Pololei, ma hope o ka hoʻokuʻu ʻia i ka hoʻomaka ʻana o Mei 2019, ma ke Kanikela hiki iā ʻoe ke ʻae i nā noi a me nā lawelawe e holo ana ma Kubernetes maoli.
Ma kēia kumu aʻo e hana mākou i kēlā me kēia pae (Hōʻoiaʻiʻo o ka manaʻo, PoC) e hōʻike ana i kēia hiʻohiʻona hou. Manaʻo ʻia e loaʻa iā ʻoe ka ʻike kumu o Kubernetes a me Hashicorp's Consul. ʻOiai hiki iā ʻoe ke hoʻohana i kekahi paepae kapuaʻi a i ʻole ka honua, ma kēia kumu aʻo e hoʻohana mākou i ka Google's Cloud Platform.
Hōʻuluʻulu manaʻo
Inā mākou e hele i , e loaʻa iā mākou kahi hiʻohiʻona wikiwiki o kāna kumu a me ka hihia hoʻohana, a me kekahi mau kikoʻī loea a me ka ʻike nui o ka loina. Manaʻo nui wau e heluhelu iā ia ma ka liʻiliʻi hoʻokahi ma mua o ka hoʻomaka ʻana, no ka mea, e wehewehe ana au i kēia manawa a me ka nau ʻana iā ia a pau.
Kiʻikuhi 1: Nānā manaʻo o ke ʻano ʻae ʻae Kanikela
E nānā kākou i loko .
ʻOiaʻiʻo, aia nā ʻike pono ma laila, akā ʻaʻohe alakaʻi pehea e hoʻohana maoli ai ia mea āpau. No laila, e like me ke kanaka noʻonoʻo, ʻimi ʻoe i ka Pūnaewele no ke alakaʻi. A laila ... hāʻule ʻoe. Ia hana. E hoʻoponopono kākou i kēia.
Ma mua o ko mākou neʻe ʻana i ka hana ʻana i kā mākou POC, e hoʻi kāua i ka ʻike nui o nā ʻano ʻae a ke Kanikela (Diagram 1) a hoʻomaʻemaʻe iā ia ma ka pōʻaiapili o Kubernetes.
kuhikuhipuʻuone
Ma kēia kumu aʻo, e hana mākou i kahi kikowaena Kanikela ma kahi mīkini ʻokoʻa e kamaʻilio me kahi hui Kubernetes me ka mea kūʻai aku ʻo Consul i hoʻokomo ʻia. A laila, hana mākou i kā mākou noi dummy i loko o ka pod a hoʻohana i kā mākou ala ʻae i hoʻonohonoho ʻia e heluhelu mai kā mākou Consul key/value store.
ʻO ke kiʻikuhi ma lalo nei e hōʻike ana i ka hoʻolālā a mākou e hana nei i kēia kumu aʻo, a me ka loiloi ma hope o ke ʻano ʻae, e wehewehe ʻia ma hope.
Kiʻikuhi 2: Kubernetes Manaʻo Manaʻo Manaʻo
ʻO kahi leka wikiwiki: ʻaʻole pono ke kikowaena Konsul e noho ma waho o ka hui Kubernetes no kēia hana. Akā ʻae, hiki iā ia ke hana i kēia ʻano a me kēlā.
No laila, i ka lawe ʻana i ke kiʻikuhi ʻike nui o ke Kanikela (Diagram 1) a me ka hoʻopili ʻana iā Kubernetes iā ia, loaʻa iā mākou ke kiʻi ma luna (Diagram 2), a penei ka loina:
- E loaʻa i kēlā me kēia pod kahi moʻokāki lawelawe i hoʻopili ʻia me kahi hōʻailona JWT i hana ʻia a ʻike ʻia e Kubernetes. Hoʻokomo ʻia kēia hōʻailona i loko o ka pod ma ke ʻano maʻamau.
- Hoʻomaka kā mākou noi a lawelawe paha i loko o ka pod i kahi kauoha komo i kā mākou mea kūʻai Consul. E komo pū ka noi komo i kā mākou hōʻailona a me ka inoa hana kūikawā ke ala ʻae (ʻano Kubernetes). Pili kēia ʻanuʻu #2 i ka ʻanuʻu 1 o ke kiʻikuhi Kanikela (Scheme 1).
