k8s Authentication
Posted 2018-05-16 in Kubernetes

https://kubernetes.io/docs/admin/authentication/

1. Authenticating Proxy

Users are authenticated by a client certificate plus HTTP request headers: before the API server will look at the identity headers at all, the authenticating proxy must present a valid client certificate on the TLS connection, and that certificate must verify against the CA configured with --requestheader-client-ca-file. The headers name the end user; the certificate proves the headers come from the trusted proxy.

1.1. Edit the API server configuration and restart it

Configuration file path: /etc/kubernetes/manifests/kube-apiserver.yaml (a static pod manifest; the kubelet restarts kube-apiserver by itself when the file changes).

API server flags to add (from the linked docs; the paths are the kubeadm defaults): --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt, --requestheader-allowed-names=front-proxy-client, --requestheader-username-headers=X-Remote-User, --requestheader-group-headers=X-Remote-Group, --requestheader-extra-headers-prefix=X-Remote-Extra-. The allowed-names list is what binds header trust to the certificate issued in 1.2: only a certificate signed by that CA whose CN is on the list may set identity headers; if the list is left empty, any certificate signed by the CA is accepted.

1.2. Issue a client certificate for the proxy server, signed by front-proxy-ca.crt

    # Key and CSR for the proxy. The CN must be one of --requestheader-allowed-names.
    openssl genrsa -out client.key 2048
    openssl req -new -key client.key -subj "/CN=front-proxy-client" -out client.csr
    # Sign with the front-proxy CA (kubeadm keeps it in /etc/kubernetes/pki/front-proxy-ca.{crt,key}).
    # This certificate can impersonate any user, so a 10-year lifetime is generous; shorten it if you can rotate.
    openssl x509 -req -sha256 -in client.csr -CA front-proxy-ca.crt -CAkey front-proxy-ca.key -CAcreateserial -days 3650 -out client.crt

1.3. The client (the proxy itself) presents the client certificate when calling Kubernetes, and a request header carries the identity of the end user

The API server accepts X-Remote-User only on a connection whose client certificate chains to front-proxy-ca.crt, so client.key is effectively an "impersonate anyone" credential: it stays on the proxy host and is never handed to end users. X-Remote-Group may be sent alongside to supply group membership. The snippet below has been made runnable: hostname and path are strings rather than arrays, fs is required, and the file names match step 1.2.

    var https = require("https");
    var fs = require("fs");

    var options = {
      "method": "GET",
      "hostname": "139.198.120.249",
      "port": 6443,
      "path": "/api/v1/namespaces/default/services",
      "headers": {
        // Trusted by the API server only because of the client certificate below.
        "X-Remote-User": "pod-reader"
      },
      // Certificate and key issued in step 1.2.
      "key": fs.readFileSync("client.key"),
      "cert": fs.readFileSync("client.crt"),
      // Cluster CA (assumed copied from /etc/kubernetes/pki/ca.crt) so the API server's
      // certificate is verified instead of TLS verification being switched off.
      "ca": fs.readFileSync("ca.crt")
    };

    var req = https.request(options, function (res) {
      var chunks = [];

      res.on("data", function (chunk) {
        chunks.push(chunk);
      });

      res.on("end", function () {
        var body = Buffer.concat(chunks);
        console.log(res.statusCode, body.toString());
      });
    });

    req.on("error", function (err) {
      console.error(err);
    });

    req.end();

2. Webhook Token Authentication

Bearer tokens are verified by calling out to an external webhook service.

2.1. Edit the API server configuration and restart it

Configuration file path: /etc/kubernetes/manifests/kube-apiserver.yaml

API server flags to add (from the linked docs): --authentication-token-webhook-config-file pointing at the kubeconfig-style file below, and optionally --authentication-token-webhook-cache-ttl (default 2m) for how long a verdict is cached. Because kube-apiserver runs as a static pod, the config file and the certificates it references must be visible inside the container, i.e. mounted through a hostPath volume in the manifest.

Example webhook configuration file (kubeconfig format):

    # clusters refers to the remote service.
    clusters:
      - name: name-of-remote-authn-service
        cluster:
          certificate-authority: /path/to/ca.pem         # CA for verifying the remote service.
          server: https://authn.example.com/authenticate # URL of remote service to query. Must use 'https'.
    
