Minikube 토큰을 통한 인증/인가

By Bys on July 15, 2022

Minikube

1. Token을 이용한 인증

서비스 어카운트는 파드에서 실행되고 있는 프로세스에 대한 ID를 제공해준다. 이 의미는 파드 내부의 특정 프로세스들도 Kubernetes API-Server로 접근 할 때 인증에 대한 부분을 Service Account의 토큰을 통해 인증받을 수 있다는 의미이다.

A service account provides an identity for processes that run in a Pod. When you (a human) access the cluster (for example, using kubectl), you are authenticated by the apiserver as a particular User Account (currently this is usually admin, unless your cluster administrator has customized your cluster). Processes in containers inside pods can also contact the apiserver. When they do, they are authenticated as a particular Service Account (for example, default).

자세한 내용은 아래 공식홈페이지를 참고한다.
Configure Service Accounts for Pods

이번 실습에서는 Secret에서 생성된 토큰을 통해 인증이 정상적으로 잘 되는지를 확인해보려고 한다.

1.1 Service Account & Secret 생성

우선 아래와 같이 Service Account와 Secret을 생성하여 배포한다.
dev-sa.yml

apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: dev
  name: dev-sa

dev-secret.yml

apiVersion: v1
kind: Secret
metadata:
  namespace: dev
  name: dev-secret
  annotations:
    kubernetes.io/service-account.name: dev-sa
type: kubernetes.io/service-account-token

생성된 dev-secret을 describe 커맨드로 보면 아래와 같이 token 정보가 보인다.

kubectl describe secret dev-secret
##Print
Name:         dev-secret
Namespace:    dev
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: dev-sa
              kubernetes.io/service-account.uid: 6af0a60b-41d9-46f4-a466-95c2fa3694a4

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1111 bytes
namespace:  3 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IjN3cWM2WmtlbWFIQVNtdGY0MGRVckJmUDRFRkdjZFl0T2J3dmV3am5kc2MifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZXYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGV2LXNlY3JldCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZXYtc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2YWYwYTYwYi00MWQ5LTQ2ZjQtYTQ2Ni05NWMyZmEzNjk0YTQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGV2OmRldi1zYSJ9.BHE-TNXT01y6v-XTiDuvH6lhUk5yUe1HyiFoyNeF6yP4G8IIUwXeUTwHCP9L55QRvvuRrGH8xrfK7oN38gLgb4NHbTXw9vR95K5e4fTJIFSkxZ6jz1z1ga5E8zPZaVcQ16C0fvSZNm2W9tz1p3cOqXPi60sYedQB_ZcDKZGWTU22T-T8eGROC4veYXHy96A9Qg2sHmdGxQxFoslVm25GNiSvjzj79zC_K84IQ1QX3oECrKu0jJpLWi7wV37djeb8bVoXNGXtRKhboW8rvzegO8V5lskCFaJz_xxrVbo_l_uI4bzcc9ulXMHKyoibN5A2SjyqpKV81_TYNkCo3D7ZRQ


1.2 Role & Rolebinding 생성

ServiceAccount에 어떤 부여할 Role을 생성하고 Binding해준다.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: dev-reader
rules:
- apiGroups: ["*"] # "" indicates the core API group
  resources: ["*"]
  verbs: ["get", "watch", "list"]

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-reader-rolebinding
  namespace: dev
subjects:
- kind: ServiceAccount
  name: dev-sa
  namespace: dev
roleRef:
  kind: Role
  name: dev-reader
  apiGroup: rbac.authorization.k8s.io


