[Original] How access to the API from a Pod works

This article verifies and works through the following official document:
https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/


1. On the master node, ~/.kube/config looks like this; it contains the CA certificate and the client certificate.

root@master:~/.kube# cat config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01EZ3lNREEyTWpneE5Wb1hEVE13TURneE9EQTJNamd4TlZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBSlg5CmRxQzFvMHZWVzluOE5xaWZxVEFPY2NZUUpYMEx6VkxiN0ZqVThUVWVNSHViSkFqWHRFbVRwUEk3akxmWDFWL0sKczZUUHRlWWpkQksrNUhZd01NdU85NXpjNVFxNDlra2lVRnNCeTU4cTFZenYwektrQ3VFdmh5WXVSYitZZGdRawpDVnYxdzdQQnVsK3ZsdWl4bXFNRmU1RHlLWDI2L1NlM3ZUSXlhaGhzZmZLL0NZSVgydFRjaFNzMU0xT0ZvMnRHCnowWllpNk91dW9uMk1lZlJta3puL29INXVvT3FlNks0Q1RSUCtyNG9qTGdoTkxJZkZMMndpU0I1WGRHREVBSmIKMjlha3grL1l6QkpoS1BBcnJiUlNNRzJQdmFuNEZSNndxc00vUzI1MitHdXp6cFlsdjlmNHVPNGxhZy9DWTNUZgpjUTlUVmlpTGp5SmNmdkVsZCtNQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFCVHZjVDN2aG1zMjlhTzZmNjBnamNJY29ScFkKQ0NRTk1UUUJxMFFmSHZtZ3A5amZUdjZsd3R5ZUNmMy9MZlFiajNNWmYyRWNVd2ZVZjJPZW9Rc1AwQjJNVlVaUwpRK2M3M01uRTNPT1VOMjh3U0c1NjZkNVJKTytZNHhrQ0kvb25kTHpIMjh4Z3lsOXorbklrUzZTRmE0L08xelhMCnNkVUlpMDUveFc4K1N6MFpydDBUUXNjRkdjVEt3dC9Qd2ZXcHR1RTJaTzd2MHZ2ZEpTdFF6eXk4M1hUR0w2c0EKWFZjdWdNVTRCdzBmWC82eGIrZlhXZTU3Rkx0aXlZYTc0OHNkVFFQMVlRdXhXSEVKYUZLdy9vNzEzaThjdXNULwpJZGlySzlXSXlxb3JuTDhUOWxoZ1V5SndnTHZtTjVjKzhaZndLSXVueVpqV3BPRFZzTjR6dDFMN0hDYz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://192.168.74.140:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: default
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: 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
    client-key-data: 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

Base64-decode each value (base64 is an encoding, not encryption: anyone who can read this file can recover the certificates and the private key):

certificate-authority-data:

root@master:~# echo 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 | base64 -d
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

client-certificate-data: (decoded the same way; not repeated here)

-----BEGIN CERTIFICATE-----
MIIC8jCCAdqgAwIBAgIIGJj2TVx051swDQYJKoZIhvcNAQELBQAwFTETMBEGA1UE
AxMKa3ViZXJuZXRlczAeFw0yMDA4MjAwNjI4MTVaFw0yMTA4MjAwNjI4MTdaMDQx
FzAVBgNVBAoTDnN5c3RlbTptYXN0ZXJzMRkwFwYDVQQDExBrdWJlcm5ldGVzLWFk
bWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmwUdy9eubaq+vA+m
gNcIXhz41rhUUFlTedtJ2/qefE41usLK1WrlJlOuY5xm/V6BEPC46FAGFnVT5dah
VDuqK7YOrB/AKmESUbtjKflkMeGS4Eo8Ffgf9rKVc07qXzYimkzE2iRLX0kjvrJb
3K3UgCvAbtOtXoFUoaL8lrwWf1U31bJTAlNtgyUojWyEms7h+8Am5OX5aE+HEyxV
3DTF9KBfqWDsTY3osF7F7AbS4LAYlvia9BnMQUmsNK+k1S71+OokjlPOVqeNXVnx
H85mLzYA1A84ZOKIzRUMjkzS+L5VzjZGkeSFujZDqe4QH0k9RzcMbsfQK5sV/Ry1
vi61VwIDAQABoycwJTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH
AwIwDQYJKoZIhvcNAQELBQADggEBAH2J68LFSNG+gmHVu68Esuwoq1oJ027jqk6j
7ghdMGxvaTIZk7q5puM8/r5kCXJfBMx4+NHG5dW4KYkQBFmzTeYRlBZR/Jj4T2Aa
hxJLb8ftYXwQBf5+aIEX8jWgjiOIfcMgf9SkHwBLp8g4lrsTbdjXo8d6v2b+5Zy/
PRkzmrDoaS1v7I/Dye43O9dsd6/fo74rdl22OekYj3pSCbvtFMpg+FD30WqIRCWr
IUYiHvKyhRHF07HyB6K539CqClEZcsyvAqesA10i62xt0VLQ+LRiC/h8LakM0SwN
iAfaIdqGFbnqFho8aN1OO4sFRoZ6d9hZJ4QGteW5O/DhZhcfSKE=
-----END CERTIFICATE-----

client-key-data:

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

2. How does the pod store its authentication material, and where does that material come from?

2.1 Enter a pod

Change into the /var/run/secrets/kubernetes.io/serviceaccount directory

root@master:~# kubectl exec -it shell-demo -- /bin/bash

root@node01:/var/run/secrets/kubernetes.io/serviceaccount# pwd
/var/run/secrets/kubernetes.io/serviceaccount

root@node01:/var/run/secrets/kubernetes.io/serviceaccount# ls
ca.crt  namespace  token


2.2 Inspect ca.crt

Comparing the two, the ca.crt in the pod is identical to the first part of the master's config, namely certificate-authority-data.

root@node01:/var/run/secrets/kubernetes.io/serviceaccount# cat ca.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
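The comparison above was done by eye. The following is an added example, not code from the original post or from Kubernetes, that performs the same check programmatically: it decodes a kubeconfig certificate-authority-data value (which is the base64 of the whole PEM file) and the pod's ca.crt to raw DER bytes before comparing, so a missing trailing newline or different line wrapping does not produce a false mismatch. The sample certificate bodies are constructed placeholders, not real certificates.

```python
import base64
import re
from typing import List

# Added example (not from the original post): compare the CA a pod sees in
# /var/run/secrets/kubernetes.io/serviceaccount/ca.crt with the
# certificate-authority-data value of a kubeconfig.

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der_list(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM file."""
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        # base64 is an encoding, not encryption: the bytes are fully recoverable
        ders.append(base64.b64decode("".join(body.split())))
    return ders


def kubeconfig_ca_to_der_list(certificate_authority_data: str) -> List[bytes]:
    """certificate-authority-data is base64(PEM file): decode, then parse the PEM."""
    pem_text = base64.b64decode(certificate_authority_data).decode("ascii")
    return pem_to_der_list(pem_text)


def pod_ca_matches_kubeconfig(pod_ca_crt: str, certificate_authority_data: str) -> bool:
    """True when the pod's ca.crt carries exactly the same certificate(s) as the kubeconfig."""
    pod = pem_to_der_list(pod_ca_crt)
    cfg = kubeconfig_ca_to_der_list(certificate_authority_data)
    return bool(pod) and pod == cfg


# Constructed sample data: a fake DER body stands in for a real certificate so
# the example runs offline (a real ca.crt is generated by kubeadm).
_FAKE_DER = b"constructed-fake-der-bytes-not-a-real-certificate"
_FAKE_B64 = base64.b64encode(_FAKE_DER).decode("ascii")
SAMPLE_POD_CA_CRT = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_FAKE_B64[i:i + 64] for i in range(0, len(_FAKE_B64), 64))
    + "\n-----END CERTIFICATE-----\n"
)
# The same certificate, minus the trailing newline, wrapped the way kubeconfig stores it.
SAMPLE_CA_DATA = base64.b64encode(SAMPLE_POD_CA_CRT.strip().encode()).decode("ascii")
# A different CA, for the negative case.
OTHER_CA_DATA = base64.b64encode(
    (
        "-----BEGIN CERTIFICATE-----\n"
        + base64.b64encode(b"constructed-some-other-ca").decode("ascii")
        + "\n-----END CERTIFICATE-----\n"
    ).encode()
).decode("ascii")

if __name__ == "__main__":
    print("pod ca.crt matches kubeconfig CA:", pod_ca_matches_kubeconfig(SAMPLE_POD_CA_CRT, SAMPLE_CA_DATA))
    print("pod ca.crt matches another CA:   ", pod_ca_matches_kubeconfig(SAMPLE_POD_CA_CRT, OTHER_CA_DATA))
```

To run it against a real cluster, read ca.crt from the pod and the certificate-authority-data field from the kubeconfig and pass both strings in; a mismatch means the pod is being told to trust a different CA than the administrator's kubeconfig does, which is worth investigating.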

2.3 Inspect namespace

Identifies which namespace the current pod belongs to.

root@node01:/var/run/secrets/kubernetes.io/serviceaccount# cat namespace
default


2.4 Inspect token

Comparing the two, the token in the pod is identical to the content of the Secret belonging to the default service account in the default namespace.

(1) The token in the pod. This too is base64-encoded: it is a JWT whose dot-separated segments are base64url-encoded (encoded, not encrypted).

root@node01:/var/run/secrets/kubernetes.io/serviceaccount# cat token
eyJhbGciOiJSUzI1NiIsImtpZCI6InFCWGh4S21ENnBISjJTWFJyM1p0bFVFRHZybDJ2cm9pcmZVRVR3M0VudTgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tcWhkZDYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjBkMTZhMjExLWE5MWItNGVlYi1iNDg5LWRiOGRmZDgwMTY5YyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.qvOrWsz4PT2YeO2GNPnqo6xWAjPSVLstLieOyeJwTiYzlwVQ5SBCLwFWmT2HHFR3SHfvXi82ZF6KIfeV4tiGvLtNFF8odjrLiJg4Ow0_eb2PfIubFQchZaT_Uq6SMGS4srueE0UWjZrXchKoideWaVzfIzxXk19dSZohBIbNEltYq8XxsscymyaAtWmVMvMqT4q7yckhFP9Vi6-CiYoHRZf-xkjkLMQsxvsQ8dlnrSkjWwK0Bg7JLrBkT5QA7R7k0PwqprYsQnzlMjncgLBIH9667CpHrP27Dmve7RYfjWRA30K11ijc7ZQLAN0BdKPd7N1qAcz72zantnas0e6qEQ

(2) Look up the name of the default service account in the default namespace

root@master:~/.kube# kubectl get sa default -n default -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2020-08-20T06:28:52Z"
  name: default
  namespace: default
  resourceVersion: "366"
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 0d16a211-a91b-4eeb-b489-db8dfd80169c
secrets:
- name: default-token-qhdd6

Look at the content of the corresponding Secret; here the secret is named default-token-qhdd6.

In the default namespace there is only this one secret, default-token-qhdd6.

root@master:~/.kube# kubectl get secret 
NAME                  TYPE                                  DATA   AGE
default-token-qhdd6   kubernetes.io/service-account-token   3      50d

The Secret's content is base64-encoded (kubectl get secret -o yaml shows the base64 form; kubectl describe, used below, prints the decoded values).

root@master:~/.kube# kubectl describe secret default-token-qhdd6
Name:         default-token-qhdd6
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: default
              kubernetes.io/service-account.uid: 0d16a211-a91b-4eeb-b489-db8dfd80169c

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6InFCWGh4S21ENnBISjJTWFJyM1p0bFVFRHZybDJ2cm9pcmZVRVR3M0VudTgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tcWhkZDYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjBkMTZhMjExLWE5MWItNGVlYi1iNDg5LWRiOGRmZDgwMTY5YyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.qvOrWsz4PT2YeO2GNPnqo6xWAjPSVLstLieOyeJwTiYzlwVQ5SBCLwFWmT2HHFR3SHfvXi82ZF6KIfeV4tiGvLtNFF8odjrLiJg4Ow0_eb2PfIubFQchZaT_Uq6SMGS4srueE0UWjZrXchKoideWaVzfIzxXk19dSZohBIbNEltYq8XxsscymyaAtWmVMvMqT4q7yckhFP9Vi6-CiYoHRZf-xkjkLMQsxvsQ8dlnrSkjWwK0Bg7JLrBkT5QA7R7k0PwqprYsQnzlMjncgLBIH9667CpHrP27Dmve7RYfjWRA30K11ijc7ZQLAN0BdKPd7N1qAcz72zantnas0e6qEQ

In summary, the service account is how a pod reaches the API: ca.crt lets the pod authenticate the API server, while namespace and token determine which Service account is used and which namespace it belongs to. Together they identify precisely which pod runs in which namespace and which account its requests are authorized as.
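As an added example covering section 2.4 and the summary above (it is not code from the original post or from Kubernetes), the following decodes the claims of the service-account token shown in 2.4, cross-checks them against the mounted namespace file and the secret name reported by kubectl get sa, and shows how a process inside the pod uses ca.crt and token to call the API server, following the approach of the official document this article verifies. Decoding only reads the claims; it does not verify the RS256 signature, which only the API server (holding the service-account public key) can do. The namespace-file content and secret name used as sample input are constructed to mirror the post's output; KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT are the environment variables Kubernetes injects into every pod.

```python
import base64
import json
import os
import ssl
import urllib.request
from typing import Dict

# Added example (not from the original post): inspect the three files under
# /var/run/secrets/kubernetes.io/serviceaccount and use them to reach the API server.

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore the padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_sa_token_claims(token: str) -> Dict[str, str]:
    """Return the payload claims of a service-account JWT.

    This only decodes the token. It does NOT verify the signature, so a decoded
    claim is informational; the API server is what actually validates the token.
    """
    header_b64, payload_b64, _signature_b64 = token.strip().split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    return json.loads(_b64url_decode(payload_b64))


def claims_consistent_with_mount(claims: Dict[str, str], namespace_file: str, secret_name: str) -> bool:
    """Check the claims against the mounted namespace file and the secret name
    that `kubectl get sa` lists, including the sub claim's expected format."""
    ns = claims.get("kubernetes.io/serviceaccount/namespace")
    sa = claims.get("kubernetes.io/serviceaccount/service-account.name")
    return (
        claims.get("iss") == "kubernetes/serviceaccount"
        and ns == namespace_file.strip()
        and claims.get("kubernetes.io/serviceaccount/secret.name") == secret_name
        and claims.get("sub") == f"system:serviceaccount:{ns}:{sa}"
    )


def in_cluster_api_get(path: str = "/api", sa_dir: str = SA_DIR) -> str:
    """From inside a pod: trust the API server via ca.crt, authenticate with token.

    Needs a live cluster (the injected KUBERNETES_SERVICE_HOST/PORT variables and
    the mounted files); it is not exercised offline.
    """
    host = os.environ["KUBERNETES_SERVICE_HOST"]
    port = os.environ.get("KUBERNETES_SERVICE_PORT", "443")
    with open(os.path.join(sa_dir, "token")) as f:
        token = f.read().strip()
    # Only the cluster CA is trusted, not the system store: this is what ca.crt is for.
    ctx = ssl.create_default_context(cafile=os.path.join(sa_dir, "ca.crt"))
    req = urllib.request.Request(
        f"https://{host}:{port}{path}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


# The token printed in section 2.4 of the post, reused here as sample input.
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiIsImtpZCI6InFCWGh4S21ENnBISjJTWFJyM1p0bFVFRHZybDJ2cm9pcmZVRVR3M0VudTgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tcWhkZDYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjBkMTZhMjExLWE5MWItNGVlYi1iNDg5LWRiOGRmZDgwMTY5YyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.qvOrWsz4PT2YeO2GNPnqo6xWAjPSVLstLieOyeJwTiYzlwVQ5SBCLwFWmT2HHFR3SHfvXi82ZF6KIfeV4tiGvLtNFF8odjrLiJg4Ow0_eb2PfIubFQchZaT_Uq6SMGS4srueE0UWjZrXchKoideWaVzfIzxXk19dSZohBIbNEltYq8XxsscymyaAtWmVMvMqT4q7yckhFP9Vi6-CiYoHRZf-xkjkLMQsxvsQ8dlnrSkjWwK0Bg7JLrBkT5QA7R7k0PwqprYsQnzlMjncgLBIH9667CpHrP27Dmve7RYfjWRA30K11ijc7ZQLAN0BdKPd7N1qAcz72zantnas0e6qEQ"
SAMPLE_NAMESPACE_FILE = "default\n"          # constructed: what `cat namespace` printed
SAMPLE_SECRET_NAME = "default-token-qhdd6"    # from `kubectl get sa default -o yaml`

if __name__ == "__main__":
    claims = decode_sa_token_claims(SAMPLE_TOKEN)
    print(json.dumps(claims, indent=2))
    print("claims consistent with mount:",
          claims_consistent_with_mount(claims, SAMPLE_NAMESPACE_FILE, SAMPLE_SECRET_NAME))
```

The decoded claims make the summary concrete: namespace, service-account name, secret name and uid all match what kubectl reported, and sub is the system:serviceaccount:<namespace>:<name> identity the API server authorizes requests as. Because the claims are readable by anyone holding the token, the token file itself must be treated as a credential, not as a harmless identifier.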

3. Further reading on service accounts

https://blog.csdn.net/u010278923/article/details/72857928

posted @ 2020-10-10 15:31  wuliping  views(1860)  comments(1)