- E hoʻouna aku kā mākou mea kūʻai Kanikela i kēia noi i kā mākou kikowaena Kanikela.
- MAGIC! ʻO kēia kahi e hōʻoia ai ke kikowaena Consul i ka ʻoiaʻiʻo o ka noi, e hōʻiliʻili i ka ʻike e pili ana i ka ʻike o ka noi a hoʻohālikelike ʻia me nā lula i koho mua ʻia. Aia ma lalo iho kekahi kiʻi e hōʻike i kēia. Kūlike kēia ʻanuʻu i nā ʻanuʻu 3, 4 a me 5 o ke kiʻi hōʻike manaʻo Kanikela (Diagram 1).
- Hoʻokumu kā mākou kikowaena Kanikela i kahi hōʻailona Kanikela me nā ʻae e like me kā mākou ʻano ʻae ʻae ʻia nā lula (a mākou i wehewehe ai) e pili ana i ka ʻike o ka mea noi. A laila e hoʻihoʻi ʻia kēlā hōʻailona. Pili kēia i ka ʻanuʻu 6 o ke kiʻikuhi Kanikela (Diagram 1).
- Hoʻouna kā mākou mea kūʻai aku i ka hōʻailona i ka noi noi a lawelawe paha.
Hiki i kā mākou palapala noi a lawelawe paha ke hoʻohana i kēia hōʻailona Kanikela e kamaʻilio me kā mākou ʻikepili Kanikela, e like me ka mea i hoʻoholo ʻia e nā pono o ka token.
Hōʻike ʻia ke kilokilo!
No ʻoukou ka poʻe hauʻoli ʻole me kahi lapiti mai ka pāpale a makemake ʻoe e ʻike pehea e hana ai ... e ʻae mai iaʻu "e hōʻike iā ʻoe i ka hohonu. lua lākeke".
E like me ka mea i ʻōlelo ʻia ma mua, ʻo kā mākou "magic" step (Figure 2: Step 4) kahi i hōʻoia ʻia ai ke kikowaena Consul i ka noi, hōʻiliʻili i ka ʻike e pili ana i ka noi, a hoʻohālikelike i nā lula pili i hoʻonohonoho mua ʻia. Kūlike kēia ʻanuʻu i nā ʻanuʻu 3, 4 a me 5 o ke kiʻi hōʻike manaʻo Kanikela (Diagram 1). Aia ma lalo kahi kiʻi (Diagram 3), ʻo ke kumu o ia mea e hōʻike maopopo i ka mea e hana maoli nei ma lalo o ka pāpale ʻano ʻae Kubernetes kikoʻī.
Kiʻi 3: Hōʻike ʻia ke kilokilo!
- Ma ke ʻano he hoʻomaka, hoʻouna kā mākou mea kūʻai aku i ke noi komo i kā mākou kikowaena Consul me ka hōʻailona moʻokāki Kubernetes a me ka inoa kikoʻī o ke ʻano ʻae i hana ʻia ma mua. Pili kēia ʻanuʻu i ka ʻanuʻu 3 ma ka wehewehe kaapuni mua.
- I kēia manawa pono ke kikowaena Consul (a i ʻole alakaʻi) e hōʻoia i ka ʻoiaʻiʻo o ka hōʻailona i loaʻa. No laila, e kūkākūkā ʻo ia i ka pūʻulu Kubernetes (ma o ka mea kūʻai aku ʻo Consul) a, me nā ʻae kūpono, e ʻike mākou inā he ʻoiaʻiʻo ka hōʻailona a no wai ia.
- Hoʻihoʻi ʻia ka noi i hoʻopaʻa ʻia i ke alakaʻi Kanikela, a nānā ke kikowaena Konula i ke ala ʻae me ka inoa i kuhikuhi ʻia mai ka noi komo (a me ke ʻano Kubernetes).
- Hoʻomaopopo ke alakaʻi kanikela i ke ʻano o ka ʻae ʻia (inā loaʻa) a heluhelu i ka pūʻulu o nā lula paʻa i hoʻopili ʻia me ia. A laila heluhelu ʻo ia i kēia mau lula a hoʻohālikelike iā lākou i nā ʻano ʻike i hōʻoia ʻia.
- TA-dah! E neʻe kākou i ka ʻanuʻu 5 ma ka wehewehe kaapuni mua.
