An Introduction to Hashicorp Consul's Kubernetes Authorization


That's right: since the release of Hashicorp Consul 1.5.0 in early May 2019, Consul can natively authorize applications and services running in Kubernetes.

In this tutorial we will build, step by step, a PoC (Proof of Concept) demonstrating this new feature. Basic knowledge of Kubernetes and Hashicorp Consul is assumed. Although you can use any cloud platform or on-premises environment, in this tutorial we will use Google Cloud Platform.

Overview

If we go to the Consul documentation on its authorization method, we get a quick overview of its purpose and use, along with the technical details and a general overview of the logic. I strongly recommend reading it at least once before proceeding, since I am now going to explain and chew through all of it.


Figure 1: Official overview of the Consul authorization method

Let's look at the documentation for the Kubernetes authorization method specifically.

Sure, there is a lot of useful information there, but there is no guide on how to actually use all of it. So, like any sensible person, you search the internet for a guide. And then... you fail. It happens. Let's fix that.

Before moving on to building our PoC, let's revisit the overview of the Consul authorization method (Figure 1) and refine it in the context of Kubernetes.

Architecture

In this tutorial we will create a Consul server on a separate machine that communicates with a Kubernetes cluster that has a Consul client installed. We will then create a dummy application in a pod and use our configured authorization method to read from the Consul key/value store.

The diagram below shows the architecture we are building in this tutorial, as well as the logic of the authorization method, which is explained later.


Figure 2: Kubernetes authorization method overview

Quick note: the Consul server does not have to live outside the Kubernetes cluster for this to work. But yes, it can be done either way.

So, taking the Consul overview diagram (Figure 1) and applying Kubernetes to it, we get the diagram above (Figure 2), and the logic is as follows:

  1. Each pod will have a service account containing a JWT token generated and known by Kubernetes. This token is also mounted into the pod by default.
  2. Our application or service inside the pod initiates a login command to our Consul client. The login request also includes our token and the name of the specifically created authorization method (of Kubernetes type). Step #2 corresponds to step 1 of the Consul diagram (Figure 1).
  3. Our Consul client then forwards this request to our Consul server.
  4. MAGIC! This is where the Consul server verifies the authenticity of the request, collects information about the request's identity and compares it with the associated predefined rules. Below is another diagram illustrating this. This step corresponds to steps 3, 4 and 5 of the Consul overview diagram (Figure 1).
  5. Our Consul server generates a Consul token with permissions according to the authorization method rules we defined for the requester's identity. It then sends that token back. This corresponds to step 6 of the Consul diagram (Figure 1).
  6. Our Consul client forwards the token to the requesting application or service.

Our application or service can now use this Consul token to communicate with our Consul data, as permitted by the token's privileges.

The magic revealed!

For those of you who aren't satisfied with a rabbit pulled out of a hat and want to know how it works... let me "show you how deep the rabbit hole goes".

As mentioned earlier, our "magic" step (Figure 2: step 4) is where the Consul server authenticates the request, collects information about the request and compares it with the associated predefined rules. This step corresponds to steps 3, 4 and 5 of the Consul overview diagram (Figure 1). Below is a diagram (Figure 3) whose purpose is to clearly show what is actually happening under the hood of the Kubernetes authorization method.


Figure 3: The magic revealed!

  1. As a starting point, our Consul client forwards the login request to our Consul server with the Kubernetes service account token and the specific instance name of the authorization method that was created earlier. This step corresponds to step 3 in the diagram explanation above.
  2. Now the Consul server (or leader) needs to verify the authenticity of the received token. So it queries the Kubernetes cluster (via the Consul client) and, with the appropriate permissions, we find out whether the token is genuine and who it belongs to.
  3. The verified request is then returned to the Consul leader, and the Consul server looks up the authorization method instance with the name given in the login request (and of Kubernetes type).
  4. The Consul leader identifies the specified authorization method instance (if found) and reads the binding rules attached to it. It then reads these rules and compares them with the verified identity attributes.
  5. TA-da! Let's move on to step 5 in the diagram explanation above.

Run the Consul server on a standalone virtual machine

From this point on I will mostly give instructions for building this PoC, often in bullet form, without full explanatory sentences. Also, as noted earlier, I will use GCP to create all the infrastructure, but you can build the same infrastructure anywhere else.

  • Start a virtual machine (instance/server).


  • Create a firewall rule (a security group in AWS):
  • I like to give the rule and the network tag the same name as the machine, in this case "skywiz-consul-server-poc".
  • Find your local computer's IP address and add it to the list of source IP addresses so that we can access the user interface (UI).
  • Open port 8500 for the UI. Click Create. We will modify this firewall rule again shortly.
  • Add the firewall rule to the instance. Go back to the VM dashboard for the Consul server and add "skywiz-consul-server-poc" to the network tags field. Click Save.


  • Install Consul on the virtual machine; see here. Remember that you need Consul version ≥ 1.5.
  • Let's create a single-node Consul. The configuration is as follows.

groupadd --system consul
useradd -s /sbin/nologin --system -g consul consul
mkdir -p /var/lib/consul
chown -R consul:consul /var/lib/consul
chmod -R 775 /var/lib/consul
mkdir /etc/consul.d
chown -R consul:consul /etc/consul.d

  • For more details on installing Consul and setting up a three-node cluster, see here.
  • Create the file /etc/consul.d/agent.json as follows:

### /etc/consul.d/agent.json
{
  "acl" : {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true
  }
}

  • Start our Consul server:

consul agent \
  -server \
  -ui \
  -client 0.0.0.0 \
  -data-dir=/var/lib/consul \
  -bootstrap-expect=1 \
  -config-dir=/etc/consul.d

  • You should see a lot of output, ending with "... update blocked by ACLs".
  • Find the external IP address of the Consul server and open a browser at that IP address on port 8500. Make sure the UI opens.
  • Try adding a key/value pair. There should be an error. This is because we started the Consul server with ACLs enabled and a default policy that denies everything.
  • Go back to your shell on the Consul server and start the process in the background, or otherwise keep it running, and enter the following:

consul acl bootstrap

  • Find the "SecretID" value and go back to the UI. In the ACL tab, enter the secret ID of the token you just copied. Copy the SecretID somewhere; we will need it later.
  • Now add a key/value pair. For this PoC, add the following: key: "custom-ns/test_key", value: "I'm in the custom-ns folder!"

Setting up the Kubernetes cluster for our application with the Consul client as a DaemonSet

  • Create a K8s (Kubernetes) cluster. We will create it in the same region as the server for faster access, so that we can use the same subnet and communicate easily over internal IP addresses. We'll call it "skywiz-app-with-consul-client-poc".


  • As a side note, here is a good tutorial I came across while setting up a Consul PoC cluster with Consul Connect.
  • We will also use Hashicorp's helm chart with an extended values file.
  • Install and configure Helm. Configuration steps:

kubectl create serviceaccount tiller --namespace kube-system
kubectl create clusterrolebinding tiller-admin-binding \
   --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
./helm init --service-account=tiller
./helm update

### poc-helm-consul-values.yaml
global:
  enabled: false
  image: "consul:latest"
# Expose the Consul UI through this LoadBalancer
ui:
  enabled: false
# Allow Consul to inject the Connect proxy into Kubernetes containers
connectInject:
  enabled: false
# Configure a Consul client on Kubernetes nodes. GRPC listener is required for Connect.
client:
  enabled: true
  join: ["<PRIVATE_IP_CONSUL_SERVER>"]
  extraConfig: |
    {
      "acl" : {
        "enabled": true,
        "default_policy": "deny",
        "enable_token_persistence": true
      }
    }
# Minimal Consul configuration. Not suitable for production.
server:
  enabled: false
# Sync Kubernetes and Consul services
syncCatalog:
  enabled: false

  • Install the helm chart:

./helm install -f poc-helm-consul-values.yaml ./consul-helm --name skywiz-app-with-consul-client-poc

  • When it tries to start, it will need network access to the Consul server, so let's add it.
  • Note the "Pod Address Range" shown on the cluster dashboard and go back to our "skywiz-consul-server-poc" firewall rule.
  • Add the pod address range to the list of IP addresses and open ports 8301 and 8300.


  • Go to the Consul UI, and after a few minutes you will see our cluster appear in the Nodes section.


Configuring the authorization method by integrating Consul with Kubernetes

  • Go back to the Consul server shell and export the token you saved earlier:

export CONSUL_HTTP_TOKEN=<SecretID>

  • We will need some information from our Kubernetes cluster to create an instance of the authorization method:
  • kubernetes-host

kubectl get endpoints | grep kubernetes

  • kubernetes-service-account-jwt

kubectl get sa <helm_deployment_name>-consul-client -o yaml | grep "- name:"
kubectl get secret <secret_name_from_prev_command> -o yaml | grep token:

  • The token is base64 encoded, so decode it with your favourite tool.
  • kubernetes-ca-cert

kubectl get secret <secret_name_from_prev_command> -o yaml | grep ca.crt:

  • Take the "ca.crt" certificate (after base64 decoding) and write it to a file named "ca.crt".
  • Now create the auth method, replacing the placeholders with the values you just obtained.

consul acl auth-method create \
  -type "kubernetes" \
  -name "auth-method-skywiz-consul-poc" \
  -description "This is an auth method using kubernetes for the cluster skywiz-app-with-consul-client-poc" \
  -kubernetes-host "<k8s_endpoint_retrieved earlier>" \
  -kubernetes-ca-cert=@ca.crt \
  -kubernetes-service-account-jwt="<decoded_token_retrieved_earlier>"

  • Next we need to create a policy and attach it to a new role. For this part you can use the Consul UI, but we will use the command line.
  • Write the policy

### kv-custom-ns-policy.hcl
key_prefix "custom-ns/" {
  policy = "write"
}

  • Apply the policy

consul acl policy create \
  -name kv-custom-ns-policy \
  -description "This is an example policy for kv at custom-ns/" \
  -rules @kv-custom-ns-policy.hcl

  • Find the ID of the newly created policy in the output.
  • Create a role with the new policy.

consul acl role create \
  -name "custom-ns-role" \
  -description "This is an example role for custom-ns namespace" \
  -policy-id <policy_id>

  • Create a binding rule that maps service accounts in the "custom-ns" namespace to this role.

consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='custom-ns-role' \
  -selector='serviceaccount.namespace=="custom-ns"'

Final configuration

Access rights

  • Create the access rights. We need to give Consul permission to verify and identify the K8s service account token.
  • Write the following to a file:

### skywiz-poc-consul-server_rbac.yaml
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: review-tokens
  namespace: default
subjects:
- kind: ServiceAccount
  name: skywiz-app-with-consul-client-poc-consul-client
  namespace: default
roleRef:
  kind: ClusterRole
  name: system:auth-delegator
  apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: service-account-getter
  namespace: default
rules:
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: get-service-accounts
  namespace: default
subjects:
- kind: ServiceAccount
  name: skywiz-app-with-consul-client-poc-consul-client
  namespace: default
roleRef:
  kind: ClusterRole
  name: service-account-getter
  apiGroup: rbac.authorization.k8s.io

  • Let's create the access rights

kubectl create -f skywiz-poc-consul-server_rbac.yaml

Connecting to the Consul client

  • As noted here, there are several options for connecting to the DaemonSet, but we will go with the following simple one:
  • Apply the following file.

### poc-consul-client-ds-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: consul-ds-client
spec:
  selector:
    app: consul
    chart: consul-helm
    component: client
    hasDNS: "true"
    release: skywiz-app-with-consul-client-poc
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8500

  • Then use the following command to create the configmap. Note that we refer to the name of our service; replace it if necessary.

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kube-dns
  namespace: kube-system
data:
  stubDomains: |
    {"consul": ["$(kubectl get svc consul-ds-client -o jsonpath='{.spec.clusterIP}')"]}
EOF

Testing the auth method

Now let's see the magic in action!

  • Create a few more keys with the same top-level key (e.g. /sample_key) and a value of your choice. Create the appropriate policies and roles for the new key paths. We will create the bindings later.


Custom namespace test:

  • Let's create our custom namespace:

kubectl create namespace custom-ns

  • Let's create a pod in our new namespace. Write the pod configuration.

### poc-ubuntu-custom-ns.yaml
apiVersion: v1
kind: Pod
metadata:
  name: poc-ubuntu-custom-ns
  namespace: custom-ns
spec:
  containers:
  - name: poc-ubuntu-custom-ns
    image: ubuntu
    command: ["/bin/bash", "-ec", "sleep infinity"]
  restartPolicy: Never

  • Create the pod:

kubectl create -f poc-ubuntu-custom-ns.yaml

  • Once the container is up, go into it and install curl.

kubectl exec poc-ubuntu-custom-ns -n custom-ns -it /bin/bash
apt-get update && apt-get install curl -y

  • Now we will send a login request to Consul using the authorization method we created earlier.
  • To see the token mounted into your service account:

cat /run/secrets/kubernetes.io/serviceaccount/token

  • Write the following to a file inside the container:

### payload.json
{
  "AuthMethod": "auth-method-skywiz-consul-poc",
  "BearerToken": "<jwt_token>"
}

  • Log in!

curl \
  --request POST \
  --data @payload.json \
  consul-ds-client.default.svc.cluster.local/v1/acl/login

  • To do the above steps on one line (since we will be running several tests), you can do the following:

echo "{ \
\"AuthMethod\": \"auth-method-skywiz-consul-poc\", \
\"BearerToken\": \"$(cat /run/secrets/kubernetes.io/serviceaccount/token)\" \
}" \
| curl \
  --request POST \
  --data @- \
  consul-ds-client.default.svc.cluster.local/v1/acl/login

  • It works! At least it should. Now take the SecretID and try to access the key/value we should have access to.

curl \
  consul-ds-client.default.svc.cluster.local/v1/kv/custom-ns/test_key --header "X-Consul-Token: <SecretID_from_prev_response>"

  • You can base64 decode the "Value" and see that it matches the value of custom-ns/test_key in the UI. If you used the same value as above in this tutorial, your encoded value will be IkknbSBpbiB0aGUgY3VzdG9tLW5zIGZvbGRlciEi.
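The login and key/value steps above, wrapped into a small POSIX shell helper. This is an added example, not code from the original article: it assumes the consul-ds-client Service, the auth-method name and the key created in this tutorial, builds the login JSON with printf instead of nested echo quoting, parses Consul's responses with sed (the ubuntu image has no jq), and treats an HTTP 403 on a key read as a missing binding rule rather than a transport error.

```shell
#!/bin/sh
# Added example (not from the original article). Assumed names: the
# consul-ds-client Service, the auth method and the key created above.
CONSUL_ADDR=${CONSUL_ADDR:-http://consul-ds-client.default.svc.cluster.local}
AUTH_METHOD=${AUTH_METHOD:-auth-method-skywiz-consul-poc}
SA_TOKEN_FILE=${SA_TOKEN_FILE:-/run/secrets/kubernetes.io/serviceaccount/token}

# login_payload <token-file>: JSON body for /v1/acl/login. printf keeps the
# quoting intact, which is easy to get wrong with nested echo "..." strings.
login_payload() {
  printf '{"AuthMethod":"%s","BearerToken":"%s"}\n' "$AUTH_METHOD" "$(cat "$1")"
}

# json_string <key>: first string value of "<key>":"..." read from stdin.
# Enough for Consul's flat login and KV responses; no jq needed.
json_string() {
  sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# kv_value: decode the base64 "Value" field of a /v1/kv/<key> response on stdin.
kv_value() {
  json_string Value | base64 -d
}

# consul_login: log in with the pod's service-account token, print the SecretID.
consul_login() {
  login_payload "$SA_TOKEN_FILE" \
    | curl -sS --fail --request POST --data @- "$CONSUL_ADDR/v1/acl/login" \
    | json_string SecretID
}

# consul_kv_get <secret-id> <key>: print the decoded value. A 403 means the
# token's roles (from the binding rules matched at login time) do not cover
# this key prefix; log in again after adding a rule, since tokens are not updated.
consul_kv_get() {
  body=$(mktemp)
  code=$(curl -sS -o "$body" -w '%{http_code}' \
           --header "X-Consul-Token: $1" "$CONSUL_ADDR/v1/kv/$2")
  case "$code" in
    200) kv_value < "$body"; rc=0 ;;
    403) echo "permission denied for $2: no binding rule grants this identity access" >&2; rc=3 ;;
    *)   echo "unexpected HTTP $code for $2" >&2; rc=1 ;;
  esac
  rm -f "$body"
  return $rc
}

# Constructed sample of a /v1/kv/custom-ns/test_key response (index values are
# invented) so the decoding path can be exercised without a cluster.
SAMPLE_KV_RESPONSE='[{"LockIndex":0,"Key":"custom-ns/test_key","Flags":0,"Value":"IkknbSBpbiB0aGUgY3VzdG9tLW5zIGZvbGRlciEi","CreateIndex":20,"ModifyIndex":20}]'

# decode_sample: the value stored in the tutorial, recovered from the sample above.
decode_sample() {
  printf '%s' "$SAMPLE_KV_RESPONSE" | kv_value
}
```

Inside the pod, `TOKEN=$(consul_login) && consul_kv_get "$TOKEN" custom-ns/test_key` performs the same two requests as the curl commands above.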

Custom service account test:

  • Create a new service account:

kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: custom-sa
EOF

  • Create a new pod configuration file. Note that I have included the curl installation to save some work :)

### poc-ubuntu-custom-sa.yaml
apiVersion: v1
kind: Pod
metadata:
  name: poc-ubuntu-custom-sa
  namespace: default
spec:
  serviceAccountName: custom-sa
  containers:
  - name: poc-ubuntu-custom-sa
    image: ubuntu
    command: ["/bin/bash","-ec"]
    args: ["apt-get update && apt-get install curl -y; sleep infinity"]
  restartPolicy: Never

  • Then open a shell in the container.

kubectl exec -it poc-ubuntu-custom-sa /bin/bash

  • Log in!

echo "{ \
\"AuthMethod\": \"auth-method-skywiz-consul-poc\", \
\"BearerToken\": \"$(cat /run/secrets/kubernetes.io/serviceaccount/token)\" \
}" \
| curl \
  --request POST \
  --data @- \
  consul-ds-client.default.svc.cluster.local/v1/acl/login

  • Permission denied. Oh, we forgot to add new binding rules with the appropriate permissions; let's do that now.

Repeat the previous steps above:
a) Create an identical policy for the "custom-sa/" key prefix.
b) Create a role, call it "custom-sa-role"
c) Attach the policy to the role.

  • Create a binding rule (possible from the CLI/API). Note the different meaning of the selector flag.

consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='custom-sa-role' \
  -selector='serviceaccount.name=="custom-sa"'

  • Log in again from the "poc-ubuntu-custom-sa" container. Success!
  • Check our access to the custom-sa/ key path.

curl \
  consul-ds-client.default.svc.cluster.local/v1/kv/custom-sa/test_key --header "X-Consul-Token: <SecretID>"

  • You can also verify that this token does not grant access to kv under "custom-ns/". Just repeat the command above after replacing "custom-sa" with the "custom-ns" prefix.
    Permission denied.

Combined example:

  • It is worth noting that all matching binding rules will be added to the token, together with their rights.
  • Our "poc-ubuntu-custom-sa" container is in the default namespace, so let's use it to create a different binding rule.
  • Repeat the previous steps:
    a) Create an identical policy for the "default/" key prefix.
    b) Create a role, call it "default-ns-role"
    c) Attach the policy to the role.
  • Create a binding rule (possible from the CLI/API)

consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='default-ns-role' \
  -selector='serviceaccount.namespace=="default"'

  • Go back to our "poc-ubuntu-custom-sa" container and try to access the "default/" kv path.
  • Permission denied.
    You can see the credentials attached to each token in the UI under ACL > Tokens. As you can see, our current token has only the one "custom-sa-role" attached. The token we are using was generated when we logged in, and only one binding rule matched at that time. We need to log in again and use the new token.
  • Make sure you can read from both the "custom-sa/" and "default/" kv paths.
    Success!
    This is because our "poc-ubuntu-custom-sa" matches both the "custom-sa" and "default-ns" binding rules.
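An offline model of the matching Consul performs in the "magic" step (Figure 3, step 4), as an added example that is not part of the article: the three binding rules created above are evaluated against a pod identity (service-account namespace and name) and every matching bind-name is collected, which is why the custom-sa pod in the default namespace ends up with both custom-sa-role and default-ns-role. It handles only the `==` comparisons (optionally joined with `and`) used in this tutorial, not Consul's full selector language, and the rule list is constructed from the commands above.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal model of how Consul
# matches binding-rule selectors against a verified Kubernetes identity.
# Constructed rule list mirroring the three binding rules created in this PoC,
# one per line: "<bind-name> <selector>".
BINDING_RULES='custom-ns-role serviceaccount.namespace=="custom-ns"
custom-sa-role serviceaccount.name=="custom-sa"
default-ns-role serviceaccount.namespace=="default"'

# field_value <field> <namespace> <name>: the identity attribute a selector refers to.
field_value() {
  case "$1" in
    serviceaccount.namespace) printf '%s' "$2" ;;
    serviceaccount.name)      printf '%s' "$3" ;;
    *) return 1 ;;   # an unknown field never matches
  esac
}

# clause_matches <field=="literal"> <namespace> <name>
clause_matches() {
  field=${1%%==*}
  want=${1#*==}
  want=${want#\"}; want=${want%\"}   # strip the quotes around the literal
  have=$(field_value "$field" "$2" "$3") || return 1
  [ "$have" = "$want" ]
}

# selector_matches <selector> <namespace> <name>: every " and "-joined clause must hold.
selector_matches() {
  rest=$1
  while [ -n "$rest" ]; do
    case "$rest" in
      *" and "*) clause=${rest%% and *}; rest=${rest#* and } ;;
      *)         clause=$rest; rest= ;;
    esac
    clause_matches "$clause" "$2" "$3" || return 1
  done
  return 0
}

# bound_roles <namespace> <name>: space-separated bind-names of all matching rules,
# i.e. the roles Consul would attach to the token issued at login time.
bound_roles() {
  roles=
  while read -r name selector; do
    [ -n "$name" ] || continue
    if selector_matches "$selector" "$1" "$2"; then
      roles="${roles:+$roles }$name"
    fi
  done <<EOF
$BINDING_RULES
EOF
  printf '%s\n' "$roles"
}

# Sample run: the two pods from the tests above, plus an identity no rule covers.
bound_roles custom-ns default      # custom-ns-role
bound_roles default custom-sa      # custom-sa-role default-ns-role
bound_roles kube-system default    # (empty: no rule matches, so Consul rejects the login)
```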

Conclusion

TTL token management?

At the time of writing, there is no integrated way to set the TTL of tokens generated by this authorization method. That would be a great opportunity to provide secure automation of Consul authorization.

It is possible to create a token manually with a TTL:

Hopefully in the near future we will be able to control how tokens are created (per rule or per authorization method) and add a TTL.

Until then, it is recommended to use the logout endpoint in your logic.


Source: www.habr.com
