Kubernetes apiserver Authentication
https://kubernetes.io/docs/reference/access-authn-authz/authentication/
Table of Contents
- X509 Client Certs - TODO
- Static Token File
- Bootstrap Token
- ServiceAccount Token
- OpenID Connect Token - TODO
- Webhook Token Authentication - TODO
- Authenticating Proxy - TODO
X509 Client Certs
//TODO
Static Token File
- create a static token file (using
uuidgen
openssl
)
# The static-token file is: Must be located in /etc/kubernetes/pki/ directory
$ sudo bash -c 'cat > /etc/kubernetes/pki/static-token.csv <<EOF
$(openssl rand -base64 32),token-user,$(uuidgen),"system:masters"
EOF'
$ cat /etc/kubernetes/pki/static-token.csv
c7cLEdumD3eVl/W2qQ5RAWQzhaWb7N5R9Bkl65hAk/4=,token-user,d70723d7-2272-4e44-a464-9a1fd6bcd13f,"system:masters"
--token-auth-file=
옵션 지정
$ sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
annotations:
kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.30.20.139:6443
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --token-auth-file=/etc/kubernetes/pki/static-token.csv
- verify
$ curl -i -k -H "Authorization: Bearer $(cat /etc/kubernetes/pki/static-token.csv | awk -F ',' 'FNR==1 {print $1}')" https://192.168.77.61:6443/api/v1/namespaces
HTTP/2 200
audit-id: 2982120c-0c8b-46bf-a4c3-0257b9dc5ba3
cache-control: no-cache, private
content-type: application/json
...
Bootstrap Token
bootstrap.kubernetes.io/token https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/
개요
- API 서버에서 다음 플래그를 사용하여 부트스트랩 토큰 인증자를 활성화할 수 있다.
# /etc/kubernetes/manifests/kube-apiserver.yaml
--enable-bootstrap-token-auth
- 활성화되면 부트스트랩 토큰을 API 서버에 대한 요청을 인증하기 위한 전달자 토큰 자격 증명으로 사용할 수 있다.
Authorization: Bearer 07401b.f395accd246ae52d
사용방법
- bootstarp token 생성
$ kubeadm token create $(kubeadm token generate)
- bootstarp token secret 에서 TOKEN_ID, TOKEN_SECRET 조회
$ SECRET=$(kubectl get secret -n kube-system | grep bootstrap.kubernetes.io/token | awk 'FNR==1 { print $1 }')
$ TOKEN_ID=$(kubectl get secret ${SECRET} -n kube-system -o jsonpath='{.data.token-id}' | base64 --decode)
$ TOKEN_SECRET=$(kubectl get secret ${SECRET} -n kube-system -o jsonpath='{.data.token-secret}' | base64 --decode)
- bootstarp token
cluster-admin
권한 부여토큰은 사용자 이름 system:bootstrap:
로 인증되며 system:bootstrappers 그룹의 구성원
$ kubectl create clusterrolebinding bootstrap-token-binding --clusterrole=cluster-admin --user=system:bootstrap:${TOKEN_ID}
- 검증
$ curl -i -k -H "Authorization: Bearer ${TOKEN_ID}.${TOKEN_SECRET}" https://192.168.77.61:6443/api/v1/namespaces
$ curl -i -k -H "Authorization: Bearer ${TOKEN_ID}.${TOKEN_SECRET}" https://192.168.77.61:6443/apis/metrics.k8s.io/v1beta1/namespaces/default/pods
ServiceAccount Token
kubernetes.io/service-account-token
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens
- create a serviceaccount and rolebinding
$ kubectl create serviceaccount admin-sa -n kube-public
$ kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
name: admin-sa-secret
namespace: kube-public
annotations:
kubernetes.io/service-account.name: admin-sa
type: kubernetes.io/service-account-token
EOF
$ kubectl create clusterrolebinding admin-token-binding --clusterrole=cluster-admin --serviceaccount=kube-public:admin-sa
- access to the cluster using
kubectl
(--token
option)
$ kubectl get nodes --token="$(kubectl get secret admin-sa-secret -n kube-public -o jsonpath='{.data.token}' | base64 --decode)"
- access to the cluster using
kubectl
(current kubeconfig file)
$ kubectl config set-credentials token-user --token="$(kubectl get secret admin-sa-secret -n kube-public -o jsonpath='{.data.token}' | base64 --decode)"
