kubernetes生成kubeconfig原理
无论我们用kubectl还是通过sdk编程访问kubernetes,其实都是在于apiserver通讯,而这个通讯过程需要认证+鉴权。
认证+鉴权的过程,涉及到3个方面:
- 客户端确认apiserver是可信的。
- apiserver确认客户端是可信的,并对应到用户名。
- apiserver确认用户名是否有权操作对应资源。
而kubeconfig文件则是客户端使用的,用以与apiserver完成上述过程的唯一依据。
剖析kubeconfig文件
下面是我测试用kubernetes集群的kubeconfig文件:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
(base) root@debian:~/k8s# cat /etc/kubernetes/admin.conf apiVersion: v1 clusters: - cluster: certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwdGFXNXAKYTNWaVpVTkJNQjRYRFRJd01ESXdPREV5TXpJME5Wb1hEVE13TURJd05qRXlNekkwTlZvd0ZURVRNQkVHQTFVRQpBeE1LYldsdWFXdDFZbVZEUVRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDRzCllLcEY2WHVCN3dBRkRXNHNhTDNIaFJXRHo5d3ZTdFBvek9jOVFLTnRlT3dZVmtHenB4amh2RmpHUWo4c0V3TE8KcFhEVlFsTlhRa3RUSjFFOEhzVzA5VzRUWDBhWUdlTWlVUk1kbmZ5YmNCcUhaMy9MN3dIMmIyaDZJZUwvRkdpaQpsalBQQ1AwSnluL0VoNTVEa1UzRENWcndvYTVYa1p5RFhvalNJUkE3NklpOFEyTkRtNk96cTdaaUUvVzBLS3JuCjdhdFhOTXdBRnRyelEwTVlQRVZ5L1Exd3piRnY1RFZwT1BOSkVTQ21zZDZQTGcvc3ZFaG5nbEY4QjBoM0p6S24KWEk0L0FJSnR1MGxBanhkbyswd1VOaEdqaEVod25CTFhRUTZYU3NNa2I3NDhZalcxYWt4UUlqUzhYVW9jbFphZApCWGtKeDRzRm5nUlplZGNqd0hjQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUIwR0ExVWRKUVFXCk1CUUdDQ3NHQVFVRkJ3TUNCZ2dyQmdFRkJRY0RBVEFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFDS1N5czdzZUhseTVwL3JXNG82M0NyU3o3dXQ2WmVNWnJTeUd6VXlFM0ZsbHhNazJCRwptUzVhSUlIRktia2pUdFF3ZUgwcG9zbDVSRzZaM2tlWUZIMlBZS0tidGM3MS9PVSszbXFJdGJtc1lQUWFyM3FhClJHQWcvTzZ6SzIrM0xOVnMxZ2FrWXZEK3ZYOUxucXg5RGV5d29mUFhTcDUzVDFWdHJ6aHRMNDhTcW5rV3ZkZVAKZFM1NHVOUGpXK1FWOG9XdEs2U3pwRm5lNkVWL1FYZDZETUFKU0NWSCtBTVJCeW1KcnU0Zm1xSE12REt3NVBqMgptQ3NnOVBCcm4wL0QvUjhVZW9NdjM1TXNFOUpkZ0hXb1VmaitPSDBvRWVNRkFMVStab3NpU3kxYkd1eDVvSTN4ClZmMUN1T3ovMmZmOTlhTmN6em5qVGZtQXdHTjdqanZkZ0VVSgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== server: https://localhost:8443 name: kubernetes contexts: - context: cluster: kubernetes user: kubernetes-admin name: kubernetes-admin@kubernetes current-context: