GKE 元数据服务器如何在 Workload Identity 中工作
[英]How does the GKE metadata server work in Workload Identity
问题描述
I've recently been making use of the GKE Workload Identity feature.
我最近一直在使用GKE Workload Identity功能。 I'd be interested to know in more detail how the gke-metadata-server component works.我有兴趣更详细地了解gke-metadata-server组件的工作原理。
- GCP client code (
gcloudor other language SDKs) falls through to the GCE metadata methodGCP 客户端代码( gcloud或其他语言 SDK)属于 GCE 元数据方法 - Request made to
http://metadata.google.internal/path向http://metadata.google.internal/path提出请求 - (guess) Setting
GKE_METADATA_SERVERon my node pool configures this to resolve to thegke-metadata-serverpod on that node.(猜测)在我的节点池上设置GKE_METADATA_SERVER将其配置为解析到该节点上的gke-metadata-serverpod。 - (guess) the
gke-metadata-serverpod with --privileged and host networking has a means of determining the source (pod IP?) then looking up the pod and its service account to check for theiam.gke.io/gcp-service-accountannotation.(猜想)具有 --privileged 和主机网络的gke-metadata-serverpod 具有确定源(pod IP?)然后查找 pod 及其服务帐户以检查iam.gke.io/gcp-service-account的方法iam.gke.io/gcp-service-account注释。 - (guess) the proxy calls the metadata server with the pods 'pseudo' identity set (eg
[PROJECT_ID].svc.id.goog[[K8S_NAMESPACE]/[KSA_NAME]]) to get a token for the service account annotated on its Kubernetes service account.(猜测)代理调用带有 pod '伪'身份集(例如[PROJECT_ID].svc.id.goog[[K8S_NAMESPACE]/[KSA_NAME]])的元数据服务器,以获取在其 Kubernetes 上注释的服务帐户的令牌服务帐户。 - If this account has token creator / workload ID user rights to the service account presumably the response from GCP is a success and contains a token, which is then packaged and set back to the calling pod for authenticated calls to other Google APIs.如果此帐户对服务帐户具有令牌创建者/工作负载 ID 用户权限,则可能来自 GCP 的响应是成功的并包含一个令牌,然后将其打包并设置回调用 pod,以便对其他 Google API 进行经过身份验证的调用。
I guess the main puzzle for me right now is the verification of the calling pods identity.我想我现在的主要难题是验证调用 pod 的身份。 Originally I thought this would use the TokenReview API but now I'm not sure how the Google client tools would know to use the service account token mounted into the pod...最初我认为这将使用 TokenReview API 但现在我不确定 Google 客户端工具如何知道使用挂载到 pod 中的服务帐户令牌...
Edit follow-up questions:编辑后续问题:
Q1: In between step 2 and 3, is the request to metadata.google.internal routed to the GKE metadata proxy by the setting GKE_METADATA_SERVER on the node pool? Q1:在第 2 步和第 3 步之间,对metadata.google.internal的请求是否通过在节点池上设置GKE_METADATA_SERVER路由到 GKE 元数据代理?
Q2: Why does the metadata server pod need host networking? Q2:为什么元数据服务器 pod 需要主机联网?
Q3: In the video here: https://youtu.be/s4NYEJDFc0M?t=2243 it's taken as a given that the pod makes a GCP call. Q3:在此处的视频中: https://youtu.be/s4NYEJDFc0M?t=2243假定 pod 进行了 GCP 调用。 How does the GKE metadata server identify the pod making the call to start the process? GKE 元数据服务器如何识别发出调用以启动进程的 pod?
