替换apiserver参数--basic-auth-file为--token-auth-file

2020-11-05 10:36:45 +08:00 · 2020-11-05 10:36:45 +08:00 · d7613a2091
parent af9d7e972b
commit d7613a2091
6 changed files with 10 additions and 5 deletions
--- a/docs/guide/dashboard.1.6.3.md
+++ b/docs/guide/dashboard.1.6.3.md
@ -42,7 +42,7 @@ kubectl logs kubernetes-dashboard-86bd8778bf-w4974 -n kube-system
 + 启用 `TLS认证` `RBAC授权`等安全特性
 + 关闭 apiserver非安全端口8080的外部访问`--insecure-bind-address=127.0.0.1`
 + 关闭匿名认证`--anonymous-auth=false`
-+ 补充启用基本密码认证 `--basic-auth-file=/etc/kubernetes/ssl/basic-auth.csv`，[密码文件模板](../../roles/kube-master/templates/basic-auth.csv.j2)中按照每行(密码,用户名,序号)的格式，可以定义多个用户
+ 补充启用基本密码认证 `--token-auth-file=/etc/kubernetes/ssl/basic-auth.csv`，[密码文件模板](../../roles/kube-master/templates/basic-auth.csv.j2)中按照每行(密码,用户名,序号)的格式，可以定义多个用户

 #### 1. 临时访问：使用 `http://NodeIP:NodePort` 方式直接访问 dashboard，生产环境建议关闭该途径

--- a/docs/guide/dashboard.md
+++ b/docs/guide/dashboard.md
@ -50,7 +50,7 @@ kubectl logs kubernetes-dashboard-7c74685c48-9qdpn -n kube-system
 + 启用 `TLS认证` `RBAC授权`等安全特性
 + 关闭 apiserver非安全端口8080的外部访问`--insecure-bind-address=127.0.0.1`
 + 关闭匿名认证`--anonymous-auth=false`
-+ 可选启用基本密码认证 `--basic-auth-file=/etc/kubernetes/ssl/basic-auth.csv`，[密码文件模板](../../roles/kube-master/templates/basic-auth.csv.j2)中按照每行(密码,用户名,序号)的格式，可以定义多个用户；kubeasz 1.0.0 版本以后默认关闭 basic-auth，可以在 roles/kube-master/defaults/main.yml 选择开启
+ 可选启用基本密码认证 `--token-auth-file=/etc/kubernetes/ssl/basic-auth.csv`，[密码文件模板](../../roles/kube-master/templates/basic-auth.csv.j2)中按照每行(密码,用户名,序号)的格式，可以定义多个用户；kubeasz 1.0.0 版本以后默认关闭 basic-auth，可以在 roles/kube-master/defaults/main.yml 选择开启

 新版 dashboard可以有多层访问控制，首先与旧版一样可以使用apiserver 方式登录控制：

--- a/docs/setup/04-install_kube_master.md
+++ b/docs/setup/04-install_kube_master.md
@ -97,7 +97,7 @@ ExecStart={{ bin_dir }}/kube-apiserver \
  --kubelet-client-certificate={{ ca_dir }}/admin.pem \
  --kubelet-client-key={{ ca_dir }}/admin-key.pem \
  --anonymous-auth=false \
-  --basic-auth-file={{ ca_dir }}/basic-auth.csv \
+  --token-auth-file={{ ca_dir }}/basic-auth.csv \
  --service-cluster-ip-range={{ SERVICE_CIDR }} \
  --service-node-port-range={{ NODE_PORT_RANGE }} \
  --tls-cert-file={{ ca_dir }}/kubernetes.pem \
--- a/roles/kube-master/defaults/main.yml
+++ b/roles/kube-master/defaults/main.yml
@ -11,6 +11,11 @@ MASTER_CERT_HOSTS:
  #- "www.test.com"

 # apiserver 基础认证（用户名/密码）配置，详见 master 节点文件‘/etc/kubernetes/ssl/basic-auth.csv’
+# the first three values can be anything;
+# These tokens are arbitrary but should represent at least 128 bits of entropy derived from
+# a secure random number generator, for example:
+# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
+# 例子： 02b50b05283e98dd0fd71db496ef01e8,kubelet-bootstrap,10001,"system:bootstrappers"
 # 是否启用基础认证 yes/no
 BASIC_AUTH_ENABLE: 'no'
 # 用户名：
--- a/roles/kube-master/tasks/main.yml
+++ b/roles/kube-master/tasks/main.yml
@ -32,7 +32,7 @@

 - block:
  - name: 生成 basic-auth 随机密码
-    shell: 'PWD=`date +%s%N|md5sum|head -c16`; \
+    shell: 'PWD=`head -c 16 /dev/urandom | od -An -t x | tr -d ' '`; \
 	sed -i "s/_pwd_/$PWD/g" {{ base_dir }}/roles/kube-master/defaults/main.yml; \
 	echo $PWD;'
    connection: local
--- a/roles/kube-master/templates/kube-apiserver.service.j2
+++ b/roles/kube-master/templates/kube-apiserver.service.j2
@ -10,7 +10,7 @@ ExecStart={{ bin_dir }}/kube-apiserver \
  --anonymous-auth=false \
  --authorization-mode=Node,RBAC \
 {% if BASIC_AUTH_ENABLE == "yes" %}
-  --basic-auth-file={{ ca_dir }}/basic-auth.csv \
+  --token-auth-file={{ ca_dir }}/basic-auth.csv \
 {% endif %}
  --bind-address={{ inventory_hostname }} \
  --client-ca-file={{ ca_dir }}/ca.pem \