"kubernetes \u4e2d\u7684\u8ba4\u8bc1\u548c\u6388\u6743\",\"datePublished\":\"2020-10-18T18:08:26+00:00\",\"dateModified\":\"2023-07-05T13:24:04+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/\"},\"wordCount\":146,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.myway5.com\/#\/schema\/person\/b19267e8b106343431e163ec96950685\"},\"articleSection\":[\"k8s\"],\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/\",\"url\":\"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/\",\"name\":\"kubernetes \u4e2d\u7684\u8ba4\u8bc1\u548c\u6388\u6743 - \u4e00\u53ea\u5b89\u9759\u7684\u732b\",\"isPartOf\":{\"@id\":\"https:\/\/www.myway5.com\/#website\"},\"datePublished\":\"2020-10-18T18:08:26+00:00\",\"dateModified\":\"2023-07-05T13:24:04+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9875\",\"item\":\"https:\/\/www.myway5.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"kubernetes \u4e2d\u7684\u8ba4\u8bc1\u548c\u6388\u6743\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.myway5.com\/#website\",\"url\":\"https:\/\/www.myway5.com\/\",\"name\":\"\u4e00\u53ea\u5b89\u9759\u7684\u732b\",\"description\":\"\u60f3\u5565\u5462\",\"publisher\":{\"@id\":\"https:\/\/www.myway5.com\/#\/schema\/person\/b19267e8b106343431e163ec96950685\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.myway5.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-Hans\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/www.myway5.com\/#\/schema\/person\/b19267e8b106343431e163ec96950685\",\"name\":\"jiangpengfei\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-Hans\",\"@id\":\"https:\/\/www.myway5.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f8c7de757f6e0247412bcfd31b7c2271?s=96&d=monsterid&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f8c7de757f6e0247412bcfd31b7c2271?s=96&d=monsterid&r=g\",\"caption\":\"jiangpengfei\"},\"logo\":{\"@id\":\"https:\/\/www.myway5.com\/#\/schema\/person\/image\/\"},\"url\":\"https:\/\/www.myway5.com\/index.php\/author\/joyme\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"kubernetes \u4e2d\u7684\u8ba4\u8bc1\u548c\u6388\u6743 - \u4e00\u53ea\u5b89\u9759\u7684\u732b","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/","og_locale":"zh_CN","og_type":"article","og_title":"kubernetes \u4e2d\u7684\u8ba4\u8bc1\u548c\u6388\u6743 - \u4e00\u53ea\u5b89\u9759\u7684\u732b","og_description":"\u4e00\u3001\u6982\u8ff0 kubernetes \u4e2d\u6709\u4e24\u79cd\u7528\u6237\u7c7b\u578b\uff1a\u670d\u52a1\u8d26\u6237\uff08service account)\u548c \u666e\u901a\u7528\u6237(us &hellip; \u7ee7\u7eed\u9605\u8bfbkubernetes \u4e2d\u7684\u8ba4\u8bc1\u548c\u6388\u6743","og_url":"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/","og_site_name":"\u4e00\u53ea\u5b89\u9759\u7684\u732b","article_published_time":"2020-10-18T18:08:26+00:00","article_modified_time":"2023-07-05T13:24:04+00:00","author":"jiangpengfei","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"jiangpengfei","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"3 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/#article","isPartOf":{"@id":"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/"},"author":{"name":"jiangpengfei","@id":"https:\/\/www.myway5.com\/#\/schema\/person\/b19267e8b106343431e163ec96950685"},"headline":"kubernetes \u4e2d\u7684\u8ba4\u8bc1\u548c\u6388\u6743","datePublished":"2020-10-18T18:08:26+00:00","dateModified":"2023-07-05T13:24:04+00:00","mainEntityOfPage":{"@id":"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/"},"wordCount":146,"commentCount":0,"publisher":{"@id":"https:\/\/www.myway5.com\/#\/schema\/person\/b19267e8b106343431e163ec96950685"},"articleSection":["k8s"],"inLanguage":"zh-Hans","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/","url":"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/","name":"kubernetes \u4e2d\u7684\u8ba4\u8bc1\u548c\u6388\u6743 - \u4e00\u53ea\u5b89\u9759\u7684\u732b","isPartOf":{"@id":"https:\/\/www.myway5.com\/#website"},"datePublished":"2020-10-18T18:08:26+00:00","dateModified":"2023-07-05T13:24:04+00:00","breadcrumb":{"@id":"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.myway5.com\/index.php\/2020\/10\/19\/kubernetes-authn-authz\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"https:\/\/www.myway5.com\/"},{"@type":"ListItem","position":2,"name":"kubernetes \u4e2d\u7684\u8ba4\u8bc1\u548c\u6388\u6743"}]},{"@type":"WebSite","@id":"https:\/\/www.myway5.com\/#website","url":"https:\/\/www.myway5.com\/","name":"\u4e00\u53ea\u5b89\u9759\u7684\u732b","description":"\u60f3\u5565\u5462","publisher":{"@id":"https:\/\/www.myway5.com\/#\/schema\/person\/b19267e8b106343431e163ec96950685"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.myway5.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-Hans"},{"@type":["Person","Organization"],"@id":"https:\/\/www.myway5.com\/#\/schema\/person\/b19267e8b106343431e163ec96950685","name":"jiangpengfei","image":{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/www.myway5.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/f8c7de757f6e0247412bcfd31b7c2271?s=96&d=monsterid&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f8c7de757f6e0247412bcfd31b7c2271?s=96&d=monsterid&r=g","caption":"jiangpengfei"},"logo":{"@id":"https:\/\/www.myway5.com\/#\/schema\/person\/image\/"},"url":"https:\/\/www.myway5.com\/index.php\/author\/joyme\/"}]}},"views":5599,"_links":{"self":[{"href":"https:\/\/www.myway5.com\/index.php\/wp-json\/wp\/v2\/posts\/654","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.myway5.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.myway5.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.myway5.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.myway5.com\/index.php\/wp-json\/wp\/v2\/comments?post=654"}],"version-history":[{"count":3,"href":"https:\/\/www.myway5.com\/index.php\/wp-json\/wp\/v2\/posts\/654\/revisions"}],"predecessor-version":[{"id":657,"href":"https:\/\/www.myway5.com\/index.php\/wp-json\/wp\/v2\/posts\/654\/revisions\/657"}],"wp:attachment":[{"href":"https:\/\/www.myway5.com\/index.php\/wp-json\/wp\/v2\/media?parent=654"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.myway5.com\/index.php\/wp-json\/wp\/v2\/categories?post=654"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.myway5.com\/index.php\/wp-json\/wp\/v2\/tags?post=654"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}