kubernetes-admin@kubernetes kind: Config preferences: {} users: - name: kubernetes-admin user: client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRxZ0F3SUJBZ0lJWitEQTB1elRuODR3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2JXbHVhV3QxWW1WRFFUQWVGdzB5TURBeU1EZ3hNak15TkRWYUZ3MHlNVEF5TURneE1qTTFNRGhhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTV2M2ltRWhNcVF6YytudGUKcjdwM2FZd0cvdUl1QmQrVlV0SGdDNTl3RmFqeTFyUTJ4QXhJTzA5K29iMW44c1dESDZ5enJlbFdNenRwVzZ0UApaM0JPOWxYay8vVHNzZHlKTHM4UVZjWGJCNE5paHdud1duK3RGa0U3UUtuN1dKUHBFbHRTL1JYS2N1SU11V2Q3ClVzRCtOZ3JhOUxWN2Rzd0hYV2RVL0UwUU1lMUJBbkh0eFhITWhjRlBUKzkzMEFUSEIvQjVCSW5OSFZVaWlISHAKKzY3bnhzZzIzZ3YwMkdFY0g1V0duTitORldPcGR6TnhLd3BiVVdhUGNySEJNQVFZNkV2NWVMaEYrcmdiajhaTgpreWF3OWtxem42ZWhDdFUxSTlWOG9vWUZMdWt5SVVxSk5BTy9GTkl5Si9aYy9Xak14V1lUSVlKRlBwMk5jOFNVCkJWQWhHd0lEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFITFdvZ2dwUnZDZmpFaW9OMEtPckhaRWlBMi9vN2VTUEhGSwpSZTd4OHgvbTRPTkFmdUprWGF5S0xJSlFWRThKTGxndmNYRWxudnlOSnBlOWlQZHlON1d6b3JpbjZaamxoSmRxCi9GUHVMSjdva3U2VVdtbVlyWUZmaXNHd3dZYitWQ1k4SWZ1RWxFdmZ5aEFSbytnM1g0aHBzYWlSK0xXYlAyZjQKUDNYR3U4N3V2cytuSHZtK0IyNjNJWEwzM2xzUzdMRWIzVzEvYTU1UnFxaEN0dDRhNHpYRGc2eWF5MUt5cHdYMApSRkZDQ2c1NitIKzl3d3VyNVJSQXA3dlRSUlVraVFQZTJCcGZOaittREZCbmhzcXZnRDh6WkhwSUhEZCtkUVVTCkwyeDRqTVVYbWxPS2lkR1FiVFZGTDVyY25FWU9wVTY5T0xFeE5mWFBxWjRobTJQRVNQUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBNXYzaW1FaE1xUXpjK250ZXI3cDNhWXdHL3VJdUJkK1ZVdEhnQzU5d0ZhankxclEyCnhBeElPMDkrb2IxbjhzV0RINnl6cmVsV016dHBXNnRQWjNCTzlsWGsvL1Rzc2R5SkxzOFFWY1hiQjROaWh3bncKV24rdEZrRTdRS243V0pQcEVsdFMvUlhLY3VJTXVXZDdVc0QrTmdyYTlMVjdkc3dIWFdkVS9FMFFNZTFCQW5IdAp4WEhNaGNGUFQrOTMwQVRIQi9CNUJJbk5IVlVpaUhIcCs2N254c2cyM2d2MDJHRWNINVdHbk4rTkZXT3Bkek54Ckt3cGJVV2FQY3JIQk1BUVk2RXY1ZUxoRityZ2JqOFpOa3lhdzlrcXpuNmVoQ3RVMUk5Vjhvb1lGTHVreUlVcUoKTkFPL0ZOSXlKL1pjL1dqTXhXWVRJWUpGUHAyTmM4U1VCVkFoR3dJREFRQUJBb0lCQUNQbDV2WTFuanhUZEhBMQpCaFVYVElHSnNuaWdHL2pyczJBb244SU9xRE9saXYvVkNBSFZ5cy8wM2NBekdGbUJXb3hzb1l2d2pHWHY0TUxQClQ4cktpR3IrRkZXMjhhWCttUTgrUE5LbnFnOXoycmNUMDFldEtmQWdlUjNtak5wS09sbVErY2U5UURZMGJUZlAKSGpwUkpmQ3VKVE1NbFVCMEd0em9OeXZ5cWdhb0JlaWV6SFIwY2J6TE1qRnVMM3pkbFQ0RGhrR3pFMUJBb21zdwplaE8wbkhyMHBnTkxvSEJhS0tnTjhQM3FTSjJVcWVyTjVmT0VyUG9YVCt4UWdSZnFSODUzdWI2UUpFN2xUazBzCnM2VlU2aktndDdOd3l0M2o2T0hJZnNPNk9CNVNZQ2ZvaFRFRkFRei9xMmtSNXVwNUhHYkR3VlNnU1VId3FIUjAKWFl1TkU4a0NnWUVBNjhEOWFGZ3FqdDhVcGNlSHQzY3d0bzkzMXJ3bllqQ1VOTWsxa1hqcjF6Zm5lSjVhVlpCRQpmeXRoaCtaVEc1a1gwRWFaMEl1WW9hSkJEeTBjQU5QQkxURmJNcjJUVjNqNTl5NTFaMkRLalIvUy82ZTJ2dWRPCjdWcTBNQTFHUTY5N3E2dm9IQ21IUUgvUVFlZFV3cUtrZXUzTnJkVUlxS2dXNFIrcmpjTFNXaTBDZ1lFQSt0UXoKWG8vUStjNURoZG03amJMY05KTVlWYjIwejFTMm0wSWtOWjVyRm1aN2sxaENnY3lDQ0ZtMVZxbi8weU52NFNWWQpJYnNhSkgwWWJqV0p3SE5OQWNPcnJNSmkwVGs4NndqOTFTRVQvVDNzNWpXY0h0S1lid0VGVmRPOExaQ090M0NFCk5ITFJHTnhTbGgvNUdTYTJLLzN5aHdVenFmUkJzVnBKRlNSSjNXY0NnWUVBeUtCb0J0QmhCMHpZNld1d0YzV2IKUXdFODNzVW9UdXRBZE50MmR1SU04ZzVsTWNTdzQzZnVrcnA4T1liTTJ3T2h2R0VZck56ZmUwMzFSOUQvcjhTRQo5TXkzNjZwaEpXT1NkY1JYclM0MXNYdVB1SGtsajdpUTluVG1PcTVSU1hDaE1pc05VRW9YQzlDNWpod3JpYWVYCmlmV3R2MjAzL1M5dXFRNm1rL0ZqeWRFQ2dZQnI0eXc1UjBqT3VoNm5DeEUyRUxIUTExaEhRUEx0bnZWd2NKR2MKa29oak9TOThJQ0Z6TFNEZE1LRGtKdmtIdXgxYlRUSE1TR3NsT0wxeVlncmZRWGpsQW1Ic1RDd3U3Qnk4eDhCTwpsUXpCQjRySE5sWHhtQW5DN1VCN096aWNyS29HVXhvNmFReHhVZ3NmMFo3V1o2VkI1TmdWcFhJa2J4QjJsV3dMCjhQRG9qd0tCZ0MrTWJDUTRFUEVUcEoxWnVNUmJ5c1NyR0JBRWh0OWVFRmNpakhyYU12b280Y0wvWHdHYmgzVlMKS3k5eU8rNUVSRzcvQzl0Rk9qMGpMWWh2LzlhM25MYVNUTnQvaXZFWGRWbjRHZGhQaEVkeXo5OHUwd1Z3WGFSYwpIL042dS90aEplUldJTmxubVNyb3FxWXJnMGR1QmxvZ01ZOWdXTjZldkVKVzM1NnRvOXIzCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== |
它的类型是v1/Config,分为3大板块,下面依次说明。
contexts
我们可以在kubeconfig里配置多套kubernetes集群,然后使用kubectl的时候就可以指定使用哪个环境,因此1个context就代表1个kubernetes集群。
current-context指定了默认选择的context,也就是下面这个:
|
1 2 3 4 |
- context: cluster: kubernetes user: kubernetes-admin name: kubernetes-admin@kubernetes |
这个context的名字叫做kubernetes-admin@kubernetes,对应集群是kubernetes,用户是kubernetes-admin。
那么这里的集群和用户,其实对应kubeconfig剩下的2大板块配置。
users
用户,这个kubeconfig里只有一条配置:
|
1 2 3 4 |
- name: kubernetes-admin user: client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRxZ0F3SUJBZ0lJWitEQTB1elRuODR3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2JXbHVhV3QxWW1WRFFUQWVGdzB5TURBeU1EZ3hNak15TkRWYUZ3MHlNVEF5TURneE1qTTFNRGhhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTV2M2ltRWhNcVF6YytudGUKcjdwM2FZd0cvdUl1QmQrVlV0SGdDNTl3RmFqeTFyUTJ4QXhJTzA5K29iMW44c1dESDZ5enJlbFdNenRwVzZ0UApaM0JPOWxYay8vVHNzZHlKTHM4UVZjWGJCNE5paHdud1duK3RGa0U3UUtuN1dKUHBFbHRTL1JYS2N1SU11V2Q3ClVzRCtOZ3JhOUxWN2Rzd0hYV2RVL0UwUU1lMUJBbkh0eFhITWhjRlBUKzkzMEFUSEIvQjVCSW5OSFZVaWlISHAKKzY3bnhzZzIzZ3YwMkdFY0g1V0duTitORldPcGR6TnhLd3BiVVdhUGNySEJNQVFZNkV2NWVMaEYrcmdiajhaTgpreWF3OWtxem42ZWhDdFUxSTlWOG9vWUZMdWt5SVVxSk5BTy9GTkl5Si9aYy9Xak14V1lUSVlKRlBwMk5jOFNVCkJWQWhHd0lEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFITFdvZ2dwUnZDZmpFaW9OMEtPckhaRWlBMi9vN2VTUEhGSwpSZTd4OHgvbTRPTkFmdUprWGF5S0xJSlFWRThKTGxndmNYRWxudnlOSnBlOWlQZHlON1d6b3JpbjZaamxoSmRxCi9GUHVMSjdva3U2VVdtbVlyWUZmaXNHd3dZYitWQ1k4SWZ1RWxFdmZ5aEFSbytnM1g0aHBzYWlSK0xXYlAyZjQKUDNYR3U4N3V2cytuSHZtK0IyNjNJWEwzM2xzUzdMRWIzVzEvYTU1UnFxaEN0dDRhNHpYRGc2eWF5MUt5cHdYMApSRkZDQ2c1NitIKzl3d3VyNVJSQXA3dlRSUlVraVFQZTJCcGZOaittREZCbmhzcXZnRDh6WkhwSUhEZCtkUVVTCkwyeDRqTVVYbWxPS2lkR1FiVFZGTDVyY25FWU9wVTY5T0xFeE5mWFBxWjRobTJQRVNQUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBNXYzaW1FaE1xUXpjK250ZXI3cDNhWXdHL3VJdUJkK1ZVdEhnQzU5d0ZhankxclEyCnhBeElPMDkrb2IxbjhzV0RINnl6cmVsV016dHBXNnRQWjNCTzlsWGsvL1Rzc2R5SkxzOFFWY1hiQjROaWh3bncKV24rdEZrRTdRS243V0pQcEVsdFMvUlhLY3VJTXVXZDdVc0QrTmdyYTlMVjdkc3dIWFdkVS9FMFFNZTFCQW5IdAp4WEhNaGNGUFQrOTMwQVRIQi9CNUJJbk5IVlVpaUhIcCs2N254c2cyM2d2MDJHRWNINVdHbk4rTkZXT3Bkek54Ckt3cGJVV2FQY3JIQk1BUVk2RXY1ZUxoRityZ2JqOFpOa3lhdzlrcXpuNmVoQ3RVMUk5Vjhvb1lGTHVreUlVcUoKTkFPL0ZOSXlKL1pjL1dqTXhXWVRJWUpGUHAyTmM4U1VCVkFoR3dJREFRQUJBb0lCQUNQbDV2WTFuanhUZEhBMQpCaFVYVElHSnNuaWdHL2pyczJBb244SU9xRE9saXYvVkNBSFZ5cy8wM2NBekdGbUJXb3hzb1l2d2pHWHY0TUxQClQ4cktpR3IrRkZXMjhhWCttUTgrUE5LbnFnOXoycmNUMDFldEtmQWdlUjNtak5wS09sbVErY2U5UURZMGJUZlAKSGpwUkpmQ3VKVE1NbFVCMEd0em9OeXZ5cWdhb0JlaWV6SFIwY2J6TE1qRnVMM3pkbFQ0RGhrR3pFMUJBb21zdwplaE8wbkhyMHBnTkxvSEJhS0tnTjhQM3FTSjJVcWVyTjVmT0VyUG9YVCt4UWdSZnFSODUzdWI2UUpFN2xUazBzCnM2VlU2aktndDdOd3l0M2o2T0hJZnNPNk9CNVNZQ2ZvaFRFRkFRei9xMmtSNXVwNUhHYkR3VlNnU1VId3FIUjAKWFl1TkU4a0NnWUVBNjhEOWFGZ3FqdDhVcGNlSHQzY3d0bzkzMXJ3bllqQ1VOTWsxa1hqcjF6Zm5lSjVhVlpCRQpmeXRoaCtaVEc1a1gwRWFaMEl1WW9hSkJEeTBjQU5QQkxURmJNcjJUVjNqNTl5NTFaMkRLalIvUy82ZTJ2dWRPCjdWcTBNQTFHUTY5N3E2dm9IQ21IUUgvUVFlZFV3cUtrZXUzTnJkVUlxS2dXNFIrcmpjTFNXaTBDZ1lFQSt0UXoKWG8vUStjNURoZG03amJMY05KTVlWYjIwejFTMm0wSWtOWjVyRm1aN2sxaENnY3lDQ0ZtMVZxbi8weU52NFNWWQpJYnNhSkgwWWJqV0p3SE5OQWNPcnJNSmkwVGs4NndqOTFTRVQvVDNzNWpXY0h0S1lid0VGVmRPOExaQ090M0NFCk5ITFJHTnhTbGgvNUdTYTJLLzN5aHdVenFmUkJzVnBKRlNSSjNXY0NnWUVBeUtCb0J0QmhCMHpZNld1d0YzV2IKUXdFODNzVW9UdXRBZE50MmR1SU04ZzVsTWNTdzQzZnVrcnA4T1liTTJ3T2h2R0VZck56ZmUwMzFSOUQvcjhTRQo5TXkzNjZwaEpXT1NkY1JYclM0MXNYdVB1SGtsajdpUTluVG1PcTVSU1hDaE1pc05VRW9YQzlDNWpod3JpYWVYCmlmV3R2MjAzL1M5dXFRNm1rL0ZqeWRFQ2dZQnI0eXc1UjBqT3VoNm5DeEUyRUxIUTExaEhRUEx0bnZWd2NKR2MKa29oak9TOThJQ0Z6TFNEZE1LRGtKdmtIdXgxYlRUSE1TR3NsT0wxeVlncmZRWGpsQW1Ic1RDd3U3Qnk4eDhCTwpsUXpCQjRySE5sWHhtQW5DN1VCN096aWNyS29HVXhvNmFReHhVZ3NmMFo3V1o2VkI1TmdWcFhJa2J4QjJsV3dMCjhQRG9qd0tCZ0MrTWJDUTRFUEVUcEoxWnVNUmJ5c1NyR0JBRWh0OWVFRmNpakhyYU12b280Y0wvWHdHYmgzVlMKS3k5eU8rNUVSRzcvQzl0Rk9qMGpMWWh2LzlhM25MYVNUTnQvaXZFWGRWbjRHZGhQaEVkeXo5OHUwd1Z3WGFSYwpIL042dS90aEplUldJTmxubVNyb3FxWXJnMGR1QmxvZ01ZOWdXTjZldkVKVzM1NnRvOXIzCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== |
大家要注意,这个name仅仅是一个标识,并不代表kubernetes集群中的用户。
真正的用户身份是谁呢?其实秘密藏在client-certificate-data和client-key-data中,前者是kubernetes签发的客户端证书(里面记录着真正的用户名),后者是客户端私钥。
客户端调用apiserver时提交自己的证书给apiserver,那么apiserver将用自己的CA验证客户端证书是否有效,一旦确认有效则完成”认证”,apiserver也就知道了客户端的username。
实际上,kubernetes集群搭建的时候,会生成一个CA,给所有其他组件签发证书,这样客户端的身份安全性就可以得到检验。
具体怎么用openssl生成RSA公私钥,并使用kubernetes的CA签发证书,大家参考这个链接即可:https://zhuanlan.zhihu.com/p/43237959。
