摘要:介紹我們想要啥結(jié)束多簡(jiǎn)單�,別整那么多沒(méi)用的。創(chuàng)建密鑰對(duì)私鑰加密總結(jié)核心代碼已經(jīng)可用�,不過(guò)為了更方便使用還需要進(jìn)一步梳理,敬請(qǐng)期待�����。鑒權(quán)僅是其其中一個(gè)功能���,定位是一個(gè)極簡(jiǎn)的管理平臺(tái)��。
kubernetes集群三步安裝
概述
kubernetes server account的token很容易獲取��,但是User的token非常麻煩,本文給出一個(gè)極簡(jiǎn)的User token生成方式,讓用戶可以一個(gè)http請(qǐng)求就能獲取到���。
token主要用來(lái)干啥
官方dashboard登錄時(shí)需要�����。 如果通過(guò)使用kubeconfig文件登錄而文件中又沒(méi)有token的話會(huì)失敗��,現(xiàn)在大部分文章都介紹使用service account的token來(lái)登錄dashboard����,能通�����,不過(guò)有問(wèn)題:
第一:綁定角色時(shí)要指定類型是service account:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard
labels:
k8s-app: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount # 這里不是User類型
name: kubernetes-dashboard
namespace: kube-system
第二:要理解kubeconfig里是解析證書把CN作為用戶名的��,這時(shí)service account即便與CN一樣那還是兩個(gè)賬戶��,綁定角色時(shí)還需要綁定兩次��,有點(diǎn)像把service account給"人"用, 所以把service account的token扔給某個(gè)開發(fā)人員去用往往不合適��,service account token更多時(shí)候是給程序用的���。
想直接調(diào)用https的�����,沒(méi)有token就會(huì):
[root@iZj6cegflzze2l7fpcqoerZ ssl]# curl https://172.31.12.61:6443/api/v1/namespaces/default/pods --insecure
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "pods is forbidden: User "system:anonymous" cannot list resource "pods" in API group "" in the namespace "default"",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
}
因?yàn)闆](méi)有任何認(rèn)證信息��,所以匿名(anonymous)用戶沒(méi)有任何權(quán)限
加了token是這樣的:
[root@iZj6cegflzze2l7fpcqoerZ ssl]# curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkNnYzRPVEV5TlRVM0VnWm5hWFJvZFdJIn0.eyJpc3MiOiJodHRwczovL2RleC5leGFtcGxlLmNvbTo4MDgwIiwic3ViIjoiQ2djNE9URXlOVFUzRWdabmFYUm9kV0kiLCJhdWQiOiJleGFtcGxlLWFwcCIsImV4cCI6MTU1MTA5NzkwNiwiaWF0IjoxNTUwNzM3OTA2LCJlbWFpbCI6ImZodGpvYkBob3RtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJncm91cHMiOlsiZGV2Il0sIm5hbWUiOiJmYW51eCJ9.ZqKn461UW0aGtyjyqu2Dc5tiUzC-6eYLag542d3AvklUdZuw8i9XwyaUg_f1OAj0ZsEcOybOe9_PeGMaUYzU0OvlKPY-q2zbQVC-m6u6sQw6ZXx8pi0W8k4wQSJnMaOLddCfurlYufmr8kScDBQlnKapSR0F9mJzvpKkHD-XNshQKWhX3n03g7OfFgb4RuhLjKDNQnoGn7DfBNntibHlF9sPo0jC5JjqTZaGvoGmiRE4PAXwxA-RJifsWDNf_jW8lrDiY4NSO_3O081cia4N1GKht51q9W3eaNMvFDD9hje7abDdZoz9KPi2vc3zvgH7cNv0ExVHKaA0-dwAZgTx4g" -k https://172.31.12.61:6443/api/v1/namespaces/default/pods
