十一,k8s集群访问控制之ServicAccount
目录
认证安全
任何用途操作集群的资源对象是,都要经历三种安全相关的操作:
- 任何用户来访问时, 都需要完成kubernetes系统认证操作
- 认证通过后, 进行授权检查
- 准入控制, 检查是否有权限操作其它的一些资源操作
认证方式:
- 令牌认证:token
- SSL 秘钥认证:也是最常用的方式,能确认服务器身份
- RBAC :全称
Role Base AccessControl,用于授权操作
访问认证流程
客户端 访问 API Server是常用的参数.
user: username, uid
group:
extra:
API
Request path:
http://172.27.1.241:8888/apis/apps/v1/namespaces/default/deployments/myapp-deploy/ # 8888端口是因为之前在master上执行了kubectl proxy --port=8888 ,查询所在组,可kubectl api-versions查看组
HTTP request verb: #请求方法,使用curl需要指定请求方法
get post put delete
API requets verb: #映射到kubernetes请求的动作
get list create update patch watch proxy redirect delete deletecollection
Resource: #请求访问的资源
Subresource: #请求的子资源
API group:
连接Api-Server的两类账号
kubernetes 有两类认证值的用户账号,分别是
ServiceAccountName: 是用于Pod客户端认证使用的账户
UserAccount: 用于真实用户,或者说操作集群资源的人使用的账户
ServiceAccount 创建
可以使用kubectl create serviceaccount USER_NAME 来创建
[root@master manifests]# kubectl create serviceaccount admin -o yaml --dry-run
apiVersion: v1
kind: ServiceAccount
metadata: #可以用来导出标准yaml格式。--dry-run执行但不真实创建sa
creationTimestamp: null
name: admin
[root@master manifests]# kubectl create serviceaccount admin
serviceaccount/admin created
[root@master manifests]# kubectl get sa
NAME SECRETS AGE
admin 1 2s
default 1 37d
[root@master manifests]# kubectl describe sa admin
Name: admin
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: admin-token-48wdj
Tokens: admin-token-48wdj # 自动生产的token
Events: <none>
当创建一个sa后,会自动创建一个secret
[root@master manifests]# kubectl get secret
NAME TYPE DATA AGE
admin-token-48wdj kubernetes.io/service-account-token 3 3m3s # 这里自动创建的是认证信息,但不代表有权限。
default-token-bc86p kubernetes.io/service-account-token 3 37d
[root@master manifests]# kubectl describe secret admin-token-48wdj
Name: admin-token-48wdj
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin
kubernetes.io/service-account.uid: dc343339-8eaf-4022-a03a-4cc8df8c9ebf
Type: kubernetes.io/service-account-token
Data
====
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFkbWluLXRva2VuLTQ4d2RqIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZGMzNDMzMzktOGVhZi00MDIyLWEwM2EtNGNjOGRmOGM5ZWJmIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6YWRtaW4ifQ.xgehKowaM6sHykd6vbfi4hu4M0DxFAYrfuY9fkN_8vkcpi_c4HC8yl0MZD4GQivRVyEPb_7X6A81BkaHLVEHvbt7bl20Gk5F2tnFxWbSGMGNh2pRa0GxtnWEO03EyGHt1Yl_YGdqT13UnwfUFC5302P7dvuC15OKjd3az-vaMu3YgUkAKyceZZRltBasmoWVHdAY1u2kVFpjT60TYPtAyV6eAeDaucB94Ye60EmyhAHBNP8DkdFbWcHT25rdRQa72B_IVZ_ZaeCfJtZkpsg4XplniC1OuXV_25nqXCNRbIqp_yaH7dT0NKhT9_EYEC4b8MYZcL2e_RZyNgBWSUf-9Q
ca.crt: 1025 bytes
namespace: 7 bytes
使用admin 的SA
定义一个清单文件,使用admin的SA
[root@master manifests]# cat pod-sa-demo.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-sa-demo
namespace: default
labels:
app: myapp
tier: frontend
annotations:
jubaozhu.com/created-by: "cluster admin"
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v1
