您的位置:上海毫米网络优化公司 > 网站优化分享 >
相关推荐recommended
- Elasticsearch:从 ES|QL 到 PHP 对象
- 探索SQL深入理解数据库操作的关键概念与技巧【文末送书】
- 数学建模--评价类模型
- Golang入门基础
- linux:nginx报错,提示host not found in u
- Kubernetes(K8s)与虚拟GPU(vGPU):实现高效管理和
- 关于Node.js作为后端的入门教程
- Spring boot高频面试题及答案,面试官看完也得跪!
- SQLite、MySQL 和 PostgreSQL 数据库速度比较(本
- Springboot利用CompletableFuture异步执行线程
- 基于知识图谱的大学生就业能力评价和职位推荐系统——超详细要点总结(创作
- Java-扑克牌的创建以及发放
- 服务器运行mysql的时候出现:Error response from
- 免费的ChatGPT网站(10个)
- Golang 开发实战day08 - Multiple Return
- MySql 安装,小白也可以学会成功安装的保姆级教程
- 【新知实验室 - TRTC 实践】音视频互动 Demo、即时通信 IM
- Rust面试宝典第6题:快乐数
- Linux系统部署SQL Server结合内网穿透实现公网访问本地数据
- MySQL之窗口函数
- 【Go设置国内代理】
- 解决phpstudy无法启动MySQL服务的问题
- Newspaper库,一个新手也能快速上手的爬虫库
- Springboot 整合 Quartz(定时任务框架)
- FlexLua:简化开发的LoRa无线氨气传感器技术
- 彻底讲透:高并发场景下,MySQL处理并发修改同一行数据的安全方法
- Hive 排名函数ROW
- RabbitMQ五大常用工作模式
- Spring之BeanPostProcessor
- Unity让一辆越野车沿着指定路径自动行驶(非手动操作)
Kubernetes WebHook 入门 -- 入门案例: apiserver 接入 github
作者:mmseoamin日期:2024-01-30
博客原文
文章目录
- k8s 集群配置
- 介绍
- Admission Webhook
- WebHook 入门实践: github 认证接入
- web 服务器
- Dockerfile 镜像制作
- amd64
- x86_64
- 构造镜像
- 检验镜像
- Makefile
- webhook 接入 apiserver
- webhook.yaml
- apiserver 挂载 webconfig
- 在 github 中创建认证 token
- 将 token 添加到 kubeconfig
- 验证
- 授权验证
- deploy spec
- 参考
k8s 集群配置
IP Host 配置 11.0.1.150 master1 (keepalived+haproxy) 2C 4G 30G 11.0.1.151 master2 (keepalived+haproxy) 2C 4G 30G 11.0.1.152 node1 2C 4G 30G vip 地址: https://11.0.1.100:16443
介绍
Webhook就是一种HTTP回调,用于在某种情况下执行某些动作,Webhook不是K8S独有的,很多场景下都可以进行Webhook,比如在提交完代码后调用一个Webhook自动构建docker镜像
K8S中提供了自定义资源类型和自定义控制器来扩展功能,还提供了动态准入控制,其实就是通过Webhook来实现准入控制,分为两种:验证性质的准入 Webhook (Validating Admission Webhook) 和 修改性质的准入 Webhook (Mutating Admission Webhook)
Admission Webhook有哪些使用场景?如下
- 在资源持久化到ETCD之前进行修改(Mutating Webhook),比如增加init Container或者sidecar Container
- 在资源持久化到ETCD之前进行校验(Validating Webhook),不满足条件的资源直接拒绝并给出相应信息
现在非常火热的的 Service Mesh 应用istio就是通过 mutating webhooks 来自动将Envoy这个 sidecar 容器注入到 Pod 中去的:
https://istio.io/docs/setup/kubernetes/sidecar-injection/。
更多详情介绍可参考:
https://kubernetes.io/zh/docs/reference/access-authn-authz/extensible-admission-controllers/
Admission Webhook
上面提到K8S的动态准入控制是通过Webhook来实现的,那么它到底是在哪个环节执行的?请看下图
综上, k8s webhook 可分为两类:
- Mutating Webhook: 这类 webhook 可以更改请求对象
- Validating Webhook: 这类 webhook 不能去更改请求对象, 就算更改也会被忽略, 用于写入 etcd 前的验证逻辑
WebHook 入门实践: github 认证接入
源码地址: https://github.com/Ai-feier/k8s-webhook/tree/main/auth-github
写一个用于认证校验的 mutating webhook
请求流程:
- 拦截 apiserver 请求
- 将请求(TokenReview)中的 token 发送给 github 用于验证
- 将 github 返回的用户信息填入 TokenReview
web 服务器
package main import ( "context" "encoding/json" "github.com/google/go-github/github" "golang.org/x/oauth2" authentication "k8s.io/api/authentication/v1beta1" "log" "net/http" ) func main() { http.HandleFunc("/authenticate", func(writer http.ResponseWriter, request *http.Request) { // 获取请求中的 TokonReview decoder := json.NewDecoder(request.Body) var tokenReview authentication.TokenReview if err := decoder.Decode(&tokenReview); err != nil { log.Println("decode error: ", err) // 响应返回错误 writer.WriteHeader(http.StatusBadRequest) _ = json.NewEncoder(writer).Encode(map[string]interface{}{ "apiVersion": "authentication.k8s.io/v1beta1", "kind": "TokenReview", "status": authentication.TokenReviewStatus{ Authenticated: false, }, }) return } log.Println("receive request") // 检查用户 // 创建 oauth2 对象, 发送给 github oauthToken := oauth2.StaticTokenSource(&oauth2.Token{ AccessToken: tokenReview.Spec.Token, // tokenReview 的 token }) oauthClient := oauth2.NewClient(context.Background(), oauthToken) client := github.NewClient(oauthClient) user, _, err := client.Users.Get(context.Background(), "") if err != nil { log.Println("github auth error: ", err) writer.WriteHeader(http.StatusUnauthorized) _ = json.NewEncoder(writer).Encode(map[string]any{ "apiVersion": "authentication.k8s.io/v1beta1", "kind": "TokenReview", "status": authentication.TokenReviewStatus{ Authenticated: false, // 返回认证失败 }, }) return } // 认证成功 log.Println("github login success, as: ", *user.Login) status := authentication.TokenReviewStatus{ Authenticated: true, User: authentication.UserInfo{ Username: *user.Login, UID: *user.Login, }, } json.NewEncoder(writer).Encode(map[string]any{ "apiVersion": "authentication.k8s.io/v1beta1", "kind": "TokenReview", "status": status, }) }) log.Println(http.ListenAndServe(":3000", nil)) }Dockerfile 镜像制作
本项目是使用 go 作为 web 服务器, go 提供一种非常好用的编译特性 – 交叉编译
在 dockerfile 中我们选择的 busybox 作为基础镜像, 但默认 busybox 架构为 x86_64(uname -m查看), 所以可以使用 amd64/busybox 或交叉编译 go 代码
当出现这类问题 exec /usr/bin/sh: exec format error 多半是架构问题
推荐: Golang交叉编译详解 – CSDN
amd64
FROM golang:1.20 as builder WORKDIR /app COPY . . # go 交叉编译: amd64 RUN go env -w GOPROXY=https://goproxy.cn,direct && go mod tidy && \ CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o main main.go RUN chmod +x /app/main FROM amd64/busybox COPY --from=builder /app/main . EXPOSE 3000/tcp CMD ["/main"]x86_64
FROM golang:1.20 as builder WORKDIR /app COPY . . # go 交叉编译: x86 RUN go env -w GOPROXY=https://goproxy.cn,direct && go mod tidy && \ CGO_ENABLED=0 GOOS=linux GOARCH=386 go build -o main main.go RUN chmod +x /app/main FROM busybox COPY --from=builder /app/main . EXPOSE 3000/tcp CMD ["/main"]构造镜像
$ docker build -t aifeierwithinmkt/auth-github-webhook:amd64 -f Dockerfile_amd64 . $ docker build -t aifeierwithinmkt/auth-github-webhook:x86 -f Dockerfile_x86 . $ docker tag aifeierwithinmkt/auth-github-webhook:amd64 aifeierwithinmkt/auth-github-webhook
检验镜像
$ docker run --rm -p 3000:3000 -d aifeierwithinmkt/auth-github-webhook:amd64 $ docker run --rm -p 3001:3000 -d aifeierwithinmkt/auth-github-webhook:x86 $ curl 127.0.0.1:3000/authenticate {"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"user":{}}} $ curl 127.0.0.1:3001/authenticate {"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"user":{}}}镜像服务正常
Makefile
build_amd64: mkdir -p bin/amd64 CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/amd64/main . build_x86: mkdir -p bin/x86 CGO_ENABLED=0 GOOS=linux GOARCH=386 go build -o bin/x86/main .
