That's right, after the release
In this tutorial we will create, step by step,
Overview
If we go to
Figure 1: Official overview of the Consul auth method
Let's look inside
Indeed, there is useful information there, but no guidance on how to use all of it. So, like any sane person, you search the internet for guidance. And then... you fail. It happens. Let's fix that.
Before we move on to creating our POC, let's go back to the overview of Consul's auth methods (Figure 1) and adapt it to the context of Kubernetes.
Architecture
In this tutorial we will create a Consul server on a separate machine that communicates with a Kubernetes cluster that has a Consul client installed. We will then create a dummy application in a pod and use our configured auth method to read from our Consul key/value store.
The diagram below describes the infrastructure we build in this tutorial, as well as the logic of the auth method, which is explained later.
Figure 2: Kubernetes auth method overview
Quick note: the Consul server does not have to live outside the Kubernetes cluster for this to work. But yes, it can be done either way.
So, taking the Consul overview diagram (Figure 1) and applying Kubernetes to it, we get the diagram above (Figure 2), and the logic here is as follows:
- Each pod has a service account attached to it containing a JWT token generated by and known to Kubernetes. This token is also injected into the pod by default.
- Our application or service inside the pod initiates a login command against our Consul client. The login request includes our token and the name of a specially created auth method (of type Kubernetes). This step #2 corresponds to step 1 of the Consul diagram (Figure 1).
- Our Consul client then forwards this request to our Consul server.
- MAGIC! This is where the Consul server verifies the authenticity of the request, gathers information about the identity behind the request and compares it against any associated pre-defined rules. Another diagram below illustrates this. This step corresponds to steps 3, 4 and 5 of the Consul overview diagram (Figure 1).
- Our Consul server generates a Consul token with permissions according to the auth method rules we defined, based on who made the request. It then sends that token back. This corresponds to step 6 of the Consul diagram (Figure 1).
- Our Consul client forwards the token to the requesting application or service.
Our application or service can now use this Consul token to work with our Consul data, as far as the token's permissions allow.
The magic is revealed!
For those who aren't satisfied with a rabbit pulled out of a hat and want to know how it works... let me show you how deep the rabbit hole goes.
As mentioned earlier, our "magic" step (Figure 2: step 4) is where the Consul server validates the request, gathers information about it, and compares it against any associated pre-defined rules. This step corresponds to steps 3, 4 and 5 of the Consul overview diagram (Figure 1). Below is a diagram (Figure 3) whose purpose is to show clearly what actually happens under the hood of a Kubernetes-type auth method.
Figure 3: The magic is revealed!
- As a starting point, our Consul client forwards the login request to our Consul server, together with the Kubernetes service account token and the name of the specific auth method instance created earlier. This step corresponds to step 3 in the previous diagram description.
- Now the Consul server (or leader) needs to verify the authenticity of the received token. So it contacts the Kubernetes cluster (via the Consul client) and, given the appropriate permissions, finds out whether the token is genuine and to whom it belongs.
- The verified request is then returned to the Consul leader, and the Consul server looks up the auth method with the name specified in the login request (of type Kubernetes).
- The Consul leader identifies the specified auth method instance (if found) and reads the set of binding rules attached to it. It then evaluates these rules against the verified identity attributes.
- TA-dah! Let's move on to step 5 in the previous diagram description.
Launch the Consul server on a regular virtual machine
From here on, I will give the instructions for creating this POC mostly as bullet points, without full-sentence explanations. Also, as noted at the beginning, I will use GCP to create all the infrastructure, but you can build the same infrastructure elsewhere.
- Start a virtual machine (instance/server).
- Create a firewall rule (a security group in AWS):
- I like to give both the rule and the network tag the same name as the machine, in this case "skywiz-consul-server-poc".
- Find your computer's IP address and add it to the list of source IP addresses so we can access the user interface (UI).
- Open port 8500 for the UI. Click Create. We will change this firewall rule again shortly [link].
- Add the firewall rule to the instance. Go back to the VM dashboard for the Consul server and add "skywiz-consul-server-poc" to the network tags field. Click Save.
- Install Consul on the virtual machine, see here. Remember that you need Consul version ≥ 1.5 [link].
- Let's build a single-node Consul; the setup is as follows.
groupadd --system consul
useradd -s /sbin/nologin --system -g consul consul
mkdir -p /var/lib/consul
chown -R consul:consul /var/lib/consul
chmod -R 775 /var/lib/consul
mkdir /etc/consul.d
chown -R consul:consul /etc/consul.d
- For a more detailed guide on installing Consul and setting up a 3-node cluster, see here.
- Create the file /etc/consul.d/agent.json as follows [link]:
### /etc/consul.d/agent.json
{
  "acl" : {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true
  }
}
- Start our Consul server:
consul agent \
  -server \
  -ui \
  -client 0.0.0.0 \
  -data-dir=/var/lib/consul \
  -bootstrap-expect=1 \
  -config-dir=/etc/consul.d
- You should see a lot of output, ending with "... update blocked by ACLs."
- Find the external IP address of the Consul server and open a browser at that IP address on port 8500. Make sure the UI opens.
- Try adding a key/value pair. You should get an error. This is because we started the Consul server with ACLs enabled and a default policy of deny.
- Go back to your shell on the Consul server, start the process in the background (or otherwise keep it running) and enter the following:
consul acl bootstrap
- Take the "SecretID" value and go back to the UI. In the ACL tab, enter the secret ID of the token you just copied. Copy the SecretID somewhere else as well; we'll need it later.
- Now add a key/value pair. For this POC, add the following: key: "custom-ns/test_key", value: "I'm in the custom-ns folder!"
Setting up the Kubernetes cluster with our application and the Consul client as a Daemonset
- Create a K8s (Kubernetes) cluster. We will create it in the same region as the server for quick access, and so that we can use the same subnet to connect easily over internal IP addresses. We'll name it "skywiz-app-with-consul-client-poc".
- As a side note, here is a good tutorial I found while setting up a POC Consul cluster with Consul Connect.
- We will also use Hashicorp's helm chart with an extended values file.
- Install and configure Helm. Setup steps:
kubectl create serviceaccount tiller --namespace kube-system
kubectl create clusterrolebinding tiller-admin-binding \
  --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
./helm init --service-account=tiller
./helm update
- helm chart: https://www.consul.io/docs/platform/k8s/helm.html
- Use the following values file (note that I've cut a lot out):
### poc-helm-consul-values.yaml
global:
  enabled: false
  image: "consul:latest"
# Expose the Consul UI through this LoadBalancer
ui:
  enabled: false
# Allow Consul to inject the Connect proxy into Kubernetes containers
connectInject:
  enabled: false
# Configure a Consul client on Kubernetes nodes. GRPC listener is required for Connect.
client:
  enabled: true
  join: ["<PRIVATE_IP_CONSUL_SERVER>"]
  extraConfig: |
    {
      "acl" : {
        "enabled": true,
        "default_policy": "deny",
        "enable_token_persistence": true
      }
    }
# Minimal Consul configuration. Not suitable for production.
server:
  enabled: false
# Sync Kubernetes and Consul services
syncCatalog:
  enabled: false
- Install the helm chart:
./helm install -f poc-helm-consul-values.yaml ./consul-helm --name skywiz-app-with-consul-client-poc
- When it tries to start, it will need access to the Consul server, so let's add that.
- Note the "Pod Address Range" shown in the cluster dashboard and go back to our "skywiz-consul-server-poc" firewall rule.
- Add the pod address range to the list of source IP addresses and open ports 8301 and 8300.
- Go to the Consul UI; after a few minutes you will see our cluster appear in the nodes tab.
Configuring the auth method: integrating Consul with Kubernetes
- Go back to the Consul server shell and export the token you saved earlier:
export CONSUL_HTTP_TOKEN=<SecretID>
- We will need the following information from our Kubernetes cluster to create an auth method instance:
- kubernetes-host
kubectl get endpoints | grep kubernetes
- kubernetes-service-account-jwt
kubectl get sa <helm_deployment_name>-consul-client -o yaml | grep "- name:"
kubectl get secret <secret_name_from_prev_command> -o yaml | grep token:
- The token is base64-encoded, so decode it with your favorite tool [link].
- kubernetes-ca-cert
kubectl get secret <secret_name_from_prev_command> -o yaml | grep ca.crt:
- Take the "ca.crt" certificate (after base64 decoding) and write it to a file named "ca.crt".
- Now instantiate the auth method, replacing the placeholders with the values you just retrieved.
consul acl auth-method create \
  -type "kubernetes" \
  -name "auth-method-skywiz-consul-poc" \
  -description "This is an auth method using kubernetes for the cluster skywiz-app-with-consul-client-poc" \
  -kubernetes-host "<k8s_endpoint_retrieved earlier>" \
  -kubernetes-ca-cert=@ca.crt \
  -kubernetes-service-account-jwt="<decoded_token_retrieved_earlier>"
- Next we need to create a policy and attach it to a new role. For this part you can use the Consul UI, but we'll use the command line.
- Write the policy:
### kv-custom-ns-policy.hcl
key_prefix "custom-ns/" {
policy = "write"
}
- Apply the policy:
consul acl policy create \
  -name kv-custom-ns-policy \
  -description "This is an example policy for kv at custom-ns/" \
  -rules @kv-custom-ns-policy.hcl
- Take the ID of the policy you just created from the output.
- Create a role with the new policy:
consul acl role create \
  -name "custom-ns-role" \
  -description "This is an example role for custom-ns namespace" \
  -policy-id <policy_id>
- Now we'll bind our new role to the auth method instance. Note that the "selector" flag determines whether our login request will receive this role. See here for the other selector options:
https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes
consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='custom-ns-role' \
  -selector='serviceaccount.namespace=="custom-ns"'
Final setup
Access rights
- Create the access rights. We need to give Consul permission to verify the K8s service account token and identify its owner.
- Write the following to a file [link]:
### skywiz-poc-consul-server_rbac.yaml
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: review-tokens
  namespace: default
subjects:
  - kind: ServiceAccount
    name: skywiz-app-with-consul-client-poc-consul-client
    namespace: default
roleRef:
  kind: ClusterRole
  name: system:auth-delegator
  apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: service-account-getter
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: get-service-accounts
  namespace: default
subjects:
  - kind: ServiceAccount
    name: skywiz-app-with-consul-client-poc-consul-client
    namespace: default
roleRef:
  kind: ClusterRole
  name: service-account-getter
  apiGroup: rbac.authorization.k8s.io
- Let's create the access rights:
kubectl create -f skywiz-poc-consul-server_rbac.yaml
Connecting to the Consul client
- As noted here, there are a few options for connecting to the daemonset, but we'll go with the following simple solution:
- Apply the following file [link]:
### poc-consul-client-ds-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: consul-ds-client
spec:
  selector:
    app: consul
    chart: consul-helm
    component: client
    hasDNS: "true"
    release: skywiz-app-with-consul-client-poc
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8500
- Then use the following command to create the configmap [link]. Note that it references our service name; change it if needed.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kube-dns
  namespace: kube-system
data:
  stubDomains: |
    {"consul": ["$(kubectl get svc consul-ds-client -o jsonpath='{.spec.clusterIP}')"]}
EOF
Testing the auth method
Now let's see the magic in action!
- Create a few more key folders with the same top-level key (e.g. /sample_key) and any value you like. Create the appropriate policies and roles for the new key paths. We'll do the bindings later.
Custom namespace test:
- Let's create our own namespace:
kubectl create namespace custom-ns
- Let's create a pod in our new namespace. Write the pod configuration:
### poc-ubuntu-custom-ns.yaml
apiVersion: v1
kind: Pod
metadata:
  name: poc-ubuntu-custom-ns
  namespace: custom-ns
spec:
  containers:
    - name: poc-ubuntu-custom-ns
      image: ubuntu
      command: ["/bin/bash", "-ec", "sleep infinity"]
  restartPolicy: Never
- Create the pod:
kubectl create -f poc-ubuntu-custom-ns.yaml
- Once the container is running, exec into it and install curl:
kubectl exec poc-ubuntu-custom-ns -n custom-ns -it /bin/bash
apt-get update && apt-get install curl -y
- Now we'll send a login request to Consul using the auth method we created earlier [link].
- To view the token injected for your service account:
cat /run/secrets/kubernetes.io/serviceaccount/token
- Write the following to a file inside the container (the AuthMethod is the name of the auth method instance created above):
### payload.json
{
  "AuthMethod": "auth-method-skywiz-consul-poc",
  "BearerToken": "<jwt_token>"
}
- Log in!
curl \
  --request POST \
  --data @payload.json \
  consul-ds-client.default.svc.cluster.local/v1/acl/login
- To do the steps above in one line (since we'll be running many tests), you can do the following (the inner quotes must be escaped, otherwise the shell swallows them and the JSON is invalid):
echo "{ \
  \"AuthMethod\": \"auth-method-skywiz-consul-poc\", \
  \"BearerToken\": \"$(cat /run/secrets/kubernetes.io/serviceaccount/token)\" \
}" \
| curl \
  --request POST \
  --data @- \
  consul-ds-client.default.svc.cluster.local/v1/acl/login
- It works! At least it should. Now take the SecretID and try to access the key/value we should have access to:
curl \
  consul-ds-client.default.svc.cluster.local/v1/kv/custom-ns/test_key --header "X-Consul-Token: <SecretID_from_prev_response>"
- You can base64-decode the "Value" and see that it matches the value at custom-ns/test_key in the UI. If you used the same value as above in this tutorial, your encoded value will be IkknbSBpbiB0aGUgY3VzdG9tLW5zIGZvbGRlciEi.
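The login and key read that the curl commands above perform, written the way the application inside the pod would do them in code. This is an added example, not code from the write-up or from Consul itself; it assumes the names used in this write-up (the consul-ds-client Service, the auth method auth-method-skywiz-consul-poc and the default token mount path) and uses only the Python standard library. It also makes explicit what the curl commands leave implicit: a 403 on the key read is an ACL denial, the returned Value is base64-encoded, and the issued token is logged out when the application is done with it.

```python
import base64
import json
import urllib.request
from urllib.error import HTTPError

# Assumed names, taken from the write-up: the Service that fronts the client
# daemonset, the auth method created on the server, and the token path that
# Kubernetes mounts into every pod by default.
CONSUL_URL = "http://consul-ds-client.default.svc.cluster.local"
AUTH_METHOD = "auth-method-skywiz-consul-poc"
SA_TOKEN_PATH = "/run/secrets/kubernetes.io/serviceaccount/token"


def build_login_payload(auth_method, bearer_token):
    """Body for POST /v1/acl/login. Letting json.dumps do the quoting avoids the
    nested-quote mistakes that creep into a shell one-liner."""
    return json.dumps({"AuthMethod": auth_method, "BearerToken": bearer_token})


def _request(method, url, body=None, token=None):
    """Minimal HTTP helper around urllib; Consul answers JSON or an empty body."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Consul-Token"] = token  # same header the curl examples use
    req = urllib.request.Request(
        url, data=body.encode() if body else None, method=method, headers=headers
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def read_service_account_token(path=SA_TOKEN_PATH):
    """The JWT Kubernetes injected for the pod's service account (Figure 2, step 1)."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def consul_login(base_url, auth_method, bearer_token):
    """Figure 2, step 2: exchange the service account JWT for a Consul token.
    Returns the SecretID; Consul answers 403 (raised as HTTPError) when no
    binding rule matched the verified identity."""
    payload = build_login_payload(auth_method, bearer_token)
    response = _request("POST", f"{base_url}/v1/acl/login", body=payload)
    return response["SecretID"]


def decode_kv_value(entry):
    """/v1/kv returns Value base64-encoded (the UI shows it decoded);
    a missing or null Value means the key exists but is empty."""
    if entry.get("Value") is None:
        return ""
    return base64.b64decode(entry["Value"]).decode("utf-8")


def consul_kv_get(base_url, token, key):
    """Read one key with the issued token. None means the key does not exist;
    PermissionError means the token's policies do not cover this prefix."""
    try:
        entries = _request("GET", f"{base_url}/v1/kv/{key}", token=token)
    except HTTPError as err:
        if err.code == 404:
            return None
        if err.code == 403:
            raise PermissionError(f"ACL denied read of {key}") from err
        raise
    return decode_kv_value(entries[0])


def consul_logout(base_url, token):
    """Auth-method tokens carry no TTL, so the write-up's conclusion suggests
    destroying them explicitly via /v1/acl/logout once the app is done."""
    _request("POST", f"{base_url}/v1/acl/logout", token=token)


def main():
    jwt = read_service_account_token()
    secret_id = consul_login(CONSUL_URL, AUTH_METHOD, jwt)
    try:
        print("custom-ns/test_key =", consul_kv_get(CONSUL_URL, secret_id, "custom-ns/test_key"))
        try:
            consul_kv_get(CONSUL_URL, secret_id, "custom-sa/test_key")
        except PermissionError as denied:
            print(denied)  # expected for a pod whose only matching binding is custom-ns-role
    finally:
        consul_logout(CONSUL_URL, secret_id)


if __name__ == "__main__":
    main()
```

Run it inside the poc-ubuntu-custom-ns pod (it needs Python in the image); decode_kv_value applied to the encoded value quoted above returns the string that was stored through the UI.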
Custom service account test:
- Create a custom ServiceAccount with the following command [link]:
kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: custom-sa
EOF
- Create a new pod configuration file. Note that I've included the curl installation to save a step :)
### poc-ubuntu-custom-sa.yaml
apiVersion: v1
kind: Pod
metadata:
  name: poc-ubuntu-custom-sa
  namespace: default
spec:
  serviceAccountName: custom-sa
  containers:
    - name: poc-ubuntu-custom-sa
      image: ubuntu
      command: ["/bin/bash", "-ec"]
      args: ["apt-get update && apt-get install curl -y; sleep infinity"]
  restartPolicy: Never
- Then open a shell inside the container:
kubectl exec -it poc-ubuntu-custom-sa /bin/bash
- Log in!
echo "{ \
  \"AuthMethod\": \"auth-method-skywiz-consul-poc\", \
  \"BearerToken\": \"$(cat /run/secrets/kubernetes.io/serviceaccount/token)\" \
}" \
| curl \
  --request POST \
  --data @- \
  consul-ds-client.default.svc.cluster.local/v1/acl/login
- Permission denied. Oh, we forgot to add the new binding rules with the appropriate permissions; let's do that now.
Repeat the previous steps:
a) Create the same Policy for the "custom-sa/" prefix.
b) Create a Role, name it "custom-sa-role".
c) Attach the Policy to the Role.
- Create a Rule-Binding (only possible from the cli/api). Note the different selector flag value:
consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='custom-sa-role' \
  -selector='serviceaccount.name=="custom-sa"'
- Log in again from the "poc-ubuntu-custom-sa" container. Success!
- Check our access to the custom-sa/ key path:
curl \
  consul-ds-client.default.svc.cluster.local/v1/kv/custom-sa/test_key --header "X-Consul-Token: <SecretID>"
- You can also verify that this token does not give you access to the "custom-ns/" kv. Just repeat the command above after replacing "custom-sa" with the "custom-ns" prefix.
Permission denied.
Overlap example:
- It's worth noting that all matching rule bindings are added to the token, with their permissions.
- Our "poc-ubuntu-custom-sa" container is in the default namespace, so let's use it for a different rule binding.
- Repeat the previous steps:
a) Create the same Policy for the "default/" key prefix.
b) Create a Role, name it "default-ns-role".
c) Attach the Policy to the Role.
- Create a Rule-Binding (only possible from the cli/api):
consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='default-ns-role' \
  -selector='serviceaccount.namespace=="default"'
- Go back to our "poc-ubuntu-custom-sa" container and try to access the "default/" kv path.
- Permission denied.
You can view the credentials attached to each token in the UI under ACL > Tokens. As you can see, our current token has only one role, "custom-sa-role", attached to it. The token we are using now was created when we logged in, and at that moment only one binding rule matched. We need to log in again and use the new token.
- Make sure you can read from both the "custom-sa/" and "default/" kv paths.
Success!
This is because our "poc-ubuntu-custom-sa" matches both the "custom-sa" and "default-ns" rule bindings.
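Steps 3 and 4 of Figure 3 and the overlap example just shown, modelled in a few lines of Python. This is an added illustration, not Consul's implementation: the selector evaluation covers only == and != comparisons joined with "and" (Consul's real selector grammar is richer), the identity attributes are constructed to mirror the two pods in this write-up, and the uid is a placeholder. It shows why the first login from poc-ubuntu-custom-sa received only custom-sa-role: the matching roles are snapshotted at the moment the token is issued, so a binding rule created afterwards only shows up on a fresh login.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """Trusted identity attributes the Kubernetes auth method derives from the
    TokenReview answer. Values are constructed; the uid is a placeholder."""
    namespace: str
    name: str
    uid: str = "00000000-0000-0000-0000-000000000000"

    def attributes(self):
        return {
            "serviceaccount.namespace": self.namespace,
            "serviceaccount.name": self.name,
            "serviceaccount.uid": self.uid,
        }


@dataclass(frozen=True)
class BindingRule:
    """One `consul acl binding-rule create` invocation."""
    method: str
    bind_type: str
    bind_name: str
    selector: str


# Only a subset of Consul's selector grammar is handled here: comparisons
# of the form  attr=="value"  or  attr!="value", joined with `and`.
_TERM = re.compile(r'^\s*([\w.]+)\s*(==|!=)\s*"([^"]*)"\s*$')


def selector_matches(selector, attrs):
    """Evaluate a selector against identity attributes; unknown syntax never matches."""
    if not selector.strip():
        return True  # an empty selector binds every identity the method verifies
    for term in selector.split(" and "):
        match = _TERM.match(term)
        if not match:
            return False
        key, op, wanted = match.groups()
        actual = attrs.get(key)
        if actual is None or (actual == wanted) != (op == "=="):
            return False
    return True


def login(method, identity, rules):
    """Figure 3, step 4: after the token is verified, the leader walks the
    method's binding rules and snapshots every matching role into the new
    token. Rules added later do not change tokens that already exist."""
    roles = sorted(
        rule.bind_name
        for rule in rules
        if rule.method == method
        and rule.bind_type == "role"
        and selector_matches(rule.selector, identity.attributes())
    )
    if not roles:
        raise PermissionError("Permission denied: no binding rule matched")
    return {"Roles": roles}


METHOD = "auth-method-skywiz-consul-poc"


def walk_through():
    """Replays the write-up's sequence: custom-ns pod, custom-sa pod, then the
    overlap once the default-ns rule exists. Returns the role lists in order."""
    rules = [
        BindingRule(METHOD, "role", "custom-ns-role", 'serviceaccount.namespace=="custom-ns"'),
        BindingRule(METHOD, "role", "custom-sa-role", 'serviceaccount.name=="custom-sa"'),
    ]
    # poc-ubuntu-custom-ns runs under the namespace's default service account
    custom_ns_pod = Identity(namespace="custom-ns", name="default")
    # poc-ubuntu-custom-sa runs as custom-sa in the default namespace
    custom_sa_pod = Identity(namespace="default", name="custom-sa")

    first = login(METHOD, custom_ns_pod, rules)["Roles"]
    second = login(METHOD, custom_sa_pod, rules)["Roles"]  # issued before the next rule exists
    rules.append(BindingRule(METHOD, "role", "default-ns-role", 'serviceaccount.namespace=="default"'))
    third = login(METHOD, custom_sa_pod, rules)["Roles"]  # a fresh login picks up both
    return first, second, third


if __name__ == "__main__":
    print(walk_through())
```

The "second" token keeps only custom-sa-role no matter how many rules are added later; only the re-login ("third") carries both roles, which is exactly what the ACL > Tokens view in the UI showed above.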
Conclusion
Token TTL management?
At the time of writing, there is no built-in way to set a TTL on the tokens generated by this auth method. It would be a great opportunity to provide secure automation of Consul authorization.
There is an option to create a token manually with a TTL:
https://www.consul.io/docs/acl/acl-system.html#acl-tokens
ExpirationTime - The time at which this token will be revoked. (Optional; added in Consul 1.5.0) - Only present for manual create/update
https://www.consul.io/api/acl/tokens.html#expirationtime
Hopefully in the near future we will be able to control how tokens are generated (per rule or per auth method) and add a TTL.
Until then, it is suggested that you use the logout endpoint in your logic.
https://www.consul.io/api/acl/acl.html#logout-from-auth-method https://www.consul.io/docs/acl/acl-auth-methods.html#overall-login-process
Source: www.habr.com