Intshayelelo kuGunyaziso lwe-Hashicorp Consul's Kubernetes

That's right: since the release of Hashicorp Consul 1.5.0 in early May 2019, Consul can natively authorize applications and services running in Kubernetes.

In this tutorial we will build a step-by-step POC (proof of concept) demonstrating this new feature. Basic knowledge of Kubernetes and Hashicorp's Consul is expected. While you can use any cloud platform or an on-premises environment, in this tutorial we will use the Google Cloud Platform.

Overview

If we go to the Consul documentation on its auth method, we get a quick overview of its purpose and use case, along with technical details and a high-level view of the logic. I highly recommend reading it at least once before continuing, since I will now be explaining it and chewing through all of it.

Diagram 1: Official overview of the Consul auth method

Let's dig into the documentation for the specific Kubernetes auth method.

Sure, there is useful information there, but no guidance on how to actually put it all to use. So, like any sensible person, you search the Internet for a guide. And then... you come up short. It happens. Let's fix that.

Before we move on to creating our POC, let's go back to the overview of the Consul auth methods (Diagram 1) and refine it in the context of Kubernetes.

Architecture

In this tutorial, we will create a Consul server on a separate machine that will communicate with a Kubernetes cluster that has a Consul client installed. We will then create our dummy application in a pod and use our configured auth method to read from our Consul key/value store.

The diagram below details the architecture we are building in this tutorial, as well as the logic behind the auth method, which will be explained later.

Diagram 2: Kubernetes Auth Method Overview

A quick note: the Consul server does not need to live outside the Kubernetes cluster for this to work. But yes, it can be done either way.

So, taking the Consul overview diagram (Diagram 1) and applying Kubernetes to it, we get the diagram above (Diagram 2), and the logic here is as follows:

  1. Each pod will have a service account attached to it containing a JWT token generated by, and known to, Kubernetes. This token is also mounted into the pod by default.
  2. Our application or service inside the pod initiates a login command to our Consul client. The login request will include our token and the name of a specially created auth method (of type Kubernetes). This step #2 corresponds to step 1 of the Consul diagram (Diagram 1).
  3. Our Consul client will then forward this request to our Consul server.
  4. MAGIC! This is where the Consul server verifies the authenticity of the request, gathers information about the identity behind the request, and compares it with any predefined rules. Below is another diagram to illustrate this. This step corresponds to steps 3, 4 and 5 of the Consul overview diagram (Diagram 1).
  5. Our Consul server generates a Consul token with permissions according to the auth method rules we defined for the requester's identity. It will then send that token back. This corresponds to step 6 of the Consul diagram (Diagram 1).
  6. Our Consul client forwards the token to the requesting application or service.

Our application or service can now use this Consul token to interact with our Consul data, as determined by the token's privileges.

The magic revealed!

For those of you who aren't satisfied with just a rabbit out of a hat and want to know how it works... let me "show you how deep the rabbit hole goes".

As mentioned earlier, our "magic" step (Diagram 2: Step 4) is where the Consul server authenticates the request, gathers information about the request, and compares it with any predefined rules. This step corresponds to steps 3, 4 and 5 of the Consul overview diagram (Diagram 1). Below is a diagram (Diagram 3) whose purpose is to clearly show what actually happens under the hood of the specific Kubernetes auth method.

Diagram 3: The magic revealed!

  1. As a starting point, our Consul client forwards the login request to our Consul server along with the Kubernetes service account token and the instance name of the previously created auth method. This step corresponds to step 3 of the previous diagram explanation.
  2. Now the Consul server (or leader) needs to verify the authenticity of the received token. So it will consult the Kubernetes cluster (via the Consul client) and, given the appropriate permissions, we will find out whether the token is genuine and who it belongs to.
  3. The verified request is returned to the Consul leader, and the Consul server looks up the auth method instance with the name referenced in the login request (and of type Kubernetes).
  4. The Consul leader identifies the specified auth method instance (if found) and reads the set of binding rules attached to it. It then reads these rules and compares them with the verified identity attributes.
  5. TA-dah! Let's move on to step 5 of the previous diagram explanation.
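
To make steps 2 to 4 concrete, here is an added Python illustration (not code from the original article, and not Consul's own implementation) of what the Consul server learns about the caller: it decodes the payload of a Kubernetes service-account JWT and turns the `system:serviceaccount:<namespace>:<name>` username that a TokenReview reports into the two attributes the binding-rule selectors later refer to. The claims are constructed sample values, the signature is a placeholder, and no cryptographic verification happens here; in the real flow that check is delegated to the Kubernetes API.

```python
import base64
import json

# Constructed sample claims, shaped like the legacy Kubernetes service-account
# token the tutorial reads from /run/secrets/kubernetes.io/serviceaccount/token.
# Every value below is made up for this example.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "custom-ns",
    "kubernetes.io/serviceaccount/secret.name": "default-token-abcde",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-4000-8000-000000000000",
    "sub": "system:serviceaccount:custom-ns:default",
}


def _b64url(data: bytes) -> str:
    """base64url without padding, as used by JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_sample_jwt(claims: dict) -> str:
    """Assemble a JWT-shaped string with a placeholder signature (demo only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.signature-placeholder"


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT. No signature check happens here:
    in the real flow the Consul server asks the Kubernetes TokenReview API
    whether the token is genuine instead of verifying it locally."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def identity_from_tokenreview_username(username: str) -> dict:
    """A successful TokenReview reports the caller as
    'system:serviceaccount:<namespace>:<name>'. Split that into the two
    attributes the tutorial's binding-rule selectors refer to."""
    prefix = "system:serviceaccount:"
    if not username.startswith(prefix):
        raise ValueError(f"not a service-account identity: {username!r}")
    namespace, _, name = username[len(prefix):].partition(":")
    if not namespace or not name:
        raise ValueError(f"malformed service-account identity: {username!r}")
    return {"serviceaccount.namespace": namespace, "serviceaccount.name": name}


def identity_from_token(token: str) -> dict:
    """What the Consul server ends up knowing about the caller once Kubernetes
    has vouched for the token. The 'sub' claim carries the same username that
    the TokenReview response would return."""
    return identity_from_tokenreview_username(jwt_claims(token)["sub"])


if __name__ == "__main__":
    demo_token = make_unsigned_sample_jwt(SAMPLE_CLAIMS)
    print(demo_token)
    print(identity_from_token(demo_token))
```

Running the block prints the constructed token and the identity `{'serviceaccount.namespace': 'custom-ns', 'serviceaccount.name': 'default'}`; it is exactly these two attributes that the selectors `serviceaccount.namespace=="custom-ns"` and `serviceaccount.name=="custom-sa"` used later in the tutorial are evaluated against.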

Run the Consul server on a plain virtual machine

From here on, I will mostly be giving instructions on how to build this POC, often as bullet points, without full-sentence explanations. Also, as noted earlier, I will be using GCP to build all of the infrastructure, but you can build the same infrastructure anywhere else.

  • Start the virtual machine (instance/server).

  • Create a firewall rule (a security group in AWS):
  • I like to give the rule and the network tag the same name as the machine, in this case "skywiz-consul-server-poc".
  • Get your computer's IP address and add it to the list of source IP addresses so that we can reach the user interface (UI).
  • Open port 8500 for the UI. Click Create. We will change this firewall again shortly [link].
  • Add the firewall rule to the instance. Go back to the VM dashboard of the Consul server and add "skywiz-consul-server-poc" to the network tags field. Click Save.

  • Install Consul on the virtual machine; see here. Remember that you need Consul version ≥ 1.5 [link]
  • Let's make a single-node Consul; the setup goes as follows.

groupadd --system consul
useradd -s /sbin/nologin --system -g consul consul
mkdir -p /var/lib/consul
chown -R consul:consul /var/lib/consul
chmod -R 775 /var/lib/consul
mkdir /etc/consul.d
chown -R consul:consul /etc/consul.d

  • For a more detailed guide on installing Consul and setting up a 3-node cluster, see here.
  • Create the file /etc/consul.d/agent.json as follows [link]:

### /etc/consul.d/agent.json
{
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true
  }
}

  • Start our Consul server:

consul agent \
  -server \
  -ui \
  -client 0.0.0.0 \
  -data-dir=/var/lib/consul \
  -bootstrap-expect=1 \
  -config-dir=/etc/consul.d

  • You should see a bunch of output ending with "... update blocked by ACLs."
  • Find the external IP address of the Consul server and open a browser at that IP address on port 8500. Make sure the UI opens.
  • Try adding a key/value pair. There should be an error. This is because we started the Consul server with ACLs enabled and a default policy that denies everything.
  • Go back to your shell on the Consul server, start the process in the background (or keep it running some other way), and enter the following:

consul acl bootstrap

  • Find the "SecretID" value and go back to the UI. In the ACL tab, enter the secret ID of the token you just copied. Copy the SecretID somewhere else; we will need it later.
  • Now add a key/value pair. For this POC, add the following: key: "custom-ns/test_key", value: "I'm in the custom-ns folder!"

Setting up the Kubernetes cluster for our application with the Consul client as a Daemonset

  • Create a K8s (Kubernetes) cluster. We will create it in the same region as the server for faster access, and so that we can use the same subnet to connect easily over internal IP addresses. We will call it "skywiz-app-with-consul-client-poc".

  • As a side note, here is a good tutorial I found while setting up a POC Consul cluster with Consul Connect.
  • We will use Hashicorp's helm chart with an extended values file.
  • Install and configure Helm. Setup steps:

kubectl create serviceaccount tiller --namespace kube-system
kubectl create clusterrolebinding tiller-admin-binding \
   --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
./helm init --service-account=tiller
./helm update

### poc-helm-consul-values.yaml
global:
  enabled: false
  image: "consul:latest"
# Expose the Consul UI through this LoadBalancer
ui:
  enabled: false
# Allow Consul to inject the Connect proxy into Kubernetes containers
connectInject:
  enabled: false
# Configure a Consul client on Kubernetes nodes. GRPC listener is required for Connect.
client:
  enabled: true
  join: ["<PRIVATE_IP_CONSUL_SERVER>"]
  extraConfig: |
    {
      "acl": {
        "enabled": true,
        "default_policy": "deny",
        "enable_token_persistence": true
      }
    }
# Minimal Consul configuration. Not suitable for production.
server:
  enabled: false
# Sync Kubernetes and Consul services
syncCatalog:
  enabled: false

  • Install the helm chart:

./helm install -f poc-helm-consul-values.yaml ./consul-helm --name skywiz-app-with-consul-client-poc

  • When it tries to start, it will need access to the Consul server, so let's add that.
  • Note the "Pod address range" shown on the cluster dashboard and go back to our "skywiz-consul-server-poc" firewall rule.
  • Add the pod address range to the list of source IP addresses and open ports 8301 and 8300.

  • Go to the Consul UI; after a few minutes you will see our cluster appear in the Nodes tab.

Configuring the Auth Method by Integrating Consul with Kubernetes

  • Go back to the Consul server shell and export the token you saved earlier:

export CONSUL_HTTP_TOKEN=<SecretID>

  • We will need the following information from our Kubernetes cluster to create an instance of the auth method:
  • kubernetes-host

kubectl get endpoints | grep kubernetes

  • kubernetes-service-account-jwt

kubectl get sa <helm_deployment_name>-consul-client -o yaml | grep "- name:"
kubectl get secret <secret_name_from_prev_command> -o yaml | grep token:

  • The token is base64-encoded, so decode it using your favorite tool [link]
  • kubernetes-ca-cert

kubectl get secret <secret_name_from_prev_command> -o yaml | grep ca.crt:

  • Take the "ca.crt" certificate (after base64 decoding) and write it to a file named "ca.crt".
  • Now create the auth method, replacing the placeholders with the values you just obtained.

consul acl auth-method create \
  -type "kubernetes" \
  -name "auth-method-skywiz-consul-poc" \
  -description "This is an auth method using kubernetes for the cluster skywiz-app-with-consul-client-poc" \
  -kubernetes-host "<k8s_endpoint_retrieved earlier>" \
  -kubernetes-ca-cert=@ca.crt \
  -kubernetes-service-account-jwt="<decoded_token_retrieved_earlier>"

  • Next we need to create a policy and attach it to a new role. For this part you could use the Consul UI, but we will use the command line.
  • Write the policy

### kv-custom-ns-policy.hcl
key_prefix "custom-ns/" {
 policy = "write"
}

  • Apply the policy

consul acl policy create \
  -name kv-custom-ns-policy \
  -description "This is an example policy for kv at custom-ns/" \
  -rules @kv-custom-ns-policy.hcl

  • Find the ID of the policy you just created in the output.
  • Create a role with the new policy.

consul acl role create \
  -name "custom-ns-role" \
  -description "This is an example role for custom-ns namespace" \
  -policy-id <policy_id>

  • Create the binding rule that maps service accounts in the custom-ns namespace to that role.

consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='custom-ns-role' \
  -selector='serviceaccount.namespace=="custom-ns"'

Final configuration

Access rights

  • Create the access rights. We need to give Consul permission to verify and identify the K8s service account token.
  • Write the following to a file [link]:

### skywiz-poc-consul-server_rbac.yaml
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: review-tokens
  namespace: default
subjects:
- kind: ServiceAccount
  name: skywiz-app-with-consul-client-poc-consul-client
  namespace: default
roleRef:
  kind: ClusterRole
  name: system:auth-delegator
  apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: service-account-getter
  namespace: default
rules:
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: get-service-accounts
  namespace: default
subjects:
- kind: ServiceAccount
  name: skywiz-app-with-consul-client-poc-consul-client
  namespace: default
roleRef:
  kind: ClusterRole
  name: service-account-getter
  apiGroup: rbac.authorization.k8s.io

  • Let's create the access rights

kubectl create -f skywiz-poc-consul-server_rbac.yaml

Connecting to the Consul client

  • As noted here, there are several options to choose from for connecting to the daemonset, but we will go with the following simple solution:
  • Apply the following file [link].

### poc-consul-client-ds-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: consul-ds-client
spec:
  selector:
    app: consul
    chart: consul-helm
    component: client
    hasDNS: "true"
    release: skywiz-app-with-consul-client-poc
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8500

  • Then use the following command to create the configmap [link]. Note that we refer to the name of our service; change it if necessary.

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kube-dns
  namespace: kube-system
data:
  stubDomains: |
    {"consul": ["$(kubectl get svc consul-ds-client -o jsonpath='{.spec.clusterIP}')"]}
EOF

Testing the auth method

Now let's see the magic in action!

  • Create several key folders with the same top-level key (i.e. /sample_key) and a value of your choice. Create the appropriate policies and roles for the new key paths. We will create the bindings later.

Custom namespace test:

  • Let's create our own namespace:

kubectl create namespace custom-ns

  • Let's create a pod in our new namespace. Write the pod configuration.

### poc-ubuntu-custom-ns.yaml
apiVersion: v1
kind: Pod
metadata:
  name: poc-ubuntu-custom-ns
  namespace: custom-ns
spec:
  containers:
  - name: poc-ubuntu-custom-ns
    image: ubuntu
    command: ["/bin/bash", "-ec", "sleep infinity"]
  restartPolicy: Never

  • Create the pod:

kubectl create -f poc-ubuntu-custom-ns.yaml

  • Once the container is running, open a shell in it and install curl.

kubectl exec -it poc-ubuntu-custom-ns -n custom-ns -- /bin/bash
apt-get update && apt-get install curl -y

  • Now we will send a login request to Consul using the auth method we created earlier [link].
  • To view the token mounted from your service account:

cat /run/secrets/kubernetes.io/serviceaccount/token

  • Write the following to a file inside the container (the AuthMethod must be the name of the auth method created above):

### payload.json
{
  "AuthMethod": "auth-method-skywiz-consul-poc",
  "BearerToken": "<jwt_token>"
}

  • Log in!

curl \
  --request POST \
  --data @payload.json \
  consul-ds-client.default.svc.cluster.local/v1/acl/login

  • To do the above steps in one line (since we will be running several tests), you can do the following:

echo "{ \
\"AuthMethod\": \"auth-method-skywiz-consul-poc\", \
\"BearerToken\": \"$(cat /run/secrets/kubernetes.io/serviceaccount/token)\" \
}" \
| curl \
  --request POST \
  --data @- \
  consul-ds-client.default.svc.cluster.local/v1/acl/login

  • It works! At least it should. Now take the SecretID from the response and try to read the key/value we should have access to.

curl \
  consul-ds-client.default.svc.cluster.local/v1/kv/custom-ns/test_key --header "X-Consul-Token: <SecretID_from_prev_response>"

  • You can base64 decode the "Value" and see that it matches the value of custom-ns/test_key in the UI. If you used the same value as above in this tutorial, your encoded value will be IkknbSBpbiB0aGUgY3VzdG9tLW5zIGZvbGRlciEi.
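
The same login and key read, as an added Python client that is not part of the original article: it talks to the same consul-ds-client Service over Consul's HTTP API. The payload builder, the SecretID extraction and the base64 decoding of "Value" are separate functions so they can be exercised without a cluster; the network calls assume the in-pod service-account token path and the auth-method name used above.

```python
import base64
import json
import urllib.error
import urllib.request

# Service created earlier in the tutorial, the in-pod token path, and the
# auth method name from the "consul acl auth-method create" step above.
CONSUL_ADDR = "http://consul-ds-client.default.svc.cluster.local"
TOKEN_PATH = "/run/secrets/kubernetes.io/serviceaccount/token"
AUTH_METHOD = "auth-method-skywiz-consul-poc"


def login_payload(auth_method: str, bearer_token: str) -> bytes:
    """Body for POST /v1/acl/login. json.dumps does the quoting that the
    shell echo one-liner has to get right by hand."""
    return json.dumps({"AuthMethod": auth_method, "BearerToken": bearer_token}).encode()


def secret_id_from_login(body: bytes) -> str:
    """The login response is a token object; SecretID is what goes into X-Consul-Token."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or "SecretID" not in doc:
        raise ValueError("login response carries no SecretID")
    return doc["SecretID"]


def kv_values(body: bytes) -> dict:
    """Map Key -> decoded Value for a GET /v1/kv/<key> response.
    Consul returns Value base64-encoded, or null for an empty value."""
    out = {}
    for entry in json.loads(body):
        raw = entry.get("Value")
        out[entry["Key"]] = "" if raw is None else base64.b64decode(raw).decode("utf-8")
    return out


def _http(method: str, url: str, data=None, headers=None) -> bytes:
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        if exc.code == 403:
            # No binding rule matched (login) or the token has no policy for this key (kv).
            raise PermissionError(f"{method} {url}: Permission denied") from None
        raise


def login(consul_addr: str, auth_method: str, bearer_token: str) -> str:
    body = _http("POST", f"{consul_addr}/v1/acl/login",
                 data=login_payload(auth_method, bearer_token),
                 headers={"Content-Type": "application/json"})
    return secret_id_from_login(body)


def read_kv(consul_addr: str, secret_id: str, key: str) -> dict:
    body = _http("GET", f"{consul_addr}/v1/kv/{key}", headers={"X-Consul-Token": secret_id})
    return kv_values(body)


if __name__ == "__main__":
    with open(TOKEN_PATH) as f:
        sa_token = f.read().strip()
    secret_id = login(CONSUL_ADDR, AUTH_METHOD, sa_token)
    print(read_kv(CONSUL_ADDR, secret_id, "custom-ns/test_key"))
```

Run it inside the poc-ubuntu-custom-ns pod (after installing python3) and it prints the decoded value of custom-ns/test_key; a 403 from either endpoint surfaces as PermissionError, which is the same condition the tutorial's curl runs report as "Permission denied".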

Custom service account test:

  • Create a custom Service Account using the following command [link].

kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
 name: custom-sa
EOF

  • Create a new pod configuration file. Note that I included the curl install to save some work :)

### poc-ubuntu-custom-sa.yaml
apiVersion: v1
kind: Pod
metadata:
  name: poc-ubuntu-custom-sa
  namespace: default
spec:
  serviceAccountName: custom-sa
  containers:
  - name: poc-ubuntu-custom-sa
    image: ubuntu
    command: ["/bin/bash", "-ec"]
    args: ["apt-get update && apt-get install curl -y; sleep infinity"]
  restartPolicy: Never

  • Then open a shell inside the container.

kubectl exec -it poc-ubuntu-custom-sa -- /bin/bash

  • Log in!

echo "{ \
\"AuthMethod\": \"auth-method-skywiz-consul-poc\", \
\"BearerToken\": \"$(cat /run/secrets/kubernetes.io/serviceaccount/token)\" \
}" \
| curl \
  --request POST \
  --data @- \
  consul-ds-client.default.svc.cluster.local/v1/acl/login

  • Permission denied. Oh, we forgot to add new binding rules with the appropriate permissions; let's do that now.

Repeat the earlier steps from above:
a) Create the same kind of policy for the "custom-sa/" key prefix.
b) Create a role; call it "custom-sa-role".
c) Attach the policy to the role.

  • Create the binding rule (only possible via the CLI/API). Note the different value of the selector flag.

consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='custom-sa-role' \
  -selector='serviceaccount.name=="custom-sa"'

  • Log in again from the "poc-ubuntu-custom-sa" container. Success!
  • Check our access to the custom-sa/ key path.

curl \
  consul-ds-client.default.svc.cluster.local/v1/kv/custom-sa/test_key --header "X-Consul-Token: <SecretID>"

  • You can also verify that this token does not grant access to the kv under "custom-ns/". Just repeat the command above after replacing the "custom-sa" prefix with "custom-ns".
    Permission denied.

Overlapping example:

  • It is worth noting that every matching binding rule contributes its privileges to the token.
  • Our "poc-ubuntu-custom-sa" container lives in the default namespace, so let's use it for a different binding rule.
  • Repeat the earlier steps:
    a) Create the same kind of policy for the "default/" key prefix.
    b) Create a role; name it "default-ns-role".
    c) Attach the policy to the role.
  • Create the binding rule (only possible via the CLI/API)

consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='default-ns-role' \
  -selector='serviceaccount.namespace=="default"'

  • Go back to our "poc-ubuntu-custom-sa" container and try to access the "default/" kv path.
  • Permission denied.
    You can view the roles bound to each token in the UI under ACL > Tokens. As you can see, our current token has only "custom-sa-role" attached to it. The token we are using now was generated when we logged in, and at that time only one binding rule matched. We need to log in again and use the new token.
  • Verify that you can read from both the "custom-sa/" and the "default/" kv paths.
    Success!
    This is because our "poc-ubuntu-custom-sa" matches both the "custom-sa" and the "default-ns" binding rules.
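
The behaviour seen in the overlapping test, and the earlier "Permission denied" results, can be replayed with a small added Python model (written for this page; not Consul's own code): binding rules with selectors are evaluated against the verified identity at login time, every matching rule adds its role, and a token minted earlier keeps the roles it was bound at that moment. The selector evaluator handles only the field=="value" / field!="value" subset used on this page, with clauses joined by "and"; Consul's actual selector language is richer. The rule and identity values are the ones from this tutorial.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BindingRule:
    """One 'consul acl binding-rule create' invocation, reduced to its fields."""
    method: str
    bind_type: str   # the tutorial only uses "role"
    bind_name: str
    selector: str    # e.g. serviceaccount.namespace=="custom-ns"


# Only the subset of selector syntax used on this page is supported here
# (field=="value" / field!="value", clauses joined by ' and ').
_CLAUSE = re.compile(r'^\s*([A-Za-z_.]+)\s*(==|!=)\s*"([^"]*)"\s*$')


def selector_matches(selector: str, identity: dict) -> bool:
    """Evaluate a selector against the verified identity attributes."""
    if not selector.strip():
        return True  # an empty selector matches every login through the method
    for clause in selector.split(" and "):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported selector clause: {clause!r}")
        attr, op, wanted = m.groups()
        equal = identity.get(attr) == wanted
        if (op == "==") != equal:
            return False
    return True


def roles_for_login(rules, method: str, identity: dict) -> list:
    """Every rule of this method whose selector matches contributes its role."""
    return sorted({r.bind_name for r in rules
                   if r.method == method and r.bind_type == "role"
                   and selector_matches(r.selector, identity)})


def login(rules, method: str, identity: dict) -> list:
    """Mimic POST /v1/acl/login: Consul only mints a token if at least one
    binding rule matched; otherwise the login is refused."""
    roles = roles_for_login(rules, method, identity)
    if not roles:
        raise PermissionError("Permission denied: no binding rule matched")
    return roles


# Values from this tutorial.
METHOD = "auth-method-skywiz-consul-poc"
CUSTOM_NS_RULE = BindingRule(METHOD, "role", "custom-ns-role", 'serviceaccount.namespace=="custom-ns"')
CUSTOM_SA_RULE = BindingRule(METHOD, "role", "custom-sa-role", 'serviceaccount.name=="custom-sa"')
DEFAULT_NS_RULE = BindingRule(METHOD, "role", "default-ns-role", 'serviceaccount.namespace=="default"')

# Identities of the two test pods: (namespace, service account name).
POD_CUSTOM_NS = {"serviceaccount.namespace": "custom-ns", "serviceaccount.name": "default"}
POD_CUSTOM_SA = {"serviceaccount.namespace": "default", "serviceaccount.name": "custom-sa"}


def try_login(rules, identity: dict):
    try:
        return login(rules, METHOD, identity)
    except PermissionError:
        return "Permission denied"


def walkthrough() -> dict:
    """Replay the tutorial's tests as logins against a growing rule set."""
    rules = [CUSTOM_NS_RULE]
    out = {}
    out["custom-ns pod, first login"] = try_login(rules, POD_CUSTOM_NS)
    out["custom-sa pod, before its rule"] = try_login(rules, POD_CUSTOM_SA)
    rules.append(CUSTOM_SA_RULE)
    first_token = try_login(rules, POD_CUSTOM_SA)
    out["custom-sa pod, after custom-sa rule"] = first_token
    rules.append(DEFAULT_NS_RULE)
    # Roles are bound when the token is minted; an existing token does not grow.
    out["custom-sa pod, old token after default-ns rule"] = first_token
    out["custom-sa pod, re-login after default-ns rule"] = try_login(rules, POD_CUSTOM_SA)
    return out


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step}: {result}")
```

The last two entries of the walkthrough are the point of the overlapping test: the token from the first login carries only custom-sa-role, and only a fresh login after the default-ns rule exists yields a token bound to both custom-sa-role and default-ns-role.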

Conclusion

TTL token management?

At the time of writing, there is no integrated way to set a TTL for tokens generated by this auth method. That would be a great opportunity to provide secure automation of Consul authorization.

There is the option of creating a token manually with a TTL:

Hopefully, in the near future we will be able to control how tokens are created (per rule or per auth method) and add a TTL.

Until then, it is suggested that you use the logout endpoint in your logic.

Source: www.habr.com
