Cluster security mechanisms
Everything is coordinated by the apiserver, in this order: authentication > authorization > admission control
Authentication
Transport security: port 8080 is not exposed externally and is only reachable from inside; the port used externally is 6443
Common client authentication methods
- HTTPS certificate authentication, based on a CA certificate
- HTTP token authentication, identifying the user by a token
- HTTP basic authentication, username + password
Authorization: RBAC
RBAC: role-based access control. A role defines what may be accessed; once a user is assigned that role, the user holds the role's access permissions
Roles
- Role: access permissions within a specific namespace
- ClusterRole: access permissions across all namespaces
Role bindings
- RoleBinding: binds a Role to a subject
- ClusterRoleBinding: binds a ClusterRole to a subject
Subjects
- user: a user
- group: a user group
- serviceAccount: a service account
Test
1. Create a namespace
kubectl create ns roledemo
2. Create a Pod in the namespace
kubectl run nginx --image=nginx -n roledemo
3. Create the role
Tip: this role only has get and list permissions on pods
# create
kubectl apply -f rbac-role.yaml
# check
kubectl get role -n roledemo
4. Bind the role to a user
# create the role binding
kubectl apply -f rbac-rolebinding.yaml
# check the role binding (no space after the comma, otherwise kubectl treats "rolebinding" as a resource name)
kubectl get role,rolebinding -n roledemo
5. Use a certificate to identify the user
This step involves a number of certificate files in the TLS directory, which need to be copied over
Run our script with the command below
./rbac-user.sh
Test
# switch namespaces and compare the output
kubectl get pods -n roledemo --kubeconfig=./mary-kubeconfig
Admission control
This is the list of admission controllers that filters requests to the api-server: a request whose content is accepted by the list passes; otherwise it is rejected
Ingress
Preface
Previously we had to expose a port number externally, and the application was reached via IP + port
This was done with a NodePort in a Service
The port is opened on every node
When accessing, any node can be used, and IP + port reaches the application
However, NodePort still has some drawbacks
Because a port cannot be reused, each port can only be used once: one port per application
In practice access is by domain name, with different domain names routed to services on different ports
Relationship between Ingress and Pods
Pods and Ingress are linked through a Service: the Ingress is the unified entry point, and the Service links it to a group of Pods
- First, the Service is what links to our Pods
- Then the Ingress, as the entry point, first goes to the Service and from there discovers the group of Pods
- Once the Pods are discovered, it can do load balancing and similar operations
Ingress workflow
Different domain names map to different Services, and each Service manages its own Pods
Note that Ingress is not a built-in component; we have to install it separately
Using Ingress
- Deploy the ingress controller [download it from the official project]
- Create ingress rules [configure rules for a given Pod and namespace]
Using Ingress to expose an application externally
1. Create an nginx application, then expose its port
# create the pod
kubectl create deployment web --image=nginx
# check
kubectl get pods
Expose the port
kubectl expose deployment web --port=80 --target-port=80 --type=NodePort
kubectl get svc
NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP   10.96.0.1      <none>        443/TCP        147m
web          NodePort    10.107.12.59   <none>        80:30812/TCP   38s
2. Deploy the ingress controller
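The notes reference rbac-role.yaml, rbac-rolebinding.yaml and rbac-user.sh but do not show their contents. The script below is an added example, not the original files, that walks the same five steps end to end: a Role limited to get/list on pods in one namespace, a RoleBinding to the user "mary", a client certificate whose CN carries the username (this is the certificate-based client authentication listed in the Authentication section: the apiserver takes the username from CN and the groups from the O fields), a kubeconfig built from it, and a check with kubectl auth can-i. It assumes a kubeadm-style cluster CA at /etc/kubernetes/pki/ca.crt and ca.key, an apiserver address in API_SERVER (placeholder), and the group name "k8s"; all of these are assumptions, not values from the notes.

```bash
#!/bin/sh
# Added example, not the rbac-role.yaml / rbac-rolebinding.yaml / rbac-user.sh
# of the original notes (their contents are not shown there). Same five steps:
# a Role that can only get/list pods in one namespace, a RoleBinding to user
# "mary", a client certificate whose CN carries the username, a kubeconfig
# built from it, and a check with "kubectl auth can-i".
# Assumptions: a kubeadm-style cluster CA at /etc/kubernetes/pki/ca.{crt,key}
# and the apiserver address in API_SERVER (placeholder below).
set -eu

NS="${NS:-roledemo}"
USER_NAME="${USER_NAME:-mary}"
CA_DIR="${CA_DIR:-/etc/kubernetes/pki}"
API_SERVER="${API_SERVER:-https://192.0.2.10:6443}"   # placeholder apiserver address

# Step 3: namespace-scoped Role limited to get/list on pods.
render_role() {  # render_role NAMESPACE
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: $1
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
EOF
}

# Step 4: bind the Role to a User subject. Kind is "User" because the identity
# will come from a client certificate, not from a ServiceAccount.
render_rolebinding() {  # render_rolebinding NAMESPACE USER
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: $1
subjects:
- kind: User
  name: $2
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Step 5: the apiserver takes the username from the certificate CN and groups
# from its O fields, so CN must equal the subject name in the RoleBinding.
# The group "k8s" is an assumed value.
make_user_cert() {  # make_user_cert USER
  openssl genrsa -out "$1-key.pem" 2048
  openssl req -new -key "$1-key.pem" -out "$1.csr" -subj "/CN=$1/O=k8s"
  openssl x509 -req -in "$1.csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
    -CAcreateserial -out "$1.pem" -days 365
}

build_kubeconfig() {  # build_kubeconfig USER  -> writes USER-kubeconfig
  kc="$1-kubeconfig"
  kubectl config set-cluster kubernetes --server="$API_SERVER" \
    --certificate-authority="$CA_DIR/ca.crt" --embed-certs=true --kubeconfig="$kc"
  kubectl config set-credentials "$1" --client-certificate="$1.pem" \
    --client-key="$1-key.pem" --embed-certs=true --kubeconfig="$kc"
  kubectl config set-context default --cluster=kubernetes --user="$1" --kubeconfig="$kc"
  kubectl config use-context default --kubeconfig="$kc"
}

# Expected: "yes" for list pods in $NS; "no" in default and for delete.
# "kubectl auth can-i" exits 1 on "no", hence the "|| true".
verify_access() {  # verify_access NAMESPACE USER
  kubectl auth can-i list pods -n "$1" --kubeconfig="$2-kubeconfig" || true
  kubectl auth can-i list pods -n default --kubeconfig="$2-kubeconfig" || true
  kubectl auth can-i delete pods -n "$1" --kubeconfig="$2-kubeconfig" || true
}

run_demo() {
  kubectl create ns "$NS"
  render_role "$NS" | kubectl apply -f -
  render_rolebinding "$NS" "$USER_NAME" | kubectl apply -f -
  make_user_cert "$USER_NAME"
  build_kubeconfig "$USER_NAME"
  verify_access "$NS" "$USER_NAME"
}

# Only touch the cluster when invoked as: sh rbac-demo.sh run
if [ "${1:-}" = "run" ]; then run_demo; fi
```

The three can-i checks are the point of the exercise: the Role grants nothing outside roledemo and nothing beyond get/list, so the second and third answers must be "no". Binding the user to a ClusterRole through a ClusterRoleBinding would instead have granted the same verbs in every namespace.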
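The list of admission controllers described above lives on the kube-apiserver command line. The helper below is an added example, not part of the notes: it reads --enable-admission-plugins and --disable-admission-plugins out of an apiserver argument list and reports whether a given plugin is active, which is the first thing to check when reviewing a cluster. ARGS is a constructed sample; on a kubeadm cluster the real line is in /etc/kubernetes/manifests/kube-apiserver.yaml. DEFAULT_PLUGINS is an assumed, abbreviated stand-in for the apiserver's built-in default set, not the full upstream list of any version.

```bash
#!/bin/sh
# Added example, not from the original notes. Reads the admission-plugin flags
# from a kube-apiserver argument list and reports whether a plugin is active.
# ARGS below is a constructed sample; DEFAULT_PLUGINS is an assumed, abbreviated
# stand-in for the apiserver's built-in default set.
set -e

DEFAULT_PLUGINS="NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,MutatingAdmissionWebhook,ValidatingAdmissionWebhook"

# flag_value NAME : print the value of --NAME=... from the argument list on stdin
flag_value() {
  tr ' ' '\n' | sed -n "s/^--$1=//p"
}

# in_list NAME "a,b,c" : true if NAME is one of the comma-separated items
in_list() {
  printf '%s\n' "$2" | tr ',' '\n' | grep -qx -- "$1"
}

# plugin_enabled "ARGS" NAME : an explicit disable wins, then an explicit
# enable, then the default set. Returns 0 if enabled, 1 otherwise.
plugin_enabled() {
  disabled=$(printf '%s' "$1" | flag_value disable-admission-plugins)
  enabled=$(printf '%s' "$1" | flag_value enable-admission-plugins)
  if in_list "$2" "$disabled"; then
    return 1
  fi
  if in_list "$2" "$enabled"; then
    return 0
  fi
  in_list "$2" "$DEFAULT_PLUGINS"
}

# Constructed sample of a kubeadm-style apiserver command line
ARGS="kube-apiserver --secure-port=6443 --authorization-mode=Node,RBAC --enable-admission-plugins=NodeRestriction,PodSecurity --disable-admission-plugins=DefaultStorageClass"

# Report the plugins a reviewer would look at first
for p in NodeRestriction PodSecurity ResourceQuota DefaultStorageClass AlwaysAdmit; do
  if plugin_enabled "$ARGS" "$p"; then
    echo "$p: enabled"
  else
    echo "$p: disabled"
  fi
done
```

With the sample line, NodeRestriction and PodSecurity are on because they are enabled explicitly, ResourceQuota is on because it is in the default set, DefaultStorageClass is off because it is disabled explicitly, and AlwaysAdmit is off because it appears nowhere.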
vim ingress-con.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
    verbs:
      - update

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      hostNetwork: true
      # wait up to five minutes for the drain of connections
      terminationGracePeriodSeconds: 300
      serviceAccountName: nginx-ingress-serviceaccount
      nodeSelector:
        kubernetes.io/os: linux
      containers:
        - name: nginx-ingress-controller
          image: lizhenliang/nginx-ingress-controller:0.30.0
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 101
            runAsUser: 101
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown

---
apiVersion: v1
kind: LimitRange
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  limits:
  - min:
      memory: 90Mi
      cpu: 100m
    type: Container
Deploy
kubectl apply -f ingress-con.yaml
Check the status
kubectl get pods -n ingress-nginx
Note hostNetwork: true, which means the controller's network is exposed externally on the node; it is set to true so that the controller can be reached in the following steps
Create Ingress rules
1. Create the ingress rule file, ingress-h.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: example-ingress
spec:
  rules:
  - host: ingressdemo.com
    http:
      paths:
      - path: /
        backend:
          serviceName: web
          servicePort: 80
Deploy
kubectl apply -f ingress-h.yaml
ingress.networking.k8s.io/example-ingress created
Check the pod
kubectl get pods -n ingress-nginx -o wide
NAME                                       READY   STATUS    RESTARTS   AGE    IP           NODE        NOMINATED NODE   READINESS GATES
nginx-ingress-controller-766fb9f77-g8hgz   1/1     Running   0          5m3s   10.206.0.2   k8s-node1   <none>           <none>
Check port 80 on k8s-node1
netstat -antp | grep 80
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN      29326/nginx: master
2. Edit the local hosts file and add a domain name entry (the public IP of k8s-node1)
vim /etc/hosts
119.45.233.2 ingressdemo.com
3. The application can now be accessed via the domain name
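The script below is an added example, not the ingress-h.yaml of the notes. It renders the same host rule (ingressdemo.com routed to Service web on port 80) in the networking.k8s.io/v1 form, because the v1beta1 form used above was removed in Kubernetes 1.22 (v1 is available from 1.19); it assumes an ingress-nginx release that registers an IngressClass named "nginx", which is an assumption rather than something the notes state. It also probes the rule with curl's --resolve option, which pins the name to the node IP for one request so that /etc/hosts need not be edited, and it reports the two settings in the controller manifest above that widen its footprint on the node: hostNetwork and allowPrivilegeEscalation. The node IP is passed in as a placeholder argument.

```bash
#!/bin/sh
# Added example, not the original notes' ingress-h.yaml. Renders the notes'
# host rule in the networking.k8s.io/v1 form (v1beta1 was removed in
# Kubernetes 1.22), probes it with curl --resolve instead of editing
# /etc/hosts, and reports the controller's host-level settings.
# Assumed: an IngressClass named "nginx" exists; NODE_IP is a placeholder.
set -eu

# v1 Ingress: backend is service.name/service.port.number and pathType is required.
render_ingress_v1() {  # render_ingress_v1 HOST SERVICE PORT
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
spec:
  ingressClassName: nginx   # assumed class name
  rules:
  - host: $1
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: $2
            port:
              number: $3
EOF
}

# One request with the Host header routed to the node. --resolve maps HOST:80
# to NODE_IP for this invocation only, so no hosts-file change is needed.
probe_host() {  # probe_host NODE_IP HOST  -> prints the HTTP status code
  curl -sS -o /dev/null -w '%{http_code}' --resolve "$2:80:$1" "http://$2/"
}

# Defender check: the notes' controller manifest sets hostNetwork: true and
# allowPrivilegeEscalation: true; print both so the exposure is explicit.
audit_controller() {
  kubectl -n ingress-nginx get deployment nginx-ingress-controller \
    -o jsonpath='hostNetwork={.spec.template.spec.hostNetwork} allowPrivilegeEscalation={.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation}{"\n"}'
}

run_demo() {  # run_demo NODE_IP
  render_ingress_v1 ingressdemo.com web 80 | kubectl apply -f -
  audit_controller
  echo "ingressdemo.com -> $(probe_host "$1" ingressdemo.com)"   # expect 200 from nginx
  echo "other.example   -> $(probe_host "$1" other.example)"     # expect 404: no rule for this host
}

# Only touch the cluster when invoked as: sh ingress-demo.sh run <node-ip>
if [ "${1:-}" = "run" ]; then run_demo "${2:?node ip required}"; fi
```

The second probe is the useful negative check: a request for a host with no rule must fall through to the controller's default backend and return 404, which confirms that routing is by Host header and not by whichever port the node happens to expose.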