Accessing Kubernetes API using x509 certificate
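I have created a private key and a certificate signed by the Kubernetes API server's CA. I have configured the user, cluster and context in the ~/.kube/config file. What is the process for making API calls to the Kubernetes API server with the client-go library, using the context in which the user has the client certificate and key?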
The following excerpt can be found in this documentation:
k8s.io/client-go and tools using it such as kubectl and kubelet are able to execute an external command to receive user credentials. (...)
To authenticate against the API:
- The user issues a kubectl command.
- Credential plugin prompts the user for LDAP credentials, exchanges credentials with external service for a token.
- Credential plugin returns token to client-go, which uses it as a bearer token against the API server.
- API server uses the webhook token authenticator to submit a TokenReview to the external service.
- External service verifies the signature on the token and returns the user's username and groups.
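With the client certificate from the question there is no external service involved: the API server verifies the certificate against the cluster CA and takes the user name from the subject common name and the groups from the organization fields. The added example below is not from the original post or from client-go; it reproduces that check with the Go standard library only, on a constructed CA and constructed certificates, and the helper names `issue` and `authenticate` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a throwaway certificate (constructed test data); a nil parent yields a self-signed CA.
func issue(cn string, orgs []string, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:   pkix.Name{CommonName: cn, Organization: orgs},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		t.KeyUsage, parent, pk = t.KeyUsage|x509.KeyUsageCertSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// authenticate mirrors the API server's x509 step: the chain must verify against the
// cluster CA for client auth; then subject CN is the user name and O values the groups.
func authenticate(clusterCA, client *x509.Certificate) (string, []string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(clusterCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return "", nil, err
	}
	return client.Subject.CommonName, client.Subject.Organization, nil
}

func main() {
	ca, caKey := issue("constructed-cluster-ca", nil, nil, nil)
	jane, _ := issue("jane", []string{"dev"}, ca, caKey)
	fmt.Println(authenticate(ca, jane)) // accepted: signed by the cluster CA
	otherCA, otherKey := issue("constructed-other-ca", nil, nil, nil)
	forged, _ := issue("jane", []string{"dev"}, otherCA, otherKey)
	fmt.Println(authenticate(ca, forged)) // rejected: unknown authority
}
```

Because the identity is fixed inside the signed certificate, RBAC bindings should reference exactly the CN and O values that were issued.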