E holo i ka Consul-server ma kahi mīkini virtual maʻamau
Mai kēia manawa, e hāʻawi nui wau i nā ʻōlelo aʻoaʻo e pili ana i ka hana ʻana i kēia POC, pinepine i nā helu pōkā, me ka ʻole o nā wehewehe ʻōlelo piha. Eia kekahi, e like me ka mea i hōʻike mua ʻia, e hoʻohana wau iā GCP e hana i nā ʻōnaehana āpau, akā hiki iā ʻoe ke hana i nā ʻōnaehana like ma nā wahi ʻē aʻe.
- E hoʻomaka i ka mīkini virtual (instance/server).
- E hana i lula no ka pā ahi (hui palekana ma AWS):
- Makemake au e hāʻawi i ka inoa mīkini hoʻokahi i ka lula a me ka tag pūnaewele, i kēia hihia "skywiz-consul-server-poc".
- E ʻimi i ka IP address o kāu kamepiula kūloko a hoʻohui i ka papa inoa o nā kumu IP address i hiki iā mākou ke komo i ka mea hoʻohana (UI).
- E wehe i ke awa 8500 no UI. Kaomi Hana. E hoʻololi hou mākou i kēia pā ahi [].
- Hoʻohui i ka lula pā ahi i ka laʻana. E hoʻi i ka VM dashboard ma ka Consul Server a hoʻohui i ka "skywiz-consul-server-poc" i ke kahua hōʻailona pūnaewele. Kaomi iā Save.
- E hoʻouka i ke Consul ma kahi mīkini virtual, e nānā maanei. E hoʻomanaʻo pono ʻoe i ka mana Consul ≥ 1.5 [loulou]
- E hana kākou i hoʻokahi node Consul - penei ka hoʻonohonoho.
groupadd --system consul
useradd -s /sbin/nologin --system -g consul consul
mkdir -p /var/lib/consul
chown -R consul:consul /var/lib/consul
chmod -R 775 /var/lib/consul
mkdir /etc/consul.d
chown -R consul:consul /etc/consul.d- No ke alakaʻi kikoʻī e pili ana i ka hoʻokomo ʻana i ke Kanikela a me ka hoʻonohonoho ʻana i kahi pūʻulu o 3 nodes, ʻike .
- E hana i kahi faila /etc/consul.d/agent.json penei []:
### /etc/consul.d/agent.json
{
"acl" : {
"enabled": true,
"default_policy": "deny",
"enable_token_persistence": true
}
}- E hoʻomaka i kā mākou kikowaena Consul:
consul agent
-server
-ui
-client 0.0.0.0
-data-dir=/var/lib/consul
-bootstrap-expect=1
-config-dir=/etc/consul.d- Pono ʻoe e ʻike i kahi pūʻulu o ka hoʻopuka a hoʻopau me ka "... hoʻopaʻa ʻia e nā ACL."
- E ʻimi i ka helu IP waho o ke kikowaena Consul a wehe i kahi polokalamu kele pūnaewele me kēia IP address ma ke awa 8500. E hōʻoia i ka wehe ʻana o ka UI.
- E ho'āʻo e hoʻohui i ka hui kī/waiwai. Pono ke kuhihewa. ʻO kēia no ka mea ua hoʻouka mākou i ke kikowaena Consul me kahi ACL a hoʻopau i nā lula āpau.
- E hoʻi i kāu pūpū ma ke kikowaena Consul a hoʻomaka i ke kaʻina hana ma hope a i ʻole kekahi ala ʻē aʻe e holo ai a komo i kēia:
consul acl bootstrap- E huli i ka waiwai "SecretID" a hoʻi i ka UI. Ma ka ʻaoʻao ACL, e hoʻokomo i ka ID huna o ka hōʻailona āu i kope ai. E kope iā SecretID ma kahi ʻē aʻe, pono mākou ma hope.
- I kēia manawa e hoʻohui i kahi pālua kī/waiwai. No kēia POC, e hoʻohui i kēia: kī: "custom-ns/test_key", waiwai: "Aia wau i ka waihona custom-ns!"
