I. Introduction
1. Overview
The API server is the entry point for managing and using Kubernetes; its API is split into many groups. Every component that connects to the API server, such as the scheduler and the controller manager, must authenticate to it with a private key and SSL certificate, a token, or a similar credential. Authentication establishes identity; authorization then checks permissions. Client authentication information is stored in the kubeconfig client configuration file.
2. Requesting the API server through a proxy
Create the proxy:
[root@master1 ~]# kubectl proxy --port=8090
Because kubectl proxy has already authenticated to Kubernetes on your behalf, requests can be sent straight to the proxy without further authentication. For example, to view resource instances through the proxy:
View deployment information:
[root@master1 ~]# curl http://localhost:8090/apis/apps/v1/namespaces/kubectl-system/deployments
{
  "kind": "DeploymentList",
  "apiVersion": "apps/v1",
  "metadata": {
    "selfLink": "/apis/apps/v1/namespaces/kubectl-system/deployments",
    "resourceVersion": "751447"
  },
  "items": []
}
View the namespaces under the core API group:
[root@master1 ~]# curl http://localhost:8090/api/v1/namespaces
Generic access path (object URL):
/apis/<GROUP>/<VERSION>/namespaces/<NAMESPACE_NAME>/<KIND>[/OBJECT_ID]/
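The two curl requests above use different prefixes (/api/v1 versus /apis/apps/v1) because the legacy core group has an empty group name and lives under /api. As an added example, not code from the original post, the helper below builds object URLs following the generic pattern above and handles that core-group case, cluster-scoped resources, and single objects. The proxy address http://localhost:8090 is assumed from the kubectl proxy command above.

```python
# Added example: build API server resource paths from the generic pattern
# /apis/<GROUP>/<VERSION>/namespaces/<NAMESPACE_NAME>/<KIND>[/OBJECT_ID].
# The core group ("") is addressed as /api/<VERSION> instead of /apis/<GROUP>/<VERSION>.
def object_url(kind, version="v1", group="", namespace=None, name=None):
    """Return the URL path of a resource collection or a single object.

    kind      -- plural resource name as used in the URL, e.g. "pods"
    group     -- API group; "" selects the legacy core group (/api/v1)
    namespace -- None for cluster-scoped resources such as "namespaces"
    name      -- None to address the whole collection (a *List response)
    """
    if not kind or not version:
        raise ValueError("kind and version are required")
    parts = ["apis", group, version] if group else ["api", version]
    if namespace is not None:
        parts += ["namespaces", namespace]
    parts.append(kind)
    if name is not None:
        parts.append(name)
    return "/" + "/".join(parts)


def proxy_url(path, proxy="http://localhost:8090"):
    """Prefix a resource path with the kubectl proxy address (port 8090 assumed)."""
    return proxy.rstrip("/") + path


if __name__ == "__main__":
    # Reproduces the two requests shown above, plus a single Pod object.
    print(proxy_url(object_url("deployments", group="apps", namespace="default")))
    print(proxy_url(object_url("namespaces")))
    print(proxy_url(object_url("pods", namespace="default", name="podcm1")))
```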
II. serviceaccount (sa for short)
Create and view a serviceaccount; after creation, a token secret for admin is generated automatically:
[root@master1 volumes]# kubectl create serviceaccount admin
serviceaccount/admin created
[root@master1 volumes]# kubectl get sa
NAME      SECRETS   AGE
admin     1         8s
default   1         13d
[root@master1 volumes]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
admin-token-xrz4c     kubernetes.io/service-account-token   3      20s
default-token-5wbc9   kubernetes.io/service-account-token   3      13d
mysql-root-password   Opaque                                1      2d21h
Make a Pod use the custom sa account admin:
apiVersion: v1
kind: Pod
metadata:
  name: podcm1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    qjbj.com/created.by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
  serviceAccountName: admin
- kubectl create serviceaccount mysa -o yaml --dry-run: prints, in YAML format, the manifest you would otherwise write by hand; the output can also be redirected to a file. --dry-run lets you test the command without creating anything.
- kubectl config view: a commonly used option for viewing the configuration.
Notes:
Tips for creating resources quickly:
1. If a resource can be created with kubectl create, add --dry-run -o yaml and redirect the output to a YAML file;
2. kubectl get pods PODNAME -o yaml --export exports the current pod resource to a YAML configuration file;
III. Kubernetes configuration
1. kubeconfig
The kubeconfig client configuration file is managed with the kubectl config command; by default it lives in the user's home directory (${HOME}/.kube/config). The available operations are listed below:
[root@master1 volumes]# kubectl config --help
Modify kubeconfig files using subcommands like "kubectl config set current-context my-context"

The loading order follows these rules:

  1. If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once and no merging takes place.
  2. If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path delimiting rules for your system). These paths are merged. When a value is modified, it is modified in the file that defines the stanza. When a value is created, it is created in the first file that exists. If no files in the chain exist, then it creates the last file in the list.
  3. Otherwise, ${HOME}/.kube/config is used and no merging takes place.

Available Commands:
  current-context Displays the current-context
  delete-cluster  Delete the specified cluster from the kubeconfig
  delete-context  Delete the specified context from the kubeconfig
  get-clusters    Display clusters defined in the kubeconfig
  get-contexts    Describe one or many contexts
  rename-context  Renames a context from the kubeconfig file.
  set             Sets an individual value in a kubeconfig file
  set-cluster     Sets a cluster entry in kubeconfig
  set-context     Sets a context entry in kubeconfig
  set-credentials Sets a user entry in kubeconfig
  unset           Unsets an individual value in a kubeconfig file
  use-context     Sets the current-context in a kubeconfig file
  view            Display merged kubeconfig settings or a specified kubeconfig file

Usage:
  kubectl config SUBCOMMAND [options]

Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).
View the configuration file:
[root@master1 volumes]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-api.ilinux.io:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
IV. Authenticating with a certificate and private key created with openssl
Create a certificate and private key with openssl, then test and verify them.
1. Create the private key:
View the configuration file:
[root@master1 pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-api.ilinux.io:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: jakeli
  user:
    client-certificate: /etc/kubernetes/pki/jakeli.crt
    client-key: /etc/kubernetes/pki/jakeli.key
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
6. Create a cluster configuration file. The configuration file defaults to the user's home directory and can be changed with the --kubeconfig option:
[root@master1 ~]# kubectl config set-cluster jakelicluster --kubeconfig=/tmp/test.conf --server="https://192.168.222.150:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
Cluster "jakelicluster" set.
View the custom cluster entry:
[root@master1 ~]# kubectl config view --kubeconfig=/tmp/test.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.222.150:6443
  name: jakelicluster
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
7. Set a context so that the user jakeli can access the cluster:
[root@master1 pki]# kubectl config set-context jakeli@kubernetes --cluster=kubernetes --user=jakeli
Context "jakeli@kubernetes" created.
View the config at this point:
[root@master1 ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-api.ilinux.io:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: jakeli
  name: jakeli@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: jakeli
  user:
    client-certificate: /etc/kubernetes/pki/jakeli.crt
    client-key: /etc/kubernetes/pki/jakeli.key
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
8. Switch the user account (the current context). At this point jakeli has not been granted any permissions, so it cannot view pod information: the Forbidden error shows that authentication succeeded (the API server identifies the caller as User "jakeli") but authorization failed. After the authorization operations introduced later, the user will have the corresponding permissions.
[root@master1 pki]# kubectl config use-context jakeli@kubernetes
Switched to context "jakeli@kubernetes".
[root@master1 pki]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "jakeli" cannot list resource "pods" in API group "" in the namespace "default"
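As an added example (not the post's own code), the bookkeeping that steps 6 to 8 perform with kubectl config is reconstructed below in plain Python: a cluster entry with the CA embedded base64-encoded (what --embed-certs=true does), a user entry pointing at the jakeli certificate files, a context binding the two, and the masking that kubectl config view applies to key material. The CA bytes are a constructed placeholder and the context name jakeli@jakelicluster is an assumption; the server address and certificate paths are the ones used above.

```python
# Added example: a minimal model of the kubeconfig operations shown above.
import base64
import copy

# Constructed placeholder, not a real certificate.
CA_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"

def new_config():
    return {"apiVersion": "v1", "kind": "Config", "preferences": {},
            "clusters": [], "users": [], "contexts": [], "current-context": ""}

def set_cluster(cfg, name, server, ca_pem):
    # --embed-certs=true: the CA is stored base64-encoded in the file itself,
    # so the kubeconfig is self-contained and must be protected like a credential.
    cfg["clusters"].append({"name": name, "cluster": {
        "server": server,
        "certificate-authority-data": base64.b64encode(ca_pem).decode()}})

def set_credentials(cfg, name, cert_path, key_path):
    # Certificate-based user referencing files (as for jakeli above).
    cfg["users"].append({"name": name, "user": {
        "client-certificate": cert_path, "client-key": key_path}})

def set_context(cfg, name, cluster, user):
    cfg["contexts"].append({"name": name, "context": {"cluster": cluster, "user": user}})

def use_context(cfg, name):
    if all(c["name"] != name for c in cfg["contexts"]):
        raise KeyError("no context exists with the name: " + name)
    cfg["current-context"] = name

def resolve(cfg):
    """Return (server, user entry) for the current context: the context, not
    the cluster, decides which identity is presented to the API server."""
    ctx = next(c["context"] for c in cfg["contexts"] if c["name"] == cfg["current-context"])
    server = next(c["cluster"]["server"] for c in cfg["clusters"] if c["name"] == ctx["cluster"])
    user = next(u["user"] for u in cfg["users"] if u["name"] == ctx["user"])
    return server, user

def view(cfg):
    """Like `kubectl config view`: mask embedded CA and client key material."""
    out = copy.deepcopy(cfg)
    for c in out["clusters"]:
        if "certificate-authority-data" in c["cluster"]:
            c["cluster"]["certificate-authority-data"] = "DATA+OMITTED"
    for u in out["users"]:
        for k in ("client-certificate-data", "client-key-data"):
            if k in u["user"]:
                u["user"][k] = "REDACTED"
    return out
```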
V. Token authentication
1. Create a serviceaccount