전공공부
Authentication 본문
Accounts
우선 쿠버네티스는 유저 계정을 관리하지 않고 외부 소스에 의존합니다.
(세부정보가 있는 파일이나 LDAP 같은 타사 ID 서비스가 대신 이행..)
그래서, 사용자를 만들거나 볼 수 없습니다.
하지만, ServiceAccount를 제작하여 sa를 볼 수는 있습니다.
User들의 액세스는 api 서버에의해서 관리되어짐 ( kubectl, curl 요청에 의한 외부 접속)
api 서버는 auth 인증 후 Service Account를 체크합니다.
-> 그래서 auth 인증은 어떻게 할까요?
PW File 또는 Token File 또는 인증서나 ID Service를 사용해서 진행 할 수 있습니다.
Auth Mechanisms - Basic
아래의 예시는 Static 파일을 만들어서 Authentication을 진행하는 모습입니다.
Follow the below instructions to configure basic authentication in a kubeadm setup.
Create a file with user details locally at /tmp/users/user-details.csv
# User File Contents
password123,user1,u0001
password123,user2,u0002
password123,user3,u0003
password123,user4,u0004
password123,user5,u0005
Edit the kube-apiserver static pod configured by kubeadm to pass in the user details.
The file is located at /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
<content-hidden>
image: k8s.gcr.io/kube-apiserver-amd64:v1.11.3
name: kube-apiserver
volumeMounts:
- mountPath: /tmp/users
name: usr-details
readOnly: true
volumes:
- hostPath:
path: /tmp/users
type: DirectoryOrCreate
name: usr-details
Modify the kube-apiserver startup options to include the basic-auth file
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --authorization-mode=Node,RBAC
<content-hidden>
- --basic-auth-file=/tmp/users/user-details.csvCreate the necessary roles and role bindings for these users:
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
# This role binding allows "jane" to read pods in the "default" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: user1 # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role #this must be Role or ClusterRole
name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
apiGroup: rbac.authorization.k8s.io
Once created, you may authenticate into the kube-api server using the users credentials
curl -v -k https://localhost:6443/api/v1/pods -u "user1:password123"
'Study > K8S' 카테고리의 다른 글
| Authorization (0) | 2023.04.09 |
|---|---|
| KubeConfig (0) | 2023.04.09 |
| Docker로 이미지 만들기 (0) | 2023.04.02 |
| Volumes & Persistent Volumes & Persistent Volumes Claim (0) | 2023.04.02 |
| Traffic (0) | 2023.04.02 |