Ke hoʻolaha nei i kahi pūʻulu Kubernetes no kā mākou noi me ka mea kūʻai aku ʻo Consul ma ke ʻano he Daemonset
- E hana i kahi hui K8s (Kubernetes). E hana mākou iā ia ma ka ʻāpana like me ke kikowaena no ke komo wikiwiki ʻana, a no laila hiki iā mākou ke hoʻohana i ka subnet like e hoʻopili maʻalahi me nā helu IP kūloko. E kapa mākou iā ia "skywiz-app-with-consul-client-poc".
- E like me ka ʻaoʻao ʻaoʻao, eia kahi aʻo maikaʻi aʻu i ʻike ai i ka wā e hoʻonohonoho ana i kahi puʻupuʻu POC Consul me Consul Connect.
- E hoʻohana pū mākou i ka pakuhi helm Hashicorp me kahi faila waiwai lōʻihi.
- E hoʻouka a hoʻonohonoho i ka Helm. Nā ʻanuʻu hoʻonohonoho:
kubectl create serviceaccount tiller --namespace kube-system
kubectl create clusterrolebinding tiller-admin-binding
--clusterrole=cluster-admin --serviceaccount=kube-system:tiller
./helm init --service-account=tiller
./helm update- palapala hoʻokele:
- E hoʻohana i kēia waihona waiwai (e hoʻomaopopo ua hoʻopau wau i ka hapa nui):
### poc-helm-consul-values.yaml
global:
enabled: false
image: "consul:latest"
# Expose the Consul UI through this LoadBalancer
ui:
enabled: false
# Allow Consul to inject the Connect proxy into Kubernetes containers
connectInject:
enabled: false
# Configure a Consul client on Kubernetes nodes. GRPC listener is required for Connect.
client:
enabled: true
join: ["<PRIVATE_IP_CONSUL_SERVER>"]
extraConfig: |
{
"acl" : {
"enabled": true,
"default_policy": "deny",
"enable_token_persistence": true
}
}
# Minimal Consul configuration. Not suitable for production.
server:
enabled: false
# Sync Kubernetes and Consul services
syncCatalog:
enabled: false- E hoʻohana i ka pakuhi hoʻokele:
./helm install -f poc-helm-consul-values.yaml ./consul-helm - name skywiz-app-with-consul-client-poc- Ke hoʻāʻo ʻo ia e holo, pono ia i nā ʻae no ke kikowaena Consul, no laila e hoʻohui mākou iā lākou.
- E nānā i ka "Pod Address Range" aia ma ka cluster dashboard a e nānā hou i kā mākou "skywiz-consul-server-poc" rule firewall.
- E hoʻohui i ka laulā helu no ka pod i ka papa inoa o nā helu IP a wehe i nā awa 8301 a me 8300.
- E hele i ka Consul UI a ma hope o kekahi mau minuke e ʻike ʻoe i kā mākou pūʻulu i ka ʻaoʻao nodes.
Ka hoʻonohonoho ʻana i kahi ala ʻae ʻia ma o ka hoʻohui ʻana i ke Kanikela me Kubernetes
- E hoʻi i ka pūpū kikowaena Consul a hoʻokuʻu aku i ka hōʻailona āu i mālama ai ma mua:
export CONSUL_HTTP_TOKEN=<SecretID>- Pono mākou i ka ʻike mai kā mākou pūʻulu Kubernetes no ka hana ʻana i kahi laʻana o ke ʻano o ka hōʻoia:
- kubernetes-host
kubectl get endpoints | grep kubernetes- kubernetes-service-account-jwt
kubectl get sa <helm_deployment_name>-consul-client -o yaml | grep "- name:"
kubectl get secret <secret_name_from_prev_command> -o yaml | grep token:- Hoʻopili ʻia ka hōʻailona base64, no laila e hoʻokaʻawale iā ia me ka hoʻohana ʻana i kāu mea punahele punahele []
- kubernetes-ca-cert
kubectl get secret <secret_name_from_prev_command> -o yaml | grep ca.crt:- E lawe i ka palapala "ca.crt" (ma hope o ka decoding base64) a kākau i loko o ka faila "ca.crt".
