Beyond cluster-admin_ Getting Started with Kubernetes Users and Permissions.pdf

《Beyond cluster-admin_ Getting Started with Kubernetes Users and Permissions.pdf》由会员分享，可在线阅读，更多相关《Beyond cluster-admin_ Getting Started with Kubernetes Users and Permissions.pdf（30页珍藏版）》请在三个皮匠报告上搜索。

1、Beyond cluster-admin:Getting Started with Kubernetes Users and PermissionsTiffany JerniganDeveloper AdvocateVMwaretiffanyfayjT I F F A N Y F A Y JT I F F A N Y F A Y M A S T O D O N.O N L I N E AUTHENTICATION&AUTHORIZATION AUTHN(authentication):who are you?AUTHZ(authorization):what are you allowed t

2、o do?k8s.io/docs/reference/access-authn-authz/T I F F A N Y F A Y JT I F F A N Y F A Y M A S T O D O N.O N L I N E AUTHENTICATION&USER PROVISIONINGT I F F A N Y F A Y JT I F F A N Y F A Y M A S T O D O N.O N L I N E PROVISIONING USERSAt least three possibilities:certificatescan use your own CA(e.g.V

3、ault),or Kuberneteswarning:Kubernetes API server doesnt support revocation,so you need short-lived certsOIDC tokenscan use an auth provider of your choice(e.g.okta,keycloak)or something linked to your clouds IAM(ab)use serviceaccounts to provision users(a service account is really just a user named

4、system:serviceaccount:)T I F F A N Y F A Y JT I F F A N Y F A Y M A S T O D O N.O N L I N E PROVISIONING USERS Humans:TLS,OIDC,Service Account/Client Certs,etc.Robots:use Service AccountsT I F F A N Y F A Y JT I F F A N Y F A Y M A S T O D O N.O N L I N E Example creation with OpenSSL:#Generate key

5、and CSR for our useropenssl genrsa 4096 user.keyopenssl req-new-key user.key-subj/CN=ada.lovelace/O=devs/O=ops user.csrAfter that,transfer the CSR to the CACERTIFICATEST I F F A N Y F A Y JT I F F A N Y F A Y M A S T O D O N.O N L I N E#Copy the CSR to the CA(for instance,a kubeadm-deployed control

6、plane node)#Then generate the cert:sudo openssl x509-req-CA/etc/kubernetes/pki/ca.crt-CAkey/etc/kubernetes/pki/ca.key-in user.csr-days 1-set_serial 1234 user.crt#Copy certificate(user.crt)back to the user!CERTIFICATES SELF-HOSTEDT I F F A N Y F A Y JT I F F A N Y F A Y M A S T O D O N.O N L I N E Or