Over the past couple of days I have been going through the security configuration of a Kubernetes cluster. It touches the configuration of every component, so in the end I decided to draw a diagram to lay it out, which should make it clearer.
The following configuration is involved:
Every namespace has a `default` ServiceAccount. If `Pod.Spec.serviceAccountName` is not set, the `default` ServiceAccount is used. In the configuration shown in the diagram above, the Pod is given a custom `Pod.Spec.serviceAccountName`: `build-rebot`, and `automountServiceAccountToken: true` means that the `token`, `ca.crt` and `namespace` defined in that ServiceAccount's Secret are automatically mounted into every container of the Pod at the following paths:
ServiceAccount Admission Make Sure Secret Volume Mounted:
```
/var/run/secrets/kubernetes.io/serviceaccount/token
/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
/var/run/secrets/kubernetes.io/serviceaccount/namespace
```
- **kube-controller-manager**
```
--root-ca-file=/var/run/kubernetes/dd_ca.crt
--service-account-private-key-file=/var/run/kubernetes/dd_server.key
```
With this in place, the application inside the Pod can reach the apiserver in either of two ways:
- Add a kubectl proxy container; see [kubectl-container](https://github.com/kubernetes/kubernetes/tree/master/examples/kubectl-container/) for an example
- Use the Go client library, and create a client using the rest.InClusterConfig() and kubernetes.NewForConfig() functions. They handle locating and authenticating to the apiserver. [example](https://github.com/kubernetes/client-go/blob/master/examples/in-cluster/main.go)
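To make the mechanism above concrete (which ServiceAccount a Pod ends up with, whether the admission controller mounts its token, and what an in-cluster client such as rest.InClusterConfig() reads from the mounted paths), here is an added Python example; it is not code from the original post nor from client-go. The admission decision is modelled from the documented precedence rule (the Pod's `automountServiceAccountToken` overrides the ServiceAccount's, and the default is to mount). The `demo_mount` helper, the `build` namespace, the `constructed-token` value, the placeholder certificate and the `10.0.0.1` apiserver address are constructed stand-ins for a real mounted Secret volume and for the `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` environment variables.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Mapping, Optional

# Mount point the ServiceAccount admission controller uses for the token volume.
SA_MOUNT_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
SA_FILES = ("token", "ca.crt", "namespace")


def effective_service_account(pod_spec: Mapping) -> str:
    """ServiceAccount the Pod runs as: spec.serviceAccountName, or "default"
    when the field is unset or empty."""
    return pod_spec.get("serviceAccountName") or "default"


def token_will_be_mounted(pod_spec: Mapping, service_account: Mapping) -> bool:
    """Model the admission decision: the Pod's automountServiceAccountToken
    takes precedence, then the ServiceAccount's, and the default is to mount."""
    for obj in (pod_spec, service_account):
        setting = obj.get("automountServiceAccountToken")
        if setting is not None:
            return bool(setting)
    return True


def load_in_cluster_credentials(mount_dir: str = SA_MOUNT_DIR,
                                env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """What an in-cluster client needs, read by hand: bearer token, CA bundle
    and namespace from the mounted Secret, plus the apiserver address from the
    KUBERNETES_SERVICE_HOST/PORT variables the kubelet injects."""
    env = os.environ if env is None else env
    root = Path(mount_dir)
    creds: Dict[str, str] = {}
    for name in SA_FILES:
        path = root / name
        if not path.is_file():
            # This is the failure an application sees when
            # automountServiceAccountToken is false for the Pod.
            raise FileNotFoundError(f"{path} is missing: token not mounted for this Pod")
        creds[name] = path.read_text().strip()
    host = env.get("KUBERNETES_SERVICE_HOST")
    if not host:
        raise EnvironmentError("KUBERNETES_SERVICE_HOST unset: not running in a cluster?")
    creds["server"] = f"https://{host}:{env.get('KUBERNETES_SERVICE_PORT', '443')}"
    creds["authorization_header"] = f"Bearer {creds['token']}"
    return creds


def demo_mount(tmp_root: str, token: str = "constructed-token",
               namespace: str = "build", mounted: bool = True) -> str:
    """Constructed stand-in for the mounted Secret volume (example only)."""
    root = Path(tmp_root) / "serviceaccount"
    root.mkdir(parents=True, exist_ok=True)
    if mounted:
        (root / "token").write_text(token)
        (root / "ca.crt").write_text(
            "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
        (root / "namespace").write_text(namespace)
    return str(root)


if __name__ == "__main__":
    # The Pod from the post: custom ServiceAccount, token mounted.
    pod = {"serviceAccountName": "build-rebot", "automountServiceAccountToken": True}
    sa = {"metadata": {"name": "build-rebot"}}
    print(effective_service_account(pod), token_will_be_mounted(pod, sa))
    fake_env = {"KUBERNETES_SERVICE_HOST": "10.0.0.1", "KUBERNETES_SERVICE_PORT": "443"}
    with tempfile.TemporaryDirectory() as d:
        creds = load_in_cluster_credentials(demo_mount(d), env=fake_env)
        print(creds["server"], creds["namespace"], creds["authorization_header"])
```

Inside a real Pod, call `load_in_cluster_credentials()` with no arguments. The `FileNotFoundError` branch is what an application hits when the Pod or its ServiceAccount sets `automountServiceAccountToken: false`, which is the right setting for workloads that never need to talk to the apiserver, since an unmounted token cannot be stolen from a compromised container.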
4. kube-apiserver acting as a client and reaching etcd over TLS: the corresponding configuration is the part of the diagram marked with blue lines.
- **kube-apiserver**
```
--kubelet-https
--kubelet-certificate-authority=/var/run/kubelet/etcd-ca.crt
--kubelet-client-certificate=/var/run/kubelet/etcd-kubelet.crt
--kubelet-client-key=/var/run/kubelet/etcd-kubelet.key
```
- **etcd**
```
--client-cert-auth
--trusted-ca-file=/etc/ssl/etcd/etcd-ca.crt
--cert-file=/etc/ssl/etcd/server.crt
--key-file=/etc/ssl/etcd/server.key
```
Here, the file referenced by `token-auth-file` has the following format:
```
token1,user1,uid1,"group1,group2,group3"
token2,user2,uid2,"group1,group2"
```
The file referenced by `basic-auth-file` has the following format:
```
password1,user1,uid1,"group1,group2,group3"
password2,user2,uid2,"group1,group2,group3"
```
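Both files share one CSV layout, and the group list is a single quoted field that itself contains commas, which is what breaks naive `split(",")` parsing. The following added Python example (not the apiserver's own code) parses that layout with the standard `csv` module and resolves an `Authorization: Bearer <token>` header against the parsed token file, comparing in constant time as a defensive choice. The `TOKEN_FILE` and `BASIC_AUTH_FILE` strings are constructed samples that copy the format shown above and contain no real credentials.

```python
import csv
import hmac
import io
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed samples copying the format of the two files above; not real credentials.
TOKEN_FILE = (
    'token1,user1,uid1,"group1,group2,group3"\n'
    'token2,user2,uid2,"group1,group2"\n'
)
BASIC_AUTH_FILE = (
    'password1,user1,uid1,"group1,group2,group3"\n'
    'password2,user2,uid2,"group1,group2,group3"\n'
)


@dataclass
class AuthEntry:
    """Identity attached to a request once its secret matches a row."""
    user: str
    uid: str
    groups: List[str] = field(default_factory=list)


def parse_auth_file(text: str) -> Dict[str, AuthEntry]:
    """Parse the CSV layout shared by --token-auth-file and --basic-auth-file:
    secret,user,uid[,"group1,group2,..."]. The group list is ONE quoted CSV
    field containing commas, so it must go through a CSV parser rather than
    str.split(","). Returns a map from secret (token or password) to identity."""
    entries: Dict[str, AuthEntry] = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not col.strip() for col in row):
            continue  # skip blank lines
        if len(row) < 3:
            raise ValueError(f"line {lineno}: need secret,user,uid, got {len(row)} column(s)")
        secret, user, uid = (col.strip() for col in row[:3])
        # The fourth column is optional; split the quoted group list on commas.
        groups = [g.strip() for g in row[3].split(",") if g.strip()] if len(row) > 3 else []
        if secret in entries:
            # Two rows with the same secret would make the mapping ambiguous.
            raise ValueError(f"line {lineno}: secret already used by user {entries[secret].user!r}")
        entries[secret] = AuthEntry(user=user, uid=uid, groups=groups)
    return entries


def authenticate_bearer(entries: Dict[str, AuthEntry],
                        authorization: Optional[str]) -> Optional[AuthEntry]:
    """Resolve an 'Authorization: Bearer <token>' header against the parsed
    token file. Every stored token is compared in constant time, with no early
    exit, so timing does not reveal how much of a guessed token was correct."""
    if not authorization:
        return None
    scheme, _, presented = authorization.partition(" ")
    if scheme.lower() != "bearer" or not presented.strip():
        return None
    presented_bytes = presented.strip().encode()
    match = None
    for secret, entry in entries.items():
        if hmac.compare_digest(secret.encode(), presented_bytes):
            match = entry  # keep looping: no early exit on a hit
    return match


if __name__ == "__main__":
    tokens = parse_auth_file(TOKEN_FILE)
    print(authenticate_bearer(tokens, "Bearer token2"))
    print(authenticate_bearer(tokens, "Bearer token3"))
    print(sorted(parse_auth_file(BASIC_AUTH_FILE)))
```

Both files hold the secret in cleartext in the first column, so they need the same file permissions as the apiserver's private keys; the same parser serves `--basic-auth-file`, where that column is the password.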
AlwaysAllow; if needed, enabling RBAC will be considered later.
```
--authorization-mode=AlwaysAllow
```