
What is the operation method of Kubernetes authentication

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article introduces how client-certificate authentication is set up for a new user in Kubernetes. Many people run into this situation in practice, so let the editor walk you through how to handle it. I hope you read it carefully and get something out of it!

In a production environment, Kubernetes administrators use namespaces to isolate resources and deployments. A namespace acts as a logical boundary for enforcing basic access control.

Suppose a new administrator named Bob joins the development team to manage the Kubernetes deployments of the R&D group. We need to give him enough access to manage the project namespace. Assuming you are a cluster administrator with permission to manage global resources and objects, you will set up the Bob account and help him obtain the credentials he needs to access the Kubernetes cluster.

I used Minikube for this walkthrough, but the scenario applies to any Kubernetes cluster, however it is configured (as long as you are a cluster administrator).

First, create a directory called cred and run the following commands to generate a private key for Bob.

mkdir cred
cd cred
openssl genrsa -out bob.key 2048
Generating RSA private key, 2048 bit long modulus
......+++
.....+++
e is 65537 (0x10001)

We also need a certificate signing request (CSR), which is generated from the private key. The subject sets Bob's user name (CN) and group (O).

openssl req -new -key bob.key -out bob.csr -subj "/CN=bob/O=eng"

Copy the key to the parent folder, then Base64-encode the CSR as a single line.

cp bob.key ..
cd ..
cat cred/bob.csr | base64 | tr -d '\n'

We need to embed the generated Base64 string in a YAML file (signing-request.yaml) and submit it to Kubernetes as a certificate signing request. This step asks the cluster to sign Bob's key pair, which associates Bob's credentials with the Kubernetes cluster.

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: bob-csr
spec:
  groups:
  - system:authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1lqQ0NBVW9DQVFBd0hURU1NQW9HQTFVRUF3d0RZbTlpTVEwd0N3WURWUVFLREFSbGJtZHVNSUlCSWpBTgpCZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEzSU9oUTArMFJUakpqZjBKTkd2Rmo0YWFlN1hYCkkrZWkzTzZWTEpqMHNKNDBvengyUTVndXBmeFc5b0lEYTJETnhVZjZkNHVMOUJ3V2lhdFdQdnBDNm80MHJQc2EKTjBUdEhEekFYeWppc0E5VXVRMVNKMWg5Mkg0TU9XWEpWNWJWaTlXYjBKU3hLbXVrSUVtaERJcW9TcEh7MU5xaApQMWNXOFFpNXpoVVBmWlpnOUhSaWVUQ2xEMmR3bWRtS1JjbU9uenNGVWhJWmZWanVZNzZJUm9KbksyaHNzVjZoCmMyY1JNTVNEdFA0ZDArYkxOY1BKdExpS3JjQkdwUGxLUEdrSHovM2NNbVhpVi8wY2xqUlppMzJCb3B4NlI1NUIKc0Z6cXZwcWgzNWxLNUVOUGxPZy9sdURFdllGeUtzOUY2aERBRFhDNzQxU0ZCQTI0TERzcTFiWWtVUUlEQVFBQgpvQUF3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUxTejgxL2N3bjQxbVRrUDhabWhhUUx3MkpIRkN4ZUlaOFdpCkZOV0U1cnRVd3hrSjJGWVJKRlFUL1hJN0FoL0pXTkhqeHlhOUNyN3c0OThmanN3bDF2ZzQ1QUgrR29DeVEwTWkKOU1MMHl0WmZyaG5jYmtpRG9oSUpuaWhJTjlCUGpHVkw2SG1USytGc0sybG1ZZ1JDdk9Cclg3Rkh7ZjgwM0ZFNAp4ZkgrZlFsdGxDdEZTSEhuaUlzZTFEQ2J4cFVTdnRISXpYMFcyb2hXV3RPVkRpOTAzOW8zY2VaWmdVK3VRYno0Cmp2djJoeVdRNDhORFl3RWF1UUU2S3NBQTFLT0IyUkI2dE45bjFTVWoxU1B2WnBsQkVieDZ5MTkzaUJSVFJRM2wKM2JhdFRNUUEzelBsdk01ZEE2Vy8rQWcwVm0xMk1SR091VFRLSEU2bE5INE1DbHQvRGZZPQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K
  usages:
  - digital signature
  - key encipherment
  - server auth

kubectl create -f signing-request.yaml
certificatesigningrequest.certificates.k8s.io/bob-csr created

Use the following kubectl command to check the CSR:

kubectl get csr
NAME      AGE   REQUESTOR       CONDITION
bob-csr   41s   minikube-user   Pending

Notice that the request is still in the Pending state at this point. A cluster administrator needs to approve it before it becomes active.

kubectl certificate approve bob-csr
certificatesigningrequest.certificates.k8s.io/bob-csr approved

kubectl get csr
NAME      AGE    REQUESTOR       CONDITION
bob-csr   104s   minikube-user   Approved,Issued

Now that the certificate has been approved and issued, we need to fetch the signed certificate from the cluster. This is the most critical step in setting up the Bob account.

kubectl get csr bob-csr -o jsonpath='{.status.certificate}' | base64 --decode > bob.crt

The bob.crt file is the client certificate used to authenticate Bob. We now have Bob's private key (bob.key) and the approved certificate (bob.crt). With these two credentials, Bob can authenticate to the cluster.

Now you can add Bob to Kubernetes as a user.

kubectl config set-credentials bob --client-certificate=bob.crt --client-key=bob.key
User "bob" set.

Open the ~/.kube/config file to confirm that the credentials have been set.
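The two steps above that are easiest to get wrong by hand are building the CertificateSigningRequest manifest (the Base64 of the CSR must be a single line) and pulling the issued certificate back out of .status.certificate before it is actually approved. The following is an added example, not code from the original article, that performs both steps with the Python standard library. It assumes the current certificates.k8s.io/v1 API, where a CSR must name a signer; for a user certificate that is kubernetes.io/kube-apiserver-client, which only accepts the usage "client auth" (optionally with "digital signature" and "key encipherment"), so the "server auth" usage from the v1beta1 manifest above would be rejected there. The CSR and certificate bodies are constructed placeholders, not real DER.

```python
"""Build a CertificateSigningRequest manifest and extract the issued certificate.

Added example, not part of the original article. Mirrors the shell steps
  cat bob.csr | base64 | tr -d '\n'              (single-line request field)
  kubectl get csr bob-csr -o jsonpath='{.status.certificate}' | base64 --decode
using only the standard library. All sample data below is constructed.
"""
import base64
import json

# Signer used for user (client) certificates in the certificates.k8s.io/v1 API
# and the key usages it accepts; "server auth" is not among them.
CLIENT_SIGNER = "kubernetes.io/kube-apiserver-client"
ALLOWED_CLIENT_USAGES = {"client auth", "digital signature", "key encipherment"}

# Constructed sample CSR: PEM framing around placeholder base64, not a real request.
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIICYjCCAUoCAQAwHTEMMAoGA1UEAwwDYm9iMQ0wCwYDVQQKDARlbmdu\n"
    "-----END CERTIFICATE REQUEST-----\n"
)


def encode_csr(csr_pem: str) -> str:
    """Base64-encode the whole PEM file as one line (what `base64 | tr -d '\\n'` gives)."""
    if "-----BEGIN CERTIFICATE REQUEST-----" not in csr_pem:
        raise ValueError("input is not a PEM certificate request")
    return base64.b64encode(csr_pem.encode()).decode()


def build_csr_manifest(name: str, csr_pem: str, usages=("client auth",)) -> str:
    """Render the CertificateSigningRequest YAML for the kube-apiserver-client signer.

    Rejects usage lists the signer would refuse (missing "client auth", or
    containing something like "server auth") before anything is sent to the API.
    """
    bad = set(usages) - ALLOWED_CLIENT_USAGES
    if "client auth" not in usages or bad:
        raise ValueError(f"usages not accepted by {CLIENT_SIGNER}: {sorted(bad) or list(usages)}")
    usage_lines = "\n".join(f"  - {u}" for u in usages)
    return (
        "apiVersion: certificates.k8s.io/v1\n"
        "kind: CertificateSigningRequest\n"
        "metadata:\n"
        f"  name: {name}\n"
        "spec:\n"
        f"  signerName: {CLIENT_SIGNER}\n"
        f"  request: {encode_csr(csr_pem)}\n"
        "  usages:\n"
        f"{usage_lines}\n"
    )


def extract_certificate(csr_json: str) -> str:
    """Decode .status.certificate from `kubectl get csr <name> -o json`.

    Refuses to hand back a certificate unless the CSR carries an Approved
    condition and the signer has actually populated status.certificate.
    """
    obj = json.loads(csr_json)
    status = obj.get("status", {})
    approved = any(
        c.get("type") == "Approved" and c.get("status") == "True"
        for c in status.get("conditions", [])
    )
    cert_b64 = status.get("certificate")
    if not approved or not cert_b64:
        raise RuntimeError("CSR is not approved and issued yet; approve it before fetching bob.crt")
    pem = base64.b64decode(cert_b64).decode()
    if not pem.startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("status.certificate did not decode to a PEM certificate")
    return pem


# Constructed sample of what `kubectl get csr bob-csr -o json` returns once issued.
SAMPLE_ISSUED_CSR_JSON = json.dumps({
    "metadata": {"name": "bob-csr"},
    "status": {
        "conditions": [{"type": "Approved", "status": "True"}],
        "certificate": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
        ).decode(),
    },
})

if __name__ == "__main__":
    print(build_csr_manifest("bob-csr", SAMPLE_CSR_PEM))
    print(extract_certificate(SAMPLE_ISSUED_CSR_JSON))
```

In real use, write the string returned by build_csr_manifest to signing-request.yaml and feed it to kubectl create -f, and pass the output of kubectl get csr bob-csr -o json to extract_certificate, writing its result to bob.crt. The explicit Approved check is what the one-liner in the article lacks: run too early, `base64 --decode` of an empty field silently produces an empty bob.crt.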

Let's create a new namespace called engineering, for which Bob will be the administrator.

kubectl create namespace engineering
namespace/engineering created

kubectl get namespace
NAME              STATUS   AGE
default           Active   37m
engineering       Active   0s
kube-node-lease   Active   37m
kube-public       Active   37m
kube-system       Active   37m

The kubectl CLI provides a very useful subcommand, auth can-i, for checking the permissions of a specific user. Let's first check whether the current administrator user can access the engineering namespace. Since you are a cluster administrator, the answer is unsurprising.

kubectl auth can-i list pods --namespace engineering
yes

We can also check whether Bob can access the engineering namespace by impersonating him with --as.

kubectl auth can-i list pods --namespace engineering --as bob
no

Obviously, Bob cannot access the namespace: we created credentials for him, so the cluster can authenticate him, but we have not explicitly authorized Bob to perform any action on any object.

This is the end of "what is the operation method of Kubernetes authentication". Thank you for reading. If you want to know more about the industry, you can follow the website, where the editor will publish more high-quality practical articles for you!

© 2024 shulou.com SLNews company. All rights reserved.