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "pods is forbidden: User "https://dex.example.com:8080#fanux" cannot list resource "pods" in API group "" in the namespace "default"",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
}
看����,雖然還是403 但是已經(jīng)有了用戶信息,只要給該用戶授權(quán)就可正常訪問(wèn)了��,如何授權(quán)下文介紹
token種類介紹
token的生成方式有很多�,主要分成三種:
service account token 這個(gè)創(chuàng)建service account就有,存在secret里 獲取比較簡(jiǎn)單����,但是要區(qū)分好 User 和 service account區(qū)別
普通的token,這種token就是個(gè)普通的字符串�����,一般是自己寫一個(gè)認(rèn)證的web hook, k8s認(rèn)證時(shí)調(diào)用這個(gè)hook 查詢token是否有效��,比較low
基于openid的jwt(josn web token) 這種token�����,認(rèn)證中心把用戶信息放在json里�,用私鑰加密,k8s拿到token后用公鑰解密�����,只要解密成功token就是合法的而且能拿到用戶信息�,不需要再像認(rèn)證中心請(qǐng)求
基于openid的jwt是本文介紹的重點(diǎn)。
社區(qū)用的比較多的就是dex,是一個(gè)比較完整的實(shí)現(xiàn)����,但是對(duì)于不熟悉該技術(shù)的朋友來(lái)說(shuō)還是有點(diǎn)門檻的,容易繞進(jìn)去�����。 而且還存在一些使用不方便的問(wèn)題�。
如依賴復(fù)雜,首先得需要一個(gè)真正的用戶管理程序����,如ldap 或者一個(gè)auth2服務(wù)端,這還可以接受��,關(guān)鍵是認(rèn)證時(shí)可能需要依賴瀏覽器進(jìn)行跳轉(zhuǎn)授權(quán),這在十分多的場(chǎng)景里就變的十分尷尬���,就比如我們的場(chǎng)景壓根沒(méi)有
界面�����,這樣生成token就成了一個(gè)大問(wèn)題�。 其次集成到別的系統(tǒng)中時(shí)往往用戶已經(jīng)登錄過(guò)了����,所以需要一個(gè)二次授權(quán)的過(guò)程才能拿到token,依賴過(guò)重導(dǎo)致系統(tǒng)難以設(shè)計(jì)�。
然而如果不是集成到別的系統(tǒng)中,比如從0開發(fā)一個(gè)完成的PaaS平臺(tái)那使用dex還是一個(gè)完美的方案����。
所以我們實(shí)現(xiàn)了一個(gè)簡(jiǎn)單粗暴的方案,完全解放了這個(gè)過(guò)程, 只care最核心的東西�����。
sealyun fist介紹
我們想要啥?
input:
{
"User": "fanux",
"Group": ["sealyun", "develop"]
}
output:
eyJhbGciOiJSUzI1NiIsImtpZCI6IkNnYzRPVEV5TlRVM0VnWm5hWFJvZFdJIn0.eyJpc3MiOiJodHRwczovL2RleC5leGFtcGxlLmNvbTo4MDgwIiwic3ViIjoiQ2djNE9URXlOVFUzRWdabmFYUm9kV0kiLCJhdWQiOiJleGFtcGxlLWFwcCIsImV4cCI6MTU1MTA5NzkwNiwiaWF0IjoxNTUwNzM3OTA2LCJlbWFpbCI6ImZodGpvYkBob3RtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJncm91cHMiOlsiZGV2Il0sIm5hbWUiOiJmYW51eCJ9.ZqKn461UW0aGtyjyqu2Dc5tiUzC-6eYLag542d3AvklUdZuw8i9XwyaUg_f1OAj0ZsEcOybOe9_PeGMaUYzU0OvlKPY-q2zbQVC-m6u6sQw6ZXx8pi0W8k4wQSJnMaOLddCfurlYufmr8kScDBQlnKapSR0F9mJzvpKkHD-XNshQKWhX3n03g7OfFgb4RuhLjKDNQnoGn7DfBNntibHlF9sPo0jC5JjqTZaGvoGmiRE4PAXwxA-RJifsWDNf_jW8lrDiY4NSO_3O081cia4N1GKht51q9W3eaNMvFDD9hje7abDdZoz9KPi2vc3zvgH7cNv0ExVHKaA0-dwAZgTx4g
結(jié)束,多簡(jiǎn)單���,別整那么多沒(méi)用的��。
所以為了實(shí)現(xiàn)上面的功能��,我們開發(fā)了 fist, fist的auth模塊把dex里最核心的token生成功能以及jwt功能實(shí)現(xiàn)了��。
sealyun fist/auth 使用教程
安裝部署
生成證書