webhook 接入 apiserver
webhook.yaml
apiVersion: v1 clusters: - cluster: server: http://192.168.1.7:3000/authenticate name: github-authn contexts: - context: cluster: github-authn user: authn-apiserver name: webhook current-context: webhook kind: Config preferences: {} users: - name: authn-apiserver user: client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURJVENDQWdtZ0F3SUJBZ0lJRlYrSjRRNm1heUF3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TXpFeU16QXdPVE16TVRkYUZ3MHlOREV5TWprd09UTTRNVGxhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTQ2NTQzOWp6cVpqcldXd3EKMkloeWtQcjREb3MySnNTM0JrUlhJTzY2UnhhbmxqVGszWlBka21oaUFvRldHTHI5VitwTUdwTytVYzhmbHhDKwoyZVc3QmVwelhzVjd2Y1RRZ25RMVlnVGh2bldRdkxVVFJuUXhoUHhYS2RGNzBEL2RISkxjMGxyVHhjZ2JNUUVTCmdPZWZZQm03dWdBdEJ0RDg3MitrdWVuV3RIc201a09nd0l0N3EzbjVvQ1huZWd4VHBFTHFtcmhtQTYrUXcrNXkKbEg1bG5LdzlFdUJmYmVqY0ZOaEd2UVNFSmFNZ2s0Z2h4bUNQWHJUcFZ0bmRkMHJQMGc4dzkvQ0NKU1owdDV6TApHMk5idFlqQzRRK2tyQXZoSllIUGRzVkRtWTFpMkZsSmsyZGgyU0RzbzJLMGNldmMvRGpUaTdhbGNpTlQwU05ICjFoVXpsd0lEQVFBQm8xWXdWREFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JRU1oxaVlWKzlQNTRiNHB3UU9QVkI0TklXYgp3REFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBV3pmWXJMWUd5ZGJoM0hpRmxVMWhuR2ZYeGxDMGk3VDBNMmZ1CnZMUkJBM1lYelRMQmNJeFhjT3J2R2Z1OGp3ZE1qY1VmZ2tuQ0JOL2VrN2lqSDF6ZmxmRkVwK0JiWHE2WFpUQWQKTkh1aGdKVG5SRUV4OURHNldtLy9wNnpZOExEVU1ZekZwZGYyYkt2ZWdkQ0NaT3R5OTJ2eFZmbUJ5THJnUHYwRQpGSEZhR1ZCQ083Z012VnFCN05rMGxVN3Axdjg3YzVBTmJxUHI2YjYyZmMzbE9XcGQ2bUN0bDFjdms1QWROczJlCnBRVlFBRnhGR1o3WGFDaU9waFM3L2M1Vm1MUk9lWERHZ1BjUnNjdEtZL0VybXNqQ2JrYnpobnUydk85dnJPRVQKZEh0QlBYRlBYV29PWTVsZWlQa29WRUs4S1FFMmhPWVBpZDhIVHNhZzl1ZGc2Zkwvenc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBNDY1NDM5anpxWmpyV1d3cTJJaHlrUHI0RG9zMkpzUzNCa1JYSU82NlJ4YW5salRrCjNaUGRrbWhpQW9GV0dMcjlWK3BNR3BPK1VjOGZseEMrMmVXN0JlcHpYc1Y3dmNUUWduUTFZZ1Rodm5XUXZMVVQKUm5ReGhQeFhLZEY3MEQvZEhKTGMwbHJUeGNnYk1RRVNnT2VmWUJtN3VnQXRCdEQ4NzIra3Vlbld0SHNtNWtPZwp3SXQ3cTNuNW9DWG5lZ3hUcEVMcW1yaG1BNitRdys1eWxINWxuS3c5RXVCZmJlamNGTmhHdlFTRUphTWdrNGdoCnhtQ1BYclRwVnRuZGQwclAwZzh3OS9DQ0pTWjB0NXpMRzJOYnRZakM0UStrckF2aEpZSFBkc1ZEbVkxaTJGbEoKazJkaDJTRHNvMkswY2V2Yy9EalRpN2FsY2lOVDBTTkgxaFV6bHdJREFRQUJBb0lCQUJIaWRxUSt5b1ViK2dEQQpPbTFmNm4vdzl1Tk5sQ2RmZEhFTmxUcUZCaVRuWnFxcDVRQnl5UWpqSWkvSU1SY29PUlphMVRlUk8zWDVxeVdXCnJ5YzJvSVpLY0YyVmJhN3VjdUtNZGxVSXhTTE00VjJ4YTU0eEttS2ozOFR0SzZpa0c1NU8rd0diR04rRVpINW8KOHljbENxUGw0WlV1eGxxdXQrK20rVzJSTE1ob2JoOG1mb1RDNGExczJlMEdpM3lkdE16SjNXZnczcUUvUlRGbQoyYm0rMHd6bFlUaXB2cmo4OEJ0aHBQUDlrTmJyVEs4WFNROXUzMnNjS3VWVllpcUJpeStMVUhMek5GY09ZbkpPCjBtdUFsTTFhTmh2WXJQMnI4QThkLzZtays5eDN6THVlM1NVYm1BdTJFUFdMKzZneUxiRHIrV1RJeHYxRVNQS0EKZW5TcWRRRUNnWUVBNVZZMGloY3I2Y0pGbkZZUnBJTjRSUjVrejBhdE12RUZmQWhIbERoUVQrUmpCTXRkVHlFSApNQVFqdXlZaDhReEh0TmxEQzBJTFJTdWpPSWdhZHFsMlBmbzNwR1RmM0xlbExkbGx4amRsVTZJc0lLYVVDdWw5CndPcTBmbkVTbUVUdGdxZS9nazFMS01ZMXUyOXg2S2FkZ25RSlBybFlQT21idW1SY3pydHc3N2NDZ1lFQS9pY0EKcnhDODcvc3VDQS9HUXpRdWlvVWphd0NXSEgyVnE2eUlSNDRVWXJaNWMwRXl1OU5jOFhoQVhTbGJxNzF6NkNDMgpFQVE4cm8weWFWTFB2TDFWeDB2aDVKUjVnaHVkMkcvMFdPbzFVR0l1SFhPaGpSeWR3UDlzZ2NZRGpUaitHYlJNCjlkSWJrWi9YcWx3Uzh2aVJHQ1BaN3hjVm5pTlJ5RzJ5N3BxeUd5RUNnWUIxNDdlRVdONzQvaVc4ZEw0Qy9KWWgKcWJzV2xmVkluMzg3UUNKVGZoTkN6bHRjUnBJRHNDMjZzQllTQ1VzZlZ6bXhMSkg3UW9yNmxyRUR5V3NaSG9tcQoyR29yOXJMaENnSStMR2ZWMmZvYllOMGdONkVZYnVoMjkrK3FvOE4wUk5KMi9IWkVyQ2o3bjlCVk5yZXVhWi9FClJKUFFDNFRoWXhEcll0WVdhMkpseHdLQmdRRFh3SjU0LzNtVk5DTkFucnVOZzNmYkNla21SZ29veDRmT2hCbncKdkxHYmx4S0ZBQjBraStyRDVuU2xZWjI3cm9uOXpmOGdtNmd6K2hPSWk4OWtoMHFSZEY2Z29GYUNXQlZvanFuYwo3WDR5N2hYOTFKS1phMmlVVllGMHJYZUlaSkI1bTdFVm9iYmJxZGo0ZTA5dXlncktkbXprNWpEbzNVenBIQThoCk5WdnJZUUtCZ1FDNDRreXNsRlBUVkNlbkp5SDFHLy82VmQ0aXRFaFlYQVllYWJUdU15eVlkZFlxcnJYTTFUS1QKL24wRHQrQXFIa0dmU2pvUExCa3NITkNDZWZnZSt0dDRxVmFPNjJyWkhRRTQ0TXVueHhxRXBNdmxFeUNEVUM4cApTaUF6bW9XaDR4R2tUdkpLUlBLWGlPNEdjbk5wZVNuUVY5RjJSY01ocllCUVZjTzJLb2N1Umc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=该配置与 kubeconfig 配置相同, 直接在 kubeconfig 的基础上修改就行, 重要的是 cluster 的 server (即提供服务的地址
