Creating a minikube ServiceAccount

2024. 2. 21. 00:50 k8s

https://devocean.sk.com/blog/techBoardDetail.do?ID=165215&boardType=techBlog
Controlling user permissions with RBAC and Service Accounts (devocean.sk.com)

Creating the ServiceAccount

# Create the ServiceAccount
kubectl create serviceaccount test -n {namespace}

# Create the ServiceAccount token
# The ServiceAccount and the namespace must match
vi secret.yaml
-----------------------
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
  namespace: {namespace}
  annotations:
    kubernetes.io/service-account.name: test
type: kubernetes.io/service-account-token
-----------------------

Creating the Role

# Create the yaml file
vi role.yaml
-----------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-role
  namespace: default
rules:
- apiGroups: ["", "*"]
  resources: ["*"]
  verbs: ["*"]
-----------------------

# Create the role
kubectl apply -f role.yaml

# Inspect the role
kubectl describe role test-role
-----------------------
Name:         test-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
  *          []                 []              [*]
-----------------------

Creating the RoleBinding

# Create the yaml file
vi rolebinding.yaml
----------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: temp-role-binding
subjects:
- kind: ServiceAccount
  name: test
roleRef:
  kind: Role
  name: test-role
  apiGroup: rbac.authorization.k8s.io
----------------------

# Create the rolebinding
kubectl apply -f rolebinding.yaml

# Inspect the rolebinding
kubectl get rolebinding -A
kubectl describe rolebinding temp-role-binding
----------------------
Name:         temp-role-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  test-role
Subjects:
  Kind            Name  Namespace
  ----            ----  ---------
  ServiceAccount  test
----------------------

Connecting via curl

# Retrieve the token
kubectl get secret test-secret -o jsonpath='{.data.token}' | base64 -d
# or
kubectl describe secret test-secret
------------------------------
Name:         test-secret
Namespace:    default
Labels:       kubernetes.io/legacy-token-last-used=2024-02-20
Annotations:  kubernetes.io/service-account.name: test
              kubernetes.io/service-account.uid: 34541fdb-f416-407b-b9c0-1f0b9d4b0f03

Type:  kubernetes.io/service-account-token

Data
====
token:      {Token}
ca.crt:     1111 bytes
namespace:  7 bytes
------------------------------

# When using a ServiceAccount, no client certificate is needed
curl --cacert ca.crt  https://{minikube PC IP}:8443/api/v1/namespaces/default/pods?limit=500 -H 'Authorization: Bearer {Token}'
------------------------------
{
  "kind": "PodList",
  "apiVersion": "v1",
  "metadata": {
    "resourceVersion": "1940465"
  },
  "items": []
}
------------------------------

Creating the ClusterRoleBinding

# Create the yaml file
vi rolebinding.yaml
----------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: temp-role-binding
subjects:
- kind: ServiceAccount
  name: test
  # Not created if namespace is omitted
  namespace: default
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: test-role
  apiGroup: rbac.authorization.k8s.io
----------------------

# Create the rolebinding
kubectl apply -f rolebinding.yaml

# Inspect the rolebinding
kubectl get rolebinding -A
kubectl describe rolebinding temp-role-binding
----------------------
Name:         temp-role-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  test-role
Subjects:
  Kind            Name  Namespace
  ----            ----  ---------
  ServiceAccount  test
----------------------

Connecting via curl: same method as with the RoleBinding

Connecting with kubectl

# Check the ca.crt data
# '.' is a special character in jsonpath, so it must be escaped with '\'
kubectl get secret test-secret -o jsonpath='{.data.ca\.crt}'

# Check the token
# See above for how to retrieve the test-secret token

# Edit the config
vi {account home}/.kube/config
----------------------------
apiVersion: v1
clusters:
- cluster:
    certificate-authority: {account home}/.minikube/ca.crt
    server: https://{minikube node IP}:8443
  name: minikube
- cluster:
    certificate-authority-data: {ca.crt data}
    server: https://{minikube host PC IP}:8443
  name: proxy
contexts:
- context:
    cluster: minikube
    namespace: default
    user: minikube
  name: minikube
- context:
    cluster: proxy
    namespace: default
    user: test
  name: test
current-context: test
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: {account home}/.minikube/profiles/minikube/client.crt
    client-key: {account home}/.minikube/profiles/minikube/client.key
- name: test
  user:
    token: {token}
----------------------------

# Switch the current context
kubectl config use-context test
----------------------------
Switched to context "test".
----------------------------

# Run a command
kubectl get pods -A

Applying ca.crt as data instead of a file

https://leejinae.tistory.com/95
How to use the base64 command (leejinae.tistory.com)

# Convert ca.crt to data
cat ca.crt | base64 -w 0
# config
---------------------------
clusters:
- cluster:
    certificate-authority-data: {data}
---------------------------
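As an added example (not from this post or any of the linked blogs), the Python script below turns the output of `kubectl get secret test-secret -o json` into the ServiceAccount kubeconfig used in the two sections above: it enforces the "ServiceAccount and namespace must match" rule, checks that the token's subject is `system:serviceaccount:default:test`, copies `.data["ca.crt"]` straight into `certificate-authority-data` (it is already base64, exactly what `base64 -w 0 ca.crt` prints) and base64-decodes the token. The server address, the `proxy` cluster name and every sample value (token, certificate) are constructed placeholders.

```python
import base64
import json


def sa_token_subject(token: str) -> str:
    # Unverified 'sub' claim of the JWT; signature checking is the API server's job
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))["sub"]


def kubeconfig_from_secret(secret_json: str, server: str, sa: str = "test",
                           ns: str = "default") -> dict:
    """Build a kubeconfig for ServiceAccount `sa` from `kubectl get secret ... -o json`."""
    s = json.loads(secret_json)
    meta = s["metadata"]
    if s.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account token Secret")
    if meta.get("annotations", {}).get("kubernetes.io/service-account.name") != sa:
        raise ValueError("Secret is annotated for a different ServiceAccount")
    # The Secret's namespace, its decoded 'namespace' key and the SA namespace must agree
    data_ns = base64.b64decode(s["data"]["namespace"]).decode()
    if not (meta["namespace"] == data_ns == ns):
        raise ValueError(f"namespace mismatch: {meta['namespace']} / {data_ns} / {ns}")
    token = base64.b64decode(s["data"]["token"]).decode()  # .data values are base64
    subject = sa_token_subject(token)
    if subject != f"system:serviceaccount:{ns}:{sa}":
        raise ValueError(f"token subject {subject} is not the expected ServiceAccount")
    return {
        "apiVersion": "v1", "kind": "Config",
        # .data["ca.crt"] is already base64, so it is copied into certificate-authority-data as is
        "clusters": [{"name": "proxy", "cluster": {
            "server": server, "certificate-authority-data": s["data"]["ca.crt"]}}],
        "users": [{"name": sa, "user": {"token": token}}],
        "contexts": [{"name": sa, "context": {"cluster": "proxy", "namespace": ns, "user": sa}}],
        "current-context": sa,
    }


# Constructed sample input (not real credentials): the Secret as created above
def _fake_jwt(payload: dict) -> str:
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256'})}.{enc(payload)}.signature-not-checked-here"

SAMPLE_TOKEN = _fake_jwt({"iss": "kubernetes/serviceaccount",
                          "sub": "system:serviceaccount:default:test"})
SAMPLE_CA_B64 = base64.b64encode(b"-----BEGIN CERTIFICATE-----\n...\n").decode()
SAMPLE_SECRET = json.dumps({
    "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "test-secret", "namespace": "default",
                 "annotations": {"kubernetes.io/service-account.name": "test"}},
    "data": {"ca.crt": SAMPLE_CA_B64, "namespace": base64.b64encode(b"default").decode(),
             "token": base64.b64encode(SAMPLE_TOKEN.encode()).decode()}})
```

Writing `json.dumps(kubeconfig_from_secret(SAMPLE_SECRET, "https://{minikube host PC IP}:8443"), indent=2)` to a file gives a kubeconfig kubectl accepts, since JSON is valid YAML.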

Troubleshooting

  • serviceaccounts is forbidden: User "system:serviceaccount:default:test" cannot list resource "service accounts" in API group "" at the cluster scope

Removing apiGroup from subjects resolved it.

However, it also works fine after adding it back; the exact cause is unknown.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: temp-role-binding
subjects:
- kind: ServiceAccount
  name: test
  namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

  • Unable to connect to the server: x509: certificate is valid for {IP allowed in the certificate}, not 192.168.22.5

192.168.22.5 must be included in the certificate

# Occurs when the call comes from an IP other than the one allowed in the certificate
couldn't get current server API group list: Get "https://192.168.22.5:8443/api?timeout=32s": x509: certificate is valid for {IP allowed in the certificate}, not 192.168.22.5
Unable to connect to the server: x509: certificate is valid for {IP allowed in the certificate}, not 192.168.22.5

https://barisein.tistory.com/394
Creating a minikube client certificate (barisein.tistory.com)

  • Unable to connect to the server: x509: certificate is not valid for any names, but wanted to match gift1000.co.kr

The domain must be added to the certificate

https://barisein.tistory.com/394
