How to Add Users to Kubernetes (kubectl)?


Question

I've created a Kubernetes cluster on AWS with kops and can successfully administer it via kubectl from my local machine.

I can view the current config with kubectl config view as well as directly access the stored state at ~/.kube/config, such as:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://api.{CLUSTER_NAME}
  name: {CLUSTER_NAME}
contexts:
- context:
    cluster: {CLUSTER_NAME}
    user: {CLUSTER_NAME}
  name: {CLUSTER_NAME}
current-context: {CLUSTER_NAME}
kind: Config
preferences: {}
users:
- name: {CLUSTER_NAME}
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    password: REDACTED
    username: admin
- name: {CLUSTER_NAME}-basic-auth
  user:
    password: REDACTED
    username: admin

I need to enable other users to also administer. This user guide describes how to define these on another user's machine, but doesn't describe how to actually create the user's credentials within the cluster itself. How do you do this?

Also, is it safe to just share the cluster.certificate-authority-data?

Accepted answer

For a full overview on Authentication, refer to the official Kubernetes docs on Authentication and Authorization.

For users, ideally you use an Identity provider for Kubernetes (OpenID Connect).

If you are on GKE / ACS you integrate with the respective Identity and Access Management frameworks.

If you self-host kubernetes (which is the case when you use kops), you may use coreos/dex to integrate with LDAP / OAuth2 identity providers - a good reference is this detailed 2 part SSO for Kubernetes article.

kops (1.10+) now has built-in authentication support which eases the integration with AWS IAM as identity provider if you're on AWS.

For Dex there are a few open source cli clients as follows:

If you are looking for a quick and easy (not most secure and easy to manage in the long run) way to get started, you may abuse serviceaccounts - with 2 options for specialised Policies to control access. (see below)

NOTE: using Role-Based Access Control is strongly recommended as of 1.6! This answer does not cover the RBAC setup.

EDIT: A great, but outdated (2017-2018), guide by Bitnami on User setup with RBAC is also available.

Steps to enable service account access are (depending on whether your cluster configuration includes RBAC or ABAC policies, these accounts may have full Admin rights!):

EDIT: here is a bash script to automate the service account creation - see the steps below.

  1. For user Alice (create the service account)

kubectl create sa alice

  • Get related secret

    secret=$(kubectl get sa alice -o json | jq -r .secrets[].name)
    

  • Get ca.crt from secret (using OSX base64 with -D flag for decode)

    kubectl get secret $secret -o json | jq -r '.data["ca.crt"]' | base64 -D > ca.crt
    

  • Get service account token from secret

    user_token=$(kubectl get secret $secret -o json | jq -r '.data["token"]' | base64 -D)
    

  • Get information from your kubectl config (current-context, server..)

    # get current context
    c=$(kubectl config current-context)
    
    # get cluster name of context
    name=$(kubectl config get-contexts $c | awk '{print $3}' | tail -n 1)
    
    # get endpoint of current context 
    endpoint=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"$name\")].cluster.server}")
    

  • On a new machine, perform these steps (given the ca.crt and $endpoint information retrieved above):

    1. Install kubectl

     brew install kubectl
    

  • Set the cluster (run in the directory where ca.crt is stored)

     kubectl config set-cluster cluster-staging \
       --embed-certs=true \
       --server=$endpoint \
       --certificate-authority=./ca.crt
    

  • Set user credentials

     kubectl config set-credentials alice-staging --token=$user_token
    

  • Define the combination of the alice user with the staging cluster

     kubectl config set-context alice-staging \
       --cluster=cluster-staging \
       --user=alice-staging \
       --namespace=alice
    

  • Switch the current context to alice-staging for the user

     kubectl config use-context alice-staging
    

  • To control user access with policies (using ABAC), you need to create a policy file (for example):

    {
      "apiVersion": "abac.authorization.kubernetes.io/v1beta1",
      "kind": "Policy",
      "spec": {
        "user": "system:serviceaccount:default:alice",
        "namespace": "default",
        "resource": "*",
        "readonly": true
      }
    }
    

    Provision this policy.json on every master node and add the --authorization-mode=ABAC --authorization-policy-file=/path/to/policy.json flags to the API servers.

    This would allow Alice (through her service account) read-only rights to all resources in the default namespace only.
