使用TOKEN授权访问api-server在k8s运维场景中比较常见,

apiserver有三种级别的客户端认证方式

1,HTTPS证书认证:基于CA根证书签名的双向数字证书认证方式

2,HTTP Token认证:通过一个Token来识别合法用户

3,HTTP Base认证:通过用户名+密码的认证方式

通常的运维场景使用第二种Token较为方便Token的权限是关联service account,

# kubectl describe secrets admin-token-2q28f -n kube-systemName:         admin-token-2q28fNamespace:    kube-systemLabels:       <none>Annotations:  kubernetes.io/service-account.name: admin              kubernetes.io/service-account.uid: 93316ffa-7545-11e9-b617-00163e06992dType:  kubernetes.io/service-account-tokenData====ca.crt:     1419 bytesnamespace:  11 bytestoken:      eyJhbGciOiJ******

Service Account 的权限来自Clusterrolebinding-->ClusterRole

# kubectl describe serviceaccount admin -n kube-systemName:                adminNamespace:           kube-systemLabels:              <none>Annotations:         kubectl.kubernetes.io/last-applied-configuration:                       {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"admin","namespace":"kube-system"}}Image pull secrets:  <none>Mountable secrets:   admin-token-2q28fTokens:              admin-token-2q28fEvents:              <none>

通过clusterrolebinding 可以拿到ClusterRole对应的rolename

# kubectl get clusterrolebinding admin -o yamlapiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata:  annotations:    kubectl.kubernetes.io/last-applied-configuration: |      {"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"admin"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"admin","namespace":"kube-system"}]}  creationTimestamp: 2019-05-13T06:08:49Z  name: admin  resourceVersion: "1523"  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/admin  uid: 93356439-7545-11e9-b617-00163e06992droleRef:  apiGroup: rbac.authorization.k8s.io  kind: ClusterRole  name: cluster-adminsubjects:- kind: ServiceAccount  name: admin  namespace: kube-system

这个role是什么权限?

# kubectl get clusterrole cluster-admin -o yamlapiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:  annotations:    rbac.authorization.kubernetes.io/autoupdate: "true"  creationTimestamp: 2019-05-13T06:01:10Z  labels:    kubernetes.io/bootstrapping: rbac-defaults  name: cluster-admin  resourceVersion: "55"  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-admin  uid: 817e2b9e-7544-11e9-9766-00163e0e34c8rules:- apiGroups:  - '*'  resources:  - '*'  verbs:  - '*'- nonResourceURLs:  - '*'  verbs:  - '*'

从clusterrole权限来看,admin关联的权限还是比较大的,正常的集群运维中建议根据自身的真实需要,去定制权限

https://kubernetes.io/docs/reference/access-authn-authz/rbac/

了解完这些,分享一个小技巧,这样后面客户再有curl访问apiserver的需求,我相信你没问题了!

# kubectl describe secrets $(kubectl get secrets -n kube-system |grep admin |cut -f1 -d ' ') -n kube-system |grep -E '^token' |cut -f2 -d':'|tr -d '\t'|tr -d ' 'eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi0ycTI4ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjkzMzE2ZmZhLTc1NDUtMTFlOS1iNjE3LTAwMTYzZTA2OTkyZCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.EQzj2LsWn2k31m-ksn9GmB1bZTi1Xjw1fnmWFgRKlwhS2QAaVnDXfV_TgUovpq5oWKh7h0gTVaNaK4KKK76yAv6GfMehpOdIO5xHCfQAWVRhla1cwUDC64tz7vJ1zGcx_lz4hKfhdXN1T8FYS0B0hf3h2OloAMfCZTzDjRWz24GVwH-WRTEwY_5tav65GiZzBTsnz1vV7NOcx-Kl8AK2HbowtBYqK05x7oOmp84FiQMwpYU-7g0c03h61zev4lvf0e-HFtqKiByPi8gD-uiVRvE-xayOz5oIESWw2GfhzfNf_uyR7eLplCKUBecVMtwVsBauNaeqU-IIJW5VIHAOxw# TOKEN=$(kubectl describe secrets $(kubectl get secrets -n kube-system |grep admin |cut -f1 -d ' ') -n kube-system |grep -E '^token' |cut -f2 -d':'|tr -d '\t'|tr -d ' ')# kubectl config view |grep server|cut -f 2- -d ":" | tr -d " "https://192.168.0.130:6443# APISERVER=$(kubectl config view |grep server|cut -f 2- -d ":" | tr -d " ")

使用curl访问apiserver

# curl -H "Authorization: Bearer $TOKEN" $APISERVER/api  --insecure{  "kind": "APIVersions",  "versions": [    "v1"  ],  "serverAddressByClientCIDRs": [    {      "clientCIDR": "0.0.0.0/0",      "serverAddress": "192.168.0.130:6443"    }  ]}


本文作者:牧原

阅读原文

本文为云栖社区原创内容,未经允许不得转载。