serviceAccountName: admin #在此处给pod定义sa为admin
[root@master manifests]# kubectl apply -f pod-sa-demo.yaml
pod/pod-sa-demo created
[root@master manifests]# kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-sa-demo 1/1 Running 0 3s
查看该Pods的详细信息中servername
[root@master manifests]# kubectl describe pods pod-sa-demo | grep SecretName
SecretName: admin-token-46wdj # 这里已经和admin这个sa对应自动生成的secret名称是一样的。
也可以通过--dry-run 和 -o yaml 来获取yaml配置文件,该命令亦可用于导出标准yaml格式文件
[root@master manifests]# kubectl create serviceaccount admin --dry-run -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: null
name: admin
这样就能把导出的yaml格式的保存到文件中,在使用kubectl apply 来执行。
测试 URL访问kubernetes资源
首先,本地要启动一个proxy代理,之后通过这个代理来访问
[root@master ~]# kubectl proxy --port=8080
Starting to serve on 127.0.0.1:8080
再起一个新的终端进行测试
[root@master pki]# curl http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments/coredns
{
"kind": "Deployment",
"apiVersion": "apps/v1",
"metadata": {
"name": "coredns",
"namespace": "kube-system",
"selfLink": "/apis/apps/v1/namespaces/kube-system/deployments/coredns",
"uid": "c730eb98-8fe7-47a8-9856-1fc3ff2044aa",
"resourceVersion": "1039",
"generation": 1,
"creationTimestamp": "2019-07-09T08:36:50Z",
"labels": {
"k8s-app": "kube-dns"
},
"annotations": {
"deployment.kubernetes.io/revision": "1"
}
},
"spec": {
"replicas": 2,
"selector": {
"matchLabels": {
"k8s-app": "kube-dns"
... ...
... ...
/apis/apps/v1/namespaces/kube-system/deployments/coredns 这里的访问路径都是固定套路。
这里的路径区别
以 api 其实的资源,均为核心资源
剩下的其他资源,都需要以 apis 为起始路径。
有哪些资源的客户端需要和APIserver有交互
[root@master pki]# kubectl config set-cluster mycluster --kubeconfig=/tmp/test.cnf --server="https://172.27.1.241:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
Cluster "mycluster" set.
[root@master pki]# kubectl config view --kubeconfig=/tmp/test.cnf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://172.27.1.241:6443
name: mycluster
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
授权插件:
- Node
- ABAC
- RBAC
- Webhook http的回调机制
角色机制: 给特定的角色赋权, 在把对应的角色赋予给用户, 那么该用户就拥有该角色的权限.
APIserver客户端定义的配置文件
包括kubectl、kubelet、kube-controller-manager等在内的API Server的各类客户端都可以使用kubeconfig配置文件提供接入多个集群的相关配置信息,即kubeconfig是用来存放客户端访问认证信息的
包括API Server的URL及认证信息,且可设置不同的上下文,并在各环境之间快速切换
/etc/kubernetes/admin.conf即为kubeconfig格式的配置文件
查看config命令帮助:**
[root@master manifests]# kubectl config --help
Modify kubeconfig files using subcommands like "kubectl config set current-context my-context"
The loading order follows these rules:
1. If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once and no merging takes
place.
2. If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path delimiting rules for
your system). These paths are merged. When a value is modified, it is modified in the file that defines the stanza. When
a value is created, it is created in the first file that exists. If no files in the chain exist, then it creates the
last file in the list.
