
[k8s] 30. Authentication - Hands-on

by Lauren X Ming 2021. 2. 24.

Authentication - Hands-on


1. X509 Client Certs


  • Send API requests over both https and http using the client certificate
  • Check the kubeconfig on the cluster, take the client key and client cert from it, and send an https request
  • Start a proxy with kubectl and send an http request

Installing and configuring Postman

  • Search for it and download it yourself..
  • Settings > General > SSL certificate verification > OFF

Hands-on steps

  1. On the master node, check the file at the following path
     cat /etc/kubernetes/admin.conf
     The clusters section holds the CA certificate and the cluster address, the users section holds the user's client certificate and client key; all of them are base64-encoded
  2. On the master node, decode the client key and client certificate with the following commands
     grep 'client-key-data' /etc/kubernetes/admin.conf | head -n 1 | awk '{print $2}' | base64 -d
     grep 'client-certificate-data' /etc/kubernetes/admin.conf | head -n 1 | awk '{print $2}' | base64 -d
     On your PC, create client.key and client.crt and paste in the output of each command
  3. Register client.crt and client.key in Postman and send an API request
     File -> Settings -> Certificates: add client.crt and client.key
     Send a request to https://192.168.35.30:6443/api/v1/nodes!!
  4. Install kubeadm/kubectl/kubelet on the master node with the following command --> already done during installation
     yum install -y --disableexcludes=kubernetes kubeadm-1.15.5-0.x86_64 kubectl-1.15.5-0.x86_64 kubelet-1.15.5-0.x86_64
  5. Copy the admin.conf kubeconfig on the master node with the following commands --> already done during installation
     mkdir -p $HOME/.kube
     sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
     sudo chown $(id -u):$(id -g) $HOME/.kube/config
  6. Start kubectl proxy on the master node with the following command; the port is 8001 and the bind address is the master node IP
     nohup kubectl proxy --port=8001 --address=192.168.35.30 --accept-hosts='^*$' >/dev/null 2>&1 &
     --accept-hosts='^*$' : any host may connect; change the regex to allow only specific hosts
  7. In Postman, this time send the request over plain http: http://192.168.35.30:8001/api/v1/nodes
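The same certificate flow from the shell, as an added example that is not part of the original post. It pulls the client certificate, client key and the cluster CA out of admin.conf with the post's own grep/awk/base64 pipeline, sanity-checks the decoded PEM blocks, and calls the API server with curl. Passing the cluster CA via --cacert keeps TLS verification on, which is what the Postman "SSL certificate verification > OFF" setting gives up. Assumed: the API server address 192.168.35.30:6443 from the post, a Linux `base64 -d`, and that admin.conf (root-only on the master node) has been copied somewhere readable.

```shell
#!/bin/sh
# Added example, not from the original post: decode X509 client credentials
# from a kubeconfig and use them with curl for client-certificate auth.

# extract_kubeconfig_field FILE KEY OUT
# Takes the first line containing KEY (e.g. client-key-data), base64-decodes
# its value and writes it to OUT. Same pipeline as the post, wrapped in a
# function that fails loudly when the key is missing.
extract_kubeconfig_field() {
  file=$1; key=$2; out=$3
  grep "$key" "$file" | head -n 1 | awk '{print $2}' | base64 -d > "$out" || return 1
  [ -s "$out" ] || { echo "no $key found in $file" >&2; return 1; }
  # The decoded private key must not be world-readable.
  case $key in client-key-data) chmod 600 "$out" ;; esac
}

# pem_type FILE prints the label of the first PEM block in FILE
# ("CERTIFICATE", "RSA PRIVATE KEY", ...), a quick check that the decoded
# material is what we expect before handing it to curl.
pem_type() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# export_admin_credentials CONF DIR decodes CA, client cert and client key
# from CONF into DIR/ca.crt, DIR/client.crt and DIR/client.key.
export_admin_credentials() {
  conf=$1; dir=$2
  mkdir -p "$dir"
  extract_kubeconfig_field "$conf" certificate-authority-data "$dir/ca.crt"     || return 1
  extract_kubeconfig_field "$conf" client-certificate-data    "$dir/client.crt" || return 1
  extract_kubeconfig_field "$conf" client-key-data            "$dir/client.key" || return 1
}

# api_get_nodes DIR [SERVER] sends GET /api/v1/nodes authenticated with the
# client certificate; --cacert makes curl verify the API server against the
# cluster CA instead of trusting any endpoint.
api_get_nodes() {
  dir=$1; server=${2:-https://192.168.35.30:6443}
  curl --silent --show-error \
       --cacert "$dir/ca.crt" --cert "$dir/client.crt" --key "$dir/client.key" \
       "$server/api/v1/nodes"
}

# Usage on the master node:
#   sudo cat /etc/kubernetes/admin.conf > ./admin.conf
#   export_admin_credentials ./admin.conf ./creds
#   pem_type ./creds/client.crt      # CERTIFICATE
#   api_get_nodes ./creds            # NodeList JSON
```

Because `head -n 1` keeps only the first match, the function returns the first user's credentials when a kubeconfig lists several users; for admin.conf that is kubernetes-admin, i.e. a cluster-admin identity, so the decoded files deserve the same protection as admin.conf itself.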

2. Kubectl


  • Copy the kubeconfig files from the two clusters and merge them into one file, then
  • Select a cluster with the kubectl config command and check that resources from the selected cluster are listed
  • The file to merge is /etc/kubernetes/admin.conf

Kubeconfig - for two clusters

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1KVEUtLS0tLQo=
    server: https://192.168.0.30:6443
  name: cluster-a
- cluster:
    certificate-authority-data: LS0tLS1KVEUtLS0tLQo=
    server: https://192.168.0.50:6443
  name: cluster-b
contexts:
- context:
    cluster: cluster-a
    user: admin-a
  name: context-a
- context:
    cluster: cluster-b
    user: admin-b
  name: context-b
current-context: context-a
kind: Config
preferences: {}
users:
- name: admin-a
  user:
    client-certificate-data: LS0tLS1KVEUtLS0tLQo=
    client-key-data: LS0tLS1KVEUtLS0tLQo=
- name: admin-b
  user:
    client-certificate-data: LS0tLS1KVEUtLS0tLQo=
    client-key-data: LS0tLS1KVEUtLS0tLQo=
  • Two clusters merged into one file and managed this way
  • But I only have one cluster, don't I?
  • This probably won't work for me...
  • I'll just practice with one

Kubeconfig - the "dirt spoon" (single-cluster) version

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1ERXpNVEEzTVRreU1sb1hEVE14TURFeU9UQTNNVGt5TWxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTXRlCnFpY1hjWWVWcTZKdmtGQ0oveFN5QkVRTHZyU25OajByZ0tIeWpDVWFVWGUwQ1ZWL1NoZDJlRHo2cjBlUlZudmQKWEFJaGJzZExIYUppTlpTNUt1UHJMNkxhYU9QMGxyNWVTbmI2ampkcmNtSTM4UVFieTkycXZFTEVxTXZoc21QeQpIR1hxdFhickdTWXVGdCtSUDJWR2tabzRzMTFML2UyVTk4MnI0aFhjVmlhNk9OakNRWEx1SzgvNTZ5QTdYa1hCCkQvSDR0UjEzNXJhZURFV2JvM3p4Wk5IaUk5Wk9kclcrNU50andkZXluWUU1L3BaVWhkckd3VUc4c0lMQnZYNFgKMjFqWStUWmxlaSthWnpDUk5aK1gyNzU0cGNFWkFqejgzL1VzblhNQS85Z2xBRU5nSGQ5QlllMHJDeXVKR1lKeQo2L0o5eExSckRlcTdWVXhkN2tVQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFIOVZoMGYwcnQrZk9WaFNsMzZaNTl3emMrdTQKdHRXRUNFU1FvWWtDcDNtenpoQldnWGZsd2FCL2cycmF2MkZvVTdvdnNkaTFmZWtTR0NPMmM3bkVSdFNvQTdMdwpmMXZXa2VEMlk4dDBMNUs2TCt0MUtPeE9CQTBweVMyZmV4Wkt5RVp6UGR4dmMrVU9xR1B4bEVURXQwNTJUM25HCjJKQ2lEMmVraXZ3b2xBWkFqV1lkS2p2RHlEUitzM3RWYm04UTE1Z3dPL3MwOWorK0FZeTNwTWlxenFoa1FYTzkKL1o4aDhLdFZFRHNEemZrZ2RrODVDeThnNEp6ZHRKQ3ZqLzNkYzNzeEIvVHJmenVIK3RSV0FudHhJcVh1Y29hVgpEOTIxSS9xOGd5TXZGWk9tMTdtb3FqTldtMXZEUmxBcllUNVhMRzh6QWM1bUFuTldkRGUzU2dnWnYycz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://192.168.35.30:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: <base64 client certificate data omitted>
    client-key-data: <base64 client key data omitted>
  • context name: kubernetes-admin@kubernetes

Hands-on steps ("dirt spoon" ver)

  1. Copy the contents of /etc/kubernetes/admin.conf into the config file on the PC
     Placed in .kube under the user's home folder
  2. Download the Windows kubectl CLI from cmd
     curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.18.0/bin/windows/amd64/kubectl.exe
  3. Run kubectl config
     kubectl config use-context kubernetes-admin@kubernetes
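The two-cluster merge that the post describes but could not try with one cluster, as an added example that is not part of the original post. kubectl merges every file listed in KUBECONFIG (colon-separated on Linux, semicolon-separated on Windows), and `kubectl config view --flatten` writes that merged view with the certificate data embedded. The awk helpers list and check contexts without kubectl, so the merged file can be inspected before it replaces ~/.kube/config. Assumed: kubectl is installed, and the two input files are copies of each cluster's admin.conf whose cluster, context and user names were first renamed to be distinct (cluster-a/cluster-b, context-a/context-b, admin-a/admin-b as in the post), since two untouched admin.conf files both use the names "kubernetes" and "kubernetes-admin" and the first file's entries would win the merge.

```shell
#!/bin/sh
# Added example, not from the original post: merge kubeconfigs of two
# clusters and select a context.

# kubeconfig_contexts FILE prints the context names in FILE, one per line.
# Plain awk over the YAML layout kubectl writes: "contexts:" opens the list,
# the next top-level key closes it, and each entry's name sits at two spaces.
kubeconfig_contexts() {
  awk '
    /^contexts:/          { in_ctx = 1; next }
    /^[A-Za-z]/           { in_ctx = 0 }
    in_ctx && /^  name:/  { print $2 }
  ' "$1"
}

# kubeconfig_current_context FILE prints the value of current-context.
kubeconfig_current_context() {
  awk '/^current-context:/ { print $2 }' "$1"
}

# merge_kubeconfigs OUT FILE1 FILE2 ...
# Writes the merged config of all FILEs to OUT. --flatten inlines the
# certificate data so OUT is self-contained and can be moved to another PC.
merge_kubeconfigs() {
  out=$1; shift
  list=$(printf '%s:' "$@")
  KUBECONFIG=${list%:} kubectl config view --flatten > "$out"
}

# select_context FILE NAME switches current-context in FILE and confirms the
# switch by listing the nodes of the cluster the context points at.
select_context() {
  kubectl --kubeconfig "$1" config use-context "$2" &&
  kubectl --kubeconfig "$1" get nodes
}

# Usage:
#   merge_kubeconfigs ./merged.conf ./admin-a.conf ./admin-b.conf
#   kubeconfig_contexts ./merged.conf           # context-a, context-b
#   kubeconfig_current_context ./merged.conf    # context-a
#   select_context ./merged.conf context-b
#   cp ./merged.conf ~/.kube/config
```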

3. Service Account


  • Create a namespace
  • Check the ServiceAccount and Secret that are created automatically when the namespace is created
  • Create a pod and call the API with the token value

Hands-on steps

  1. Create the namespace by running the following command on the master node
     kubectl create ns nm-01
  2. List the ServiceAccount in the namespace
     kubectl describe -n nm-01 serviceaccounts
  3. List the Secret
     kubectl describe -n nm-01 secrets
     Copy this token value
  4. Create a Pod
     cat <<EOF | kubectl create -f -
     apiVersion: v1
     kind: Pod
     metadata:
       name: pod-1
       namespace: nm-01
       labels:
         app: pod
     spec:
       containers:
       - name: container
         image: kubetm/app
     EOF
  5. In Postman, delete the certificate registered earlier
  6. Enter the following address in Postman
     https://192.168.35.30:6443/api/v1
  7. In Postman Headers, add the Key Authorization with the Value "Bearer", a space, and the copied token value
  8. Press Send and look at the result
  9. Call the pod list
     https://192.168.35.30:6443/api/v1/namespaces/nm-01/pods/
     An error saying the default ServiceAccount cannot list pods
     The error occurs because the default ServiceAccount has no permission to list pods
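The ServiceAccount steps from the shell, as an added example that is not part of the original post. It reads the default ServiceAccount's token Secret, decodes the token's claims to show which identity the API server will see, sends the token as a Bearer header with curl so the HTTP status makes the post's final error visible as a 403, and checks the same permission with `kubectl auth can-i` without sending a request. Assumed: kubectl access on the master node, the namespace nm-01 and API server address from the post, and a ./ca.crt decoded from admin.conf's certificate-authority-data; the token layout (a JWT whose middle segment is base64url JSON with a "sub" claim) is the standard Kubernetes ServiceAccount token format.

```shell
#!/bin/sh
# Added example, not from the original post: ServiceAccount token to API call.

# jwt_payload TOKEN decodes the middle (claims) segment of a JWT: base64url
# to base64, re-add the padding that JWTs strip, then decode.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# jwt_subject TOKEN prints the "sub" claim, e.g.
# system:serviceaccount:nm-01:default for the default account of nm-01.
jwt_subject() {
  jwt_payload "$1" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# sa_token NAMESPACE [ACCOUNT]
# On Kubernetes 1.15 (the post's version) every ServiceAccount gets a token
# Secret; this reads it via jsonpath instead of copying it out of
# `kubectl describe secrets`. On 1.24 and later that Secret is no longer
# created and `kubectl create token ACCOUNT -n NAMESPACE` is the replacement.
sa_token() {
  ns=$1; sa=${2:-default}
  secret=$(kubectl -n "$ns" get serviceaccount "$sa" -o jsonpath='{.secrets[0].name}')
  kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d
}

# api_get_as_sa TOKEN PATH [SERVER] sends GET PATH with the Bearer token and
# appends the HTTP status, so 200 (authenticated, authorized) and 403
# (authenticated, not authorized) are told apart at a glance.
api_get_as_sa() {
  token=$1; path=$2; server=${3:-https://192.168.35.30:6443}
  curl --silent --show-error --cacert ./ca.crt \
       -H "Authorization: Bearer $token" \
       -w '\nHTTP %{http_code}\n' "$server$path"
}

# Usage:
#   TOKEN=$(sa_token nm-01)
#   jwt_subject "$TOKEN"                                   # system:serviceaccount:nm-01:default
#   api_get_as_sa "$TOKEN" /api/v1                         # HTTP 200
#   api_get_as_sa "$TOKEN" /api/v1/namespaces/nm-01/pods   # HTTP 403, no RBAC binding for this account
#   kubectl auth can-i list pods -n nm-01 --as=system:serviceaccount:nm-01:default   # no
```

The 403 is the API server's authorization step, not authentication: the token identified the caller as system:serviceaccount:nm-01:default, and that subject simply has no Role or ClusterRole bound to it, which is the state every new namespace starts in.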

Source

Inflearn - Kubernetes Is the Trend (대세는 쿠버네티스)