apiserver 挂载 webconfig
# 修改 apiserver 配置参数, 增加: - --authentication-token-webhook-config-file=/etc/config/webhook.yaml # 相应增加挂载卷 volumes: - hostPath: path: /etc/config type: DirectoryOrCreate name: auth-webhook volumeMounts: - mountPath: /etc/config name: auth-webhook readOnly: true- 修改 manifest 后 apiserver 理论上会自动重启, 如果没有则 systemctl restart kubelet
- 本文实验主题为认证 webhook 可直接使用 --authentication-token-webhook-config-file, 如需自定义 mutatingwebhook 请参考: mutatingwebhook
在 github 中创建认证 token
setting -> Developer Settings -> Personal access tokens (classic)
将 token 添加到 kubeconfig
# 在 kubeconfig 下增加一个 user - name: githubuser user: token: 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验证
$ k get po --user githubuser Error from server (Forbidden): pods is forbidden: User "Ai-feier" cannot list resource "pods" in API group "" in the namespace "default"
授权验证
$ k create clusterrolebinding testview --clusterrole view --user Ai-feier $ k get po --user githubuser NAME READY STATUS RESTARTS AGE nginx-kusc00401 0/1 Pending 0 4d23h testnginx-5cdb847cd9-7nm4k 1/1 Running 1 (29h ago) 43h testnginx-5cdb847cd9-llmxf 1/1 Running 1 (29h ago) 43h testnginx-5cdb847cd9-qfsdn 1/1 Running 1 (29h ago) 43h web-server 0/1 Pending 0 4d22h
deploy spec
apiVersion: apps/v1 kind: Deployment metadata: labels: app: auth-webhook name: auth-webhook namespace: default spec: replicas: 3 selector: matchLabels: app: auth-webhook strategy: {} template: metadata: labels: app: auth-webhook spec: containers: - image: aifeierwithinmkt/auth-github-webhook name: auth-github-webhook resources: {} ports: - containerPort: 3000 --- apiVersion: v1 kind: Service metadata: name: auth-svc namespace: default spec: selector: app: auth-webhook ports: - name: auth protocol: TCP port: 80 targetPort: 3000参考
- https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/
- 关注我们
- 扫描二维码
- 获取更多信息
- 精彩一手掌握
Copyright © 2014-2019 seo,上海网站优化_网络制作_网站seo排名_网站建设推广_上海网络公司 版权所有
沪ICP备19022315号
沪ICP备19022315号 