3. Otherwise, ${HOME}/.kube/config is used and no merging takes place.
Available Commands:
current-context Displays the current-context
delete-cluster Delete the specified cluster from the kubeconfig
delete-context Delete the specified context from the kubeconfig
get-clusters Display clusters defined in the kubeconfig
get-contexts Describe one or many contexts
rename-context Renames a context from the kubeconfig file.
set Sets an individual value in a kubeconfig file
set-cluster Sets a cluster entry in kubeconfig
set-context Sets a context entry in kubeconfig
set-credentials Sets a user entry in kubeconfig
unset Unsets an individual value in a kubeconfig file
use-context Sets the current-context in a kubeconfig file
view Display merged kubeconfig settings or a specified kubeconfig file
Usage:
kubectl config SUBCOMMAND [options]
Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).
| 名称 | 注解 |
|---|---|
| set-cluster | 设定集群 |
| set-credentials | 设定用户账号 |
| set-context | 设定上下文 |
| use-context | 设定当前上下文 |
可以直接通过命令的方式进行创建,也可以使用配置清单来定义后,使用kubectl apply -f 来执行设定;
查看当前配置文件的示例说明
[root@master manifests]# kubectl config view
apiVersion: v1 # 这里可以看出,config也是一个标准的kubernetes资源对象
clusters: # 集群列表
- cluster: # 定义一个集群,在下面可以定义多个
certificate-authority-data: DATA+OMITTED # 服务器发过来的认证方式
server: https://172.27.1.241:6443 # 访问验证地址
name: kubernetes # 集群名称
contexts: # 上下文列表,即账号访问权限列表
- context:
cluster: kubernetes # 对应用户能访问的集群名称
user: kubernetes-admin # 该上下文对应的用户
name: kubernetes-admin@kubernetes # 此上下文的名称
current-context: kubernetes-admin@kubernetes # 当前定义的哪个账号可以访问哪个集群
kind: Config
preferences: {}
users: # 用户列表
- name: kubernetes-admin # 用户已名称
user:
client-certificate-data: REDACTED # 客户端的认证方式
client-key-data: REDACTED # key信息
kubeconfig配置文件简单来说就是在Api-server上有多个集群(clusters)以及多个账号(users),contents就是定义哪些账号可以访问哪些集群的。
kubernetes 集群相关的私有CA证书
[root@master ~]# ll /etc/kubernetes/pki/
-rw-r--r-- 1 root root 1233 Jul 9 16:36 apiserver.crt
-rw-r--r-- 1 root root 1090 Jul 9 16:36 apiserver-etcd-client.crt
-rw------- 1 root root 1675 Jul 9 16:36 apiserver-etcd-client.key
-rw------- 1 root root 1675 Jul 9 16:36 apiserver.key
-rw-r--r-- 1 root root 1099 Jul 9 16:36 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 Jul 9 16:36 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 Jul 9 16:36 ca.crt
-rw------- 1 root root 1679 Jul 9 16:36 ca.key
drwxr-xr-x 2 root root 162 Jul 9 16:36 etcd
-rw-r--r-- 1 root root 1038 Jul 9 16:36 front-proxy-ca.crt
-rw------- 1 root root 1675 Jul 9 16:36 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 Jul 9 16:36 front-proxy-client.crt
-rw------- 1 root root 1679 Jul 9 16:36 front-proxy-client.key
-rw------- 1 root root 1679 Jul 9 16:36 sa.key
-rw------- 1 root root 451 Jul 9 16:36 sa.pub
创建新的apiserver的账号及证书
新建的密钥对就直接放到kubernetes集群对应的pki目录下
[root@master ~]# cd /etc/kubernetes/pki/
[root@master pki]# ll
total 60
-rw-r--r-- 1 root root 1233 Jul 9 16:36 apiserver.crt
-rw-r--r-- 1 root root 1090 Jul 9 16:36 apiserver-etcd-client.crt
-rw------- 1 root root 1675 Jul 9 16:36 apiserver-etcd-client.key
-rw------- 1 root root 1675 Jul 9 16:36 apiserver.key