1.3 Config설정

위에서 조회된 토큰 값을 가지고

kubectl config set-credentials devreaduser --token eyJhbGciOiJSUzI1NiIsImtpZCI6IjN3cWM2WmtlbWFIQVNtdGY0MGRVckJmUDRFRkdjZFl0T2J3dmV3am5kc2MifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZXYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGV2LXNlY3JldCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZXYtc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2YWYwYTYwYi00MWQ5LTQ2ZjQtYTQ2Ni05NWMyZmEzNjk0YTQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGV2OmRldi1zYSJ9.BHE-TNXT01y6v-XTiDuvH6lhUk5yUe1HyiFoyNeF6yP4G8IIUwXeUTwHCP9L55QRvvuRrGH8xrfK7oN38gLgb4NHbTXw9vR95K5e4fTJIFSkxZ6jz1z1ga5E8zPZaVcQ16C0fvSZNm2W9tz1p3cOqXPi60sYedQB_ZcDKZGWTU22T-T8eGROC4veYXHy96A9Qg2sHmdGxQxFoslVm25GNiSvjzj79zC_K84IQ1QX3oECrKu0jJpLWi7wV37djeb8bVoXNGXtRKhboW8rvzegO8V5lskCFaJz_xxrVbo_l_uI4bzcc9ulXMHKyoibN5A2SjyqpKV81_TYNkCo3D7ZRQ

kubectl config set-context devreaduser --cluster=minikube --user=devreaduser

kubectl config use-context devreaduser


1.4 Check

확인을 해보면 현재 devreaduser는 dev namespace에 있는 리소스만 조회 가능하며 다른 namespace에 대해서는 조회권한이 없는 것을 확인 할 수 있다.

kubectl get pods -n dev
##Print
NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-544dc8b7c4-hcn8g   1/1     Running   0          2d20h
nginx-deployment-544dc8b7c4-rsfkw   1/1     Running   0          2d20h
[minikube@kyle-docker ~]$ k get all -n dev
NAME                                    READY   STATUS    RESTARTS   AGE
pod/nginx-deployment-544dc8b7c4-hcn8g   1/1     Running   0          2d20h
pod/nginx-deployment-544dc8b7c4-rsfkw   1/1     Running   0          2d20h

NAME                    TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
service/nginx-service   NodePort   10.100.191.220   <none>        80:30000/TCP   2d20h

NAME                               READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/nginx-deployment   2/2     2            2           2d20h

NAME                                          DESIRED   CURRENT   READY   AGE
replicaset.apps/nginx-deployment-544dc8b7c4   2         2         2       2d20h

kubectl get all -A
##Print
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:dev:dev-sa" cannot list resource "pods" in API group "" at the cluster scope
Error from server (Forbidden): replicationcontrollers is forbidden: User "system:serviceaccount:dev:dev-sa" cannot list resource "replicationcontrollers" in API group "" at the cluster scope
Error from server (Forbidden): services is forbidden: User "system:serviceaccount:dev:dev-sa" cannot list resource "services" in API group "" at the cluster scope
Error from server (Forbidden): daemonsets.apps is forbidden: User "system:serviceaccount:dev:dev-sa" cannot list resource "daemonsets" in API group "apps" at the cluster scope
Error from server (Forbidden): deployments.apps is forbidden: User "system:serviceaccount:dev:dev-sa" cannot list resource "deployments" in API group "apps" at the cluster scope
Error from server (Forbidden): replicasets.apps is forbidden: User "system:serviceaccount:dev:dev-sa" cannot list resource "replicasets" in API group "apps" at the cluster scope
Error from server (Forbidden): statefulsets.apps is forbidden: User "system:serviceaccount:dev:dev-sa" cannot list resource "statefulsets" in API group "apps" at the cluster scope
Error from server (Forbidden): horizontalpodautoscalers.autoscaling is forbidden: User "system:serviceaccount:dev:dev-sa" cannot list resource "horizontalpodautoscalers" in API group "autoscaling" at the cluster scope
Error from server (Forbidden): cronjobs.batch is forbidden: User "system:serviceaccount:dev:dev-sa" cannot list resource "cronjobs" in API group "batch" at the cluster scope
Error from server (Forbidden): jobs.batch is forbidden: User "system:serviceaccount:dev:dev-sa" cannot list resource "jobs" in API group "batch" at the cluster scope




Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

Tag: [ kubernetes  minikube  csr  crt  authentication  ]