
十六、kubernetes之安全實驗案例

實驗環境見:https://www.cnblogs.com/yaokaka/p/15335719.html

實驗案例

1、kubernetes對普通使用者授權

RBAC是基於角色的訪問控制

建立一個kaka使用者來管理namespace=dev的dashboard賬戶

第一步:在指定namespace建立賬戶kaka

root@k8s-master01:/apps/k8s-yaml/auth-case# kubectl create namespace dev
namespace/dev created

root@k8s-master01:/apps/k8s-yaml/auth-case# kubectl create serviceaccount kaka -n dev
serviceaccount/kaka created

第二步:建立kaka-role規則

root@k8s-master01:/apps/k8s-yaml/auth-case# kubectl api-resources 
NAME                              SHORTNAMES   APIVERSION                             NAMESPACED   KIND
bindings                                       v1                                     true         Binding
componentstatuses                 cs           v1                                     
false ComponentStatus configmaps cm v1 true ConfigMap endpoints ep v1 true Endpoints events ev v1
true Event limitranges limits v1 true LimitRange namespaces ns v1 false Namespace nodes no v1 false Node persistentvolumeclaims pvc v1 true PersistentVolumeClaim persistentvolumes pv v1 false PersistentVolume pods po v1 true Pod podtemplates v1 true PodTemplate replicationcontrollers rc v1 true ReplicationController resourcequotas quota v1 true ResourceQuota secrets v1 true Secret serviceaccounts sa v1 true ServiceAccount services svc v1 true Service mutatingwebhookconfigurations admissionregistration.k8s.io/v1 false MutatingWebhookConfiguration validatingwebhookconfigurations admissionregistration.k8s.io/v1 false ValidatingWebhookConfiguration customresourcedefinitions crd,crds apiextensions.k8s.io/v1 false CustomResourceDefinition apiservices apiregistration.k8s.io/v1 false APIService controllerrevisions apps/v1 true ControllerRevision daemonsets ds apps/v1 true DaemonSet deployments deploy apps/v1 true Deployment replicasets rs apps/v1 true ReplicaSet statefulsets sts apps/v1 true StatefulSet tokenreviews authentication.k8s.io/v1 false TokenReview localsubjectaccessreviews authorization.k8s.io/v1 true LocalSubjectAccessReview selfsubjectaccessreviews authorization.k8s.io/v1 false SelfSubjectAccessReview selfsubjectrulesreviews authorization.k8s.io/v1 false SelfSubjectRulesReview subjectaccessreviews authorization.k8s.io/v1 false SubjectAccessReview horizontalpodautoscalers hpa autoscaling/v1 true HorizontalPodAutoscaler cronjobs cj batch/v1 true CronJob jobs batch/v1 true Job certificatesigningrequests csr certificates.k8s.io/v1 false CertificateSigningRequest leases coordination.k8s.io/v1 true Lease endpointslices discovery.k8s.io/v1 true EndpointSlice events ev events.k8s.io/v1 true Event ingresses ing extensions/v1beta1 true Ingress flowschemas flowcontrol.apiserver.k8s.io/v1beta1 false FlowSchema prioritylevelconfigurations flowcontrol.apiserver.k8s.io/v1beta1 false PriorityLevelConfiguration nodes metrics.k8s.io/v1beta1 false NodeMetrics pods 
metrics.k8s.io/v1beta1 true PodMetrics ingressclasses networking.k8s.io/v1 false IngressClass ingresses ing networking.k8s.io/v1 true Ingress networkpolicies netpol networking.k8s.io/v1 true NetworkPolicy runtimeclasses node.k8s.io/v1 false RuntimeClass poddisruptionbudgets pdb policy/v1 true PodDisruptionBudget podsecuritypolicies psp policy/v1beta1 false PodSecurityPolicy clusterrolebindings rbac.authorization.k8s.io/v1 false ClusterRoleBinding clusterroles rbac.authorization.k8s.io/v1 false ClusterRole rolebindings rbac.authorization.k8s.io/v1 true RoleBinding roles rbac.authorization.k8s.io/v1 true Role priorityclasses pc scheduling.k8s.io/v1 false PriorityClass csidrivers storage.k8s.io/v1 false CSIDriver csinodes storage.k8s.io/v1 false CSINode csistoragecapacities storage.k8s.io/v1beta1 true CSIStorageCapacity storageclasses sc storage.k8s.io/v1 false StorageClass volumeattachments storage.k8s.io/v1 false VolumeAttachment

kaka-role.yaml

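# Role for the "kaka" ServiceAccount, scoped to namespace "dev".
# '>' (not '>>') so re-running this step overwrites the manifest instead of
# appending a second copy, which would make the file invalid YAML.
# The delimiter is quoted because the manifest contains no shell expansions
# and must be written literally.
cat > kaka-role.yaml << 'EOF'
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: kaka-role
rules:
- apiGroups: ["*"]  # API groups, not versions; pods live in the core group (""), and "*" also matches pods in other groups such as metrics.k8s.io -- use [""] to limit this rule to core pods
  resources: ["pods","pods/exec"]  # pods/exec allows running commands inside any pod in the namespace; grant it deliberately
  verbs: ["*"]  # every verb on the resources above
  ##RO-Role
  #verbs: ["get", "watch", "list"]
- apiGroups: ["extensions", "apps"]  # group names only; "apps/v1" is a group/version string and matches no resource
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  ##RO-Role
  #verbs: ["get", "watch", "list"]
EOF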

root@k8s-master01:/apps/k8s-yaml/auth-case# kubectl apply -f kaka-role.yaml 
role.rbac.authorization.k8s.io/kaka-role created

第三步:將規則與賬戶進行繫結

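# Bind kaka-role to the "kaka" ServiceAccount in namespace "dev".
# '>' (not '>>') so re-running this step overwrites the manifest instead of
# appending a duplicate document.
cat > kaka-role-bind.yaml << 'EOF'
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-bind-kaka
  namespace: dev
subjects:
- kind: ServiceAccount  # only the ServiceAccount is bound; a client-certificate identity would need its own "kind: User" subject
  name: kaka
  namespace: dev
roleRef:
  kind: Role  # a namespaced Role, so the grant cannot reach outside "dev"
  name: kaka-role
  apiGroup: rbac.authorization.k8s.io
EOF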

root@k8s-master01:/apps/k8s-yaml/auth-case# kubectl apply -f kaka-role-bind.yaml 
rolebinding.rbac.authorization.k8s.io/role-bind-kaka created

第四步:獲取token名稱

root@k8s-master01:/apps/k8s-yaml/auth-case# kubectl get secrets -n dev | grep kaka
kaka-token-mpbwh      kubernetes.io/service-account-token   3      17m


#root@k8s-master01:/apps/k8s-yaml/auth-case# kubectl get secret kaka-token-mpbwh -o jsonpath={.data.token} -n dev |base64 -d
root@k8s-master01:/apps/k8s-yaml/auth-case# kubectl describe secrets kaka-token-mpbwh -n dev
Name:         kaka-token-mpbwh
Namespace:    dev
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: kaka
              kubernetes.io/service-account.uid: 632d6a30-aa82-4145-9504-f0343f6a71f4

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1350 bytes
namespace:  3 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6InYyWDRVcktKczh1WVJBWUlXcWFZQVdWV1l4a2FwMXRGRURrMGV2RUxmaUUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZXYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoia2FrYS10b2tlbi1tcGJ3aCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrYWthIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNjMyZDZhMzAtYWE4Mi00MTQ1LTk1MDQtZjAzNDNmNmE3MWY0Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRldjprYWthIn0.AL3k4uILRID6eF3Fp2UVrYT7CpaGxX97kJVJeggZdOyqnawTRpg5fmvGkdjm7TmtoKqhzAFYY5cjKe9YD_m8MxXW1YT7-4sFGuuAjLGzHEKcR3kctzUttOSu0SExHEFGAlsciOvq_TfruAoV4k1vG_5TbN9_BJ6bJTppQ8lI4zjToXM3asmGh_OM-wrV97p-YGSBnWnNQqZ6Mz3Vsw4gTwz7Y1z3q9v5FSByWRnSyoZJZaqI9TaBc3jAJg0DHJ4VFPvO8kdWv9_2eqwQ-VGGcdxCK3VDbtIIs98fj_G_G3Vw6zu4EcNV5BLXYX3Lb8rtiJnvml_GkUmoI_5DF7QOCg

第五步:使用token登入dashboard(此 token 是 ServiceAccount 的長期 bearer token,沒有過期時間;持有者即擁有 kaka-role 的全部權限,若外洩需刪除對應的 secret 使其失效)

原因是kaka使用者無獲取pods/exec的許可權

2、kubernetes對普通使用者的認證

基於 kubeconfig 檔案登入

第六步到第八步在kubernetes的kubeasz部署機上操作,本實驗為172.168.33.201

第九步及其之後是在k8s-master01上操作,本實驗為172.168.33.207

第六步:建立csr檔案

root@harbor:/apps/certs# pwd
/apps/certs

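# CSR for the client certificate of user "kaka" (run on the deploy host, in /apps/certs).
# Kubernetes takes the username from the certificate's CN and the group from O,
# so CN must be the account name rather than a placeholder such as "China".
# Note: role-bind-kaka binds a ServiceAccount, not a User; a certificate identity
# only receives permissions once a subject of kind "User" is bound to a role.
# '>' (not '>>') so re-running this step does not produce concatenated JSON.
cat > kaka-csr.json << 'EOF'
{
  "CN": "kaka",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF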

第七步:使用cfssl簽發證書

#安裝cfssl命令
root@harbor:/etc/kubeasz# apt install golang-cfssl -y
#生成證書
root@harbor:/etc/kubeasz# cfssl gencert -ca=/etc/kubeasz/clusters/k8s-ywx/ssl/ca.pem  -ca-key=/etc/kubeasz/clusters/k8s-ywx/ssl/ca-key.pem -config=/etc/kubeasz/clusters/k8s-ywx/ssl/ca-config.json -profile=kubernetes kaka-csr.json | cfssljson -bare  kaka

root@harbor:/apps/certs# ls
kaka-csr.json  kaka-key.pem  kaka.csr  kaka.pem

第八步:將kaka的證書拷貝到k8s-master節點

root@harbor:/apps/certs# scp -r ./* 172.168.33.207:/etc/kubernetes/ssl/
kaka-csr.json                                                              100%  218   230.1KB/s   00:00    
kaka-key.pem                                                               100% 1679     2.8MB/s   00:00    
kaka.csr                                                                   100%  993     1.2MB/s   00:00    
kaka.pem                                                                   100% 1383     2.3MB/s   00:00 

第九步:生成普通使用者kaka的kubeconfig檔案

root@k8s-master01:/etc/kubernetes/ssl# kubectl config set-cluster k8s-ywx --certificate-authority=/etc/kubernetes/ssl/ca.pem --embed-certs=true --server=https://172.168.33.50:6443 --kubeconfig=kaka.kubeconfig 
#--embed-certs=true 表示把 CA 憑證內容直接嵌入 kubeconfig,而不是只記錄檔案路徑,因此產生的 kubeconfig 可以單獨拷貝到其他機器使用

第十步:設定客戶端認證引數

root@k8s-master01:/etc/kubernetes/ssl# kubectl config set-credentials kaka \
--client-certificate=/etc/kubernetes/ssl/kaka.pem \
--client-key=/etc/kubernetes/ssl/kaka-key.pem \
--embed-certs=true \
--kubeconfig=kaka.kubeconfig

第十一步:設定上下文引數(多叢集使用上下文區分)

https://kubernetes.io/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/

root@k8s-master01:/etc/kubernetes/ssl# kubectl config set-context k8s-ywx \
--cluster=k8s-ywx \
--user=kaka \
--namespace=dev \
--kubeconfig=kaka.kubeconfig

第十二步:設定預設上下文

root@k8s-master01:/etc/kubernetes/ssl# kubectl config use-context k8s-ywx --kubeconfig=kaka.kubeconfig

第十三步:將第四步中獲取的token值寫入kaka.kubeconfig的最後(此檔案同時包含 kaka 的私鑰與長期有效的 ServiceAccount token,請以 chmod 600 限制讀取權限並妥善保管,不要提交到版本庫)

root@k8s-master01:/etc/kubernetes/ssl# vim kaka.kubeconfig 

  name: k8s-ywx
contexts:
- context:
    cluster: k8s-ywx
    namespace: dev
    user: kaka
  name: k8s-ywx
current-context: k8s-ywx
kind: Config
preferences: {}
users:
- name: kaka
  user:
    client-certificate-data: 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
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBekZTd0VXTkszd3hKMkc3ZXpUZVFwQnJxbElRQjRSY1hRNlNsSFpTc0Q4c0RIbnhLClFzMEY5cURWeVk2TmF3SkRndU1HV2w5MzYyUmVZQ3drK2VhNG5tTEFydFdMRnRpRURjWUl3N3UycGV1RGZOQ0cKTGlXRWpsdkdQWFU5SEI4UEZuQklkK1oyRi9QYmprRGpORlEyU0NrRmwraDEwYjNOVjNWYUZkTnYzcndxT3Jxcgp5T0Q2a0t3cCswV3h3aEZVMTlDZ01CMUFXOFBYZE5hWURKaVdIMGtOVWp4VGVScDRyRHlSU3JNcmszRzlzVFpECkUxUnhQL3JWSHViczFKYUM0aEhCUG9RcStRSWdlenlTSzZaZlBUVVZ3WHJVZXdKeitPMVB1UFVmWHduZUlXdnAKTW9UTzE5NFFlNlNPWitPRnJ6dmJLWXc1OTdESFdFOUhNUldBblFJREFRQUJBb0lCQVFDaGxHSzdEVXJhd1V2dwpGQlNxTWNOMmtqWm9oVTg3SVZoclRGcXAzclNGdEtOZHl5bXFVNWpnbytVTGcyZi9kQVhSRGhnckJRMitubHNuCk1DRjVZT01qbExJTVQ1K3l6RHI0N1Y1bThoMEliZ3BIZkZwdlNZbmVUV0toblFGYktKQjB6UXZ4ak5SY01xR3YKaDA1a1JpZTZ2bjNHMTdPN3paMEJDVExZeVovUWdJL0p3RUVGLzAzU3d2ZllPSDNtYlZiRG9vajY4bVVBUXJQSQorV1RsTlJGUVB3eTZrd0dTOEUxZXVMUTRMRVY0NC9MRDRJUGJUcmdPUmV0VmpZNFNsa0Q2TUlzQnprVUZYZ3VsCkR1cGNVcXZSbkkrdUFVUjZpcEhFam1yd3drSElySkh6UUJOZ0grNnBUU2VQVVdGL2JSUWN6blFmdVdmMDZaZDIKOVBBS3NTNmRBb0dCQU5xb3VZcjZ0OTA1NkJVZDBSclVCS0xvK2V2MkhGaHloaGJYQ3hHWDE2RXFKZm44bm5sTwpDNml3UWF5WlpiNTdGemJXZGdxSEhPaTJOWmpHUk1jMURmTkdOenI5aG9LRzhEMGhxMW1uTktXRzdMK2h1U0tCCjh2VEMzeU1ENVJLV0swdGplWDl4aFlZTDJNbWtQZ3NlTS8yZDVMcWMyMnZBYUczRnlLQlZScTFIQW9HQkFPODUKa0ZUSTJBZkJ6aXVhQUl6cTRjN0FWYm15aDhlZDlpNU1raFVEU3o4RVZ2RklNUnFkNHdLMXdJQmM2UUQ0SHJmMAp1M2hmM1k0T1REMWNpVXJRUUltUGQ1c2ZWSktvaWlVaG9KaVMxK003MkdMMFlGMnEvNHBIeUhWTG1WNzJPK0JLCmppMjB0ZTBKTWR6M2FqazFSYUJwUVJ4NmR5a3FCWkYyWGlHbGg0VDdBb0dBYnVTRS9PUDhYWGpocDl2d1VZL1gKTGh2RHJCU3IrWHRUWDcvOXdCVm02VGhyL0NWTzVheGNJMWdJWnBXQlVTSXgrc0MzS3MydExxUkIrRklOVFk0dApuZ1F0UElDWk9CZGhQVStYRENmTmZtazRKbFBKaGFPcjZNL3Z4RjFVVHFIVUlTNjR6cFp2SmpWWjQ2R2xTWlF1CnY5L1V3WU9Oa0U4TFp5aVlnQi9mY1Q4Q2dZQmdHbWY1SjVaaHgySGo4a0kyV2tYTW9VZlBDZ0d5RjZ0R2ZreFIKVkxsdDMzaHVCZXAwSHVtTHRTaFlhUHJTQU51V1d5TFZBTzRvbTJYVllNOW0xcktXa0tRa0ZUb01rTml1Z2d2YQpQMk9yVGVkb0dYUjlMS3pzQ0ZwbmhLOWdqdHNQQitTR1NBcXQ1dnU1SVV2ekg0dVJIYmVpa1RBOXdUdnJhL24wCjJtTE84UUtCZ1FESnU2S290SjdLWmp
Hbmx4Q1FYdVBMZlRQN0FNbko0NDQyR0JJVTVETHhhUkt2dkV5dTErQWkKUFRSMmJSQUN1MDVqRlNZT2JvTVdqSFBxYUFMUUo5N1JvTmtXNmJ4c1o0eGlVdEt6WXhNQ2dqQW42OXZldFNSdQpaRUgydy96Q25YNFdIeFFxNWhvY2QrUXpWcmQrREJXM0NVZnZNWkJwcFloMFRBQUF2em9sVVE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6InYyWDRVcktKczh1WVJBWUlXcWFZQVdWV1l4a2FwMXRGRURrMGV2RUxmaUUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZXYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoia2FrYS10b2tlbi1tcGJ3aCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrYWthIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNjMyZDZhMzAtYWE4Mi00MTQ1LTk1MDQtZjAzNDNmNmE3MWY0Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRldjprYWthIn0.AL3k4uILRID6eF3Fp2UVrYT7CpaGxX97kJVJeggZdOyqnawTRpg5fmvGkdjm7TmtoKqhzAFYY5cjKe9YD_m8MxXW1YT7-4sFGuuAjLGzHEKcR3kctzUttOSu0SExHEFGAlsciOvq_TfruAoV4k1vG_5TbN9_BJ6bJTppQ8lI4zjToXM3asmGh_OM-wrV97p-YGSBnWnNQqZ6Mz3Vsw4gTwz7Y1z3q9v5FSByWRnSyoZJZaqI9TaBc3jAJg0DHJ4VFPvO8kdWv9_2eqwQ-VGGcdxCK3VDbtIIs98fj_G_G3Vw6zu4EcNV5BLXYX3Lb8rtiJnvml_GkUmoI_5DF7QOCg

第十四步:使用kaka.kubeconfig登入dashboard並測試

I have a dream so I study hard!!!