How to Add Users to Kubernetes (kubectl)?


Question

I've created a Kubernetes cluster on AWS with kops and can successfully administer it via kubectl from my local machine.

I can view the current config with kubectl config view as well as directly access the stored state at ~/.kube/config, such as:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://api.{CLUSTER_NAME}
  name: {CLUSTER_NAME}
contexts:
- context:
    cluster: {CLUSTER_NAME}
    user: {CLUSTER_NAME}
  name: {CLUSTER_NAME}
current-context: {CLUSTER_NAME}
kind: Config
preferences: {}
users:
- name: {CLUSTER_NAME}
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    password: REDACTED
    username: admin
- name: {CLUSTER_NAME}-basic-auth
  user:
    password: REDACTED
    username: admin

I need to enable other users to also administer. This user guide describes how to define these on another user's machine, but doesn't describe how to actually create the user's credentials within the cluster itself. How do you do this?

Also, is it safe to share cluster.certificate-authority-data?

Answer

For a full overview on Authentication, refer to the official Kubernetes docs on Authentication and Authorization.

For users, ideally you use an Identity provider for Kubernetes (OpenID Connect).

If you are on GKE / ACS you integrate with the respective Identity and Access Management frameworks.

If you self-host kubernetes (which is the case when you use kops), you may use coreos/dex to integrate with LDAP / OAuth2 identity providers - a good reference is this detailed 2 part SSO for Kubernetes article.

kops (1.10+) now has built-in authentication support which eases the integration with AWS IAM as identity provider if you're on AWS.

For Dex there are a few open source CLI clients as follows:

  • Nordstrom/kubelogin
  • pusher/k8s-auth-example

If you are looking for a quick and easy (not most secure and easy to manage in the long run) way to get started, you may abuse serviceaccounts - with 2 options for specialised Policies to control access. (see below)

Note, since 1.6 Role Based Access Control is strongly recommended! This answer does not cover the RBAC setup.

EDIT: Great guide by Bitnami on User setup with RBAC is also available.

Steps to enable service account access are (depending on if your cluster configuration includes RBAC or ABAC policies, these accounts may have full Admin rights!):

EDIT: Here is a bash script to automate Service Account creation - see the steps below.

  1. Create service account for user Alice

    kubectl create sa alice

  2. Get related secret

    # Note: on Kubernetes 1.24+ no token Secret is created automatically for a
    # ServiceAccount; create a kubernetes.io/service-account-token Secret for it
    # (or use `kubectl create token alice` for a short-lived token) before this step.
    secret=$(kubectl get sa alice -o json | jq -r '.secrets[].name')

  3. Get ca.crt from secret (using OSX base64 with -D flag for decode)

    # GNU coreutils base64 (Linux) spells the decode flag -d, not -D
    kubectl get secret $secret -o json | jq -r '.data["ca.crt"]' | base64 -D > ca.crt

  4. Get service account token from secret

    user_token=$(kubectl get secret $secret -o json | jq -r '.data["token"]' | base64 -D)

  5. Get information from your kubectl config (current-context, server..)

    # get current context
    c=$(kubectl config current-context)

    # get cluster name of context (3rd column of the current-context row)
    name=$(kubectl config get-contexts $c | awk '{print $3}' | tail -n 1)

    # get endpoint of current context
    endpoint=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"$name\")].cluster.server}")
  6. On a fresh machine, follow these steps (given the ca.crt and $endpoint information retrieved above):

    1. Install kubectl

    brew install kubectl

    2. Set cluster (run in directory where ca.crt is stored)

    kubectl config set-cluster cluster-staging \
      --embed-certs=true \
      --server=$endpoint \
      --certificate-authority=./ca.crt

    3. Set user credentials

    kubectl config set-credentials alice-staging --token=$user_token

    4. Define the combination of alice user with the staging cluster

    kubectl config set-context alice-staging \
      --cluster=cluster-staging \
      --user=alice-staging \
      --namespace=alice

    5. Switch current context to alice-staging for the user

    kubectl config use-context alice-staging

  7. To control user access with policies (using ABAC), you need to create a policy file (for example):

    # kube-apiserver reads the ABAC policy file line by line: each policy must be
    # one JSON object on a single line (blank lines and '#' comments are skipped)
    {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "system:serviceaccount:default:alice", "namespace": "default", "resource": "*", "readonly": true}}

    Provision this policy.json on every master node and add --authorization-mode=ABAC --authorization-policy-file=/path/to/policy.json flags to API servers

    This would allow Alice (through her service account) read only rights to all resources in default namespace only.
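The steps above (pull ca.crt and the token out of the service-account Secret, then set-cluster / set-credentials / set-context / use-context on a fresh machine) assembled in one place, as an added example that is not part of the original answer. The Secret contents, the token value and the endpoint https://api.example.invalid are constructed sample data; the Python function names are this example's own, not kubectl's.

```python
"""Build the kubeconfig a fresh machine needs for the service-account user
alice, mirroring `kubectl config set-cluster --embed-certs=true`,
`set-credentials --token`, `set-context` and `use-context`.
Added example; the Secret below is constructed sample data, not a real cluster's."""
import base64
import json

# Constructed sample of what `kubectl get secret $secret -o json` returns for a
# kubernetes.io/service-account-token Secret (values shortened; Secret data is base64).
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIBsampleCAcert\n-----END CERTIFICATE-----\n"
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9.sample.signature"
SAMPLE_SECRET = {
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "data": {
        "ca.crt": base64.b64encode(SAMPLE_CA_PEM.encode()).decode(),
        "token": base64.b64encode(SAMPLE_TOKEN.encode()).decode(),
        "namespace": base64.b64encode(b"default").decode(),
    },
}


def decode_secret_field(secret, field):
    """Equivalent of `jq -r '.data["<field>"]' | base64 -D`."""
    return base64.b64decode(secret["data"][field]).decode()


def input_problems(endpoint, ca_pem):
    """Sanity checks a practitioner wants before handing the config to someone."""
    problems = []
    if not endpoint.startswith("https://"):
        problems.append("API server endpoint must use https://")  # bearer token would travel in clear
    if "-----BEGIN CERTIFICATE-----" not in ca_pem:
        problems.append("ca.crt does not look like a PEM certificate")
    return problems


def build_kubeconfig(cluster_name, endpoint, ca_pem, user_name, token,
                     context_name, namespace):
    """One Config document equal to the set-cluster/set-credentials/set-context
    sequence, with the CA embedded (--embed-certs=true) and current-context set."""
    problems = input_problems(endpoint, ca_pem)
    if problems:
        raise ValueError("; ".join(problems))
    ca_b64 = base64.b64encode(ca_pem.encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": cluster_name,
                      "cluster": {"server": endpoint,
                                  "certificate-authority-data": ca_b64}}],
        "users": [{"name": user_name, "user": {"token": token}}],
        "contexts": [{"name": context_name,
                      "context": {"cluster": cluster_name, "user": user_name,
                                  "namespace": namespace}}],
        "current-context": context_name,
    }


def embedded_ca_pem(config):
    """Read back the CA a kubeconfig pins, e.g. to verify a config you were sent."""
    return base64.b64decode(config["clusters"][0]["cluster"]["certificate-authority-data"]).decode()


def alice_staging_config(secret, endpoint):
    """The whole procedure for alice: Secret -> ca.crt + token -> kubeconfig."""
    return build_kubeconfig("cluster-staging", endpoint,
                            decode_secret_field(secret, "ca.crt"),
                            "alice-staging", decode_secret_field(secret, "token"),
                            "alice-staging", "alice")


if __name__ == "__main__":
    cfg = alice_staging_config(SAMPLE_SECRET, "https://api.example.invalid")
    # JSON is valid YAML, so kubectl --kubeconfig loads this output unchanged.
    print(json.dumps(cfg, indent=2))
```

The token is a long-lived bearer credential, so the resulting file should be handed over out of band and treated like a password; the certificate-authority-data is only the public CA certificate, which is what lets the new machine verify it is talking to the right API server.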
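To see what the ABAC policy in step 7 actually grants, here is an added example (not part of the original answer) that evaluates requests the way kube-apiserver's ABAC authorizer does: user/group match, then namespace/resource/apiGroup match, with a readonly policy only ever matching get/list/watch. The policy file text and the requests are constructed for this example; it covers the v1beta1 policy form with a spec block.

```python
"""Minimal ABAC policy evaluator with the same matching rules as the
kube-apiserver ABAC authorizer. Added example; POLICY_FILE is constructed."""
import json

READ_ONLY_VERBS = {"get", "list", "watch"}

# Constructed policy file. The apiserver reads it one line at a time: each
# policy is a single JSON object on its own line; blank and '#' lines are skipped.
POLICY_FILE = """\
# alice, via her service account: read-only in default (core API group only)
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "system:serviceaccount:default:alice", "namespace": "default", "resource": "*", "readonly": true}}
# members of system:masters may do anything, anywhere, in every API group
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group": "system:masters", "namespace": "*", "resource": "*", "apiGroup": "*"}}
"""


def load_policies(text):
    """Parse a policy file; a pretty-printed multi-line object is rejected,
    just as the apiserver refuses to start on it."""
    specs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: policy is not one JSON object per line ({exc.msg})")
        specs.append(obj["spec"])
    return specs


def subject_matches(spec, user, groups):
    matched = False
    if spec.get("user"):
        if spec["user"] == "*":
            matched = True
        elif spec["user"] != user:
            return False
        else:
            matched = True
    if spec.get("group"):
        if spec["group"] == "*":
            matched = True
        elif spec["group"] not in groups:
            return False
        else:
            matched = True
    return matched  # a policy naming neither user nor group matches nobody


def resource_matches(spec, namespace, resource, api_group):
    # An unset apiGroup is "", i.e. the core group only; "*" covers all groups.
    return (spec.get("namespace", "") in ("*", namespace)
            and spec.get("resource", "") in ("*", resource)
            and spec.get("apiGroup", "") in ("*", api_group))


def authorize(specs, user, groups, verb, namespace, resource, api_group=""):
    """True if any policy allows the request. ABAC has no deny rules:
    no match means the request is refused."""
    read_only = verb in READ_ONLY_VERBS
    for spec in specs:
        if not subject_matches(spec, user, groups):
            continue
        if not read_only and spec.get("readonly", False):
            continue  # a readonly policy never grants a write
        if resource_matches(spec, namespace, resource, api_group):
            return True
    return False


ALICE = "system:serviceaccount:default:alice"
ALICE_GROUPS = ["system:serviceaccounts", "system:serviceaccounts:default", "system:authenticated"]

if __name__ == "__main__":
    specs = load_policies(POLICY_FILE)
    for verb, ns, res, grp in [("get", "default", "pods", ""), ("delete", "default", "pods", ""),
                               ("get", "kube-system", "pods", ""), ("get", "default", "deployments", "apps")]:
        print(f"alice {verb} {res}.{grp or 'core'} in {ns}: {authorize(specs, ALICE, ALICE_GROUPS, verb, ns, res, grp)}")
```

Two things this makes visible that the prose does not: the policy leaves apiGroup unset, so Alice can read core-group resources such as pods and services but not deployments (apps) or other non-core resources, and a pretty-printed multi-line policy.json is a parse error, not a policy.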