- I kēia manawa, e hoʻololi koke i ke ʻano o ka auth, e hoʻololi i nā mea waiho me nā waiwai āu i loaʻa ai.
consul acl auth-method create
-type "kubernetes"
-name "auth-method-skywiz-consul-poc"
-description "This is an auth method using kubernetes for the cluster skywiz-app-with-consul-client-poc"
-kubernetes-host "<k8s_endpoint_retrieved earlier>"
[email protected]
-kubernetes-service-account-
jwt="<decoded_token_retrieved_earlier>"- A laila pono mākou e hana i kahi lula a hoʻopili i ke kuleana hou. No kēia ʻāpana hiki iā ʻoe ke hoʻohana i ka Consul UI, akā e hoʻohana mākou i ka laina kauoha.
- Kākau i lula
### kv-custom-ns-policy.hcl
key_prefix "custom-ns/" {
policy = "write"
}- E noi i ka lula
consul acl policy create
-name kv-custom-ns-policy
-description "This is an example policy for kv at custom-ns/"
-rules @kv-custom-ns-policy.hcl- E ʻimi i ka ID o ke kānāwai āu i hana ai mai ka hoʻopuka.
- E hana i kahi kuleana me kahi lula hou.
consul acl role create
-name "custom-ns-role"
-description "This is an example role for custom-ns namespace"
-policy-id <policy_id>- I kēia manawa, e hoʻopili mākou i kā mākou kuleana hou me ka laʻana o ke ʻano aut. E hoʻomaopopo i ka hae "koho" e hoʻoholo inā loaʻa kēia kuleana i kā mākou noi komo. E nānā maanei no nā koho koho ʻē aʻe:
consul acl binding-rule create
-method=auth-method-skywiz-consul-poc
-bind-type=role
-bind-name='custom-ns-role'
-selector='serviceaccount.namespace=="custom-ns"'ʻO nā hoʻonohonoho hope
Nā kuleana komo
- E hana i nā kuleana komo. Pono mākou e hāʻawi i ke Kanikela ʻae e hōʻoia a ʻike i ka ʻike o ka hōʻailona moʻokāki lawelawe K8s.
- E kākau i kēia i ka faila :
###skywiz-poc-consul-server_rbac.yaml
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: review-tokens
namespace: default
subjects:
- kind: ServiceAccount
name: skywiz-app-with-consul-client-poc-consul-client
namespace: default
roleRef:
kind: ClusterRole
name: system:auth-delegator
apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service-account-getter
namespace: default
rules:
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: get-service-accounts
namespace: default
subjects:
- kind: ServiceAccount
name: skywiz-app-with-consul-client-poc-consul-client
namespace: default
roleRef:
kind: ClusterRole
name: service-account-getter
apiGroup: rbac.authorization.k8s.io- E hana kākou i nā kuleana komo
kubectl create -f skywiz-poc-consul-server_rbac.yamlHoʻopili ʻana i ka mea kūʻai aku ke Kanikela
- E like me ka mea i hoikeia Nui nā koho no ka hoʻopili ʻana i ka daemonset, akā e neʻe mākou i ka hopena maʻalahi:
- E noi i kēia faila [].
### poc-consul-client-ds-svc.yaml
apiVersion: v1
kind: Service
metadata:
name: consul-ds-client
spec:
selector:
app: consul
chart: consul-helm
component: client
hasDNS: "true"
release: skywiz-app-with-consul-client-poc
ports:
- protocol: TCP
port: 80
targetPort: 8500- A laila e hoʻohana i kēia kauoha i kūkulu ʻia e hana i kahi configmap []. E ʻoluʻolu e pili ana mākou i ka inoa o kā mākou lawelawe, e hoʻololi inā pono.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
labels:
addonmanager.kubernetes.io/mode: EnsureExists
name: kube-dns
namespace: kube-system
data:
stubDomains: |
{"consul": ["$(kubectl get svc consul-ds-client -o jsonpath='{.spec.clusterIP}')"]}
EOFKe ho'āʻo nei i ke ʻano o ka ʻoiaʻiʻo
I kēia manawa e ʻike kākou i ka hana kilokilo!
- E hana i kekahi mau waihona kī hou me ke kī kiʻekiʻe kiʻekiʻe (ʻo ia hoʻi. /sample_key) a me kahi waiwai o kāu koho. E hana i nā kulekele a me nā kuleana kūpono no nā ala nui hou. E hana mākou i nā paʻa ma hope.
Hoʻāʻo hoʻokolo inoa maʻamau:
- E hana mākou i kā mākou inoa ponoʻī:
kubectl create namespace custom-ns- E hana mākou i kahi pod ma kā mākou inoa inoa hou. Kākau i ka hoʻonohonoho no ka pod.