    # users refers to the API server's webhook configuration.
    users:
      - name: name-of-api-server
        user:
          client-certificate: /path/to/cert.pem # cert for the webhook plugin to use
          client-key: /path/to/key.pem          # key matching the cert
    
    # kubeconfig files require a context. Provide one for the API server.
    current-context: webhook
    contexts:
    - context:
        cluster: name-of-remote-authn-service
        user: name-of-api-server
      name: webhook

When a client authenticates to the API server with a bearer token as described above, the authentication webhook POSTs a TokenReview object containing the token to the remote service. Kubernetes does not challenge requests that lack such a header; they simply fall through to the other configured authenticators.

The request body has the following format:

    {
      "apiVersion": "authentication.k8s.io/v1beta1",
      "kind": "TokenReview",
      "spec": {
        "token": "(BEARERTOKEN)"
      }
    }

The remote service is expected to fill in the status field of the request (a TokenReviewStatus) to indicate whether the login succeeded; the spec field of the response body is ignored. Whatever username, uid and groups the webhook returns are taken at face value, so the webhook endpoint is as sensitive as the API server's own authenticator: it should be reachable only over TLS and should require the API server's client certificate (the users entry in the kubeconfig above). A successful bearer-token verification returns:

    {
      "apiVersion": "authentication.k8s.io/v1beta1",
      "kind": "TokenReview",
      "status": {
        "authenticated": true,
        "user": {
          "username": "janedoe@example.com",
          "uid": "42",
          "groups": [
            "developers",
            "qa"
          ],
          "extra": {
            "extrafield1": [
              "extravalue1",
              "extravalue2"
            ]
          }
        }
      }
    }

An unsuccessful request returns:

    {
      "apiVersion": "authentication.k8s.io/v1beta1",
      "kind": "TokenReview",
      "status": {
        "authenticated": false
      }
    }

linux ss proxy
Posted 2018-05-09 in Ideas

    apt install shadowsocks-libev

Create config.json. The server details were left blank in the original and must be filled in; local_port has to match the port used in the proxy variable below (1080), and method should be one of the AEAD ciphers (for example chacha20-ietf-poly1305 or aes-256-gcm), since the old stream ciphers are deprecated in shadowsocks-libev.

    {
        "server": "<server address>",
        "server_port": <server port>,
        "local_port": 1080,
        "password": "<password>",
        "timeout": <seconds>,
        "method": "<AEAD cipher>"
    }

Start the local SOCKS5 client and point the shell's proxy variable at it:

    ss-local -c config.json
    export http_proxy=socks5://127.0.0.1:1080;

Only tools that understand a socks5:// scheme in proxy variables (curl does) will honour this; ALL_PROXY=socks5://127.0.0.1:1080 is the more widely recognised variable for a SOCKS proxy.
Gradle Proxy
Posted 2018-04-19 in Ideas

Setting the Gradle proxy like this in gradle.properties does not take effect:

    #systemProp.socks.proxyHost=127.0.0.1
    #systemProp.socks.proxyPort=7077

    systemProp.https.proxyHost=127.0.0.1
    systemProp.https.proxyPort=7077

The JVM's SOCKS properties are named socksProxyHost and socksProxyPort (there is no socks.proxyHost), and the https.* properties only route HTTPS traffic through an HTTP proxy, which a SOCKS listener on 7077 does not speak. Passing the correct property names to the build JVM works:

    org.gradle.jvmargs=-DsocksProxyHost=127.0.0.1 -DsocksProxyPort=7077
Git with multiple accounts
Posted 2018-04-12 in Shell

Add a host alias to ~/.ssh/config that selects the key for this account. IdentitiesOnly stops ssh from offering every key in the agent first, which is how the wrong account ends up being used when several keys are loaded:

    Host d.code.aliyun.com
        HostName code.aliyun.com
        PreferredAuthentications publickey
        IdentityFile ~/.ssh/duoke_alicode_rsa
        IdentitiesOnly yes

The alias is only a label: remotes for this account must use git@d.code.aliyun.com:... rather than git@code.aliyun.com:... so the Host block applies.

Test:

    ssh -T git@d.code.aliyun.com