$ kubectl config set-context token-cluster --cluster=$(kubectl config get-clusters | awk 'FNR==2 {print $1}') --user=token-user
$ kubectl config use-context token-cluster --cluster=$(kubectl config get-clusters | awk 'FNR==2 {print $1}') --user=token-user
$ kubectl get nodes
- access to the cluster using
kubectl
(external kubeconfig file)
$ echo -e "apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority-data: $(kubectl get secret admin-sa-secret -n kube-public -o jsonpath='{.data.ca\.crt}')
server: $(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$(kubectl config view -o jsonpath="{.contexts[?(@.name==\"$(kubectl config current-context)\")].context.cluster}")\")].cluster.server}")
name: admin-cluster
contexts:
- context:
cluster: admin-cluster
user: admin-user
name: admin
current-context: admin
users:
- name: admin-user
user:
token: $(kubectl get secret admin-sa-secret -n kube-public -o jsonpath='{.data.token}' | base64 --decode)
" > kubeconfig-token.yaml
$ kubectl get nodes --kubeconfig="$(pwd)/kubeconfig-token.yaml"
- clean-up
$ kubectl delete serviceaccount admin-sa -n kube-public
$ kubectl delete clusterrolebinding admin-token-binding
$ kubectl delete secret admin-sa-secret -n kube-public
$ rm kubeconfig-token.yaml
OpenID Connect Token
//TODO
- OIDC Authenticator
# Option 1 - OIDC Authenticator
kubectl config set-credentials mmosley \
--auth-provider=oidc \
--auth-provider-arg=idp-issuer-url=https://oidcidp.tremolo.lan:8443/auth/idp/OidcIdP \
--auth-provider-arg=client-id=kubernetes \
--auth-provider-arg=client-secret=1db158f6-177d-4d9c-8a8b-d36869918ec5 \
--auth-provider-arg=refresh-token=q1bKLFOyUiosTfawzA93TzZIDzH2TNa2SMm0zEiPKTUwME6BkEo6Sql5yUWVBSWpKUGphaWpxSVAfekBOZbBhaEW+VlFUeVRGcluyVF5JT4+haZmPsluFoFu5XkpXk5BXqHega4GAXlF+ma+vmYpFcHe5eZR+slBFpZKtQA= \
--auth-provider-arg=idp-certificate-authority=/root/ca.pem \
--auth-provider-arg=id-token=eyJraWQiOiJDTj1vaWRjaWRwLnRyZW1vbG8ubGFuLCBPVT1EZW1vLCBPPVRybWVvbG8gU2VjdXJpdHksIEw9QXJsaW5ndG9uLCBTVD1WaXJnaW5pYSwgQz1VUy1DTj1rdWJlLWNhLTEyMDIxNDc5MjEwMzYwNzMyMTUyIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL29pZGNpZHAudHJlbW9sby5sYW46ODQ0My9hdXRoL2lkcC9PaWRjSWRQIiwiYXVkIjoia3ViZXJuZXRlcyIsImV4cCI6MTQ4MzU0OTUxMSwianRpIjoiMm96US15TXdFcHV4WDlHZUhQdy1hZyIsImlhdCI6MTQ4MzU0OTQ1MSwibmJmIjoxNDgzNTQ5MzMxLCJzdWIiOiI0YWViMzdiYS1iNjQ1LTQ4ZmQtYWIzMC0xYTAxZWU0MWUyMTgifQ.w6p4J_6qQ1HzTG9nrEOrubxIMb9K5hzcMPxc9IxPx2K4xO9l-oFiUw93daH3m5pluP6K7eOE6txBuRVfEcpJSwlelsOsW8gb8VJcnzMS9EnZpeA0tW_p-mnkFc3VcfyXuhe5R3G7aa5d8uHv70yJ9Y3-UhjiN9EhpMdfPAoEB9fYKKkJRzF7utTTIPGrSaSU6d2pcpfYKaxIwePzEkT4DfcQthoZdy9ucNvvLoi1DIC-UocFD8HLs8LYKEqSxQvOcvnThbObJ9af71EwmuE21fO5KzMW20KtAeget1gnldOosPtz1G5EwvaQ401-RPQzPGMVBld0_zMCAwZttJ4knw
# Option 2 - Use the --token Option
kubectl --token=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL21sYi50cmVtb2xvLmxhbjo4MDQzL2F1dGgvaWRwL29pZGMiLCJhdWQiOiJrdWJlcm5ldGVzIiwiZXhwIjoxNDc0NTk2NjY5LCJqdGkiOiI2RDUzNXoxUEpFNjJOR3QxaWVyYm9RIiwiaWF0IjoxNDc0NTk2MzY5LCJuYmYiOjE0NzQ1OTYyNDksInN1YiI6Im13aW5kdSIsInVzZXJfcm9sZSI6WyJ1c2VycyIsIm5ldy1uYW1lc3BhY2Utdmlld2VyIl0sImVtYWlsIjoibXdpbmR1QG5vbW9yZWplZGkuY29tIn0.f2As579n9VNoaKzoF-dOQGmXkFKf1FMyNV0-va_B63jn-_n9LGSCca_6IVMP8pO-Zb4KvRqGyTP0r3HkHxYy5c81AnIh8ijarruczl-TK_yF5akjSTHFZD-0gRzlevBDiH8Q79NAr-ky0P4iIXS8lY9Vnjch5MF74Zx0c3alKJHJUnnpjIACByfF2SCaYzbWFMUNat-K1PaUk5-ujMBG7yYnr95xD-63n8CO8teGUAAEMx6zRjzfhnhbzX-ajwZLGwGUBT4WqjMs70-6a7_8gZmLZb2az1cZynkFRj2BaCkVT3A2RrjeEwZEtGXlMqKJ1_I2ulrOVsYx01_yD35-rw get nodes
Webhook Token Authentication
//TODO
Authenticating Proxy
//TODO
posted at 2023/01/04 14:41