1、使用证书访问集群
从kubeconfig文件中提取并解码证书
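# Extract the client certificate, client key and cluster CA from the current
# kubeconfig. Match the full "*-data" key names so that grep does not also
# catch the file-path form (e.g. "client-certificate: /path"), and take the
# last whitespace-separated field instead of `cut -f 6`, which only works for
# one exact indentation depth of the file.
# NOTE(review): assumes a kubeconfig with a single cluster/user entry; with
# several entries each grep matches more than one line — confirm before use.
grep 'client-certificate-data' ~/.kube/config | awk '{print $NF}' | base64 -d > client.pem
grep 'client-key-data' ~/.kube/config | awk '{print $NF}' | base64 -d > client-key.pem
grep 'certificate-authority-data' ~/.kube/config | awk '{print $NF}' | base64 -d > ca.pem
# The decoded private key is a credential: keep it readable by the owner only.
chmod 600 client-key.pem
# Authenticate with the client certificate and verify the server against the
# cluster CA just extracted (no -k needed).
curl --cert ./client.pem --key ./client-key.pem --cacert ./ca.pem https://10.202.62.179:6443/api/v1/pods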
2、使用Token访问集群
确认Apiserver是否开启Token认证
[root@10 manifests]# cat /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --enable-aggregator-routing=true
- --service-node-port-range=10000-60000
- --advertise-address=10.202.62.179
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --bind-address=10.202.62.179
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --enable-admission-plugins=NamespaceLifecycle,NamespaceExists,LimitRanger,ResourceQuota,ServiceAccount,MutatingAdmissionWebhook,ValidatingAdmissionWebhook
- --enable-bootstrap-token-auth=true # 此处应为true
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
访问方法:
# Bearer-token access: replace <token> with a service-account token
# (how to obtain one is shown further down the page).
curl -H "Authorization: Bearer <token>" \
  https://hostname:6443/api/v1/pods
创建admin-user ServiceAccount 并绑定 cluster-admin 角色
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kube-system
获取token
# Show the token secret of the admin-user ServiceAccount; "xxx" stands for the
# random suffix of the secret name (the example output below uses 8rl9w).
kubectl -n kube-system describe secret admin-user-token-xxx
[root@10 ~]# kubectl describe secret admin-user-token-8rl9w -n kube-system
Name: admin-user-token-8rl9w
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin-user
kubernetes.io/service-account.uid: 16d91047-0775-4494-a8c2-53c2111f3427
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 526 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImwtZE5GTXVvVENmWGJQblBTZWFiUGFHMHB0WTdZMzAwM1I5bkl1MXUzeUkifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLThybDl3Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxNmQ5MTA0Ny0wNzc1LTQ0OTQtYThjMi01M2MyMTExZjM0MjciLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.DAeWX3Sxr-2cTmyRQB8CKE58LPh3PncbFKJIG74qeVujk94-sHxtYrEn_11sCHw59JCuGTrzaCDOErZX1PRWkYG1I15qG2rfctv8lMwpfJhjiNm-vjx8JdPsav96X4WC4p8T73Pc_7fnBceSYKwqYh3VN14SI_Gdx-uWbFF91GZtnYeqXDsZPp5kuUuaU17ek4u2NFdvrW-FUbNqurR-3IFloq5uB_8bHAE25Kyasq_gi0DZt7WWLBy5IqURfuYNzOFlZ02IOCA7Xw_zGwFIV4ieDGGi-8F6nIx-EsJNWEAzks0ceYfd9rXMQNth5VAU1Kc6ZZaieo6yDE_VUnAFHQ
访问集群
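# Read the token from the secret instead of pasting it into the command line:
# the inline copy here no longer matches the one in the describe output above
# (it appears to have lost a character), and a literal token in argv also
# ends up in shell history and in `ps` output.
TOKEN=$(kubectl -n kube-system get secret admin-user-token-8rl9w -o jsonpath='{.data.token}' | base64 -d)
# Verify the server certificate against the cluster CA extracted in section 1
# rather than disabling verification with -k.
# NOTE(review): this endpoint (10.202.62.178:8443) differs from the API
# server's bind address (10.202.62.179:6443); if it is a front-end proxy with
# its own certificate, point --cacert at that proxy's CA instead.
curl --cacert ./ca.pem --header "Authorization: Bearer ${TOKEN}" https://10.202.62.178:8443/api/v1/pods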