This mechanism automatically requests a JWT for a container and binds it to that container, so the token can represent the container's identity. The kubelet is responsible for requesting, mounting, and refreshing the token.
To use this feature you need:
Kubernetes v1.12 or later
The following flags enabled on kube-apiserver (the key file paths and the audiences must be adjusted to your actual environment):
```
--service-account-issuer=kubernetes.default.svc \
--api-audiences=api,istio-ca \
--service-account-key-file=/srv/kubernetes/server.key \
--service-account-signing-key-file=/srv/kubernetes/server.key
```
The container spec of the pod must include the following volumeMounts and volumes definitions. Note that the volumes entry uses the serviceAccountToken source of a projected volume:
```yaml
volumeMounts:
- mountPath: /var/run/secrets/tokens
  name: istio-token
volumes:
- name: istio-token
  projected:
    defaultMode: 420
    sources:
    - serviceAccountToken:
        audience: istio-ca
        expirationSeconds: 43200
        path: istio-token
```
When the pod starts, the kubelet uses this information to request the JWT and inject it into the container (in the example above it is mounted under the /var/run/secrets/tokens directory).
You can read the token file inside the corresponding container:
```
[root@am-primary aspenmesh-1.6.5-am1]# kubectl exec -it aspen-mesh-metrics-collector-6cfd7bbc7c-tkrbp -c istio-proxy -n istio-system -- cat /var/run/secrets/tokens/istio-token
eyJhbGciOiJSUzI1NiIsImtpZCI6Iks3eG5DSFF3M0tqN2hRMFAySmVYblQtd1haUExJTlBGMkpDM1doQmZBencifQ.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.Pdm1vstGFuAxr8DVamOQ37b8NJWb968dVmT7xr1HP1s8V4lN1eMYUr02piHpxKsSPGrQVybuA21ZnvGdhbol77qnuD_O_CezCYNjIlGDT8ugcS7-5dsulFAyZB4wIoq26K4KIprQvO4dFG8TPekgd5Zm1pGs2IVGArOySyrVq3QlOCn8Cu8V2GumhTQLY6TMmjoUopsWoYCON2uNAfkCEpXllA2_0BiEdQ9Rn2Ka-eli7DmWuoZB2QGSIUb5DS6_I_LsO0NyPVEYq7V-uH120KRXIaJOb8USCvgbGlFLqrpeIA2fkrwbmxB2-XRt2eX_e7eSHBCT1Xi_ubhEq4jJTg
```
Decoding this token with jwt.io shows the following payload:
```json
{
  "aud": [
    "istio-ca"
  ],
  "exp": 1600286312,
  "iat": 1600243112,
  "iss": "kubernetes.default.svc",
  "kubernetes.io": {
    "namespace": "istio-system",
    "pod": {
      "name": "aspen-mesh-metrics-collector-6cfd7bbc7c-tkrbp",
      "uid": "d71c5599-fa47-4d3c-ba2c-35f66017cd6b"
    },
    "serviceaccount": {
      "name": "aspen-mesh-metrics-collector",
      "uid": "d2fc2c0d-b96b-4777-9d17-67f1c58346bc"
    }
  },
  "nbf": 1600243112,
  "sub": "system:serviceaccount:istio-system:aspen-mesh-metrics-collector"
}
```
The pod's service account is aspen-mesh-metrics-collector and the audience is istio-ca, so the token passes the api-server's check (the api-server's audience configuration includes istio-ca).
An application inside the container can use this token directly when talking to other services (containers). The receiving container validates the JWT after receiving it; when the JWT was issued by the Kubernetes platform itself, that validation is also done through the Kubernetes TokenReview API.
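The receiving side described above can be illustrated with the following Python script, which is an added example and not code from the original post or from Istio/Kubernetes. It rebuilds a token string from the claims shown in the decoded payload (the header `kid`, the signature segment, and the TokenReview response are constructed placeholders), does a cheap local check of `aud`, `iss`, `exp` and `nbf` to reject obviously unusable tokens early, and then builds the TokenReview request body that the receiver posts to the api-server for the real verification. The local check never verifies the RS256 signature, so it is only a prefilter; only an `authenticated: true` TokenReview response establishes the caller's identity.

```python
import base64
import json
import time

# Constructed sample claims, mirroring the decoded payload shown above.
SAMPLE_CLAIMS = {
    "aud": ["istio-ca"],
    "exp": 1600286312,
    "iat": 1600243112,
    "iss": "kubernetes.default.svc",
    "kubernetes.io": {
        "namespace": "istio-system",
        "pod": {"name": "aspen-mesh-metrics-collector-6cfd7bbc7c-tkrbp",
                "uid": "d71c5599-fa47-4d3c-ba2c-35f66017cd6b"},
        "serviceaccount": {"name": "aspen-mesh-metrics-collector",
                           "uid": "d2fc2c0d-b96b-4777-9d17-67f1c58346bc"},
    },
    "nbf": 1600243112,
    "sub": "system:serviceaccount:istio-system:aspen-mesh-metrics-collector",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims=SAMPLE_CLAIMS) -> str:
    """Build a constructed token string with the sample claims.

    The third segment is a placeholder. A real projected token is RS256-signed with the
    api-server's service-account signing key; this script never checks that signature
    locally, which is exactly what TokenReview is for."""
    header = {"alg": "RS256", "kid": "constructed-kid"}  # kid is an assumption
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     "PLACEHOLDER-SIGNATURE"])


def peek_claims(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def prefilter(token: str, expected_audience: str, expected_issuer: str, now=None):
    """Cheap local rejection before spending an api-server round trip.

    Returns (ok, reason). ok=True is NOT authentication: the signature is unchecked."""
    now = time.time() if now is None else now
    claims = peek_claims(token)
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # RFC 7519 allows a bare string for a single audience
        aud = [aud]
    if expected_audience not in aud:
        return False, "audience mismatch"
    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if now < claims.get("nbf", 0):
        return False, "not yet valid"
    return True, "ok"


def tokenreview_request(token: str, audiences) -> dict:
    """Body for POST /apis/authentication.k8s.io/v1/tokenreviews.

    spec.audiences tells the api-server which audience the receiver accepts, so a token
    minted for a different service is rejected even though it is validly signed."""
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
            "spec": {"token": token, "audiences": list(audiences)}}


def identity_from_tokenreview(response: dict):
    """Return status.user.username from a TokenReview response, or None if not authenticated."""
    status = response.get("status", {})
    if not status.get("authenticated"):
        return None
    return status.get("user", {}).get("username")


# Constructed sample of what the api-server answers for the token above.
SAMPLE_RESPONSE = {
    "apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
    "status": {"authenticated": True, "audiences": ["istio-ca"],
               "user": {"username": "system:serviceaccount:istio-system:aspen-mesh-metrics-collector",
                        "uid": "d2fc2c0d-b96b-4777-9d17-67f1c58346bc",
                        "groups": ["system:serviceaccounts",
                                   "system:serviceaccounts:istio-system",
                                   "system:authenticated"]}},
}

if __name__ == "__main__":
    tok = make_sample_token()
    print(prefilter(tok, "istio-ca", "kubernetes.default.svc", now=1600250000))
    print(json.dumps(tokenreview_request(tok, ["istio-ca"]), indent=2))
    print(identity_from_tokenreview(SAMPLE_RESPONSE))
```

Two details worth noticing when reading the sample claims against the manifest above: `exp - iat` is 43200 seconds, which is the `expirationSeconds` requested in the projected volume, and the receiver passes its own audience (`istio-ca`) in `spec.audiences` rather than trusting the `aud` claim it read locally. The local prefilter also cannot tell whether the pod or service account still exists; TokenReview checks that binding on the api-server, which is why a projected token stops working once its pod is deleted.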
References:
https://jpweber.io/blog/a-look-at-tokenrequest-api/#:~:text=service%2Daccount%2Dsigning%2Dkey%2Dfile%3A%20Path%20to,tokens%20with%20this%20private%20key.&text=The%20service%20account%20token%20authenticator,least%20one%20of%20these%20audiences.
https://github.com/jpweber/tokenrequest-demo
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection