使用oc(同kubectl)命令访问apiserver资源的时候,会使用到/root/.kube/config文件中使用的配置。
使用user访问apiserver
oc命令使用config中定义的user和证书(公钥和私钥)访问apiserver。使用如下命令查看当前使用的config上下文:monitor为当前的namespace,test-openshfit-com:8443为apiserver暴露的server,system:admin为访问apiserver使用的user名称
# oc config current-context monitor/test-openshfit-com:8443/system:admin
查看system:admin对应的证书(下面使用变量代替)
users: - name: system:admin/test-openshift-com:8443 user: client-certificate-data: ${CA} client-key-data: ${KEY}
导出证书,将下面decode出的内容分别保存到/home/ca.cert,/home/ca.key
# echo -n ${CA}|base64 --decode #/home/ca.cert
# echo -n ${KEY}|base64 --decode #/home/ca.key
使用如下方式即可访问cluster范围内的资源,该方式与oc命令的原理一样。下面以访问servers为例
APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}') curl $APISERVER/api/v1/services --cert /home/ca.cert --key /home/ca.key --user system:admin
使用serviceaccount访问apiserver
serviceaccount除了可以为pod提供secret外,还可以作为访问apiserver资源的凭证。使用如下命令创建一个名为curltest的serviceaccount,并获取其token
oc create serviceaccount curltest APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}') TOKEN=$(oc serviceaccounts get-token curltest)
使用如下命令进行rolebinding之后就可以查看namespaces为monitor下面的资源,但不可以查看其他namespace的资源。system:master可以看作一个超级账户,可参见user-facing-roles
oc policy add-role-to-user system:master -z curltest curl $APISERVER/api/v1/namespaces/monitor/services --header "Authorization: Bearer $TOKEN"
使用下面命令查看当前rolebinding情况,可以查看当前serveraccount可进行的操作权限。注:openshift的add-role-to-user/add-cluster-role-to-user其实就是kubernetes进行rolebinding/clusterrolebinding的操作,将一个role权限赋予一个user或serviceaccount。
# oc describe rolebinding system:master Name: system:master Namespace: monitor Created: 5 minutes ago Labels: <none> Annotations: <none> Role: /system:master Users: <none> Groups: <none> ServiceAccounts: curltest Subjects: <none> Verbs Non-Resource URLs Resource Names API Groups Resources [*] [] [] [*] [*] [*] [*] [] [] []
使用如下命令进行clusterrolebinding之后就可以访问cluster范围内的资源,首先需要删除先前的rolebinding
oc policy remove-role-from-user system:master -z curltest oadm policy add-cluster-role-to-user system:master -z curltest TOKEN=$(oc serviceaccounts get-token curltest) curl $APISERVER/api/v1/services --header "Authorization: Bearer $TOKEN"
查看clusterrolebinding情况
# oc describe clusterrolebinding system:master Name: system:masters Created: 2 weeks ago Labels: <none> Annotations: <none> Role: /system:master Users: <none> Groups: system:masters ServiceAccounts: monitor/curltest Subjects: <none> Verbs Non-Resource URLs Resource Names API Groups Resources [*] [] [] [*] [*] [*] [*] [] [] []
环境清理
oadm policy remove-cluster-role-from-user system:master -z liu oc delete sa curltest
PS:
- 使用kubectl get RESOURECE -v=NUM可以查看kubectl的与apiserver的交互,RESOURECE为pod,service等;NUM取值为6-8
参考:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
https://docs.openshift.com/container-platform/3.5/rest_api/index.html
https://docs.openshift.com/container-platform/3.9/admin_guide/manage_rbac.html
https://docs.openshift.com/enterprise/3.0/admin_guide/manage_authorization_policy.html