1 个解决方案
解决方案1
18 已采纳 2019-11-04 18:50:14
Before going into details, please familiarize yourself with these components:在详细介绍之前,请先熟悉这些组件:
OIDC provider : Runs on Google's infrastructure, provides cluster specific metadata and signs authorized JWTs. OIDC 提供者:在 Google 的基础架构上运行,提供特定于集群的元数据并签署授权的 JWT。
GKE metadata server : It runs as a DaemonSet meaning one instance on every node, exposes pod specific metadata server (it will provide backwards compatibility with old client libraries), emulates existing node metadata server. GKE 元数据服务器:它作为 DaemonSet 运行,这意味着每个节点上都有一个实例,公开 pod 特定的元数据服务器(它将提供与旧客户端库的向后兼容性),模拟现有的节点元数据服务器。
Google IAM : issues access token, validates bindings, validates OIDC signatures. Google IAM :颁发访问令牌、验证绑定、验证 OIDC 签名。
Google cloud : accepts access tokens, does pretty much anything.谷歌云:接受访问令牌,几乎可以做任何事情。
JWT : JSON Web token JWT : JSON Web 令牌
mTLS : Mutual Transport Layer Security mTLS :相互传输层安全
The steps below explain how GKE metadata server components work:以下步骤说明了 GKE 元数据服务器组件的工作原理:
Step 1 : An authorized user binds the cluster to the namespace.第 1 步:授权用户将集群绑定到命名空间。
Step 2 : Workload tries to access Google Cloud service using client libraries.第 2 步:Workload 尝试使用客户端库访问 Google Cloud 服务。
Step 3 : GKE metadata server is going to request an OIDC signed JWT from the control plane.第 3 步:GKE 元数据服务器将向控制平面请求 OIDC 签名的 JWT。 That connection is authenticated using mutual TLS (mTLS) connection with node credential.该连接使用带有节点凭据的双向 TLS (mTLS) 连接进行身份验证。
Step 4 : Then the GKE metadata server is going use that OIDC signed JWT to request an access token for the [identity namespace]/[Kubernetes service account] from IAM.第 4 步:然后 GKE 元数据服务器将使用 OIDC 签名的 JWT 从 IAM 请求[identity namespace]/[Kubernetes service account]的访问令牌。 IAM is going to validate that the appropriate bindings exist on identity namespace and in the OIDC provider. IAM 将验证身份命名空间和 OIDC 提供程序中是否存在适当的绑定。
Step 5 : And then IAM validates that it was signed by the cluster's correct OIDC provider.第 5 步:然后 IAM 验证它是否由集群的正确 OIDC 提供商签名。 It will then return an access token for the [identity namespace]/[kubernetes service account].然后它将返回[identity namespace]/[kubernetes service account] 的访问令牌。
Step 6 : Then the metadata server sends the access token it just got back to IAM.第 6 步:然后元数据服务器将刚刚获得的访问令牌发送回 IAM。 IAM will then exchange that for a short lived GCP service account token after validating the appropriate bindings.然后,IAM 将在验证适当的绑定后将其交换为短暂的 GCP 服务帐户令牌。
Step 7 : Then GKE metadata server returns the GCP service account token to the workload.第 7 步:然后 GKE 元数据服务器将 GCP 服务帐户令牌返回给工作负载。
Step 8 : The workload can then use that token to make calls to any Google Cloud Service.第 8 步:然后,工作负载可以使用该令牌调用任何 Google Cloud Service。
I also found a video regarding Workload Identity which you will find useful.我还发现了一个有关 Workload Identity 的视频,您会发现它很有用。
EDIT Follow-up questions' answers:编辑后续问题的答案:
Below are answers to your follow-up questions:以下是您后续问题的答案:
Q1 : In between step 2 and 3, is the request to metadata.google.internal routed to the gke metadata proxy by the setting GKE_METADATA_SERVER on the node pool? Q1 :在第 2 步和第 3 步之间,对 metadata.google.internal 的请求是否通过在节点池上设置 GKE_METADATA_SERVER 路由到 gke 元数据代理?
You are right, GKE_METADATA_SERVER is set on the node pool.你是对的,GKE_METADATA_SERVER 设置在节点池上。 This exposes a metadata API to the workloads that is compatible with the V1 Compute Metadata APIs.这会将元数据 API 公开给与 V1 计算元数据 API 兼容的工作负载。 Once workload tries to access Google Cloud service, the GKE metadata server performs a lookup (the metadata server checks to see if a pod exists in the list whose IP matches the incoming IP of the request) before it goes on to request the OIDC token from the control plane.一旦工作负载尝试访问 Google Cloud 服务,GKE 元数据服务器会在继续从控制平面。
Keep in mind that GKE_METADATA_SERVER enumeration feature can only be enabled if Workload Identity is enabled at the cluster level.请记住,只有在集群级别启用了 Workload Identity 才能启用GKE_METADATA_SERVER枚举功能。
Q2 : Why does the metadata server pod need host networking? Q2 : 为什么元数据服务器 pod 需要主机联网?
The gke-metadata-server intercepts all GCE metadata server requests from pods, however pods using the host network are not intercepted. gke-metadata-server 拦截来自 pod 的所有 GCE 元数据服务器请求,但是不会拦截使用主机网络的 pod。
Q3 : How does the GKE metadata server identify the pod making the call to start the process? Q3 :GKE 元数据服务器如何识别调用启动进程的 pod?
The pods are identified using iptables rules.使用 iptables 规则识别 pod。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.