《Kubernetes权威指南》 study notes, part 4: token authentication and HTTP Basic authentication

Background

This article is based on a Kubernetes cluster deployed from binaries, with the kube-apiserver flags kept in /etc/kubernetes/apiserver.

HTTP Basic authentication

The cluster I had deployed while studying was v1.19, which no longer supports HTTP Basic authentication: the --basic-auth-file flag was deprecated in v1.16 and removed in v1.19, so a kube-apiserver given this flag refuses to start. The configuration is recorded here for reference only.
kube-apiserver configuration file:
cat /etc/kubernetes/apiserver

KUBE_API_ARGS="--etcd-servers=http://127.0.0.1:2379 --insecure-bind-address=0.0.0.0 --basic-auth-file=/etc/kubernetes/basic_auth_file --secure-port=6443 --service-cluster-ip-range=169.169.0.0/16 --service-node-port-range=1-65535 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota --logtostderr=false --log-dir=/var/log/kubernetes --v=0"

cat /etc/kubernetes/basic_auth_file

admin,admin,1
system,system,1

Each line is password,username,uid[,"group1,group2"]: the first entry defines user admin with password admin and uid 1. Note that both entries here share uid 1; each user should get its own uid, since the uid is what the apiserver reports as the user's identity.

Verification:
kubectl --server=https://192.168.0.158:6443 --username=admin --password=admin --insecure-skip-tls-verify=true get nodes

--insecure-skip-tls-verify=true turns off checking of the server certificate, so the password is sent to whatever answers at that address. Once the cluster CA is on the client, replace it with --certificate-authority=/path/to/ca.crt.

Token authentication

cat /etc/kubernetes/apiserver

KUBE_API_ARGS="--etcd-servers=http://127.0.0.1:2379 --insecure-bind-address=0.0.0.0 --token-auth-file=/etc/kubernetes/token_auth_file --secure-port=6443 --service-cluster-ip-range=169.169.0.0/16 --service-node-port-range=1-65535 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota --logtostderr=false --log-dir=/var/log/kubernetes --v=0"

cat /etc/kubernetes/token_auth_file

admin,admin,1
system,system,2

Each line is token,username,uid[,"group1,group2"]: the literal string admin is the bearer token for user admin (uid 1), and system is the token for user system (uid 2). Tokens like these are fine for a lab, but static tokens never expire and are compared verbatim, so a real file needs long random values and mode 0600.

Verification:
curl -k --header "Authorization:Bearer admin" https://192.168.0.158:6443/version
Response:

{
  "major": "1",
  "minor": "19",
  "gitVersion": "v1.19.0",
  "gitCommit": "e19964183377d0ec2052d1f1fa930c4d7575bd50",
  "gitTreeState": "clean",
  "buildDate": "2020-08-26T14:23:04Z",
  "goVersion": "go1.15",
  "compiler": "gc",
  "platform": "linux/amd64"
}
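Both static files above share one CSV layout (secret,user,uid[,"group1,group2"]) and both are plaintext credential stores that the apiserver reads once at startup. The script below is an added example, not code from the book or this post: it generates tokens with real entropy and lints such a file before it is handed to --token-auth-file (the same checks apply to the old --basic-auth-file). The user names, uids, the system:masters group and the 32-character minimum are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the book or the post): generate static bearer
# tokens with real entropy and lint a kube-apiserver --token-auth-file
# (same token,user,uid[,"groups"] layout as the old --basic-auth-file).
set -eu

# 32 random bytes -> 43 URL-safe base64 characters. Static tokens never
# expire, so a guessable value such as "admin" is a permanent backdoor.
gen_token() {
  head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
}

# token_line USER UID [GROUPS] -> one file entry; groups are quoted because
# the apiserver parses the file as CSV and a user may have several groups.
token_line() {
  local user="$1" uid="$2" groups="${3:-}"
  if [ -n "$groups" ]; then
    printf '%s,%s,%s,"%s"\n' "$(gen_token)" "$user" "$uid" "$groups"
  else
    printf '%s,%s,%s\n' "$(gen_token)" "$user" "$uid"
  fi
}

# lint_token_file FILE -> prints every problem found, returns 1 if any.
lint_token_file() {
  local file="$1" problems=0 mode
  # Plaintext credentials: only the apiserver's own user may read the file
  # (GNU stat first, BSD/macOS stat as fallback).
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    *00) ;;
    *) echo "$file: mode $mode is group/world readable, chmod 600"; problems=1 ;;
  esac
  # Per-line checks: field count, token length (32 chars is an assumed
  # minimum), reused tokens, and one uid shared by different users.
  awk -F, '
    /^[[:space:]]*$/ { next }
    NF < 3 { printf "line %d: expected token,user,uid[,groups], got %d field(s)\n", NR, NF; bad++; next }
    length($1) < 32 { printf "line %d: token for %s is only %d chars, use gen_token\n", NR, $2, length($1); bad++ }
    ($1 in tok) { printf "line %d: token already used on line %d\n", NR, tok[$1]; bad++ }
    { tok[$1] = NR }
    ($3 in uid) { printf "line %d: uid %s already belongs to %s (line %d)\n", NR, $3, name[$3], uid[$3]; bad++ }
    { uid[$3] = NR; name[$3] = $2 }
    END { exit (bad > 0) }
  ' "$file" || problems=1
  [ "$problems" -eq 0 ]
}

# Demo: the page's file (admin,admin,1 / system,system,1) fails the lint,
# a freshly generated file with distinct uids passes.
demo() {
  local tmp
  tmp=$(mktemp)
  printf 'admin,admin,1\nsystem,system,1\n' > "$tmp"
  lint_token_file "$tmp" || echo "weak file rejected"
  { token_line admin 1000 "system:masters"; token_line ci-reader 1001; } > "$tmp"
  chmod 600 "$tmp"
  lint_token_file "$tmp" && echo "generated file OK"
  rm -f "$tmp"
}
demo
```

Install the generated file on the master, point --token-auth-file at it and restart kube-apiserver (the file is read only at startup), then call the API with the token: curl -k -H "Authorization: Bearer $TOKEN" https://192.168.0.158:6443/version, or kubectl --server=https://192.168.0.158:6443 --token="$TOKEN" --insecure-skip-tls-verify=true get nodes. Drop -k and --insecure-skip-tls-verify as soon as the CA certificate is on the client, otherwise the token goes to whatever answers at that address.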

On node158, kube-apiserver is listening on both the insecure port 8080 and the secure port 6443, on all interfaces:

[root@node158 kubernetes]# netstat -ntlp|grep 8080
tcp6       0      0 :::8080      :::*       LISTEN   3238/kube-apiserver
[root@node158 kubernetes]# netstat -ntlp|grep 6443
tcp6       0      0 :::6443      :::*       LISTEN   3238/kube-apiserver

kubectl run on node158 with no --server flag and no credentials also lists the nodes:

kubectl get nodes

NAME            STATUS   ROLES    AGE     VERSION
192.168.0.159   Ready    <none>   6d17h   v1.19.0
192.168.0.160   Ready    <none>   6d17h   v1.19.0

This shows that the static-file configuration lets a client authenticate to kube-apiserver on the secure port 6443 with nothing but a shared secret: kubectl through --username/--password or --token, and any other HTTPS client (curl above) through an Authorization: Bearer header. kubectl can just as well use a client certificate for mutual TLS (--client-certificate/--client-key together with --certificate-authority). The unauthenticated kubectl get nodes, however, succeeds only because the insecure port 8080 is open: without a kubeconfig, kubectl defaults to http://localhost:8080, and requests on that port skip authentication and authorization entirely. With --insecure-bind-address=0.0.0.0 that port is reachable from the whole network, which makes every credential configured above irrelevant to an attacker. Outside a lab, set --insecure-port=0, drop --insecure-bind-address, and treat the static files (plaintext secrets, loaded once, rotated only by restarting the apiserver) as a learning aid rather than a production credential store.
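The decisive setting on this page is not the auth file but the insecure port. The script below is an added example, not from the book or this post: it reads a KUBE_API_ARGS string like the one in /etc/kubernetes/apiserver, reports the settings that bypass or weaken authentication, and prints a version with the insecure port closed. The FAIL/WARN wording and the set of checks are my own; the input is the page's own flag line, embedded as a constant.

```bash
#!/usr/bin/env bash
# Added example (not from the book or the post): audit the KUBE_API_ARGS
# line of a binary-deployed kube-apiserver for settings that bypass or
# weaken authentication, and print a corrected line.
set -eu

# The page's flag line, reproduced as constructed input for the demo.
PAGE_ARGS='--etcd-servers=http://127.0.0.1:2379 --insecure-bind-address=0.0.0.0 --token-auth-file=/etc/kubernetes/token_auth_file --secure-port=6443 --service-cluster-ip-range=169.169.0.0/16 --service-node-port-range=1-65535 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota --logtostderr=false --log-dir=/var/log/kubernetes --v=0'

# get_flag ARGS NAME -> value of --NAME=value, empty when the flag is absent
get_flag() {
  local args="$1" name="$2" a
  for a in $args; do
    case "$a" in
      --"$name"=*) printf '%s\n' "${a#*=}"; return 0 ;;
    esac
  done
  printf '\n'
  return 0
}

# audit_apiserver_args ARGS -> one finding per line, prefixed FAIL or WARN
audit_apiserver_args() {
  local args="$1" v
  # v1.19 still defaults --insecure-port to 8080: plain HTTP, no authn/authz.
  v=$(get_flag "$args" insecure-port)
  [ "$v" = "0" ] || echo "FAIL insecure-port=${v:-8080 (default)}: unauthenticated, unauthorized HTTP API; set --insecure-port=0"
  v=$(get_flag "$args" insecure-bind-address)
  case "$v" in
    ""|127.0.0.1|localhost|::1) ;;
    *) echo "FAIL insecure-bind-address=$v: the insecure port is reachable from the network" ;;
  esac
  v=$(get_flag "$args" etcd-servers)
  case "$v" in
    http://*) echo "WARN etcd-servers=$v: plaintext, unauthenticated etcd; anything that reaches it reads every Secret" ;;
  esac
  v=$(get_flag "$args" basic-auth-file)
  [ -z "$v" ] || echo "FAIL basic-auth-file=$v: removed in v1.19 (apiserver will not start) and stores passwords in plaintext"
  v=$(get_flag "$args" token-auth-file)
  [ -z "$v" ] || echo "WARN token-auth-file=$v: static tokens never expire and change only on apiserver restart"
}

# harden_apiserver_args ARGS -> ARGS with the insecure port closed and the
# removed --basic-auth-file dropped. etcd TLS and a real authenticator
# (client certificates, OIDC) need new key material and are left to the
# operator, so those findings remain after hardening.
harden_apiserver_args() {
  local args="$1" out="" a
  for a in $args; do
    case "$a" in
      --insecure-port=*|--insecure-bind-address=*|--basic-auth-file=*) ;;
      *) out="$out $a" ;;
    esac
  done
  printf '%s\n' "${out# } --insecure-port=0"
}

echo "== findings for the page's KUBE_API_ARGS =="
audit_apiserver_args "$PAGE_ARGS"
echo "== hardened line =="
harden_apiserver_args "$PAGE_ARGS"
```

After replacing KUBE_API_ARGS with the hardened line and restarting kube-apiserver, the netstat check above should show only 6443, and the bare kubectl get nodes stops working until kubectl is given a kubeconfig with a token or client certificate. The insecure port flags were deprecated in v1.20 and the insecure port was removed entirely in v1.24, so closing it now also avoids a surprise on upgrade.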