This article covers a question about simple authentication for Kubernetes and its recommended answer; it may serve as a reference for readers facing the same problem.

Problem description

I am using Kubernetes on a CoreOS cluster hosted on DigitalOcean, and I am using this repo to set it up. I start the apiserver with the following line:

/opt/bin/kube-apiserver --runtime-config=api/v1 --allow-privileged=true \
  --insecure-bind-address=0.0.0.0 --insecure-port=8080 \
  --secure-port=6443 --etcd-servers=http://127.0.0.1:2379 \
  --logtostderr=true --advertise-address=${COREOS_PRIVATE_IPV4} \
  --service-cluster-ip-range=10.100.0.0/16 --bind-address=0.0.0.0

The problem is that it accepts requests from anyone! I want to be able to provide a simple user/password authentication. I have been reading this and this, and it seems that I have to do something like the below, but I cannot afford to take the cluster down for a long period of time, so I need your guys' help with this one. Btw, my pods do not create other pods, so I only need a few users, like 1/2 for devs and 1 for CI.

I am thinking of doing something like including the authorization-mode and authorization-policy-file flags, as they seem required, and making the insecure-bind-address localhost so it is only available locally. Am I missing something?

/opt/bin/kube-apiserver --runtime-config=api/v1 --allow-privileged=true \
  --authorization-mode=ABAC --authorization-policy-file=/access.json \
  --insecure-bind-address=127.0.0.1 --insecure-port=8080 \
  --secure-port=6443 --etcd-servers=http://127.0.0.1:2379 \
  --logtostderr=true --advertise-address=${COREOS_PRIVATE_IPV4} \
  --service-cluster-ip-range=10.100.0.0/16 --bind-address=0.0.0.0

{"user":"admin"}
{"user":"wercker"}
{"user":"dev1"}
{"user":"dev2"}

But where are the passwords? How do I actually make the request with kubectl and curl or httpie?

Recommended answer

If you want your users to authenticate using HTTP Basic Auth (user:password), you can add:

--basic-auth-file=/basic_auth.csv

to your kube-apiserver command line, where each line of the file should be password, user-name, user-id. E.g.:

@dm1nP@ss,admin,admin
w3rck3rP@ss,wercker,wercker
etc...

If you'd rather use access tokens (HTTP Authentication: Bearer), you can specify:

--token-auth-file=/known-tokens.csv

where each line should be token,user-name,user-id[,optional groups]. E.g.:

@dm1nT0k3n,admin,admin,adminGroup,devGroup
w3rck3rT0k3n,wercker,wercker,devGroup
etc...

For more info, check out the Authentication docs. Also check out example_policy_file.jsonl for an example ABAC file.
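To show how the two files in the answer and the question's ABAC policy fit together, here is an added illustration (not Kubernetes' own code) of the two stages: the static credential files map a presented secret to a user and groups, and the ABAC policy lines then decide whether that user may act. The file contents are constructed from the answer's examples, and the ABAC matching is a simplified model covering only user, group, readonly and "*".

```python
import csv
import hmac
import io
import json

# Constructed sample files in the layouts the answer describes.
BASIC_AUTH_CSV = "@dm1nP@ss,admin,admin\nw3rck3rP@ss,wercker,wercker\n"
TOKEN_CSV = ("@dm1nT0k3n,admin,admin,adminGroup,devGroup\n"
             "w3rck3rT0k3n,wercker,wercker,devGroup\n")
# ABAC policy: one JSON object per line; a line grants the request when every
# attribute it names matches ("*" matches anything); readonly limits it to reads.
ABAC_JSONL = '{"user":"admin"}\n{"group":"devGroup","readonly":true}\n'


def load_credentials(text):
    """Parse secret,user-name,user-id[,group...] into {secret: user dict}.
    Both files hold their secrets in clear text, so restrict file permissions."""
    creds = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3:
            continue  # blank or malformed line: ignore rather than guess
        creds[row[0]] = {"name": row[1], "uid": row[2],
                         "groups": [g for g in row[3:] if g]}
    return creds


def authenticate(creds, secret, username=None):
    """Map a presented token (or username:password) to a user, else None.
    Compare in constant time so timing does not leak which secret is close."""
    for stored, user in creds.items():
        if hmac.compare_digest(stored.encode(), secret.encode()):
            if username is None or user["name"] == username:
                return user
    return None


def authorize(policy_text, user, readonly):
    """True if any ABAC line applies to this user (or one of its groups)."""
    for line in policy_text.splitlines():
        if not line.strip():
            continue
        rule = json.loads(line)
        if rule.get("readonly") and not readonly:
            continue  # a read-only rule cannot grant a write
        if "user" in rule and rule["user"] not in ("*", user["name"]):
            continue
        if "group" in rule and rule["group"] != "*" \
                and rule["group"] not in user["groups"]:
            continue
        return True
    return False
```

With the question's policy file, every listed user is granted everything; the sample policy here shows how a readonly group rule narrows that for the CI user.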

