Introduction to Hashicorp Consul's Kubernetes Authorization

That's right: since the release of Hashicorp Consul 1.5.0 in early May 2019, Consul can natively authorize applications and services running in Kubernetes.

In this tutorial we will build, step by step, a POC (proof of concept) that demonstrates this new feature. Basic knowledge of Kubernetes and Hashicorp's Consul is assumed. Although you can use any cloud platform or on-premises environment, in this tutorial we will use Google Cloud Platform.

Overview

If we turn to the Consul documentation on its auth methods, we get a quick overview of their purpose and use case, together with some technical details and a general conceptual picture. I strongly recommend reading it at least once before continuing, since I will now explain and chew through all of it.

Figure 1: Official overview of the Consul auth method

Let's look into the documentation for the specific Kubernetes auth method.

Sure, there is useful information there, but there is no guide on how to actually use all of it. So, like any sane person, you search the internet for a guide. And then... you fail. It happens. Let's fix that.

Before we move on to creating our POC, let's go back to the overview of Consul auth methods (Figure 1) and refine it in the context of Kubernetes.

Architecture

In this tutorial we will create a Consul server on a separate machine that communicates with a Kubernetes cluster that has a Consul client installed. We will then create a dummy application in a pod and use our configured auth method to read from our Consul key/value store.

The diagram below describes the infrastructure we build in this tutorial, together with the logic of the auth method, which is explained later.

Figure 2: Kubernetes auth method overview

A quick note: the Consul server does not have to live outside the Kubernetes cluster for this to work. But yes, it can be done either way.

So, taking the Consul overview diagram (Figure 1) and applying Kubernetes to it, we get the diagram above (Figure 2), and the logic goes like this:

  1. Each pod has a service account attached to it that carries a JWT token generated by, and known to, Kubernetes. This token is mounted into the pod by default.
  2. Our application or service inside the pod issues a login command to our Consul client. The login request includes our token and the name of a specially created auth method (of type Kubernetes). This step #2 corresponds to step 1 of the Consul diagram (Figure 1).
  3. Our Consul client then forwards this request to our Consul server.
  4. MAGIC! This is where the Consul server verifies the authenticity of the request, gathers information about the identity behind it and compares that identity with any previously defined, associated rules. Below is another diagram illustrating this. This step corresponds to steps 3, 4 and 5 of the Consul overview diagram (Figure 1).
  5. Our Consul server generates a Consul token with permissions according to the auth method rules we defined, based on who made the request. It then sends that token back. This corresponds to step 6 of the Consul diagram (Figure 1).
  6. Our Consul client forwards the token to the requesting application or service.

Our application or service can now use this Consul token to work with our Consul data, as far as the token's permissions allow.

The magic revealed!

For those who are not satisfied with a rabbit pulled out of a hat and want to know how it works... let me show you how deep the rabbit hole goes.

As mentioned earlier, our "magic" step (Figure 2: step 4) is where the Consul server verifies the request, gathers information about it and compares it with any previously defined, associated rules. This step corresponds to steps 3, 4 and 5 of the Consul overview diagram (Figure 1). Below is a diagram (Figure 3) whose purpose is to show clearly what actually happens under the hood of the specific Kubernetes auth method.

Figure 3: The magic revealed!

  1. As the starting point, our Consul client forwards the login request to our Consul server together with the Kubernetes service account token and the name of the specific auth method instance created earlier. This step corresponds to step 3 in the explanation of the previous diagram.
  2. Now the Consul server (or rather, the leader) needs to verify the authenticity of the received token. So it contacts the Kubernetes cluster (via the Consul client) and, given the appropriate permissions, learns whether the token is genuine and whom it belongs to.
  3. The verified request is returned to the Consul leader, and the Consul server looks up the auth method instance with the name given in the login request (and of type Kubernetes).
  4. The Consul leader identifies the named auth method instance (if found) and reads the set of binding rules attached to it. It then evaluates these rules against the verified identity attributes.
  5. TA-dah! Let's move on to step 5 in the explanation of the previous diagram.

Starting the Consul server on a plain virtual machine

From here on I will mostly give the instructions for building this POC as bullet points, without full-sentence explanations. Also, as noted at the start, I will use GCP to create all the infrastructure, but you can build the same infrastructure elsewhere.

  • Start a virtual machine (instance/server).

  • Create a firewall rule (a security group in AWS):
  • I like to give the rule and the network tag the same name as the machine, in this case "skywiz-consul-server-poc".
  • Find your computer's IP address and add it to the list of source IP addresses so that we can reach the user interface (UI).
  • Open port 8500 for the UI. Click Create. We will change this firewall rule again shortly [link].
  • Add the firewall rule to the instance. Go back to the VM dashboard of the Consul server and add "skywiz-consul-server-poc" to the network tags field. Click Save.

  • Install Consul on the virtual machine, see here. Remember that you need Consul version ≥ 1.5 [link]
  • Let's set up a single-node Consul; the configuration is as follows.

groupadd --system consul
useradd -s /sbin/nologin --system -g consul consul
mkdir -p /var/lib/consul
chown -R consul:consul /var/lib/consul
chmod -R 775 /var/lib/consul
mkdir /etc/consul.d
chown -R consul:consul /etc/consul.d

  • For a more detailed guide to installing Consul and setting up a 3-node cluster, see here.
  • Create the file /etc/consul.d/agent.json as follows [link]:

### /etc/consul.d/agent.json
{
  "acl" : {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true
  }
}

  • Start our Consul server:

consul agent \
  -server \
  -ui \
  -client 0.0.0.0 \
  -data-dir=/var/lib/consul \
  -bootstrap-expect=1 \
  -config-dir=/etc/consul.d

  • You should see a lot of output that ends with "... update blocked by ACLs."
  • Find the external IP address of the Consul server and open a browser at that IP on port 8500. Make sure the UI opens.
  • Try adding a key/value pair. It should fail with an error. This is because we started the Consul server with ACLs enabled and a default policy of deny.
  • Go back to your shell on the Consul server, start the process in the background (or keep it running some other way), and enter the following:

consul acl bootstrap

  • Take the "SecretID" value and go back to the UI. On the ACL tab, enter the secret ID of the token you just copied. Save the SecretID somewhere else too; we will need it later.
  • Now add a key/value pair. For this POC, add the following: key: "custom-ns/test_key", value: "I'm in the custom-ns folder!"

Setting up the Kubernetes cluster for our application, with the Consul client as a DaemonSet

  • Create a K8s (Kubernetes) cluster. We will create it in the same region as the server for fast access, and so that we can use the same subnet and easily connect over internal IP addresses. We will call it "skywiz-app-with-consul-client-poc".

  • As a side note, here is a good tutorial I found while setting up a POC Consul cluster with Consul Connect.
  • We will also use Hashicorp's Helm chart with an extended values file.
  • Install and configure Helm. Setup steps:

kubectl create serviceaccount tiller --namespace kube-system
kubectl create clusterrolebinding tiller-admin-binding \
   --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
./helm init --service-account=tiller
./helm update

### poc-helm-consul-values.yaml
global:
  enabled: false
  image: "consul:latest"
# Expose the Consul UI through this LoadBalancer
ui:
  enabled: false
# Allow Consul to inject the Connect proxy into Kubernetes containers
connectInject:
  enabled: false
# Configure a Consul client on Kubernetes nodes. GRPC listener is required for Connect.
client:
  enabled: true
  join: ["<PRIVATE_IP_CONSUL_SERVER>"]
  # extraConfig is a block scalar, so the JSON must be indented under it
  extraConfig: |
    {
      "acl" : {
        "enabled": true,
        "default_policy": "deny",
        "enable_token_persistence": true
      }
    }
# Minimal Consul configuration. Not suitable for production.
server:
  enabled: false
# Sync Kubernetes and Consul services
syncCatalog:
  enabled: false

  • Install the Helm chart:

./helm install -f poc-helm-consul-values.yaml ./consul-helm --name skywiz-app-with-consul-client-poc

  • When it tries to start, it will need access to the Consul server, so let's grant it.
  • Note the "Pod address range" shown in the cluster dashboard and go back to our firewall rule "skywiz-consul-server-poc".
  • Add the pod address range to the list of source IP addresses and open ports 8301 and 8300.

  • Go to the Consul UI; after a few minutes you will see our cluster appear on the Nodes tab.

Configuring the auth method by integrating Consul with Kubernetes

  • Go back to the shell on the Consul server and export the token you saved earlier:

export CONSUL_HTTP_TOKEN=<SecretID>

  • We need some information from our Kubernetes cluster to create the auth method instance:
  • kubernetes-host

kubectl get endpoints | grep kubernetes

  • kubernetes-service-account-jwt

kubectl get sa <helm_deployment_name>-consul-client -o yaml | grep "- name:"
kubectl get secret <secret_name_from_prev_command> -o yaml | grep token:

  • The token is base64-encoded, so decode it with your favourite tool [link]
  • kubernetes-ca-cert

kubectl get secret <secret_name_from_prev_command> -o yaml | grep ca.crt:

  • Take the "ca.crt" certificate (after base64 decoding) and write it to a file named "ca.crt".
  • Now create the auth method, substituting the placeholders with the values you just obtained.

consul acl auth-method create \
  -type "kubernetes" \
  -name "auth-method-skywiz-consul-poc" \
  -description "This is an auth method using kubernetes for the cluster skywiz-app-with-consul-client-poc" \
  -kubernetes-host "<k8s_endpoint_retrieved earlier>" \
  -kubernetes-ca-cert=@ca.crt \
  -kubernetes-service-account-jwt="<decoded_token_retrieved_earlier>"

  • Next we need to create a policy and attach it to a new role. For this part you could use the Consul UI, but we will use the command line.
  • Write the policy

### kv-custom-ns-policy.hcl
key_prefix "custom-ns/" {
  policy = "write"
}

  • Apply the policy

consul acl policy create \
  -name kv-custom-ns-policy \
  -description "This is an example policy for kv at custom-ns/" \
  -rules @kv-custom-ns-policy.hcl

  • Take the ID of the policy you just created from the output.
  • Create a role with the new policy, then a binding rule that maps identities to the role.

consul acl role create \
  -name "custom-ns-role" \
  -description "This is an example role for custom-ns namespace" \
  -policy-id <policy_id>

consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='custom-ns-role' \
  -selector='serviceaccount.namespace=="custom-ns"'

Final setup

Access permissions

  • Create the access permissions. We need to give Consul permission to verify K8s service account tokens and look up the identity behind them.
  • Write the following to a file [link]:

### skywiz-poc-consul-server_rbac.yaml
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: review-tokens
  namespace: default
subjects:
- kind: ServiceAccount
  name: skywiz-app-with-consul-client-poc-consul-client
  namespace: default
roleRef:
  kind: ClusterRole
  name: system:auth-delegator
  apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: service-account-getter
  namespace: default
rules:
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: get-service-accounts
  namespace: default
subjects:
- kind: ServiceAccount
  name: skywiz-app-with-consul-client-poc-consul-client
  namespace: default
roleRef:
  kind: ClusterRole
  name: service-account-getter
  apiGroup: rbac.authorization.k8s.io

  • Let's create the access permissions

kubectl create -f skywiz-poc-consul-server_rbac.yaml

Connecting to the Consul client

  • As noted here, there are a few options for connecting to the DaemonSet, but we will go with the following simple solution:
  • Apply the following file [link].

### poc-consul-client-ds-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: consul-ds-client
spec:
  selector:
    app: consul
    chart: consul-helm
    component: client
    hasDNS: "true"
    release: skywiz-app-with-consul-client-poc
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8500

  • Then use the following command to create the configmap [link]. Note that it references the name of our service; change it if needed.

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kube-dns
  namespace: kube-system
data:
  stubDomains: |
    {"consul": ["$(kubectl get svc consul-ds-client -o jsonpath='{.spec.clusterIP}')"]}
EOF

Testing the auth method

Now let's see the magic in action!

  • Create a few more key folders with the same top-level key (i.e. /sample_key) and any value you like. Create the appropriate policies and roles for the new key paths. We will create the bindings later.

Custom namespace test:

  • Let's create our own namespace:

kubectl create namespace custom-ns

  • Let's create a pod in our new namespace. Write the pod configuration.

### poc-ubuntu-custom-ns.yaml
apiVersion: v1
kind: Pod
metadata:
  name: poc-ubuntu-custom-ns
  namespace: custom-ns
spec:
  containers:
  - name: poc-ubuntu-custom-ns
    image: ubuntu
    command: ["/bin/bash", "-ec", "sleep infinity"]
  restartPolicy: Never

  • Create the pod:

kubectl create -f poc-ubuntu-custom-ns.yaml

  • Once the container is running, open a shell in it and install curl.

kubectl exec poc-ubuntu-custom-ns -n custom-ns -it /bin/bash
apt-get update && apt-get install curl -y

  • Now we will send a login request to Consul using the auth method we created earlier [link].
  • To view the token mounted for your service account:

cat /run/secrets/kubernetes.io/serviceaccount/token

  • Write the following to a file inside the container (AuthMethod is the name of the auth method created earlier):

### payload.json
{
  "AuthMethod": "auth-method-skywiz-consul-poc",
  "BearerToken": "<jwt_token>"
}

  • Log in!

curl \
  --request POST \
  --data @payload.json \
  consul-ds-client.default.svc.cluster.local/v1/acl/login

  • To do the above steps in a single command (since we will be running many tests), you can do the following:

echo "{
  \"AuthMethod\": \"auth-method-skywiz-consul-poc\",
  \"BearerToken\": \"$(cat /run/secrets/kubernetes.io/serviceaccount/token)\"
}" \
| curl \
  --request POST \
  --data @- \
  consul-ds-client.default.svc.cluster.local/v1/acl/login

  • It works! At least it should. Now take the SecretID and try to read the key/value we should have access to.

curl \
  consul-ds-client.default.svc.cluster.local/v1/kv/custom-ns/test_key \
  --header "X-Consul-Token: <SecretID_from_prev_response>"

  • You can base64-decode the "Value" and see that it matches the value of custom-ns/test_key in the UI. If you used the same value as above in this tutorial, your encoded value will be IkknbSBpbiB0aGUgY3VzdG9tLW5zIGZvbGRlciEi.

Custom service account test:

  • Create a custom ServiceAccount with the following command [link].

kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: custom-sa
EOF

  • Create a new pod configuration file. Note that I have included the curl installation to save some work :)

### poc-ubuntu-custom-sa.yaml
apiVersion: v1
kind: Pod
metadata:
  name: poc-ubuntu-custom-sa
  namespace: default
spec:
  serviceAccountName: custom-sa
  containers:
  - name: poc-ubuntu-custom-sa
    image: ubuntu
    command: ["/bin/bash","-ec"]
    args: ["apt-get update && apt-get install curl -y; sleep infinity"]
  restartPolicy: Never

  • After that, open a shell inside the container.

kubectl exec -it poc-ubuntu-custom-sa /bin/bash

  • Log in!

echo "{
  \"AuthMethod\": \"auth-method-skywiz-consul-poc\",
  \"BearerToken\": \"$(cat /run/secrets/kubernetes.io/serviceaccount/token)\"
}" \
| curl \
  --request POST \
  --data @- \
  consul-ds-client.default.svc.cluster.local/v1/acl/login

  • Permission denied. Oh, we forgot to add new binding rules with the appropriate permissions; let's do that now.

Repeat the previous steps from above:
a) Create the same Policy for the "custom-sa/" prefix.
b) Create a Role, name it "custom-sa-role"
c) Attach the Policy to the Role.

  • Create the binding rule (only possible from the CLI/API). Note the different selector expression.

consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='custom-sa-role' \
  -selector='serviceaccount.name=="custom-sa"'

  • Log in again from the "poc-ubuntu-custom-sa" container. Success!
  • Check our access to the "custom-sa/" key path.

curl \
  consul-ds-client.default.svc.cluster.local/v1/kv/custom-sa/test_key \
  --header "X-Consul-Token: <SecretID>"

  • You can also verify that this token does not give access to the "custom-ns/" kv path. Just repeat the command above with the "custom-sa" prefix replaced by "custom-ns".
    Permission denied.

Overlapping rules example:

  • It is worth noting that every binding rule that matches is added to the token together with its permissions.
  • Our "poc-ubuntu-custom-sa" container lives in the default namespace, so let's use it for a different binding rule.
  • Repeat the previous steps:
    a) Create the same Policy for the "default/" key prefix.
    b) Create a Role, name it "default-ns-role"
    c) Attach the Policy to the Role.
  • Create the binding rule (only possible from the CLI/API)

consul acl binding-rule create \
  -method=auth-method-skywiz-consul-poc \
  -bind-type=role \
  -bind-name='default-ns-role' \
  -selector='serviceaccount.namespace=="default"'

  • Go back to our "poc-ubuntu-custom-sa" container and try to read the "default/" kv path.
  • Permission denied.
    You can view the credentials assigned to each token in the UI under ACL > Tokens. As you can see, our current token has only the one role, "custom-sa-role", attached to it. The token we are using now was generated when we logged in, and at that time only one binding rule matched. We need to log in again and use the new token.
  • Make sure you can read from both the "custom-sa/" and the "default/" kv paths.
    Success!
    This is because our "poc-ubuntu-custom-sa" matches both the "custom-sa" and the "default-ns" binding rules.
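To make the rule evaluation of Figure 3 (step 4) and the overlapping-rules example above concrete, here is an added Python model that is not Consul's own code: it takes the identity a Kubernetes TokenReview reports, evaluates the selector subset used on this page against a constructed list of binding rules, and shows why a login token is a snapshot of whichever rules matched at login time.

```python
import re
from dataclasses import dataclass

@dataclass
class BindingRule:
    """One 'consul acl binding-rule create' entry: selector, bind type, bind name."""
    selector: str   # e.g. 'serviceaccount.namespace=="custom-ns"'; empty matches everyone
    bind_type: str  # "role" on this page; Consul also supports "service"
    bind_name: str

def identity_from_username(username: str) -> dict:
    """Map the username a Kubernetes TokenReview reports for a verified
    service-account JWT ("system:serviceaccount:<ns>:<name>") onto the two
    variables Consul exposes to Kubernetes auth-method selectors."""
    parts = username.split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        raise ValueError(f"not a service-account identity: {username!r}")
    return {"serviceaccount.namespace": parts[2], "serviceaccount.name": parts[3]}

# Selector subset used on this page: key=="v" / key!="v" terms, optionally
# joined with ' and '. Consul's real selector language is richer than this.
_TERM = re.compile(r'^\s*([\w.]+)\s*(==|!=)\s*"([^"]*)"\s*$')

def selector_matches(selector: str, identity: dict) -> bool:
    if not selector.strip():
        return True  # an empty selector matches every verified identity
    for term in selector.split(" and "):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unsupported selector term: {term!r}")
        key, op, expected = m.groups()
        if (identity.get(key) == expected) != (op == "=="):
            return False
    return True

def login(username: str, rules: list) -> list:
    """Roles the token from /v1/acl/login would carry. Every rule of the auth
    method is evaluated once, at login time, and all matches contribute; if
    nothing matches, Consul rejects the login (403 Permission denied)."""
    identity = identity_from_username(username)
    roles = sorted({r.bind_name for r in rules
                    if r.bind_type == "role" and selector_matches(r.selector, identity)})
    if not roles:
        raise PermissionError(f"no binding rule matched {username}")
    return roles

# Binding rules as they exist at the end of the tutorial (constructed list).
RULES_FINAL = [
    BindingRule('serviceaccount.namespace=="custom-ns"', "role", "custom-ns-role"),
    BindingRule('serviceaccount.name=="custom-sa"', "role", "custom-sa-role"),
    BindingRule('serviceaccount.namespace=="default"', "role", "default-ns-role"),
]

if __name__ == "__main__":
    # poc-ubuntu-custom-ns: the default service account of namespace custom-ns
    print(login("system:serviceaccount:custom-ns:default", RULES_FINAL))
    # poc-ubuntu-custom-sa matches two rules, so a fresh token carries both roles...
    print(login("system:serviceaccount:default:custom-sa", RULES_FINAL))
    # ...but a token obtained before the default-ns rule existed stays stale
    print(login("system:serviceaccount:default:custom-sa", RULES_FINAL[:2]))
```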

Conclusion

Token TTL management?

At the time of writing there is no built-in way to set a TTL on the tokens generated by this auth method. That would be a great opportunity to provide secure automation of Consul authorization.

There is an option to create a token manually with a TTL:

Hopefully in the near future we will be able to control how tokens are generated (per rule or per auth method) and add a TTL.

Until then, it is suggested that you use the logout endpoint in your logic.

Source: www.habr.com