-rw-r--r-- 1 root root 1099 Jul 9 16:36 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 Jul 9 16:36 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 Jul 9 16:36 ca.crt
-rw------- 1 root root 1679 Jul 9 16:36 ca.key
drwxr-xr-x 2 root root 162 Jul 9 16:36 etcd
-rw-r--r-- 1 root root 1038 Jul 9 16:36 front-proxy-ca.crt
-rw------- 1 root root 1675 Jul 9 16:36 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 Jul 9 16:36 front-proxy-client.crt
-rw------- 1 root root 1679 Jul 9 16:36 front-proxy-client.key
-rw------- 1 root root 1679 Jul 9 16:36 sa.key
-rw------- 1 root root 451 Jul 9 16:36 sa.pub
新创建私钥
# 创建过程均在/etc/kubernetes/pki/目录下
[root@master pki]# (umask 077; openssl genrsa -out jerry.key 2048)
Generating RSA private key, 2048 bit long modulus
.........................+++
.....................................................+++
e is 65537 (0x10001)
[root@master pki]# ll jerry.key
-rw------- 1 root root 1679 Aug 19 16:07 jerry.key
然后基于jerry.key私钥来生成证书使用kubernetes集群的ca.crt来签署
生成证书签署请求
[root@master pki]# openssl req -new -key jerry.key -out jerry.csr -subj "/CN=jerry"
# 注意,最后的 "/CN=jerry" 中的jerry,就是用户名
用ca.crt 来签署
[root@master pki]# openssl x509 -req -in jerry.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out jerry.crt -days 365
Signature ok
subject=/CN=jerry
Getting CA Private Key
[root@master pki]# ll jerry.*
-rw-r--r-- 1 root root 973 Aug 19 16:14 jerry.csr
-rw------- 1 root root 1679 Aug 19 16:07 jerry.key
验证查看生成的证书
[root@master pki]# openssl x509 -in jerry.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
ea:48:9e:47:1b:2e:19:ac
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes # 这里可以看到是kubernetes自己的ca.crt证书签署的
Validity
Not Before: Aug 19 08:14:53 2019 GMT # 证书有效期限起始
Not After : Aug 18 08:14:53 2020 GMT # 证书有效期限结束
Subject: CN=jerry # 作为用户账号连入kubernetes用户
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cd:e3:a1:7a:db:17:70:57:16:b3:f6:6a:6c:87:
50:5f:2f:38:86:67:93:fc:b2:ba:5f:c4:60:16:66:
2f:67:29:01:c7:f0:b5:d8:ca:c6:db:ca:42:8a:a8:
ce:17:ac:d1:43:64:eb:a8:1b:34:6c:97:d9:49:dc:
24:b9:ab:8c:cd:be:6a:ad:ff:70:64:40:51:40:0f:
16:d5:61:73:dc:3f:aa:57:4f:7a:c8:60:a7:37:ee:
53:d0:ec:25:78:fc:4a:af:81:67:2c:d8:08:0f:a0:
4d:38:0f:28:36:4b:f7:c6:bb:a2:0f:4b:33:e4:77:
44:83:4d:14:2e:ef:ce:d4:6a:47:37:09:0b:9d:41:
ad:07:62:8e:06:94:71:04:f7:1b:a2:e7:6a:d6:86:
8e:7c:45:69:5e:a2:74:22:6a:8f:47:c8:ef:ba:f7:
d4:08:05:6e:c0:ae:36:bc:68:4b:7f:a5:c8:1c:87:
c4:34:a7:28:94:96:49:b1:cc:53:c0:75:7b:c9:44:
f4:78:c9:f4:fa:e2:5a:55:64:0d:dd:0a:40:31:19:
4e:80:f2:cf:02:f4:48:ae:65:93:a9:e7:41:d7:0b:
e1:7a:27:38:dc:4f:9d:12:be:8e:62:2b:73:98:0c:
45:07:c5:ad:43:91:06:0e:30:4c:5c:63:9d:25:de:
bb:29
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
74:7b:c9:fd:9e:2d:4e:84:c1:f8:83:8d:9a:37:c1:50:27:e3:
f6:1c:d4:ea:ae:4f:83:f3:dc:23:81:01:fd:3d:02:e1:26:7c:
8a:94:a7:dd:0a:3c:86:52:45:2a:25:b3:63:3f:51:15:87:0f:
f9:25:8b:eb:b0:7e:0f:7c:4a:f1:23:b9:72:7e:c6:87:55:16:
7a:bf:29:2e:da:5f:3c:4c:f2:b2:77:09:fb:fe:5a:38:67:1b:
db:c5:db:4b:64:87:1c:c7:e8:71:84:92:fd:39:17:9d:7b:b3:
dc:4b:1a:56:a8:75:63:1e:be:80:ac:98:a6:d7:41:96:8d:44:
b4:13:79:c6:08:07:b8:4a:8c:5b:04:09:a6:8d:73:47:b5:a8:
0b:97:40:66:cf:04:bc:01:93:4a:6a:ed:b2:91:94:51:12:0e:
dd:c9:70:c9:fd:65:ed:49:c2:1a:89:0f:6e:ed:69:1c:d5:2c:
cb:42:f4:ce:69:bd:99:a2:ff:ea:a7:69:5f:f7:43:b5:c3:03:
86:67:95:6e:1e:80:c7:8c:35:ac:7f:e6:e2:4e:11:08:dc:cd:
16:02:e1:cd:59:4d:70:e8:fe:5a:85:4a:18:97:bb:97:f4:6a:
82:ee:e3:c1:73:b4:2a:24:73:bd:f1:fc:08:02:6c:5d:e1:53:
设定用户账号
[root@master pki]# kubectl config set-credentials jerry --client-certificate=jerry.crt --client-key=jerry.key --embed-certs=true
User "jerry" set.
[root@master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://172.27.1.241:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: jerry # 这里可以看到刚刚设定的用户账号
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
给jerry用户加入上下文
[root@master pki]# kubectl config set-context jerry@kubernetes --cluster=kubernetes --user=jerry
Context "jerry@kubernetes" created.
[root@master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://172.27.1.241:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context: # 这里开始向下就是jerry的上下文相关的配置了
cluster: kubernetes
user: jerry
name: jerry@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: jerry
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
切换至刚刚增加的jerry用户的对应的
[root@master pki]# kubectl config use-context jerry@kubernetes
Switched to context "jerry@kubernetes".
[root@master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://172.27.1.241:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
user: jerry
name: jerry@kubernetes
current-context: jerry@kubernetes # 看到当前上下文已经切换到 jerry@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: jerry
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
测试jerry用户权限
由于jerry@kubernetes 没有赋予任何角色,所以对集群是没有任何操作权限
[root@master pki]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "jerry" cannot list resource "pods" in API group "" in the namespace "default"
这里报错意思是 default 名称空间中,不能获取数据
重新切换至kubernetes-admin@kubernetes测试
[root@master pki]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@master pki]# kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-sa-demo 1/1 Running 0 3d3h
保存配置文件
默认 kubernetes-admin 的配置文件保存目录是~/.kube/config文件中。
也可以保存到别的目录下:
[root@master ~]# kubectl config set-cluster test --kubeconfig=/tmp/test.conf --server="https://172.27.1.241:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
Cluster "test" set.
[root@master ~]# kubectl config view --kubeconfig=/tmp/test.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://172.27.1.241:6443
name: test
contexts: []
十一,k8s集群访问控制之ServicAccount的更多相关文章
- 十二,k8s集群访问控制之RBAC授权
目录 角色访问控制RBAC (Role-Based Access Control) 常用的授权插件: RBAC控制: role 和 clusterrole rolebinding 和 clusterr ...
- 使用Kubeadm创建k8s集群之节点部署(三十一)
前言 本篇部署教程将讲述k8s集群的节点(master和工作节点)部署,请先按照上一篇教程完成节点的准备.本篇教程中的操作全部使用脚本完成,并且对于某些情况(比如镜像拉取问题)还提供了多种解决方案.不 ...
- Randcher 2.0部署K8s集群(一)
环境准备 1.系统版本 CentOS7.5 + docker ee 2.配置阿里云yum源 wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirro ...
- 使用kubectl管理k8s集群(二十九)
前言 在搭建k8s集群之前,我们需要先了解下kubectl的使用,以便在集群部署出现问题时进行检查和处理.命令和语法记不住没有关系,但是请记住主要的语法和命令以及帮助命令的使用. 在下一篇,我们将讲述 ...
