The main difference between these two kinds of users is that Service Accounts are represented by dedicated objects in the Kubernetes API (called ServiceAccounts), bound to a namespace and to a set of credentials stored in the cluster as objects of type Secret. Such users (Service Accounts) are intended for controlling the access rights to the Kubernetes API of processes that run inside the Kubernetes cluster.
Normal Users have no records in the Kubernetes API: they must be managed by external mechanisms. They are intended for people or processes that live outside the cluster.
Every API request is associated with either a Service Account or a User, or is treated as anonymous.
service account tokens - for Service Accounts;
X509 client certificates - for Users.
Managing ServiceAccounts is beyond the scope of this article, but for those who want to learn more about it I recommend starting with the official documentation. We will look in more detail at how X509 certificates work.
User certificates (X.509)
The classic way of working with certificates consists of:
preparing a certificate signing request and signing it with the Kubernetes cluster CA keys to obtain the user certificate (to issue the certificate you must use an account that has access to the Kubernetes cluster CA key, which by default is /etc/kubernetes/pki/ca.key):
To make it easier to move the config between accounts and servers, it is recommended to replace the following keys:
certificate-authority
client-certificate
client-key
To do this, encode the files they refer to with base64 and put the result into the config under the same key names with the suffix -data appended, i.e. certificate-authority-data and so on.
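The following script is an added example, not code from the original article. It shows the classic flow described above (key, CSR, signature by the cluster CA via openssl) and then builds a kubeconfig in which the three file references are replaced by their base64-encoded *-data counterparts, so the file is self-contained and can be copied between machines. The cluster name, user name, server address and file names are placeholders, and the PEM bodies used by demo() are constructed stand-ins for real certificates.

```shell
#!/bin/sh
# Added example (not from the original article): issue a user certificate with the
# cluster CA and write a kubeconfig whose credentials are embedded as *-data fields.
# Assumptions: openssl is available for issue_user_cert(); names and paths are
# placeholders; the default CA key path on a kubeadm control plane is
# /etc/kubernetes/pki/ca.key.
set -eu

# issue_user_cert DIR USER CA_CRT CA_KEY
# Classic flow: private key, CSR with CN=<user> (O= becomes the user's group in
# Kubernetes), then the CSR is signed by the cluster CA. Requires openssl.
issue_user_cert() {
  dir=$1 user=$2 ca_crt=$3 ca_key=$4
  openssl genrsa -out "$dir/$user.key" 2048
  openssl req -new -key "$dir/$user.key" -subj "/CN=$user/O=developers" -out "$dir/$user.csr"
  openssl x509 -req -in "$dir/$user.csr" -CA "$ca_crt" -CAkey "$ca_key" \
    -CAcreateserial -out "$dir/$user.crt" -days 365
}

# base64 without line breaks, portable across GNU and BSD base64.
b64() {
  base64 < "$1" | tr -d '\n'
}

# write_embedded_kubeconfig OUT SERVER_URL CA_FILE CERT_FILE KEY_FILE
# Emits a kubeconfig where certificate-authority, client-certificate and client-key
# are replaced by the -data variants holding the base64-encoded file contents.
write_embedded_kubeconfig() {
  out=$1 server=$2 ca=$3 crt=$4 key=$5
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: mycluster
  cluster:
    server: $server
    certificate-authority-data: $(b64 "$ca")
users:
- name: mynewuser
  user:
    client-certificate-data: $(b64 "$crt")
    client-key-data: $(b64 "$key")
contexts:
- name: mynewuser@mycluster
  context:
    cluster: mycluster
    user: mynewuser
current-context: mynewuser@mycluster
EOF
}

# extract_data_field FILE KEY: decode one *-data field back to PEM (for checking).
extract_data_field() {
  sed -n "s/^ *$2: //p" "$1" | head -n 1 | base64 -d
}

# demo: builds the embedded kubeconfig from constructed placeholder PEM files
# (a real deployment would produce them with issue_user_cert) and verifies that
# the embedded client certificate round-trips to the original file.
demo() {
  dir=$(mktemp -d)
  printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n' > "$dir/ca.crt"
  printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT\n-----END CERTIFICATE-----\n' > "$dir/mynewuser.crt"
  printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END PRIVATE KEY-----\n' > "$dir/mynewuser.key"
  write_embedded_kubeconfig "$dir/config" https://192.168.100.200:6443 \
    "$dir/ca.crt" "$dir/mynewuser.crt" "$dir/mynewuser.key"
  extract_data_field "$dir/config" client-certificate-data | cmp -s - "$dir/mynewuser.crt"
  echo "$dir/config"
}
```

Run demo to get the path of the generated config; the same embedding can also be done with kubectl config set-credentials and set-cluster using --embed-certs=true, which is what the script reproduces without depending on kubectl. Keep in mind that an embedded client-key-data is a private key in clear text: the kubeconfig deserves the same file permissions as the key file itself.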
Certificates with kubeadm
With the release of Kubernetes 1.15, working with certificates became easier thanks to alpha support for it in the kubeadm utility. For example, this is what generating a config file with user keys can look like:
kubeadm alpha kubeconfig user --client-name=mynewuser --apiserver-advertise-address 192.168.100.200
Before release 1.6, Kubernetes used an authorization model called ABAC (Attribute-based access control). Details can be found in the official documentation. This approach is now considered legacy, but you can still use it together with other authorization modes.
The modern (and flexible) approach to distributing access rights in the cluster is called RBAC (Role-based access control). It has been declared stable since Kubernetes version 1.8. RBAC uses a permission model in which everything that is not explicitly allowed is forbidden. To enable RBAC, the Kubernetes api-server must be started with the parameter --authorization-mode=RBAC. The parameters are set in the manifest with the api-server configuration, which by default is at the path /etc/kubernetes/manifests/kube-apiserver.yaml, in the command section. However, RBAC is already enabled by default, so you most likely don't have to worry about it: you can verify this by the value of authorization-mode (in the already mentioned kube-apiserver.yaml). By the way, among its values there may be other authorization modes (node, webhook, always allow), but we leave them outside the scope of this article.
Incidentally, we have already published an article with a fairly detailed description of the principles and features of working with RBAC, so in what follows I will limit myself to a short list of the basics and examples.
The following API entities are used to control access to Kubernetes via RBAC:
Role and ClusterRole - roles describing access rights:
Role lets you describe rights within a namespace;
ClusterRole - within the whole cluster, including cluster-specific resources such as nodes and non-resource URLs (i.e. ones not related to Kubernetes resources - for example, /version, /logs, /api*);
RoleBinding and ClusterRoleBinding - used to bind a Role or ClusterRole to a user, a group of users or a ServiceAccount.
Role and RoleBinding entities are limited to a namespace, i.e. they must be in the same namespace. However, a RoleBinding can reference a ClusterRole, which lets you create a set of generic permissions once and use it to control access in individual namespaces.
Roles describe rights using sets of rules that contain:
API groups - see the official documentation on apiGroups and the output of kubectl api-resources;
resources (Resources: pod, namespace, deployment, etc.);
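The following script is an added example and not code from the original article. It generates the manifests for the entities just described: a namespaced Role whose single rule lists apiGroups, resources and verbs, a RoleBinding that grants that Role to the mynewuser client from the kubeadm example above, and a RoleBinding that reuses the built-in view ClusterRole inside one namespace, which is the "generic permissions" pattern mentioned in the text. The namespace "dev", the role name pod-reader and the ServiceAccount ci-bot are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): emit RBAC manifests.
# Placeholders: namespace "dev", Role "pod-reader", subjects mynewuser and ci-bot.
# "view" is one of the default ClusterRoles shipped with Kubernetes.
set -eu

# make_role NAMESPACE NAME
# One rule = apiGroups + resources + verbs; here read-only access to pods and
# their logs in the core ("") API group. Anything not listed stays forbidden.
make_role() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: $1
  name: $2
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
EOF
}

# make_rolebinding NAMESPACE NAME ROLEKIND ROLENAME SUBJECTKIND SUBJECTNAME
# ROLEKIND is Role (must live in NAMESPACE) or ClusterRole (defined cluster-wide,
# but because the binding is a RoleBinding the rights apply only in NAMESPACE).
# SUBJECTKIND is User, Group or ServiceAccount; a ServiceAccount subject carries
# a namespace instead of the rbac apiGroup.
make_rolebinding() {
  ns=$1 name=$2 rkind=$3 rname=$4 skind=$5 sname=$6
  case $rkind in
    Role|ClusterRole) ;;
    *) echo "roleRef.kind must be Role or ClusterRole, got: $rkind" >&2; return 1 ;;
  esac
  if [ "$skind" = ServiceAccount ]; then
    subject="- kind: ServiceAccount
  name: $sname
  namespace: $ns"
  else
    subject="- kind: $skind
  name: $sname
  apiGroup: rbac.authorization.k8s.io"
  fi
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: $ns
  name: $name
subjects:
$subject
roleRef:
  kind: $rkind
  name: $rname
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Example usage: pipe the output into kubectl apply -f - on a real cluster.
make_role dev pod-reader
echo ---
make_rolebinding dev read-pods Role pod-reader User mynewuser
echo ---
make_rolebinding dev view-dev ClusterRole view ServiceAccount ci-bot
```

After applying the manifests, kubectl auth can-i list pods --namespace dev --as mynewuser is the quickest way to confirm that the binding grants exactly what the Role lists and nothing outside the namespace.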
Besides these three required parameters, there are many additional settings related to auditing: from log rotation to webhook descriptions. An example of the log rotation parameters:
--audit-log-maxbackup=10
--audit-log-maxsize=100
--audit-log-maxage=7
But we will not consider them in detail - you can find the details in the kube-apiserver documentation.
As already mentioned, all parameters are set in the manifest with the api-server configuration (by default /etc/kubernetes/manifests/kube-apiserver.yaml), in the command section. Let us return to the three required parameters and go through them:
audit-policy-file - the path to the YAML file describing the audit policy. We will come back to its contents, but for now note that the file must be readable by the api-server process. It therefore has to be mounted into the container, for which you can add this snippet to the appropriate sections of the config:
audit-log-path - the path to the log file. This path must also be accessible to the api-server process, so we describe its mount in the same way:
In the policy you can list users (Users and ServiceAccounts) and user groups. For example, this is how to ignore certain users but log everything else at the Request level:
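The following script is an added example, not code from the original article. It writes an audit policy of the kind just described (a few named users and a group are skipped, everything else is logged at the Request level), and prints the kube-apiserver flags together with the hostPath volumes and volumeMounts that make the policy file readable and the log path writable inside the api-server container. The directories, user names and the rotation values reuse the flags quoted above; everything else is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original article): audit policy + api-server wiring.
# Placeholders: /etc/kubernetes/audit, /var/log/kubernetes/audit, the skipped users.
set -eu

# write_audit_policy FILE
# Rules are evaluated in order and the first match wins, so the "None" rules for
# principals we want to ignore come first and the catch-all Request rule last.
write_audit_policy() {
  cat > "$1" <<'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived          # log the completed request, not its arrival
rules:
  - level: None              # ignore these users entirely
    users:
      - "system:kube-proxy"
      - "system:serviceaccount:kube-system:default"
  - level: None              # ignore every member of this group
    userGroups: ["system:nodes"]
  - level: Request           # metadata + request body for everything else
EOF
}

# apiserver_audit_args: flags to append under spec.containers[0].command in
# /etc/kubernetes/manifests/kube-apiserver.yaml
apiserver_audit_args() {
  cat <<'EOF'
    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml
    - --audit-log-path=/var/log/kubernetes/audit/audit.log
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
    - --audit-log-maxage=7
EOF
}

# apiserver_audit_mounts: volumeMounts for the container plus hostPath volumes
# for the pod, so the api-server process can read the policy and write the log.
apiserver_audit_mounts() {
  cat <<'EOF'
    volumeMounts:
    - mountPath: /etc/kubernetes/audit
      name: audit-policy
      readOnly: true
    - mountPath: /var/log/kubernetes/audit
      name: audit-log
  volumes:
  - hostPath:
      path: /etc/kubernetes/audit
      type: DirectoryOrCreate
    name: audit-policy
  - hostPath:
      path: /var/log/kubernetes/audit
      type: DirectoryOrCreate
    name: audit-log
EOF
}

# policy_levels FILE: print the rule levels in order, a quick check that the
# catch-all Request rule really is last and nothing shadows it.
policy_levels() {
  sed -n 's/^ *- level: \([A-Za-z]*\).*/\1/p' "$1" | xargs
}

# Example usage: write the policy and show what has to go into the manifest.
write_audit_policy /tmp/policy.yaml
policy_levels /tmp/policy.yaml
apiserver_audit_args
apiserver_audit_mounts
```

The policy file is mounted read-only on purpose: the api-server only needs to read it, and a writable mount would let a compromised api-server container silence its own audit trail. Because kube-apiserver is a static pod, saving the edited manifest is enough for the kubelet to restart it with the new flags.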