Project author: allposs

Project description: an example implementation of AuthN and AuthZ for k8s
Language: Go
Project address: git://github.com/allposs/k8s-webhook-example.git
Created: 2019-04-01T08:29:52Z
Project community: https://github.com/allposs/k8s-webhook-example

License: Other


k8s-webhook-example

k8s-webhook-example is an implementation template for Kubernetes authentication (AuthN) and authorization (AuthZ) webhooks.


Usage

Download a release, or build it yourself:

  $ CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build k8s-webhook-example
  $ CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build k8s-webhook-example

To get help:

  $ ./k8s-webhook-example --help
  k8s-webhook-example 1.0.1
  usage: k8s-webhook-example [options]
  Options:
    --port <80> Server Listen Port
    --ip <0.0.0.0> Web server Address
    --switch <false> Webhook TLS switch
    --certFile <config/webhook/TLS/server/server.crt> TLS cert file path
    --keyFile <config/webhook/TLS/server/server.key> TLS key file path
    --caFile <config/webhook/TLS/ca/ca.crt> TLS ca file path
  Examples:
    Default webhook Server
    $ k8s-webhook-example
    k8s-webhook-example Listen 127.0.0.1:80 and TLS is false
    $ k8s-webhook-example --port 80 --ip 127.0.0.1 --switch false

Example

Run k8s-webhook-example on port 80 of the machine and turn off TLS.

  $ k8s-webhook-example --port 80 --ip 127.0.0.1 --switch false

Modify the AuthN.yaml and AuthZ.yaml files (both are in kubeconfig format).

1. AuthN.yaml

Comment out the TLS-related lines:

  certificate-authority: /data/webhook/TLS/ca/ca.crt
  client-certificate: /data/webhook/TLS/client/client.crt
  client-key: /data/webhook/TLS/client/client.key

and set the server address:

  server: https://<k8s-webhook-example address>/api/v1/AuthN

2. AuthZ.yaml

Comment out the TLS-related lines:

  certificate-authority: /data/webhook/TLS/ca/ca.crt
  client-certificate: /data/webhook/TLS/client/client.crt
  client-key: /data/webhook/TLS/client/client.key

and set the server address:

  server: https://<k8s-webhook-example address>/api/v1/AuthZ

Start minikube

Without a proxy:

  $ minikube start

With a proxy:

  $ minikube start --registry-mirror=https://registry.docker-cn.com --docker-env HTTP_PROXY=http://<proxy address:port> --docker-env HTTPS_PROXY=http://<proxy address:port>

Copy AuthN.yaml and AuthZ.yaml to the /data/webhook directory inside minikube. The minikube /User directory is shared with the host user directory, so the files can be copied that way; any other method works too.

  $ minikube ssh

Modify the kube-apiserver.yaml file

  $ vi /etc/kubernetes/manifests/kube-apiserver.yaml

Modify this line:

  - --authorization-mode=Node,RBAC,Webhook

Add these lines:

  - --runtime-config=authentication.k8s.io/v1beta1=true
  - --authorization-webhook-config-file=/data/webhook/AuthZ.yaml
  - --authorization-webhook-cache-authorized-ttl=5m
  - --authorization-webhook-cache-unauthorized-ttl=30s
  - --authentication-token-webhook-config-file=/data/webhook/AuthN.yaml
  - --authentication-token-webhook-cache-ttl=5m
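The contract the two endpoints configured above have to implement, as an added Go example (not the project's own code): kube-apiserver POSTs a TokenReview to /api/v1/AuthN and a SubjectAccessReview to /api/v1/AuthZ, and the webhook returns the same object with its status filled in. The token table and the "readers"/"admins" policy are constructed for illustration; each HTTP handler would just JSON-decode the POSTed object, call the matching function, and JSON-encode the result.

```go
package main

// Reduced wire formats of TokenReview (authentication.k8s.io/v1beta1) and SubjectAccessReview
// (authorization.k8s.io/v1beta1): kube-apiserver POSTs one, the webhook returns it with status filled in.
type UserInfo struct {
	Username string   `json:"username"`
	Groups   []string `json:"groups,omitempty"`
}
type TokenReview struct {
	APIVersion string                               `json:"apiVersion"`
	Kind       string                               `json:"kind"`
	Spec       struct{ Token string `json:"token"` } `json:"spec"`
	Status     struct { Authenticated bool `json:"authenticated"`; User *UserInfo `json:"user,omitempty"` } `json:"status"`
}
type SubjectAccessReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		ResourceAttributes *struct{ Verb string `json:"verb"` } `json:"resourceAttributes,omitempty"` // nil for non-resource URLs
		Groups             []string                            `json:"groups"`
	} `json:"spec"`
	Status struct { Allowed bool `json:"allowed"`; Reason string `json:"reason,omitempty"` } `json:"status"`
}

// Constructed token table standing in for a real identity store (an assumption, not the project's data).
var tokens = map[string]UserInfo{"tok-alice": {"alice", []string{"readers"}}, "tok-bob": {"bob", []string{"admins"}}}

// ReviewToken answers AuthN: a known bearer token yields authenticated=true plus the user's identity;
// anything else stays authenticated=false, so kube-apiserver rejects the request.
func ReviewToken(tr TokenReview) TokenReview {
	if u, ok := tokens[tr.Spec.Token]; ok {
		tr.Status.Authenticated, tr.Status.User = true, &u
	}
	return tr
}

// ReviewAccess answers AuthZ deny-by-default: admins may do anything, readers only get/list/watch.
func ReviewAccess(sar SubjectAccessReview) SubjectAccessReview {
	ra := sar.Spec.ResourceAttributes
	readOnly := ra != nil && (ra.Verb == "get" || ra.Verb == "list" || ra.Verb == "watch")
	for _, g := range sar.Spec.Groups {
		if g == "admins" || (g == "readers" && readOnly) {
			sar.Status.Allowed = true
			return sar
		}
	}
	sar.Status.Reason = "no policy grants this request"
	return sar
}
```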