# mkdir /etc/kubernetes/pki/fist
# cd /etc/kubernetes/pki/fist
# sh gencert.sh # 腳本內(nèi)容內(nèi)代碼
啟動(dòng)fist auth模塊
kubectl create -f deploy/fist-auth.yaml
修改k8s apiserver啟動(dòng)參數(shù)
vim /etc/kubernetes/manifests/kube-apiserver.yaml
- command:
- kube-apiserver
- --oidc-issuer-url=https://fist.sealyun.svc.cluster.local:8080
- --oidc-client-id=example-app
- --oidc-ca-file=/etc/kubernetes/pki/fist/ca.pem
- --oidc-username-claim=name
- --oidc-groups-claim=groups
獲取及使用 token
獲取token
curl https://fist.sealyun.svc.cluster.local:8080/token?user=fanux&group=sealyun,develop --cacert ca.pem
使用token
直接curl加bare token 見上文
加入到kubeconfig中:
kubectl config set-credentials --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IkNnYzRPVEV5TlRVM0VnWm5hWFJvZFdJIn0.eyJpc3MiOiJodHRwczovL2RleC5leGFtcGxlLmNvbTo4MDgwIiwic3ViIjoiQ2djNE9URXlOVFUzRWdabmFYUm9kV0kiLCJhdWQiOiJleGFtcGxlLWFwcCIsImV4cCI6MTU1MTEwMDI5MywiaWF0IjoxNTUwNzQwMjkzLCJlbWFpbCI6ImZodGpvYkBob3RtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJncm91cHMiOlsiZGV2Il0sIm5hbWUiOiJmYW51eCJ9.OAK4oIYqJszm1EACYW2neXTo738RW9kXFOIN5bOT4Z2CeKAvYqyOVKCWZf04xX45jwT78mATR3uas2YvRooDXlvxaD3K43ls4KBSG-Ofp-ynqlcVTpD3sUDqyux2iieNv4N6IyCv11smrU0lIlkrQC6oyxzTGae1FrJVGc5rHNsIRZHp2WrQvw83uLn_elHgUfSlsOq0cPtVONaAQWMAMi2DX-y5GCNpn1CDvudGJihqsTciPx7bj0AOXyiOznWhV186Ybk-Rgqn8h0eBaQhFMyNpwVt6oIP5pvJQs0uoODeRv6P3I3-AjKyuCllh9KDtlCVvSP4WtMUTfHQN4BigQ kubernetes-admin
然后.kube/config 文件里的 user.client-certifacate-data 和 client-key-data就可以刪了���,再執(zhí)行kubectl會(huì):
[root@iZj6cegflzze2l7fpcqoerZ ~]# kubectl get pod
Error from server (Forbidden): pods is forbidden: User "https://dex.example.com:8080#fanux" cannot list resource "pods" in API group "" in the namespace "default"
說(shuō)明新用戶成功了
授權(quán)
[root@iZj6cegflzze2l7fpcqoerZ ~]# cat rolebind.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-secrets-global
subjects:
- kind: User
name: "https://dex.example.com:8080#fanux" # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: cluster-admin # 超級(jí)用戶給他
apiGroup: rbac.authorization.k8s.io
創(chuàng)建個(gè)role binding即可:
[root@iZj6cegflzze2l7fpcqoerZ ~]# kubectl --kubeconfig /etc/kubernetes/admin.conf create -f rolebind.yaml # 用管理員的kubeconfig
clusterrolebinding.rbac.authorization.k8s.io/read-secrets-global created
[root@iZj6cegflzze2l7fpcqoerZ ~]# kubectl get pod # 有權(quán)限訪問(wèn)pod了
No resources found.
