如何创建新的客户端证书/令牌,以便以编程方式访问GKE上托管的Kubernetes API?
[英]How to create new client certificates / tokens for programmatic access to the Kubernetes API hosted on GKE?
问题描述
I am running a Kubernetes cluster hosted on GKE and would like to write an application (written in Go) that speaks to the Kubernetes API. 
我正在运行一个托管在GKE上的Kubernetes集群,并且想编写一个与Kubernetes API对话的应用程序(用Go编写)。 My understanding is that I can either provide a client certificate, bearer token, or HTTP Basic Authentication in order to authenticate with the apiserver. 我的理解是,我可以提供客户端证书,不记名令牌或HTTP基本身份验证,以便与apiserver进行身份验证。 I have already found the right spot to inject any of these into the Golang client library . 我已经找到了将其中任何一个注入Golang客户端库的正确位置。
Unfortunately, the examples I ran across tend to reference to existing credentials stored in my personal kubeconfig file. 不幸的是,我遇到的示例倾向于引用存储在我的个人kubeconfig文件中的现有凭据。 This seems non-advisable from a security perspective and makes me believe that I should create a new client certificate / token / username-password pair in order to support easy revocation/removal of compromised accounts. 从安全角度来看,这似乎是不可取的,并且让我相信我应该创建一个新的客户端证书/令牌/用户名 - 密码对,以便支持轻松撤销/删除受感染的帐户。 However, I could not find a spot in the documentation actually describing how to go about this when running on managed Kubernetes in GKE. 但是,在GKE中运行托管Kubernetes时,我无法在文档中找到实际描述如何解决此问题的位置。 (There's this guide on creating new certificates explaining that the apiserver needs to get restarted with updated parameters eventually, something that to my understanding cannot be done in GKE.) (这是关于创建新证书的指南,解释了apiserver最终需要使用更新的参数重新启动,这在我的理解中无法在GKE中完成。)
Are my security concerns for reusing my personal Kubernetes credentials in one (or potentially multiple) applications unjustified? 我的安全问题是否在一个(或可能是多个)应用程序中重复使用我的个人Kubernetes凭据是不合理的? If not, what's the right approach to generate a new set of credentials? 如果没有,那么生成一组新凭证的正确方法是什么?
Thanks. 谢谢。
1 个解决方案
解决方案1
2 已采纳 2016-03-16 21:45:33
If your application is running inside the cluster, you can use Kubernetes Service Accounts to authenticate to the API server. 如果您的应用程序在群集内运行,则可以使用Kubernetes服务帐户对API服务器进行身份验证。
If this is outside of the cluster, things aren't as easy, and I suppose your concerns are justified. 如果这不在集群之外,事情就不那么容易了,我想你的担忧是合理的。 Right now, GKE does not allow additional custom identities beyond the one generated for your personal kubeconfig file. 目前,GKE不允许超出为您的个人kubeconfig文件生成的自定义身份。
Instead of using your credentials, you could grab a service account's token (inside a pod, read from /var/run/secrets/kubernetes.io/serviceaccount/token ), and use that instead. 您可以获取服务帐户的令牌(在pod中,从/var/run/secrets/kubernetes.io/serviceaccount/token读取),而不是使用您的凭据,而是使用它。 It's a gross hack, and not a great general solution, but it might be slightly preferable to using your own personal credentials. 这是一个严重的黑客攻击,而不是一个很好的通用解决方案,但使用您自己的个人凭据可能略胜一筹。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.