2025-03-31 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
Three-step installation of kubernetes cluster
Overview
A Kubernetes service account token is easy to obtain, but a User token is much more troublesome. This article gives a minimalist way to generate User tokens, so that a user can get one with a single HTTP request.
What is a token mainly used for?
It is required for the official dashboard login: if you log in with a kubeconfig file and the file contains no token, the login fails. Most articles today describe logging in to the dashboard with a service account's token. That does work, but it has problems:
First: when binding the role, the subject type has to be specified as a service account:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount   # this is not the User type
  name: kubernetes-dashboard
  namespace: kube-system
Second: kubeconfig authentication parses the certificate CN as the user name, so a service account and a CN user are still two separate accounts, and a role has to be bound twice. That amounts to using a service account as a "person", which is why handing a service account token to a developer is usually inappropriate; service account tokens are meant for programs.
If you call the HTTPS API directly without a token, you get:
[root@iZj6cegflzze2l7fpcqoerZ ssl]# curl https://172.31.12.61:6443/api/v1/namespaces/default/pods --insecure
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:anonymous\" cannot list resource \"pods\" in API group \"\" in the namespace \"default\"","reason":"Forbidden","details":{"kind":"pods"},"code":403}
Because the request carries no authentication information, it is treated as the anonymous user (system:anonymous), which has no permissions.
With a token, it looks like this:
[root@iZj6cegflzze2l7fpcqoerZ ssl]# curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkNnYzRPVEV5TlRVM0VnWm5hWFJvZFdJIn0.eyJpc3MiOiJodHRwczovL2RleC5leGFtcGxlLmNvbTo4MDgwIiwic3ViIjoiQ2djNE9URXlOVFUzRWdabmFYUm9kV0kiLCJhdWQiOiJleGFtcGxlLWFwcCIsImV4cCI6MTU1MTA5NzkwNiwiaWF0IjoxNTUwNzM3OTA2LCJlbWFpbCI6ImZodGpvYkBob3RtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJncm91cHMiOlsiZGV2Il0sIm5hbWUiOiJmYW51eCJ9.ZqKn461UW0aGtyjyqu2Dc5tiUzC-6eYLag542d3AvklUdZuw8i9XwyaUg_f1OAj0ZsEcOybOe9_PeGMaUYzU0OvlKPY-q2zbQVC-m6u6sQw6ZXx8pi0W8k4wQSJnMaOLddCfurlYufmr8kScDBQlnKapSR0F9mJzvpKkHD-XNshQKWhX3n03g7OfFgb4RuhLjKDNQnoGn7DfBNntibHlF9sPo0jC5JjqTZaGvoGmiRE4PAXwxA-RJifsWDNf_jW8lrDiY4NSO_3O081cia4N1GKht51q9W3eaNMvFDD9hje7abDdZoz9KPi2vc3zvgH7cNv0ExVHKaA0-dwAZgTx4g" -k https://172.31.12.61:6443/api/v1/namespaces/default/pods
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"https://dex.example.com:8080#fanux\" cannot list resource \"pods\" in API group \"\" in the namespace \"default\"","reason":"Forbidden","details":{"kind":"pods"},"code":403}
Look: although the response is still 403, it now carries user information. All that remains is to authorize the user; how to do that is described below.
Introduction to token categories
There are many ways to generate a token; they mainly fall into three types:
1. Service account token: created together with a service account and relatively easy to read from its secret, but User and service account must be kept distinct, as explained above.
2. Plain string token checked by a webhook: the token is an ordinary string, and you generally write an authentication webhook yourself; during authentication k8s calls the hook to check whether the token is valid.
3. JWT (JSON Web Token) based on OpenID, a step up from the low-tech approach above: the authentication authority puts the user information in JSON and signs it with its private key. After receiving the token, k8s verifies the signature with the public key; as long as verification succeeds the token is legitimate and the user information can be read from it, without any request back to the authority.
JWT based on OpenID is the focus of this article.
What the community uses most is dex, which is a fairly complete implementation, but for people unfamiliar with the technology there is still a threshold and it is easy to get lost in it. It also has some inconveniences in use.
Its dependencies are complex: first you need a real user-management backend, such as LDAP or an auth server, which is acceptable. The key point is that authentication may rely on a browser redirect for authorization, which is very awkward in many scenarios; ours, for example, has no interface at all, so generating a token becomes a big problem. Secondly, when integrated into another system the user is usually already logged in, so a secondary authorization step is needed to obtain the token, and the heavy dependencies make the system hard to design.
However, if it is not being integrated into another system, for example when developing a complete PaaS platform from scratch, dex is a perfect solution.
So we implemented a simple and crude solution that drops the whole process and keeps only the core.
Sealyun fist introduction
What do we want?
Input:
{"User": "fanux", "Group": ["sealyun", "develop"]}
Output:
eyJhbGciOiJSUzI1NiIsImtpZCI6IkNnYzRPVEV5TlRVM0VnWm5hWFJvZFdJIn0.eyJpc3MiOiJodHRwczovL2RleC5leGFtcGxlLmNvbTo4MDgwIiwic3ViIjoiQ2djNE9URXlOVFUzRWdabmFYUm9kV0kiLCJhdWQiOiJleGFtcGxlLWFwcCIsImV4cCI6MTU1MTA5NzkwNiwiaWF0IjoxNTUwNzM3OTA2LCJlbWFpbCI6ImZodGpvYkBob3RtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJncm91cHMiOlsiZGV2Il0sIm5hbWUiOiJmYW51eCJ9.ZqKn461UW0aGtyjyqu2Dc5tiUzC-6eYLag542d3AvklUdZuw8i9XwyaUg_f1OAj0ZsEcOybOe9_PeGMaUYzU0OvlKPY-q2zbQVC-m6u6sQw6ZXx8pi0W8k4wQSJnMaOLddCfurlYufmr8kScDBQlnKapSR0F9mJzvpKkHD-XNshQKWhX3n03g7OfFgb4RuhLjKDNQnoGn7DfBNntibHlF9sPo0jC5JjqTZaGvoGmiRE4PAXwxA-RJifsWDNf_jW8lrDiY4NSO_3O081cia4N1GKht51q9W3eaNMvFDD9hje7abDdZoz9KPi2vc3zvgH7cNv0ExVHKaA0-dwAZgTx4g
That's it. That is how easy it should be; skip all the useless extras.
So, to achieve the above, we developed fist. The auth module of fist implements the core token generation and JWT functions of dex.
Sealyun fist/auth installation and deployment tutorial
Generate a certificate
# mkdir /etc/kubernetes/pki/fist
# cd /etc/kubernetes/pki/fist
# sh gencert.sh   # script content is in the code
Start the fist auth module
kubectl create -f deploy/fist-auth.yaml
Modify k8s apiserver startup parameters
vim /etc/kubernetes/manifests/kube-apiserver.yaml
  - command:
    - kube-apiserver
    - --oidc-issuer-url=https://fist.sealyun.svc.cluster.local:8080
    - --oidc-client-id=example-app
    - --oidc-ca-file=/etc/kubernetes/pki/fist/ca.pem
    - --oidc-username-claim=name
    - --oidc-groups-claim=groups
Obtain and use token
Get token
curl "https://fist.sealyun.svc.cluster.local:8080/token?user=fanux&group=sealyun,develop" --cacert ca.pem
Use token
Direct curl with the bare token: see above.
Add to kubeconfig:
kubectl config set-credentials --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IkNnYzRPVEV5TlRVM0VnWm5hWFJvZFdJIn0.eyJpc3MiOiJodHRwczovL2RleC5leGFtcGxlLmNvbTo4MDgwIiwic3ViIjoiQ2djNE9URXlOVFUzRWdabmFYUm9kV0kiLCJhdWQiOiJleGFtcGxlLWFwcCIsImV4cCI6MTU1MTEwMDI5MywiaWF0IjoxNTUwNzQwMjkzLCJlbWFpbCI6ImZodGpvYkBob3RtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJncm91cHMiOlsiZGV2Il0sIm5hbWUiOiJmYW51eCJ9.OAK4oIYqJszm1EACYW2neXTo738RW9kXFOIN5bOT4Z2CeKAvYqyOVKCWZf04xX45jwT78mATR3uas2YvRooDXlvxaD3K43ls4KBSG-Ofp-ynqlcVTpD3sUDqyux2iieNv4N6IyCv11smrU0lIlkrQC6oyxzTGae1FrJVGc5rHNsIRZHp2WrQvw83uLn_elHgUfSlsOq0cPtVONaAQWMAMi2DX-y5GCNpn1CDvudGJihqsTciPx7bj0AOXyiOznWhV186Ybk-Rgqn8h0eBaQhFMyNpwVt6oIP5pvJQs0uoODeRv6P3I3-AjKyuCllh9KDtlCVvSP4WtMUTfHQN4BigQ kubernetes-admin
Then the user.client-certificate-data and client-key-data entries in ~/.kube/config can be deleted, after which kubectl gives:
[root@iZj6cegflzze2l7fpcqoerZ ~]# kubectl get pod
Error from server (Forbidden): pods is forbidden: User "https://dex.example.com:8080#fanux" cannot list resource "pods" in API group "" in the namespace "default"
This means the new user works.
Authorization
[root@iZj6cegflzze2l7fpcqoerZ ~]# cat rolebind.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-secrets-global
subjects:
- kind: User
  name: "https://dex.example.com:8080#fanux"   # name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin   # give him superuser
  apiGroup: rbac.authorization.k8s.io
Just create the role binding:
[root@iZj6cegflzze2l7fpcqoerZ ~]# kubectl --kubeconfig /etc/kubernetes/admin.conf create -f rolebind.yaml   # uses the administrator's kubeconfig
clusterrolebinding.rbac.authorization.k8s.io/read-secrets-global created
[root@iZj6cegflzze2l7fpcqoerZ ~]# kubectl get pod   # can now access pods
Introduction to the JWT principle
                                    https://fist.sealyun.cluster.local:8080
    k8s                                          jwt server
     |        /.well-known/openid-configuration       |
     |----------------------------------------------->|   k8s discovers some information through this URL; the most
     |                  discover info                 |   important item is the address of the public key used to verify the token
     |<-----------------------------------------------|
     |   fetch the address obtained in the previous step to get the public key in this step
     |----------------------------------------------->|
     |                  public keys                   |
     |<-----------------------------------------------|
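Added example, not fist's or dex's code: both halves of the exchange above in Go with only the standard library, using the issuer URL, client-id and claim names from the page's apiserver flags. It assumes the discovery steps have already delivered the issuer's public key, so the verifier takes the key directly.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
// Claims: what the page's token carries and the apiserver flags read (username-claim=name, groups-claim=groups, client-id must equal aud).
type Claims struct {
	Iss    string   `json:"iss"`
	Aud    string   `json:"aud"`
	Exp    int64    `json:"exp"`
	Name   string   `json:"name"`
	Groups []string `json:"groups"`
}
var b64 = base64.RawURLEncoding
// MintToken is the fist side: {user, groups} in, RS256-signed JWT (header.claims.signature) out.
func MintToken(key *rsa.PrivateKey, iss, aud, user string, groups []string, exp time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(Claims{Iss: iss, Aud: aud, Exp: exp.Unix(), Name: user, Groups: groups})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input)) // RS256 = PKCS#1 v1.5 signature over SHA-256(header.claims)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}
// VerifyToken is the apiserver side: verify the signature with the issuer's public key, then check iss, aud and exp.
// The Kubernetes user name becomes "<issuer>#<name>", the default --oidc-username-prefix when the claim is not "email".
func VerifyToken(pub *rsa.PublicKey, tok, iss, aud string, now time.Time) (string, []string, error) {
	hdr, rest, ok1 := strings.Cut(tok, ".")
	claims, sigB64, ok2 := strings.Cut(rest, ".")
	sig, err1 := b64.DecodeString(sigB64)
	body, err2 := b64.DecodeString(claims)
	digest := sha256.Sum256([]byte(hdr + "." + claims))
	var c Claims
	if !ok1 || !ok2 || err1 != nil || err2 != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil || json.Unmarshal(body, &c) != nil {
		return "", nil, errors.New("bad token: malformed, tampered, or signed by a key the issuer does not own")
	}
	if c.Iss != iss || c.Aud != aud || !now.Before(time.Unix(c.Exp, 0)) {
		return "", nil, errors.New("wrong issuer/audience or expired")
	}
	return iss + "#" + c.Name, c.Groups, nil
}
```

A real apiserver additionally requires TLS to the issuer (the page's --oidc-ca-file) and rotates the public keys it fetched, which is why the token carries a kid header in the page's examples.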