Creating a minikube token

2024. 2. 18. 23:03 k8s

bootstrap token

https://kubernetes.io/ko/docs/reference/access-authn-authz/bootstrap-tokens/

 

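Authenticating with Bootstrap Tokens

Feature state: Kubernetes v1.18 [stable] Bootstrap tokens are a simple bearer token used when creating a new cluster or joining new nodes to an existing cluster. They were built to support kubeadm, but without kubeadm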

kubernetes.io

# list tokens
kubeadm token list

# create a token
kubeadm token create

# create a token with an extra group
kubeadm token create --groups system:bootstrappers:xxx

# create a token with a TTL and an extra group
kubeadm token create --ttl 1h --groups system:bootstrappers:test2

# list tokens
kubeadm token list
------------------
TOKEN                     TTL         EXPIRES                USAGES                   DESCRIPTION  EXTRA GROUPS
test12.abcdefg123456789   1h         2024-02-19T13:29:40Z   authentication,signing   <none>       system:bootstrappers:test2
------------------

# check the secret
kubectl get secret -A
-------------------------
NAMESPACE       NAME                      TYPE                                  DATA   AGE
kube-system     bootstrap-token-test12    bootstrap.kubernetes.io/token         6      11m
-------------------------

kubectl get secret bootstrap-token-test12 -n kube-system
-------------------------
NAME                     TYPE                            DATA   AGE
bootstrap-token-test12  bootstrap.kubernetes.io/token   6      17m
-------------------------

kubectl get secret  bootstrap-token-test12 -o yaml -n kube-system
-------------------------
apiVersion: v1
data:
  auth-extra-groups: xxx
  expiration: xxx
  token-id: xxx
  token-secret: xxx
  usage-bootstrap-authentication: xxx
  usage-bootstrap-signing: xxx
kind: Secret
metadata:
  creationTimestamp: "2024-02-25T07:47:08Z"
  name: bootstrap-token-test12
  namespace: kube-system
  resourceVersion: "2316542"
  uid: xxx
type: bootstrap.kubernetes.io/token
-------------------------

# check the group stored in the secret
kubectl get secret bootstrap-token-test12 -n kube-system -o jsonpath='{.data.auth-extra-groups}' | base64 -d
-------------------------
system:bootstrappers:test2
-------------------------

# ClusterRoleBinding
vi ClusterRoleBinding.yaml
---------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: temp-role-binding
subjects:
- kind: Group
  name: system:bootstrappers:test2
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---------------------------

kubectl apply -f ClusterRoleBinding.yaml
kubectl describe clusterrolebinding temp-role-binding
---------------------------
Name:         temp-role-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name                                Namespace
  ----   ----                                ---------
  Group  system:bootstrappers:default:test1
---------------------------
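
An added example, not part of the original post: a Python audit over the output of `kubectl get secret -n kube-system -o json` and `kubectl get clusterrolebinding -o json` that reports which bootstrap tokens can still authenticate and which ClusterRoles their groups are bound to. The JSON is constructed from the values used in this post; the function name `audit` and the `risky` flag are assumptions of this example.

```python
import base64, json
from datetime import datetime, timezone

# Constructed sample input (not from a real cluster), shaped like
# `kubectl get secret -n kube-system -o json` and
# `kubectl get clusterrolebinding -o json`.
def _b64(s): return base64.b64encode(s.encode()).decode()

SECRETS = {"items": [{
    "type": "bootstrap.kubernetes.io/token",
    "metadata": {"name": "bootstrap-token-test12", "namespace": "kube-system"},
    "data": {"token-id": _b64("test12"),
             "expiration": _b64("2024-02-19T13:29:40Z"),
             "usage-bootstrap-authentication": _b64("true"),
             "auth-extra-groups": _b64("system:bootstrappers:test2")}}]}
BINDINGS = {"items": [{
    "metadata": {"name": "temp-role-binding"},
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "Group", "name": "system:bootstrappers:test2"}]}]}

def audit(secrets, bindings, now):
    """Return one finding per bootstrap token usable for API authentication."""
    findings = []
    for s in secrets["items"]:
        if s.get("type") != "bootstrap.kubernetes.io/token":
            continue
        d = {k: base64.b64decode(v).decode() for k, v in s.get("data", {}).items()}
        if d.get("usage-bootstrap-authentication") != "true":
            continue  # token cannot be used as a bearer token
        # Every bootstrap token is in system:bootstrappers plus its extra groups.
        groups = {"system:bootstrappers"}
        groups.update(g for g in d.get("auth-extra-groups", "").split(",") if g)
        exp = d.get("expiration")  # absent means the token never expires
        expired = bool(exp) and datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now
        roles = sorted({b["roleRef"]["name"] for b in bindings["items"]
                        for sub in b.get("subjects") or []
                        if sub.get("kind") == "Group" and sub.get("name") in groups})
        findings.append({"token_id": d.get("token-id"), "groups": sorted(groups),
                         "expiration": exp, "expired": expired, "roles": roles,
                         "risky": not expired and "cluster-admin" in roles})
    return findings

if __name__ == "__main__":
    now = datetime(2024, 2, 19, 13, 0, tzinfo=timezone.utc)  # constructed clock
    for f in audit(SECRETS, BINDINGS, now):
        print(json.dumps(f))
```
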

curl access test

# call the API with curl
curl --cacert ./.minikube/ca.crt 'https://{minikube proxy IP}:8443/api/v1/namespaces/sample/pods?limit=500' -H 'Authorization: Bearer test12.abcdefg123456789'

kubectl access test

# configuration
vi ./.kube/config
------------------------------
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /home/barisein/.minikube/ca.crt
    extensions:
    - extension:
        last-update: Tue, 06 Feb 2024 18:43:22 KST
        provider: minikube.sigs.k8s.io
        version: v1.32.0
      name: cluster_info
    server: https://192.168.49.2:8443
  name: minikube
- cluster:
    certificate-authority: /home/barisein/.minikube/ca.crt
    server: https://{minikube proxy IP}:8443
  name: proxy
contexts:
- context:
    cluster: minikube
    extensions:
    - extension:
        last-update: Tue, 06 Feb 2024 18:43:22 KST
        provider: minikube.sigs.k8s.io
        version: v1.32.0
      name: context_info
    namespace: default
    user: minikube
  name: minikube
- context:
    cluster: proxy
    namespace: default
    user: test
  name: test
current-context: test
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: {install path}/.minikube/profiles/minikube/new/server.crt
    client-key: {install path}/.minikube/profiles/minikube/new/server.key
- name: test
  user:
    token: test12.abcdefg123456789
------------------------------

# run the commands
kubectl config use-context test
kubectl get pods -A

Switching from the ca.crt file to inline data

# check ca.crt in the secret
kubectl get secret test-secret -o yaml
----------------------------------
apiVersion: v1
data:
  ca.crt: xxx-xxx
  token: xxx
kind: Secret
----------------------------------

# edit the config
vi ./.kube/config
-----------------------------
- cluster:
    certificate-authority-data: xxx-xxx
    server: https://{minikube proxy IP}:8443
  name: proxy
-----------------------------