原理介紹
jwt原理
https://fist.sealyun.cluster.local:8080
k8s jwt server
| /.well-known/openid-configuration |
|------------------------------------------------>| k8s通過(guò)此url發(fā)現(xiàn)一些信息,最重要的就是用于校驗(yàn)token公鑰的地址
| discover info |
|<------------------------------------------------|
| /keys |
|------------------------------------------------>| 上一步拿到地址���,這一步獲取到公鑰
| public keys |
|<------------------------------------------------|
| |
discoer info 是個(gè)json:
{
"issuer": "https://accounts.google.com",
"authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
"token_endpoint": "https://oauth2.googleapis.com/token",
"userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
"revocation_endpoint": "https://oauth2.googleapis.com/revoke",
"jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
"response_types_supported": [
"code",
"token",
"id_token",
"code token",
"code id_token",
"token id_token",
"code token id_token",
"none"
],
...
public keys也是個(gè)json 類似:
{
"keys": [
{
"e": "AQAB",
"kty": "RSA",
"alg": "RS256",
"n": "3MdFK4pXPvehMipDL_COfqn6o9soHgSaq_V1o8U_5gTZ-j9DxO9PV7BVncXBgHFctnp3JQ1QTDF7txeHeuLOS4KziRw5r4ohaj2WoOTqXh7lqVMR2YDAcBK46asS177NpkQ1CqHIsy3kNfqhXLwTaKfdlwdA_XUfRbKORWbq0kDxV35egx35nHl5qJ6aP6fcpsnnPvHf7KWO0zkdvwuR-IX79HjqUAEg5UERd5FK4y06PRbxuXHjAgVhHu_sk4reNXNp1HRuTYtQ26DFbVaIjsWb8-nQC8-7FkTjlw9FteAwLVGOm9sTLFp73jAf0pWLh7sJ02pBxZKjsxLO1Lvg7w",
"use": "sig",
"kid": "7c309e3a1c1999cb0404ab7125ee40b7cdbcaf7d"
},
{
"alg": "RS256",
"n": "2K7epoJWl_B68lRUi1txaa0kEuIK4WHiHpi1yC4kPyu48d046yLlrwuvbQMbog2YTOZdVoG1D4zlWKHuVY00O80U1ocFmBl3fKVrUMakvHru0C0mAcEUQo7ItyEX7rpOVYtxlrVk6G8PY4EK61EB-Xe35P0zb2AMZn7Tvm9-tLcccqYlrYBO4SWOwd5uBSqc_WcNJXgnQ-9sYEZ0JUMhKZelEMrpX72hslmduiz-LMsXCnbS7jDGcUuSjHXVLM9tb1SQynx5Xz9xyGeN4rQLnFIKvgwpiqnvLpbMo6grhJwrz67d1X6MwpKtAcqZ2V2v4rQsjbblNH7GzF8ZsfOaqw",
"use": "sig",
"kid": "7d680d8c70d44e947133cbd499ebc1a61c3d5abc",
"e": "AQAB",
"kty": "RSA"
}
]
}
所以fist只需要實(shí)現(xiàn)這兩個(gè)url 和 用私鑰匙加密用戶信息生成token即可���。
創(chuàng)建密鑰對(duì):
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
log.Fatalf("gen rsa key: %v", err)
}
priv = jose.JSONWebKey{
Key: key,
KeyID: "Cgc4OTEyNTU3EgZnaXRodWI",
Algorithm: "RS256",
Use: "sig",
}
pub = jose.JSONWebKey{
Key: key.Public(),
KeyID: "Cgc4OTEyNTU3EgZnaXRodWI",
Algorithm: "RS256",
Use: "sig",
}
私鑰加密:
tok := idTokenClaims{
Issuer: "https://dex.example.com:8080",
Subject: "Cgc4OTEyNTU3EgZnaXRodWI",
Audience: "example-app",
Expiry: time.Now().Add(time.Hour * 100).Unix(),
IssuedAt: time.Now().Unix(),
Email: "[email protected]",
EmailVerified: &ev,
Groups: []string{"dev"},
Name: "fanux",
}
payload, err := json.Marshal(&tok)
if err != nil {
return
}
var idToken string
if idToken, err = signPayload(&Priv, signingAlg, payload); err != nil {
return
總結(jié)
fist核心代碼已經(jīng)可用,不過(guò)為了更方便使用還需要進(jìn)一步梳理�,敬請(qǐng)期待。 鑒權(quán)僅是其其中一個(gè)功能�,fist定位是一個(gè)極簡(jiǎn)的k8s管理平臺(tái)。
探討可加QQ群:98488045
公眾號(hào):
