Example Analysis of Service Account Token of Security Mechanism API Server Authentication in kubernetes

2025-01-19 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This article walks through, by example, how the Kubernetes API Server authenticates clients with a Service Account Token as part of the Kubernetes security mechanism. It is intended as a reference for readers interested in the topic.

One: Preface

Kubernetes has two separate account systems, User Account and Service Account:

1. A User Account is for human users; a Service Account is for processes running in a Pod. They serve different kinds of subjects.

2. A User Account is cluster-wide (global); a Service Account belongs to a specific Namespace.

3. A User Account is synchronized with the back-end user database.

Two: Brief introduction to Kubernetes API Server

The Kubernetes API Server is provided by a process called kube-apiserver, which runs on the Master node. By default, the kube-apiserver process serves a plain REST endpoint on port 8080 of the local machine (--insecure-port). The HTTPS secure port (--secure-port=6443) can be enabled at the same time to activate the security mechanism and protect REST API access.

Usually we use kubectl to interact with the Kubernetes API Server; the interface between them is REST calls. The curl command-line tool can also be used for quick verification.

In addition, calling the Kubernetes API Server programmatically falls into the following two scenarios:

1. A process running in a Pod calls the API Server. How does a process in a Pod know the access address of the API Server? The answer is simple: the Kubernetes API Server is itself a Service, its name is "kubernetes", and its IP address is the first address in the ClusterIP address pool. Its service port is HTTPS port 443.

2. A Kubernetes-based management platform is developed, for example one that calls the Kubernetes API to provide a graphical interface for creating and managing resource objects such as Pod, Service and RC. The client libraries available in the community can be used for this.

Normally, to keep the Kubernetes cluster secure, the API Server authenticates every client; if authentication fails, the API cannot be called. When the Kubernetes API Server is accessed from inside a Pod, it is reached through the Service named kubernetes, and that Service is only exposed on HTTPS port 443. How, then, does the process authenticate? The answer is the Service Account Token.

Three: Service Account

The Service Account's token Secret provides three items to the container: a public key (CA) certificate, which the process in the Pod uses to verify the API Server's server certificate; the namespace; and the token. These are placed in the container so that it can access the apiserver over HTTPS requests.
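The following is an added example (not code from the original article or from Kubernetes) showing how a process inside a Pod assembles an authenticated API Server call from the three items just described. It assumes the conventional mount path /var/run/secrets/kubernetes.io/serviceaccount and the kubelet-injected KUBERNETES_SERVICE_HOST / KUBERNETES_SERVICE_PORT variables for locating the "kubernetes" Service; the sample directory it builds for offline use is constructed, with fake values.

```python
"""Added example, not from the article or Kubernetes: build an API Server request
from the CA certificate, namespace and token mounted into a Pod.
Assumptions: conventional mount path and the KUBERNETES_SERVICE_* environment
variables; the demo directory below is constructed with fake contents."""
import json
import os
import ssl
import tempfile
import urllib.request
from dataclasses import dataclass, field
from typing import Dict

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"  # conventional mount path (assumption)


@dataclass
class ApiRequest:
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    ca_cert: str = ""  # file the client uses to verify the API Server's certificate


def load_service_account(sa_dir: str = SA_DIR) -> Dict[str, str]:
    """Read ca.crt, namespace and token from the mounted Secret volume."""
    sa = {"dir": sa_dir}
    for name in ("ca.crt", "namespace", "token"):
        with open(os.path.join(sa_dir, name), encoding="utf-8") as f:
            sa[name] = f.read().strip()
        if not sa[name]:
            raise ValueError(f"{name} in {sa_dir} is empty")
    return sa


def build_pod_list_request(sa: Dict[str, str], host: str, port: str) -> ApiRequest:
    """List Pods in the Pod's own namespace. The token travels as a bearer
    credential; the CA file is what lets the client trust the server, and is
    not a client certificate."""
    url = f"https://{host}:{port}/api/v1/namespaces/{sa['namespace']}/pods"
    return ApiRequest(
        url=url,
        headers={"Authorization": f"Bearer {sa['token']}", "Accept": "application/json"},
        ca_cert=os.path.join(sa["dir"], "ca.crt"),
    )


def send(req: ApiRequest) -> dict:
    """Issue the request with server verification pinned to the mounted CA."""
    ctx = ssl.create_default_context(cafile=req.ca_cert)
    http_req = urllib.request.Request(req.url, headers=req.headers)
    with urllib.request.urlopen(http_req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def make_demo_sa_dir() -> str:
    """Constructed stand-in for the mounted volume; every value here is fake."""
    d = tempfile.mkdtemp(prefix="sa-demo-")
    files = {
        "ca.crt": "-----BEGIN CERTIFICATE-----\nFAKE\n-----END CERTIFICATE-----\n",
        "namespace": "kube-system\n",
        "token": "constructed.demo.token\n",
    }
    for name, content in files.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as f:
            f.write(content)
    return d


if __name__ == "__main__":
    inside_pod = os.path.isdir(SA_DIR)
    sa = load_service_account(SA_DIR if inside_pod else make_demo_sa_dir())
    # Fallback host is a constructed placeholder for running outside a cluster.
    req = build_pod_list_request(
        sa,
        os.environ.get("KUBERNETES_SERVICE_HOST", "10.96.0.1"),
        os.environ.get("KUBERNETES_SERVICE_PORT", "443"),
    )
    print(req.url, "| Authorization: Bearer <redacted>")
    if inside_pod:
        print(json.dumps(send(req), indent=2)[:500])
```

Run inside a Pod, the script lists the Pods of its own namespace (subject to RBAC); outside a cluster it only builds the request against the constructed directory, which is enough to see where each of the three files ends up: the namespace in the URL, the token in the Authorization header, and ca.crt in the TLS context.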

Four: Service Account verification process of the API Server

Take the "default" ServiceAccount in the kube-system namespace as an example: the full username of the Pod is system:serviceaccount:kube-system:default. With the username settled, what serves as the credential? It is the token in the service-account-token Secret mentioned above. The API Server's verification process supports several identity verification methods: CA certificate authentication, Token authentication and HTTP Basic authentication. Once the API Server sees that a client request uses the service account token method, it automatically verifies identity with the signed bearer token method: the service account token carried in the request takes part in the verification. This token is generated when the service account is created, by having the API Server sign it with the key given by the API Server startup parameter --service-account-key-file. If no value is passed for --service-account-key-file, the API Server's own private key, the value of --tls-private-key-file, is used by default.
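The following added example (not the article's or Kubernetes' own code) sketches the shape of that verification: the signature on the bearer token is checked with the service-account key before any claim is trusted, and the username is derived from the token's subject claim. To stay self-contained it substitutes HS256 with a shared secret for the asymmetric key pair the real API Server derives from --service-account-key-file; the claim names follow the legacy service-account token layout, and all keys and claim values are constructed for the demo.

```python
"""Added example, not from the article or Kubernetes: verify a service-account
bearer token and derive the username from it.
Assumption: HS256 with a shared secret stands in for the API Server's signing
key; real tokens are signed with the --service-account-key-file key pair."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

SA_PREFIX = "system:serviceaccount:"
EXPECTED_ISSUER = "kubernetes/serviceaccount"  # legacy service-account token issuer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: Dict, key: bytes) -> str:
    """Produce a compact JWT (header.payload.signature), as the API Server does
    when it populates a service account's token Secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authenticate_bearer(token: str, key: bytes) -> Optional[str]:
    """Return the username (the JWT 'sub') if the token verifies, else None.
    The signature is checked first; claims are only read once it holds."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # never accept "none" or an unexpected algorithm
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    if not isinstance(claims, dict) or claims.get("iss") != EXPECTED_ISSUER:
        return None
    sub = claims.get("sub", "")
    ns = claims.get("kubernetes.io/serviceaccount/namespace")
    name = claims.get("kubernetes.io/serviceaccount/service-account.name")
    # The username must agree with the namespace and service-account claims.
    if not ns or not name or sub != f"{SA_PREFIX}{ns}:{name}":
        return None
    return sub


# Constructed demo values, mirroring the kube-system "default" account above.
DEMO_KEY = b"constructed-demo-signing-key"
DEMO_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "sub": "system:serviceaccount:kube-system:default",
}

if __name__ == "__main__":
    tok = sign_token(DEMO_CLAIMS, DEMO_KEY)
    print("valid token ->", authenticate_bearer(tok, DEMO_KEY))
    print("wrong key   ->", authenticate_bearer(tok, b"some-other-key"))
```

The checks that matter for a defender are the ones that refuse a token: a signature made with a different key, a payload edited after signing, an unexpected algorithm in the header, or a subject that does not match the namespace and service-account claims all yield no username, so the request never reaches authorization.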

Five: Secret

Kubernetes provides the Secret object for handling sensitive information. There are currently three types of Secret:

1. Opaque (the default): an arbitrary string.

2. kubernetes.io/service-account-token: used by a ServiceAccount, as described above.

3. kubernetes.io/dockercfg: used with a Docker registry, for authenticating when users pull Docker images.

Under each Namespace there is a default Service Account object named default. This Service Account carries a token Secret that can be mounted into a Pod as a Volume. When the Pod starts, the Secret is automatically mounted at the specified directory in the Pod, which lets the process in the Pod complete identity authentication when it accesses the API Server.