- k8s集群部分常见问题处理
目录 部分常见问题处理 Coredns CrashLoopBackOff 导致无法成功添加工作节点的问题 添加工作节点时提示token过期 kubectl 执行命令报“The connection t ...
- Kubernetes(k8s)集群安装
一:简介 二:基础环境安装 1.系统环境 os Role ip Memory Centos 7 master01 192.168.25.30 4G Centos 7 node01 192.168.25 ...
- K8s集群认证之RBAC
kubernetes认证,授权概括总结: RBAC简明总结摘要:API Server认证授权过程: subject(主体)----->认证----->授权[action(可做什么)]--- ...
- k8s集群搭建笔记(细节有解释哦)
本文中所有带引号的命令,请手动输入引号,不知道为什么博客里输入引号,总是自动转换成了中文 基本组成 pod:k8s 最小单位,类似docker的容器(也许) 资源清单:资源.资源清单语法.pod生命周 ...
- 整理全网最全K8S集群管理工具、平台
整理常见的整理全网最全K8S集群管理工具.平台解决方案. 1 Rancher Rancher中文官网:https://docs.rancher.cn/ 2 KubeSphere 官网:https:// ...
随机推荐
- powerDesigner关联数据库显示中文注释
最近使用powerdesigner,遇到些问题,记录一下[安装过程就略过了] 一.安装odbc驱动 分享下驱动,百度网盘链接:https://pan.baidu.com/s/1UYPq_PEQkDOJ ...
- CF444A DZY Loves Physics【结论】
题目传送门 话说这道题不分析样例实在是太亏了...结论题啊... 但是话说回来不知道它是结论题的时候会不会想到猜结论呢...毕竟样例一.二都有些特殊. 观察样例发现选中的子图都只有一条边. 于是猜只有 ...
- 【VS开发】【编程开发】【C/C++开发】结构体中的数组与指针的内存分配情况说明
[VS开发][编程开发][C/C++开发]结构体中的数组与指针的内存分配情况说明 标签:[VS开发] [编程开发] 主要是疑惑在结构体定义的数组的内存空间与指针动态分配的内存空间,在地址上连续性.以及 ...
- 【VS开发】list控件的InsertColumn方法出错
今天在写一个获取磁盘信息的小程序,通过list控件显示各磁盘信息.我在属性页(CPropertyPage)的构造函数中,调用list控件的InsertColumn方法,编译链接都通过了,但运行时冒出了 ...
- BandingList 泛型集合数据绑定
public IList<Student> IStudent = new List<Student>(); public BindingList<Student> ...
- Resistors in Parallel(找规律+大数)
题意:https://codeforces.com/group/ikIh7rsWAl/contest/254825/problem/E 给你一个n,计算n / Sigma(1~n)的d(是n的只出现一 ...
- php+lottery.js制作九宫格抽奖实例
php+lottery.js制作九宫格抽奖实例,本抽奖功能效果表现好,定制方便简单,新手学习跟直接拿来用都非常不错,兼容IE.火狐.谷歌等浏览器. 引入抽奖插件lottery.js <scrip ...
- Win32汇编语言语法基础
汇编语言(assembly language)是一种用于电子计算机.微处理器.微控制器或其他可编程器件的低级语言,亦称为符号语言.在汇编语言中,用助记符(Mnemonics)代替机器指令的操作码,用地 ...
- k8s之statefulSet-有状态应用副本集控制器
1.概述 无状态应用更关注群体,任何一个成员都可以被取代,有状态应用关注的是个体.用deployment控制器管理的nginx.myapp等都属于无状态应用,像mysql.redis.zookeepe ...
- 使用kafka-eagle监控Kafka
# 监控kafka集群,开启监控趋势图使用 # 有一个问题,需要在kafka-server-start.sh文件中配置端口,有如下三种办法 # 第一种:复制并修改kafka目录,比如kafka-1,k ...