
  • How do the Kubernetes cluster server and client use a kubeconfig file to complete authentication and identify the user?

After setting up a Kubernetes cluster, you can list every pod in the cluster with kubectl get pod -A:

Why is a single kubeconfig file enough for Kubernetes to authenticate the request and identify the user? What is the principle behind it?

1. Decoding the kubeconfig file

Here is the kubeconfig file of the Kubernetes test cluster I set up yesterday:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <elided>
    server: https://192.168.56.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: <elided>
    client-key-data: <elided>

The file has three core sections:

  • clusters: cluster information, including the cluster name and the apiserver address
  • users: user information
  • contexts: the binding between a cluster and a user

Judging from the contents, authentication and user identification are most likely tied to client-certificate-data and client-key-data under user. Anyone with a little experience can tell at a glance that the values of these two keys are base64-encoded.

# Replace ${client-certificate-data} with the real value and decode the base64 with the command below
# (-D is the macOS flag; GNU coreutils base64 uses -d)
> echo "${client-certificate-data}" | base64 -D
# client-certificate-data content
-----BEGIN CERTIFICATE-----
<elided>
-----END CERTIFICATE-----
# client-key-data content
-----BEGIN RSA PRIVATE KEY-----
<elided>
-----END RSA PRIVATE KEY-----

Save the decoded client-certificate-data and client-key-data to files and inspect the certificate with openssl:

# client-certificate-data is stored in the file client.pem
> openssl x509 -noout -text -in client.pem
# Output
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2609477643675569502 (0x2436ba17609b0d5e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Feb 12 15:17:43 2023 GMT
            Not After : Feb 12 15:17:49 2024 GMT
        Subject: O=system:masters, CN=kubernetes-admin
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b5:d0:7d:4d:fd:30:ca:2a:3f:27:06:df:12:02:
                    63:58:1e:90:de:c8:5b:e1:28:86:ac:90:7c:d8:5f:
                    08:f2:c0:f4:c5:79:86:09:e5:42:a3:ab:1b:97:b9:
                    84:51:0f:f8:82:2b:22:7e:36:20:7e:0f:ec:23:5c:
                    51:c9:3e:58:8d:1f:27:fb:10:a1:9d:2f:e1:1f:10:
                    c0:a0:78:8a:10:67:ef:9e:c7:7e:35:da:d1:86:b7:
                    b3:6b:22:c1:2f:f3:98:0e:00:93:4f:a4:b7:e3:33:
                    1e:bf:aa:e5:9b:34:a4:34:00:86:eb:29:1f:de:22:
                    97:0d:39:01:fc:51:a4:b3:ab:2d:d0:2f:63:5a:c0:
                    59:e9:cb:64:94:5a:01:d7:93:e2:92:a5:40:48:bc:
                    5f:45:1e:8a:9e:40:06:7d:38:e5:dd:3a:51:84:21:
                    58:ec:0a:c5:01:6b:27:d2:8d:d2:a3:3b:61:2e:86:
                    04:0e:85:a5:63:62:5c:59:b9:68:52:6f:3f:96:c9:
                    67:f7:8d:29:6c:b2:1b:db:14:ee:78:0e:cb:1b:16:
                    cf:2f:7b:d2:e0:11:01:c0:8e:47:f6:ea:14:d2:15:
                    43:81:17:0c:f8:e2:2a:32:4e:f3:c3:52:92:69:58:
                    51:15:cf:80:cc:25:01:43:d2:af:d2:3c:08:24:6d:
                    7e:43
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:10:35:F6:4F:32:8D:44:B3:42:CA:D1:23:48:5B:1E:89:43:18:F5:53
    Signature Algorithm: sha256WithRSAEncryption
         0e:e3:67:eb:e4:85:50:25:77:74:ea:63:26:92:39:98:8e:26:
         8d:a4:32:56:bb:d0:65:22:78:d6:92:33:5b:2a:45:e7:ce:39:
         1e:14:97:8f:dc:9e:33:10:c3:33:83:dd:5b:aa:18:b0:d2:51:
         fc:9a:02:a9:26:12:38:69:d3:8b:34:f4:16:05:57:84:0c:70:
         95:4d:1c:7e:74:b7:c2:e8:49:fa:e0:9a:6c:36:8a:e6:c2:f0:
         c4:46:c1:06:18:15:fd:95:f4:43:b0:d3:75:ab:3e:16:bd:3f:
         b6:cf:2b:22:a3:77:c4:2c:9a:27:ea:71:a9:9c:f8:44:6d:74:
         e4:42:40:5d:8f:88:19:c5:78:51:2b:33:e8:d4:d4:4d:d8:3a:
         05:3e:a1:f4:84:4e:9a:8c:2e:eb:f2:98:ec:5e:2a:5f:0c:d3:
         8d:bb:06:08:c6:30:fa:6e:b3:e4:d1:8a:6d:e9:41:a7:85:3d:
         4b:f7:2b:af:37:ff:58:49:d4:95:9f:c5:9d:31:e1:eb:bc:a9:
         2f:7a:0f:a9:96:2c:4d:11:81:03:9a:fd:46:2b:11:21:ea:29:
         83:b8:63:82:b2:49:1e:c2:0b:78:aa:60:e4:00:c8:d6:63:2d:
         d6:0b:b3:ea:42:6b:2c:9b:c6:ce:aa:b5:d8:be:64:dd:df:09:
         ba:6f:5c:a6

The certificate is issued by Issuer: CN=kubernetes to Subject: O=system:masters, CN=kubernetes-admin. At this point we can reasonably guess that client-certificate-data and client-key-data are the certificate and private key the cluster issued to the client. Let's verify that guess with openssl:

# Check that client-certificate-data and client-key-data are a matching public/private key pair
# Derive the public key from the private key (client-key-data stored in client.key)
> openssl rsa -pubout -in client.key
# Output
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtdB9Tf0wyio/JwbfEgJj
WB6Q3shb4SiGrJB82F8I8sD0xXmGCeVCo6sbl7mEUQ/4gisifjYgfg/sI1xRyT5Y
jR8n+xChnS/hHxDAoHiKEGfvnsd+NdrRhrezayLBL/OYDgCTT6S34zMev6rlmzSk
NACG6ykf3iKXDTkB/FGks6st0C9jWsBZ6ctklFoB15PikqVASLxfRR6KnkAGfTjl
3TpRhCFY7ArFAWsn0o3SozthLoYEDoWlY2JcWbloUm8/lsln940pbLIb2xTueA7L
GxbPL3vS4BEBwI5H9uoU0hVDgRcM+OIqMk7zw1KSaVhRFc+AzCUBQ9Kv0jwIJG1+
QwIDAQAB
-----END PUBLIC KEY-----
# Extract the public key from the certificate
> openssl x509 -pubkey -noout -in client.pem
# Output
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtdB9Tf0wyio/JwbfEgJj
WB6Q3shb4SiGrJB82F8I8sD0xXmGCeVCo6sbl7mEUQ/4gisifjYgfg/sI1xRyT5Y
jR8n+xChnS/hHxDAoHiKEGfvnsd+NdrRhrezayLBL/OYDgCTT6S34zMev6rlmzSk
NACG6ykf3iKXDTkB/FGks6st0C9jWsBZ6ctklFoB15PikqVASLxfRR6KnkAGfTjl
3TpRhCFY7ArFAWsn0o3SozthLoYEDoWlY2JcWbloUm8/lsln940pbLIb2xTueA7L
GxbPL3vS4BEBwI5H9uoU0hVDgRcM+OIqMk7zw1KSaVhRFc+AzCUBQ9Kv0jwIJG1+
QwIDAQAB
-----END PUBLIC KEY-----

The public keys match, so we can conclude: the user section of the kubeconfig file contains the certificate the Kubernetes cluster issued to the user together with the corresponding private key. Given this, how does the cluster perform authentication?

2. Mutual TLS authentication

2.1. One-way TLS

When we visit a website over HTTPS:

  • Step 1: obtain the site's certificate and check its validity
  • Step 2: generate a random value, encrypt it with the public key in the certificate and send it to the server
  • Step 3: the server decrypts the random value with its private key, and both sides then use it for symmetric encryption

Communication between the Kubernetes client and server is also TLS-encrypted, and the certificate's validity is checked along the way (not mandatory). A locally built test cluster like mine certainly does not use a certificate from a public CA, so for the check to pass, the CA certificate that signed the server certificate has to be supplied as well; that is the certificate-authority-data under cluster in the kubeconfig file.

> echo "${certificate-authority-data}" | base64 -D
# Output
-----BEGIN CERTIFICATE-----
<elided>
-----END CERTIFICATE-----

To confirm this, log in to the cluster's master node and look at the apiserver's startup arguments:

# Look at the apiserver process
> ps aux | grep apiserver
root      1868  2.9  3.7 1049828 299988 ?      Ssl  2月13   2:44 kube-apiserver --advertise-address=192.168.56.10 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/12 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key

Three relevant arguments:

  • --client-ca-file=/etc/kubernetes/pki/ca.crt: the cluster CA certificate, the one that signed the apiserver certificate (section 2.2 shows it is also what the apiserver uses to check client certificates)
  • --tls-cert-file=/etc/kubernetes/pki/apiserver.crt: the apiserver certificate
  • --tls-private-key-file=/etc/kubernetes/pki/apiserver.key: the apiserver private key

Looking at /etc/kubernetes/pki/ca.crt, its contents are identical to certificate-authority-data in the kubeconfig:

> cat /etc/kubernetes/pki/ca.crt
# Output
-----BEGIN CERTIFICATE-----
<elided>
-----END CERTIFICATE-----

So far we know that, to talk to the apiserver over an encrypted channel, the client receives the apiserver's certificate (--tls-cert-file) during the handshake and verifies it (using certificate-authority-data from the kubeconfig) before encrypted communication can begin. So what is mutual TLS?

2.2. Mutual TLS

Compared with visiting a website over HTTPS, communication with a Kubernetes cluster must not only be encrypted: the server also has to decide whether the current user may operate on cluster resources. Kubernetes does not maintain a "user" resource; the user information is placed into the certificate's Subject (O=system:masters, CN=kubernetes-admin) when the certificate is signed, and is handed to the user in the form of a kubeconfig file.

In the apiserver code you can see that when --client-ca-file is configured, the server asks the client for a certificate during the handshake:

if s.ClientCA != nil {
	// Populate PeerCertificates in requests, but don't reject connections without certificates
	// This allows certificates to be validated by authenticators, while still allowing other auth types
	tlsConfig.ClientAuth = tls.RequestClientCert
}

Correspondingly, in the Kubernetes Java client you can see that when the OkHttp client is created, it reads the user certificate, private key and CA certificate from the kubeconfig and uses them for the TLS handshake:

private void applySslSettings() {
    try {
        TrustManager[] trustManagers;
        HostnameVerifier hostnameVerifier;
        // The client can be told not to verify certificates; we follow the else branch, which does verify
        if (!verifyingSsl) {
            ...
        } else {
            TrustManagerFactory trustManagerFactory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            // The kubeconfig provides a CA certificate, so the else branch is taken here
            if (sslCaCert == null) {
                ...
            } else {
                char[] password = null; // Any password will work.
                CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
                Collection<? extends Certificate> certificates =
                    certificateFactory.generateCertificates(sslCaCert);
                if (certificates.isEmpty()) {
                    throw new IllegalArgumentException("expected non-empty set of trusted certificates");
                }
                // Create the trust KeyStore, i.e. the store of certificates the client trusts
                KeyStore caKeyStore = newEmptyKeyStore(password);
                int index = 0;
                // Add the CA certificate(s) to the trust KeyStore
                for (Certificate certificate : certificates) {
                    String certificateAlias = "ca" + Integer.toString(index++);
                    caKeyStore.setCertificateEntry(certificateAlias, certificate);
                }
                trustManagerFactory.init(caKeyStore);
            }
            trustManagers = trustManagerFactory.getTrustManagers();
            hostnameVerifier = OkHostnameVerifier.INSTANCE;
        }
        SSLContext sslContext = SSLContext.getInstance("TLS");
        // The key step: keyManagers holds the certificate and private key from user; trustManagers holds the CA certificate
        sslContext.init(keyManagers, trustManagers, new SecureRandom());
        httpClient =
            httpClient.newBuilder()
                // Build the OkHttp client with the matching SSLSocketFactory
                .sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) trustManagers[0])
                .hostnameVerifier(hostnameVerifier)
                .build();
    } catch (GeneralSecurityException e) {
        throw new RuntimeException(e);
    }
}

3. Creating a kubeconfig for a new user

With the kubeconfig file and mutual TLS understood, the steps for generating a kubeconfig for a new user are easy to guess.

# Suppose the new user is called yingzong3726
# 1. Generate a private key
> openssl genrsa -out yingzong3726.key 2048
# 2. Generate the certificate signing request yingzong3726.csr
#    (answer the prompts: the CN becomes the Kubernetes user name, O the group)
> openssl req -new -out yingzong3726.csr -key yingzong3726.key
# 3. Issue a certificate valid for 365 days, signed with the apiserver's CA private key
#    (-signkey is not needed when -CA/-CAkey are given; the CA signature is the one the apiserver checks)
> openssl x509 -req -in yingzong3726.csr -out yingzong3726.crt -signkey yingzong3726.key -CA ca.crt -CAkey ca.key -CAcreateserial -days 365
# Command output
Signature ok
subject=/C=XX/L=Default City/O=kubernetes-test/CN=yingzong3726
Getting Private key
Getting CA Private Key
# 4. Replace client-certificate-data and client-key-data under user in the existing kubeconfig
# Access the Kubernetes cluster again
> kubectl get nodes
# The server has recognized the new user yingzong3726; the user just has not been granted any permissions yet
Error from server (Forbidden): nodes is forbidden: User "yingzong3726" cannot list resource "nodes" in API group "" at the cluster scope

At this point a new kubeconfig file is complete and can be handed to the new user. How to authorize the new user will be covered in a follow-up article.
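The following is an added example of my own, not code from this post, from Kubernetes or from the Java client. It reproduces sections 2.2 and 3 in miniature in Go, the language kube-apiserver is written in: a self-signed CA standing in for /etc/kubernetes/pki/ca.crt, an apiserver certificate (--tls-cert-file) and a client certificate with the subject from the post (O=system:masters, CN=kubernetes-admin) are issued in memory; one TLS handshake then runs over an in-memory pipe with the server set to tls.RequestClientCert exactly as in the apiserver snippet above, and an authenticator step maps the verified subject to user and groups. Everything here is constructed: the names kubernetes and kube-apiserver, the ECDSA keys (chosen over RSA for speed), the one-year validity and the function names issue, Authenticate and Handshake are my assumptions, not Kubernetes APIs; the CN-to-user and O-to-group mapping is what the post describes.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Identity is what the apiserver derives from a verified client certificate: CN is the user, each O a group.
type Identity struct {
	User   string
	Groups []string
}
var ErrAnonymous = errors.New("no client certificate presented")

// issue generates a key (ECDSA P-256 for speed; the checks are the same for RSA) and a one-year certificate,
// like "openssl genrsa" + "openssl x509 -req -CA ca.crt -CAkey ca.key -days 365". A nil parent self-signs (the CA).
func issue(parent *tls.Certificate, subject pkix.Name, dns string, eku ...x509.ExtKeyUsage) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}
	if dns != "" {
		t.DNSNames = []string{dns} // only the apiserver needs this: the name the client checks as ServerName
	}
	parentCert, signer := t, crypto.PrivateKey(key)
	if parent != nil {
		parentCert, signer = parent.Leaf, parent.PrivateKey
	} else {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parentCert, &key.PublicKey, signer)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// Authenticate is the apiserver's step after the handshake: with tls.RequestClientCert a connection may carry no
// certificate (ErrAnonymous, left to other authenticators); one that is present must chain to --client-ca-file.
func Authenticate(cs tls.ConnectionState, clientCA *x509.CertPool) (*Identity, error) {
	if len(cs.PeerCertificates) == 0 {
		return nil, ErrAnonymous
	}
	leaf := cs.PeerCertificates[0]
	opts := x509.VerifyOptions{Roots: clientCA, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return nil, err
	}
	return &Identity{User: leaf.Subject.CommonName, Groups: leaf.Subject.Organization}, nil
}

// Handshake runs one TLS handshake over an in-memory pipe: the server presents --tls-cert-file and only requests
// a client cert; the client trusts rootCA (certificate-authority-data) and presents client (user data) if non-nil.
func Handshake(server tls.Certificate, clientCA, rootCA *x509.CertPool, client *tls.Certificate) (*Identity, error) {
	c, s := net.Pipe()
	defer func() { c.Close(); s.Close() }()
	cfg := &tls.Config{RootCAs: rootCA, ServerName: "kube-apiserver"}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	errc := make(chan error, 1)
	go func() {
		errc <- tls.Client(c, cfg).Handshake()
		io.Copy(io.Discard, c) // keep draining (session tickets etc.) so the synchronous pipe never blocks the server
	}()
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequestClientCert})
	if err := srv.Handshake(); err != nil {
		return nil, err
	}
	if err := <-errc; err != nil {
		return nil, err
	}
	return Authenticate(srv.ConnectionState(), clientCA)
}

func main() { // errors are ignored here for brevity; the functions above return them
	ca, _ := issue(nil, pkix.Name{CommonName: "kubernetes"}, "")
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	server, _ := issue(&ca, pkix.Name{CommonName: "kube-apiserver"}, "kube-apiserver", x509.ExtKeyUsageServerAuth)
	admin, _ := issue(&ca, pkix.Name{CommonName: "kubernetes-admin", Organization: []string{"system:masters"}}, "", x509.ExtKeyUsageClientAuth)
	id, err := Handshake(server, pool, pool, &admin)
	fmt.Printf("with client cert: %+v err=%v\n", id, err)
	_, err = Handshake(server, pool, pool, nil)
	fmt.Println("without client cert:", err)
}
```

Run it with go run. The second handshake (no client certificate) shows why the apiserver only requests a certificate: the TLS connection itself succeeds and Authenticate reports ErrAnonymous, leaving the request to other authenticators, whereas a certificate with the same subject signed by a different CA completes the handshake but fails the chain check in Authenticate. The CSR step of section 3 (openssl req) is folded into issue, which generates the key on the signer's side; in practice the user keeps the private key and hands over only the CSR.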