###poc-ubuntu-custom-ns.yaml
apiVersion: v1
kind: Pod
metadata:
name: poc-ubuntu-custom-ns
namespace: custom-ns
spec:
containers:
- name: poc-ubuntu-custom-ns
image: ubuntu
command: ["/bin/bash", "-ec", "sleep infinity"]
restartPolicy: Never- E hana ma lalo o:
kubectl create -f poc-ubuntu-custom-ns.yaml- Ke holo ka ipu, e hele i laila a hoʻokomo i ka curl.
kubectl exec poc-ubuntu-custom-ns -n custom-ns -it /bin/bash
apt-get update && apt-get install curl -y- I kēia manawa e hoʻouna mākou i kahi noi komo i ke Kanikela me ka hoʻohana ʻana i ke ala ʻae a mākou i hana mua ai [].
- No ka nānā ʻana i ka hōʻailona i hoʻokomo ʻia mai kāu moʻokāki lawelawe:
cat /run/secrets/kubernetes.io/serviceaccount/token- E kākau i kēia i kahi faila i loko o ka ipu:
### payload.json
{
"AuthMethod": "auth-method-test",
"BearerToken": "<jwt_token>"
}- E komo!
curl
--request POST
--data @payload.json
consul-ds-client.default.svc.cluster.local/v1/acl/login- No ka hoʻopau ʻana i nā ʻanuʻu i luna ma ka laina hoʻokahi (no ka mea, e holo ana mākou i nā hoʻokolohua he nui), hiki iā ʻoe ke hana i kēia:
echo "{
"AuthMethod": "auth-method-skywiz-consul-poc",
"BearerToken": "$(cat /run/secrets/kubernetes.io/serviceaccount/token)"
}"
| curl
--request POST
--data @-
consul-ds-client.default.svc.cluster.local/v1/acl/login- Hana! Ma ka liʻiliʻi e pono ai. I kēia manawa e lawe i ka SecretID a hoʻāʻo e komo i ke kī / waiwai e pono ai mākou e komo.
curl
consul-ds-client.default.svc.cluster.local/v1/kv/custom-ns/test_key --header “X-Consul-Token: <SecretID_from_prev_response>”- Hiki iā ʻoe ke hoʻololi i ka "Value" base64 a ʻike e pili ana i ka waiwai ma custom-ns/test_key i ka UI. Inā hoʻohana ʻoe i ka waiwai like ma luna o kēia kumu aʻo, ʻo IkknbSBpbiB0aGUgY3VzdG9tLW5zIGZvbGRlciEi kāu waiwai i hoʻopili ʻia.
Hoʻāʻo moʻokāki moʻokāki mea hoʻohana:
- E hana i kahi ServiceAccount me ka hoʻohana ʻana i kēia kauoha [].
kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: custom-sa
EOF- E hana i kahi faila hoʻonohonoho hou no ka pod. E ʻoluʻolu, ua hoʻokomo wau i ka hoʻonohonoho curl e mālama i ka hana :)
###poc-ubuntu-custom-sa.yaml
apiVersion: v1
kind: Pod
metadata:
name: poc-ubuntu-custom-sa
namespace: default
spec:
serviceAccountName: custom-sa
containers:
- name: poc-ubuntu-custom-sa
image: ubuntu
command: ["/bin/bash","-ec"]
args: ["apt-get update && apt-get install curl -y; sleep infinity"]
restartPolicy: Never- Ma hope o kēlā, e holo i kahi pūpū i loko o ka pahu.
kubectl exec -it poc-ubuntu-custom-sa /bin/bash- E komo!
echo "{
"AuthMethod": "auth-method-skywiz-consul-poc",
"BearerToken": "$(cat /run/secrets/kubernetes.io/serviceaccount/token)"
}"
| curl
--request POST
--data @-
consul-ds-client.default.svc.cluster.local/v1/acl/login- ʻAʻole ʻae ʻia. ʻAe, poina mākou e hoʻohui i nā lula hou e pili ana me nā ʻae kūpono, e hana kāua i kēia manawa.
E hana hou i nā ʻanuʻu mua ma luna:
a) E hana i kahi kulekele like no ka prefix "custom-sa/".
b) E hana i kahi kuleana, e kapa iā ia "custom-sa-role"
c) Hoʻopili i ke kulekele i ke kuleana.
