---
reviewers:
- liggitt
title: Kubelet authentication/authorization
weight: 110
---

## Overview {#overview}

A kubelet's HTTPS endpoint exposes APIs which give access to data of varying sensitivity,
and allow you to perform operations with varying levels of power on the node and within containers.

This document describes how to authenticate and authorize access to the kubelet's HTTPS endpoint.

## Kubelet authentication {#kubelet-authentication}

By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured
authentication methods are treated as anonymous requests, and given a username of `system:anonymous`
and a group of `system:unauthenticated`.

To disable anonymous access and send `401 Unauthorized` responses to unauthenticated requests:

* start the kubelet with the `--anonymous-auth=false` flag

To enable X509 client certificate authentication to the kubelet's HTTPS endpoint:

* start the kubelet with the `--client-ca-file` flag, providing a CA bundle to verify client certificates with
* start the API server with the `--kubelet-client-certificate` and `--kubelet-client-key` flags
* see the [API server authentication documentation](/zh-cn/docs/reference/access-authn-authz/authentication/#x509-client-certificates) for more details

To enable API bearer tokens (including service account tokens) to be used to authenticate to the kubelet's HTTPS endpoint:

* ensure the `authentication.k8s.io/v1beta1` API group is enabled in the API server
* start the kubelet with the `--authentication-token-webhook` and `--kubeconfig` flags
* the kubelet calls the `TokenReview` API on the configured API server to determine user information from bearer tokens

## Kubelet authorization {#kubelet-authorization}

Any request that is successfully authenticated (including an anonymous request) is then authorized.
The default authorization mode is `AlwaysAllow`, which allows all requests.

There are many possible reasons to subdivide access to the kubelet API:

* anonymous auth is enabled, but anonymous users' ability to call the kubelet API should be limited
* bearer token auth is enabled, but arbitrary API users' (like service accounts) ability to call the kubelet API should be limited
* client certificate auth is enabled, but only some of the client certificates signed by the configured CA should be allowed to use the kubelet API

To subdivide access to the kubelet API, delegate authorization to the API server:

* ensure the `authorization.k8s.io/v1beta1` API group is enabled in the API server
* start the kubelet with the `--authorization-mode=Webhook` and the `--kubeconfig` flags
* the kubelet calls the `SubjectAccessReview` API on the configured API server to determine whether each request is authorized

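As an added example (not part of the Kubernetes documentation or the kubelet itself), the following Python audits a kubelet command line for the authentication and authorization flags covered in the two sections above, using the page's defaults (anonymous auth on, `AlwaysAllow`) when a flag is absent. The sample command lines and file paths inside it are constructed placeholders.

```python
"""Audit a kubelet command line against the settings described above (added
example, not kubelet code). Defaults mirror the page: anonymous auth is on and
the authorization mode is AlwaysAllow unless a flag says otherwise."""
import shlex

DEFAULTS = {"anonymous-auth": "true", "authorization-mode": "AlwaysAllow",
            "client-ca-file": "", "authentication-token-webhook": "false"}

def parse_flags(cmdline):
    """Collect --flag=value pairs; a bare --flag is a boolean set to true
    (the two forms used by the steps on this page)."""
    flags = dict(DEFAULTS)
    for arg in shlex.split(cmdline)[1:]:
        if arg.startswith("--"):
            key, sep, value = arg[2:].partition("=")
            flags[key] = value if sep else "true"
    return flags

def audit_kubelet(cmdline):
    """Return findings about the kubelet's HTTPS endpoint; an empty list means
    every check passed."""
    f = parse_flags(cmdline)
    findings = []
    if f["anonymous-auth"] != "false":
        findings.append("unauthenticated callers become system:anonymous; "
                        "set --anonymous-auth=false")
    if f["authorization-mode"] != "Webhook":
        findings.append(f"--authorization-mode={f['authorization-mode']} allows every "
                        "authenticated request; use Webhook (SubjectAccessReview)")
    if not f["client-ca-file"] and f["authentication-token-webhook"] != "true":
        findings.append("no --client-ca-file and no --authentication-token-webhook: "
                        "no authenticator can identify callers")
    needs_kubeconfig = (f["authentication-token-webhook"] == "true"
                        or f["authorization-mode"] == "Webhook")
    if needs_kubeconfig and not f.get("kubeconfig"):
        findings.append("--kubeconfig is required for TokenReview/SubjectAccessReview calls")
    return findings

# constructed sample command lines; the paths are placeholders, not real cluster files
INSECURE = "kubelet --authorization-mode=AlwaysAllow --authentication-token-webhook"
HARDENED = ("kubelet --anonymous-auth=false --client-ca-file=/path/to/ca.crt "
            "--authentication-token-webhook --authorization-mode=Webhook "
            "--kubeconfig=/path/to/kubelet.conf")
```
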
The kubelet authorizes API requests using the same [request attributes](/zh-cn/docs/reference/access-authn-authz/authorization/#review-your-request-attributes) approach as the API server.

The verb is determined from the incoming request's HTTP verb:

HTTP verb | request verb
----------|---------------
POST | create
GET, HEAD | get
PUT | update
PATCH | patch
DELETE | delete

The resource and subresource are determined from the incoming request's path:

Kubelet API | resource | subresource
--------------------|----------|------------
/stats/\* | nodes | stats
/metrics/\* | nodes | metrics
/logs/\* | nodes | log
/spec/\* | nodes | spec
/checkpoint/\* | nodes | checkpoint
*all others* | nodes | proxy

The namespace and API group attributes are always an empty string, and
the resource name is always the name of the kubelet's `Node` API object.

When running in this mode, ensure the user identified by the `--kubelet-client-certificate` and `--kubelet-client-key`
flags passed to the API server is authorized for the following attributes:

* verb=\*, resource=nodes, subresource=proxy
* verb=\*, resource=nodes, subresource=stats
* verb=\*, resource=nodes, subresource=log
* verb=\*, resource=nodes, subresource=spec
* verb=\*, resource=nodes, subresource=metrics

### Fine-grained authorization {#fine-grained-authorization}

{{< feature-state feature_gate_name="KubeletFineGrainedAuthz" >}}

When the feature gate `KubeletFineGrainedAuthz` is enabled, the kubelet performs a
fine-grained check before falling back to the `proxy` subresource for the `/pods`,
`/runningPods`, `/configz` and `/healthz` endpoints. The resource and subresource
are determined from the incoming request's path:

Kubelet API | resource | subresource
--------------|----------|------------
/stats/\* | nodes | stats
/metrics/\* | nodes | metrics
/logs/\* | nodes | log
/pods | nodes | pods, proxy
/runningPods/ | nodes | pods, proxy
/healthz | nodes | healthz, proxy
/configz | nodes | configz, proxy
*all others* | nodes | proxy

When the feature gate `KubeletFineGrainedAuthz` is enabled, ensure the user
identified by the `--kubelet-client-certificate` and `--kubelet-client-key`
flags passed to the API server is authorized for the following attributes:

* verb=\*, resource=nodes, subresource=proxy
* verb=\*, resource=nodes, subresource=stats
* verb=\*, resource=nodes, subresource=log
* verb=\*, resource=nodes, subresource=metrics
* verb=\*, resource=nodes, subresource=configz
* verb=\*, resource=nodes, subresource=healthz
* verb=\*, resource=nodes, subresource=pods

If [RBAC authorization](/zh-cn/docs/reference/access-authn-authz/rbac/) is used,
enabling this gate also ensures that the builtin `system:kubelet-api-admin` ClusterRole
is updated with permissions to access all the above mentioned subresources.
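As an added example (not kubelet code), the following Python simulates the Webhook authorization path described in the tables above: it maps a request's HTTP verb and path to the attributes the kubelet puts in a `SubjectAccessReview`, then evaluates them against RBAC-style rules, including the `KubeletFineGrainedAuthz` fallback to `proxy`. The node name and both rule sets are constructed; it goes slightly beyond the page by also showing a rule that grants `pods` without `proxy`, which only the fine-grained mode can honour.

```python
"""Simulate the kubelet's Webhook authorization described above: map a request to
the attributes sent in a SubjectAccessReview, then evaluate them against RBAC-style
rules, including the KubeletFineGrainedAuthz fallback to `proxy`.
Added example, not kubelet code; the rule sets at the bottom are constructed."""

VERB_MAP = {"POST": "create", "GET": "get", "HEAD": "get",
            "PUT": "update", "PATCH": "patch", "DELETE": "delete"}
PREFIX_SUBRESOURCES = [("/stats/", "stats"), ("/metrics/", "metrics"), ("/logs/", "log"),
                       ("/spec/", "spec"), ("/checkpoint/", "checkpoint")]
FINE_GRAINED = {"/pods": "pods", "/runningPods/": "pods",
                "/healthz": "healthz", "/configz": "configz"}

def request_attributes(method, path, node, fine_grained=False):
    """Ordered (verb, resource, subresource, name) tuples the kubelet checks;
    namespace and API group are always "" and are omitted here."""
    verb = VERB_MAP[method.upper()]
    subs = [sub for prefix, sub in PREFIX_SUBRESOURCES if path.startswith(prefix)]
    if not subs:
        if fine_grained and path in FINE_GRAINED:
            subs.append(FINE_GRAINED[path])  # dedicated check comes first
        subs.append("proxy")  # all other paths, and the fallback
    return [(verb, "nodes", sub, node) for sub in subs]

def subject_access_review(attrs, user, groups):
    """Body of the SubjectAccessReview the kubelet posts for one attribute set."""
    verb, resource, sub, name = attrs
    return {"apiVersion": "authorization.k8s.io/v1", "kind": "SubjectAccessReview",
            "spec": {"user": user, "groups": list(groups),
                     "resourceAttributes": {"verb": verb, "group": "", "namespace": "",
                                            "resource": resource, "subresource": sub,
                                            "name": name}}}

def rule_allows(rule, attrs):
    """RBAC matching: verb '*' or exact; resource '*', 'nodes/<sub>' or '*/<sub>'."""
    verb, resource, sub, _ = attrs
    if "*" not in rule["verbs"] and verb not in rule["verbs"]:
        return False
    return any(r in ("*", f"{resource}/{sub}", f"*/{sub}") for r in rule["resources"])

def authorize(method, path, node, rules, fine_grained=False):
    """Return the subresource that granted access, or None if every check is denied."""
    for attrs in request_attributes(method, path, node, fine_grained):
        if any(rule_allows(rule, attrs) for rule in rules):
            return attrs[2]
    return None

KUBELET_API_ADMIN = [{"verbs": ["*"], "resources": [  # the page's required subresources
    "nodes/proxy", "nodes/stats", "nodes/log", "nodes/spec", "nodes/metrics"]}]
# constructed: a monitoring identity allowed to read pods but never to proxy
POD_READER = [{"verbs": ["get"], "resources": ["nodes/pods"]}]
```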