Generate a token
head -c 16 /dev/urandom | od -An -t x | tr -d ' '
Add a user together with the token
kubectl config set-credentials superroot --token=<output of the command above>
Put the token file in the certificate directory. The filename must match the --token-auth-file flag exactly; otherwise the apiserver fails to start because it cannot find the token file. On a kubeadm cluster the apiserver runs as a static pod and only sees directories mounted into it, which is why /etc/kubernetes/pki (already mounted into the pod) is a convenient place. Each line has the form token,user,uid with an optional fourth field, a double-quoted comma-separated list of groups; a line with fewer than three fields also stops the apiserver from starting.
vim /etc/kubernetes/pki/token_auth
token,superroot,1001
Edit the apiserver configuration (with kubeadm, the command list in /etc/kubernetes/manifests/kube-apiserver.yaml) and add the flag below. It enables token authentication in addition to certificate authentication; the static pod restarts on its own when the manifest changes.
--token-auth-file=/etc/kubernetes/pki/token_auth
Use this together with RBAC. Keep the two failure modes apart: a 401 Unauthorized means the token itself was not accepted (wrong value, wrong file, flag not loaded), whereas a 403 Forbidden means authentication already succeeded and the problem is RBAC, i.e. no Role/ClusterRole is bound to that user or its groups. Note the trade-off of static tokens: they sit in plaintext on the control-plane disk, never expire, and adding, removing or rotating one requires editing the file and restarting the apiserver.
Certificate-based user (the alternative to a static token):
umask 077; openssl genrsa -out dev.key 2048
openssl req -new -key dev.key -out dev.csr -subj "/CN=dev"
openssl x509 -req -in dev.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out dev.crt -days 3650
openssl x509 -noout -subject -in dev.crt    # inspect the certificate; the "/CN=dev" is the username. This matters.
kubectl config set-cluster kubernetes-cluster --server=https://10.0.24.10:6443 --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --kubeconfig=/home/dev/.kube/config
kubectl config --kubeconfig=/home/dev/.kube/config set-credentials dev --client-certificate=/home/dev/dev/dev.crt --client-key=/home/dev/dev/dev.key
kubectl config set-context dev --cluster=kubernetes-cluster --user=dev --kubeconfig=/home/dev/.kube/config
The apiserver takes the username from the subject CN and the groups from the subject O fields, so the CN must match the subject name used in the RBAC binding below. Two caveats: kube-apiserver does not consult a CRL, so a client certificate signed by the cluster CA cannot be revoked and a 10-year lifetime (-days 3650) is a long time for a leaked key; and the set-credentials step above references the key and certificate by path rather than embedding them, so those files must stay readable from the paths given. Select the context with kubectl config use-context dev.
Create a ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: dev
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
Wildcards on every API group, resource, verb and non-resource URL make this role equivalent to the built-in cluster-admin; despite the name "dev" it is full cluster control, so scope it down (a namespaced Role with only the needed verbs) for anyone who is not an administrator. The autoupdate annotation only affects the default roles the apiserver reconciles at startup; on a custom role it has no effect.
Create a ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dev
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev
The subject name "dev" is matched byte-for-byte against the username the authenticator produced (the certificate CN, or the user column of the token file). To bind a whole O= group instead, use kind: Group with the group name.
For the proxy, see my other blog post (it includes simple Go source code).
As for life, I'm not trying to win. I just don't want to lose!