
Authentication

kOps supports configuring an authentication system. Because of a serious bug in apimachinery, #55022, this should not be used with Kubernetes versions before 1.8.5.

kopeio authentication

If you want to experiment with kopeio authentication, you can use --authentication kopeio. Note, however, that kopeio authentication has not been formally released yet, so there is not much upstream documentation.

Alternatively, you can add this block to your cluster:

authentication:
  kopeio: {}

For example:

apiVersion: kops.k8s.io/v1alpha2
kind: Cluster
metadata:
  name: cluster.example.com
spec:
  authentication:
    kopeio: {}
  authorization:
    rbac: {}

AWS IAM Authenticator

To enable AWS IAM Authenticator, add the following section to the cluster configuration:

authentication:
  aws: {}

For example:

apiVersion: kops.k8s.io/v1alpha2
kind: Cluster
metadata:
  name: cluster.example.com
spec:
  authentication:
    aws: {}
  authorization:
    rbac: {}

If no backendMode is configured, aws-iam-authenticator by default requires the AWS IAM Authenticator configuration to be created as a ConfigMap. For more details on AWS IAM Authenticator, see kubernetes-sigs/aws-iam-authenticator.

Example configuration using a ConfigMap:

---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: kube-system
  name: aws-iam-authenticator
  labels:
    k8s-app: aws-iam-authenticator
data:
  config.yaml: |
    # a unique-per-cluster identifier to prevent replay attacks
    # (good choices are a random token or a domain name that will be unique to your cluster)
    clusterID: my-dev-cluster.example.com
    server:
      # each mapRoles entry maps an IAM role to a username and set of groups
      # Each username and group can optionally contain template parameters:
      #  1) "{{ AccountID }}" is the 12 digit AWS ID.
      #  2) "{{ SessionName }}" is the role session name.
      mapRoles:
      # statically map arn:aws:iam::000000000000:role/KubernetesAdmin to a cluster admin
      - roleARN: arn:aws:iam::000000000000:role/KubernetesAdmin
        username: kubernetes-admin
        groups:
        - system:masters
      # map EC2 instances in my "KubernetesNode" role to users like
      # "aws:000000000000:instance:i-0123456789abcdef0". Only use this if you
      # trust that the role can only be assumed by EC2 instances. If an IAM user
      # can assume this role directly (with sts:AssumeRole) they can control
      # SessionName.
      - roleARN: arn:aws:iam::000000000000:role/KubernetesNode
        username: aws:{{ AccountID }}:instance:{{ SessionName }}
        groups:
        - system:bootstrappers
        - aws:instances
      # map federated users in my "KubernetesAdmin" role to users like
      # "admin:alice-example.com". The SessionName is an arbitrary role name
      # like an e-mail address passed by the identity provider. Note that if this
      # role is assumed directly by an IAM User (not via federation), the user
      # can control the SessionName.
      - roleARN: arn:aws:iam::000000000000:role/KubernetesAdmin
        username: admin:{{ SessionName }}
        groups:
        - system:masters
      # each mapUsers entry maps an IAM role to a static username and set of groups
      mapUsers:
      # map user IAM user Alice in 000000000000 to user "alice" in "system:masters"
      - userARN: arn:aws:iam::000000000000:user/Alice
        username: alice
        groups:
        - system:masters

An alternative backend mode can also be configured for aws-iam-authenticator. The backendMode option accepts multiple backends as a comma-separated string. The mappings from those backends are merged; when the same mapping is found in more than one backend, the first backend in the list takes precedence. If MountedFile is not included in the backend list, the ConfigMap is not required and the cluster-id defaults to the name of the cluster. The cluster-id can be overridden by setting the clusterID API field. If you wish to keep using the ConfigMap to configure authenticator settings other than the mappings, MountedFile must be included in the backendMode list.

This requires an aws-iam-authenticator image >= 0.5.0. For more information, see usergroup-mappings.

authentication:
  aws:
    backendMode: CRD,MountedFile
    clusterID: demo.cluster.us-west-2

When backendMode is set to CRD, an inline list of AWS IAM identity mappings can be provided in the cluster template:

authentication:
  aws:
    backendMode: CRD
    clusterID: demo.cluster.us-west-2
    identityMappings:
    - arn: arn:aws:iam::000000000000:role/KubernetesAdmin
      username: admin:{{ SessionName }}
      groups:
      - system:masters
    - arn: arn:aws:iam::000000000000:user/Alice
      username: alice
      groups:
      - system:masters
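The following is an added example, not code from kOps or from aws-iam-authenticator. It models the mapping semantics described above: the {{ AccountID }} and {{ SessionName }} template parameters, the merge rule for a comma-separated backendMode (the first backend listed wins when two backends map the same ARN), and the reduction of an STS assumed-role ARN to the IAM role ARN that mapRoles and identityMappings entries name, which is an assumption about how the authenticator matches callers. The CRD and MountedFile mapping lists are constructed to mirror the example ConfigMap and identityMappings block on this page; the "first entry wins within one backend" rule is also an assumption.

```python
"""Resolve a caller ARN to a Kubernetes username and groups (added example)."""
import re
from dataclasses import dataclass, field

# STS ARN of a principal that assumed a role: the session name is chosen by
# whoever assumed the role, which is why the ConfigMap comments warn against
# templating {{ SessionName }} into a username for roles that IAM users can assume.
ASSUMED_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)
IAM_ARN_RE = re.compile(r"^arn:aws:iam::(?P<account>\d{12}):(?:role|user)/.+$")


@dataclass
class Mapping:
    arn: str
    username: str
    groups: list = field(default_factory=list)


# Constructed sample data modelled on the page's identityMappings (CRD) and
# ConfigMap mapRoles (MountedFile). KubernetesAdmin is mapped in both backends
# with different usernames so the precedence rule is visible.
CRD_MAPPINGS = [
    Mapping("arn:aws:iam::000000000000:role/KubernetesAdmin",
            "admin:{{ SessionName }}", ["system:masters"]),
    Mapping("arn:aws:iam::000000000000:user/Alice", "alice", ["system:masters"]),
]
MOUNTED_FILE_MAPPINGS = [
    Mapping("arn:aws:iam::000000000000:role/KubernetesAdmin",
            "kubernetes-admin", ["system:masters"]),
    Mapping("arn:aws:iam::000000000000:role/KubernetesNode",
            "aws:{{ AccountID }}:instance:{{ SessionName }}",
            ["system:bootstrappers", "aws:instances"]),
]
BACKENDS = {"CRD": CRD_MAPPINGS, "MountedFile": MOUNTED_FILE_MAPPINGS}


def canonicalize(caller_arn):
    """Return (canonical IAM ARN, account id, session name) for a caller ARN.

    Assumption: an STS assumed-role ARN is matched against the underlying IAM
    role ARN; plain IAM user/role ARNs are matched as-is with no session name.
    """
    m = ASSUMED_ROLE_RE.match(caller_arn)
    if m:
        return (f"arn:aws:iam::{m['account']}:role/{m['role']}", m["account"], m["session"])
    m = IAM_ARN_RE.match(caller_arn)
    if m:
        return (caller_arn, m["account"], "")
    raise ValueError(f"unsupported ARN: {caller_arn}")


def merge_backends(backend_mode, backends):
    """Merge the backends named in backend_mode; the first backend listed wins.

    Assumption: within a single backend the first entry for an ARN is kept.
    """
    merged = {}
    for name in [b.strip() for b in backend_mode.split(",") if b.strip()]:
        if name not in backends:
            raise ValueError(f"unknown backend {name!r} in backendMode")
        for mapping in backends[name]:
            merged.setdefault(mapping.arn, mapping)  # keeps the first mapping seen
    return merged


def render(template, account, session):
    """Substitute the two template parameters the documentation describes."""
    return template.replace("{{ AccountID }}", account).replace("{{ SessionName }}", session)


def resolve(caller_arn, backend_mode="CRD,MountedFile", backends=BACKENDS):
    """Map a caller ARN to (username, groups), or None when nothing maps it."""
    canonical, account, session = canonicalize(caller_arn)
    mapping = merge_backends(backend_mode, backends).get(canonical)
    if mapping is None:
        return None
    return (render(mapping.username, account, session),
            [render(g, account, session) for g in mapping.groups])


if __name__ == "__main__":
    node = "arn:aws:sts::000000000000:assumed-role/KubernetesNode/i-0123456789abcdef0"
    admin = "arn:aws:sts::000000000000:assumed-role/KubernetesAdmin/alice-example.com"
    print(resolve(node))
    print(resolve(admin, "CRD,MountedFile"))
    print(resolve(admin, "MountedFile,CRD"))
```

Running it shows the node role resolving to "aws:000000000000:instance:i-0123456789abcdef0", and the KubernetesAdmin caller resolving to "admin:alice-example.com" with backendMode CRD,MountedFile but to "kubernetes-admin" with MountedFile,CRD; the username a caller ends up with therefore depends on backend order as well as on who can choose the session name.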

Creating a new cluster with IAM Authenticator

  • Follow the AWS Getting Started guide to create a cluster.
  • When you reach the "Customize Cluster Configuration" section of the guide, modify the cluster spec and add the authentication and authorization configuration to the YAML config.
  • Optionally, set backendMode: CRD and configure the identity mappings inline.
  • Continue following the cluster creation guide to build the cluster.
    • :warning: When backendMode is not configured (or is set to MountedFile), the aws-iam-authenticator POD will be in a bad state when the cluster first starts, because it tries to find the aws-iam-authenticator ConfigMap, which we have not created yet.

If backendMode is not configured or is set to MountedFile, the following additional steps are required:

  • Once the cluster is up, you will need to create the aws-iam-authenticator ConfigMap on the cluster: kubectl apply -f aws-iam-authenticator_example-config.yaml
  • Once the config is created, you will need to delete the initially created aws-iam-authenticator POD, which forces a new POD to start and find the ConfigMap correctly:
    kubectl get pods -n kube-system | grep aws-iam-authenticator | awk '{print $1}' | xargs kubectl delete pod -n kube-system


Enabling IAM Authenticator on an existing cluster

  • Create the aws-iam-authenticator ConfigMap on the cluster: kubectl apply -f aws-iam-authenticator_example-config.yaml
  • Edit the cluster configuration with kops edit cluster ${NAME} and add the authentication and authorization configuration to the YAML config.
  • Update the cluster configuration: kops update cluster ${CLUSTER_NAME} --yes
  • Temporarily disable the aws-iam-authenticator DaemonSet: kubectl patch daemonset -n kube-system aws-iam-authenticator -p '{"spec": {"template": {"spec": {"nodeSelector": {"disable-aws-iam-authenticator": "true"}}}}}'
  • Perform a rolling update of the master nodes: kops rolling-update cluster ${CLUSTER_NAME} --instance-group-roles=Master --force --yes
  • Re-enable the aws-iam-authenticator DaemonSet: kubectl patch daemonset -n kube-system aws-iam-authenticator --type json -p='[{"op": "remove", "path": "/spec/template/spec/nodeSelector/disable-aws-iam-authenticator"}]'