--basic-auth-file=AUTHFILE
这个参数在 1.20 之后就被弃用了,所以要使用新的方式。
bearer token 认证
bearer token 认证是静态 token 认证,这种认证要求 apiserver 启动时添加参数:--token-auth-file=AUTHFILE。
bearer token 认证和 HTTP 基本身份认证类似,只是 HTTP 请求时需要的用户名和密码变成 token 了而已。
AUTHFILE 文件格式如下:
token,user,uid,"group1,group2,group3"
每一行都是一个用户,第四列的 group 可选。
HTTP 客户端可以在 header 中添加 Authorization: Bearer TOKEN 来进行 bearer token 认证,TOKEN 就是需要发送的 token。apiserver 收到后会根据 AUTHFILE 查找是否有符合的用户。
示例:
[root@node1 .kube]# curl -k -XGET -H "Authorization: Bearer 275gX5MPWpNWYsHHoUePEFIvxo4uWAEs" 'https://169.254.128.15:60002/api'  # -k skips verification of the apiserver TLS certificate; the token passed on the command line is also visible in shell history and `ps`
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "cls-qv3z2icb.ccs.tencent-cloud.com:60002"
}
]
}
认证成功,该 token 是我主用户的 token,已经记录在 master 的 AUTHFILE 中。
官方文档
--token-auth-file=SOMEFILE
实际操作
一. 创建令牌文件
vim /etc/kubernetes/basic_auth_file
token,user,uid,"group1,group2,group3" #格式:第一列是 token,应使用足够长的随机字符串;该文件只应由 root 可读
passwd,name,3,"system:authentication"
二. 修改 kube-apiserver 文件
所有 master 节点都要操作一遍
创建用户权限绑定(--user 必须与令牌文件第二列的用户名一致;下面示例绑定的是 cluster-admin,即集群最高权限,生产环境请按最小权限绑定角色)
# kubectl create clusterrolebinding login-on-dashboard-with-cluster-admin --clusterrole=cluster-admin --user=hxf
[root@f-master1 ingress-ex]# systemctl status kube-apiserver.service #获取文件位置
[root@f-master1 ingress-ex]# vi /etc/kubernetes/manifests/kube-apiserver.yaml
添加 --token-auth-file=/etc/kubernetes/basic_auth_file,还需要添加对应的 hostPath volume 和 volumeMount,否则容器内看不到该文件
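apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.37.12:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.37.12
    # Added: static token file. Tokens in this file do not expire and the list is
    # only read at kube-apiserver start, so rotating a token means editing the file
    # and restarting the apiserver. Keep the file readable by root only.
    - --token-auth-file=/etc/kubernetes/basic_auth_file
    - --allow-privileged=true
    # NOTE(review): anonymous requests are still accepted (as system:anonymous,
    # limited only by RBAC); set to false if unauthenticated access is not needed.
    - --anonymous-auth=True
    - --apiserver-count=1
    - --authorization-mode=Node,RBAC
    - --bind-address=0.0.0.0
    - --client-ca-file=/etc/kubernetes/ssl/ca.crt
    - --default-not-ready-toleration-seconds=300
    - --default-unreachable-toleration-seconds=300
    - --enable-admission-plugins=NodeRestriction
    - --enable-aggregator-routing=False
    - --enable-bootstrap-token-auth=true
    - --endpoint-reconciler-type=lease
    - --etcd-cafile=/etc/ssl/etcd/ssl/ca.pem
    - --etcd-certfile=/etc/ssl/etcd/ssl/node-k8s-single.pem
    - --etcd-keyfile=/etc/ssl/etcd/ssl/node-k8s-single-key.pem
    - --etcd-servers=https://10.0.37.12:2379
    - --event-ttl=1h0m0s
    - --kubelet-client-certificate=/etc/kubernetes/ssl/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/ssl/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP
    - --profiling=False
    - --proxy-client-cert-file=/etc/kubernetes/ssl/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/ssl/front-proxy-client.key
    - --request-timeout=1m0s
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/ssl/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/ssl/sa.pub
    - --service-account-lookup=True
    - --service-account-signing-key-file=/etc/kubernetes/ssl/sa.key
    - --service-cluster-ip-range=10.233.0.0/18
    - --service-node-port-range=30000-32767
    - --storage-backend=etcd3
    - --tls-cert-file=/etc/kubernetes/ssl/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/ssl/apiserver.key
    image: 10.0.37.153:5000/kube-apiserver:v1.24.2
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 10.0.37.12
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-apiserver
    readinessProbe:
      failureThreshold: 3
      httpGet:
        host: 10.0.37.12
        path: /readyz
        port: 6443
        scheme: HTTPS
      periodSeconds: 1
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    startupProbe:
      failureThreshold: 30
      httpGet:
        host: 10.0.37.12
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    # Added: mount the token file read-only into the container.
    # (YAML comments use '#'; a trailing '// ...' would become part of the value.)
    - mountPath: /etc/kubernetes/basic_auth_file
      name: basic-auth-file
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/pki
      name: etc-pki
      readOnly: true
    - mountPath: /etc/pki/ca-trust
      name: etc-pki-ca-trust
      readOnly: true
    - mountPath: /etc/pki/tls
      name: etc-pki-tls
      readOnly: true
    - mountPath: /etc/ssl/etcd/ssl
      name: etcd-certs-0
      readOnly: true
    - mountPath: /etc/kubernetes/ssl
      name: k8s-certs
      readOnly: true
  hostNetwork: true
  priorityClassName: system-node-critical
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  volumes:
  # Added: the token file from the node's filesystem. `type: File` makes the Pod
  # fail at start if the file is missing on this node (the default, empty type
  # performs no check at all).
  - hostPath:
      path: /etc/kubernetes/basic_auth_file
      type: File
    name: basic-auth-file
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/pki
      type: DirectoryOrCreate
    name: etc-pki
  - hostPath:
      path: /etc/pki/ca-trust
      type: ""
    name: etc-pki-ca-trust
  - hostPath:
      path: /etc/pki/tls
      type: ""
    name: etc-pki-tls
  - hostPath:
      path: /etc/ssl/etcd/ssl
      type: DirectoryOrCreate
    name: etcd-certs-0
  - hostPath:
      path: /etc/kubernetes/ssl
      type: DirectoryOrCreate
    name: k8s-certs
status: {}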
![](../../static/img/image-20220901162527297.png)
保存 manifest 后 kubelet 会自动重建这个静态 Pod(不重启不生效),可通过 ps -ef|grep kube-apiserver 确认新参数是否已生效
三. 修改 dashboard 的 deploy
[root@f-master1 ingress-ex]# kubectl edit deploy kubernetes-dashboard -n kubernetes-dashboard
spec:
containers:
- args:
- --auto-generate-certificates
- --namespace=kube-system
- --authentication-mode=basic,token # 添加这一行
然后保存退出等待新 pods 启动
修改完的样子
登录时,请用 token,输入上面填入的 token 即可登录,这样不用每次都去生成了,😊。
参考文献:
https://github.com/kubernetes/kubernetes/pull/89069
https://staight.github.io/2019/09/26/kubernetes%E4%B8%AD%E7%9A%84%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6-%E7%94%A8%E6%88%B7%E8%AE%A4%E8%AF%81/
https://blog.csdn.net/weixin_44946147/article/details/125782094
https://kubernetes.io/docs/reference/access-authn-authz/authentication/
参考 k8s
https://github.com/rootsongjc/kubernetes-handbook