- E hana i kahi Rule-Binding (hiki wale mai cli/api). E nānā i ke ʻano like ʻole o ka hae koho.
consul acl binding-rule create
-method=auth-method-skywiz-consul-poc
-bind-type=role
-bind-name='custom-sa-role'
-selector='serviceaccount.name=="custom-sa"'- E komo hou mai ka pahu "poc-ubuntu-custom-sa". Pōmaikaʻi!
- E nānā i ko mākou komo ʻana i ke ala maʻamau-sa/ kī.
curl
consul-ds-client.default.svc.cluster.local/v1/kv/custom-sa/test_key --header “X-Consul-Token: <SecretID>”- Hiki iā ʻoe ke hōʻoia ʻaʻole hāʻawi kēia hōʻailona i ke komo ʻana i kv ma "custom-ns/". E hana hou i ke kauoha i luna ma hope o ka hoʻololi ʻana i ka "custom-sa" me ka prefix "custom-ns".
ʻAʻole ʻae ʻia.
Laʻana overlay:
- Pono e hoʻomaopopo ʻia e hoʻohui ʻia nā palapala palapala paʻa kānāwai āpau i ka hōʻailona me kēia mau kuleana.
- ʻO kā mākou pahu "poc-ubuntu-custom-sa" aia i loko o ka inoa inoa paʻamau - no laila e hoʻohana mākou iā ia no kahi paʻa kānāwai ʻē aʻe.
- E hana hou i nā hana mua:
a) E hana i kahi Kulekele like no ka prefix kī "default/".
b) E hana i kahi Role, kapa iā ia "default-ns-role"
c) Hoʻopili i ke kulekele i ke kuleana. - E hana i kahi Rule-Binding (hiki wale mai cli/api)
consul acl binding-rule create
-method=auth-method-skywiz-consul-poc
-bind-type=role
-bind-name='default-ns-role'
-selector='serviceaccount.namespace=="default"'- E hoʻi i kā mākou pahu "poc-ubuntu-custom-sa" a hoʻāʻo e komo i ke ala "paʻamau /" kv.
- ʻAʻole ʻae ʻia.
Hiki iā ʻoe ke nānā i nā hōʻoia i kuhikuhi ʻia no kēlā me kēia hōʻailona ma ka UI ma lalo o ACL > Token. E like me kāu e ʻike ai, hoʻokahi wale nō "custom-sa-role" kā mākou hōʻailona i kēia manawa. ʻO ka hōʻailona a mākou e hoʻohana nei i hana ʻia i ka wā a mākou i komo ai a hoʻokahi wale nō kānāwai paʻa i pili i kēlā manawa. Pono mākou e komo hou a hoʻohana i ka hōʻailona hou. - E hōʻoia hiki iā ʻoe ke heluhelu mai nā ala "custom-sa/" a me "default/" kv.
Oka!
ʻO kēia no ka mea pili kā mākou "poc-ubuntu-custom-sa" i nā paʻa kānāwai "custom-sa" a me "default-ns".
hopena
TTL hōʻailona mgmt?
I ka manawa o kēia kākau ʻana, ʻaʻohe ala hoʻohui e hoʻoholo ai i ka TTL no nā hōʻailona i hana ʻia e kēia ʻano ʻae. He manawa maikaʻi loa ia e hāʻawi i ka automation palekana o ka ʻae ʻana o ke Kanikela.
Aia kahi koho e hana lima i kahi hōʻailona me TTL:
Manawa Hoʻopau - Ka manawa e hoʻopau ʻia ai kēia hōʻailona. (Koho; hoʻohui ʻia ma ke Kanikela 1.5.0)- Loaʻa wale no ka hana lima/hōʻano hou
Manaʻolana i ka wā e hiki mai ana e hiki iā mākou ke hoʻomalu i ka hana ʻana o nā hōʻailona (no kēlā me kēia lula a i ʻole ke ala ʻae) a hoʻohui iā TTL.
A hiki i kēlā manawa, manaʻo ʻia ʻoe e hoʻohana i kahi hopena logout i kāu loiloi.
E heluhelu pū i nā ʻatikala ʻē aʻe ma kā mākou blog:
Source: www.habr.com