至于username到底能不能操作对应资源,那是serviceaccount以及role/rolebinding做的事情了,大家只需要在kubernetes中做好配置即可。
clusters
users中的配置是为了认证客户端身份,而clusters板块的配置则为了验证服务端身份。
这里只配置了1个cluster:
|
1 2 3 4 |
- cluster: certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwdGFXNXAKYTNWaVpVTkJNQjRYRFRJd01ESXdPREV5TXpJME5Wb1hEVE13TURJd05qRXlNekkwTlZvd0ZURVRNQkVHQTFVRQpBeE1LYldsdWFXdDFZbVZEUVRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDRzCllLcEY2WHVCN3dBRkRXNHNhTDNIaFJXRHo5d3ZTdFBvek9jOVFLTnRlT3dZVmtHenB4amh2RmpHUWo4c0V3TE8KcFhEVlFsTlhRa3RUSjFFOEhzVzA5VzRUWDBhWUdlTWlVUk1kbmZ5YmNCcUhaMy9MN3dIMmIyaDZJZUwvRkdpaQpsalBQQ1AwSnluL0VoNTVEa1UzRENWcndvYTVYa1p5RFhvalNJUkE3NklpOFEyTkRtNk96cTdaaUUvVzBLS3JuCjdhdFhOTXdBRnRyelEwTVlQRVZ5L1Exd3piRnY1RFZwT1BOSkVTQ21zZDZQTGcvc3ZFaG5nbEY4QjBoM0p6S24KWEk0L0FJSnR1MGxBanhkbyswd1VOaEdqaEVod25CTFhRUTZYU3NNa2I3NDhZalcxYWt4UUlqUzhYVW9jbFphZApCWGtKeDRzRm5nUlplZGNqd0hjQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUIwR0ExVWRKUVFXCk1CUUdDQ3NHQVFVRkJ3TUNCZ2dyQmdFRkJRY0RBVEFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFDS1N5czdzZUhseTVwL3JXNG82M0NyU3o3dXQ2WmVNWnJTeUd6VXlFM0ZsbHhNazJCRwptUzVhSUlIRktia2pUdFF3ZUgwcG9zbDVSRzZaM2tlWUZIMlBZS0tidGM3MS9PVSszbXFJdGJtc1lQUWFyM3FhClJHQWcvTzZ6SzIrM0xOVnMxZ2FrWXZEK3ZYOUxucXg5RGV5d29mUFhTcDUzVDFWdHJ6aHRMNDhTcW5rV3ZkZVAKZFM1NHVOUGpXK1FWOG9XdEs2U3pwRm5lNkVWL1FYZDZETUFKU0NWSCtBTVJCeW1KcnU0Zm1xSE12REt3NVBqMgptQ3NnOVBCcm4wL0QvUjhVZW9NdjM1TXNFOUpkZ0hXb1VmaitPSDBvRWVNRkFMVStab3NpU3kxYkd1eDVvSTN4ClZmMUN1T3ovMmZmOTlhTmN6em5qVGZtQXdHTjdqanZkZ0VVSgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== server: https://localhost:8443 name: kubernetes |
name仅仅是kubeconfig文件内的集群标识,用在context配置里面。
server指定了apiserver的访问地址,它通常是一个负载均衡地址,因为kubenetes master是分布式部署的。
certificate-authority-data是kubernetes的CA证书自身(注意:CA密钥不会公开),这样TLS握手的时候客户端可以判断出服务端是否合法(服务端CA密钥加密,客户端CA证书解密)。
其实user部分除了CA客户端证书认证的方式之外还支持bearer token或者basic auth的认证方式,但是据我了解python sdk仅支持user采用CA客户端证书进行身份验证,所以大家需要注意kubeconfig里面到底采用了什么认证方式。
如果文章帮助您解决了工作难题,您可以帮我点击屏幕上的任意广告,或者赞助少量费用来支持我的持续创作,谢谢~
