Kubernetes学习笔记 – authentication

Source: 概述

Wed, 14 May 2025 00:00:00 +0000

介绍

authentication API 的核心功能是处理 Kubernetes 集群的身份认证，确保请求来源的合法性。

主要职责包括：

验证请求者身份：
- 确认用户、ServiceAccount 或外部系统的身份凭证
支持多种认证机制：
- X.509 客户端证书
- Bearer Token（如 ServiceAccount Token）
- 身份代理（OIDC、LDAP 等）
提供认证配置管理：
- 管理 TLS 证书配置
- 管理 ServiceAccount 的 Token 签发

核心 API 资源类型

在 authentication.k8s.io/v1 和核心 API 组中定义了以下关键资源：

(1) TokenReview

// 用于验证 Bearer Token 的有效性
type TokenReview struct {
    metav1.TypeMeta `json:",inline"`
    Spec   TokenReviewSpec   `json:"spec"`
    Status TokenReviewStatus `json:"status,omitempty"`
}

关键字段：

spec.token：待验证的 Token 字符串
status.authenticated：验证结果（true/false）
status.user：认证通过后的用户信息（用户名、组等）

(2) CertificateSigningRequest (CSR)

// 在 certificates.k8s.io/v1 中定义，但用于认证流程
type CertificateSigningRequest struct {
    metav1.TypeMeta `json:",inline"`
    Spec   CertificateSigningRequestSpec `json:"spec"`
}

关键字段：

spec.request：PEM 编码的证书签名请求
spec.signerName：指定签名用途（如 kubernetes.io/kube-apiserver-client）

(3) ServiceAccount

// 在核心 v1 API 中定义，用于 Pod 身份认证
type ServiceAccount struct {
    metav1.TypeMeta `json:",inline"`
    Secrets []ObjectReference `json:"secrets,omitempty"` // 关联的 Token Secret
}

Source: types.go

Wed, 14 May 2025 00:00:00 +0000

TokenReview

type TokenReview struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Spec holds information about the request being evaluated
	Spec TokenReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`

	// Status is filled in by the server and indicates whether the request can be authenticated.
	// +optional
	Status TokenReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}

TokenRequest

// TokenRequest requests a token for a given service account.
type TokenRequest struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Spec holds information about the request being evaluated
	Spec TokenRequestSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`

	// Status is filled in by the server and indicates whether the token can be authenticated.
	// +optional
	Status TokenRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}

SelfSubjectReview

// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request.
// When using impersonation, users will receive the user info of the user being impersonated.  If impersonation or
// request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
type SelfSubjectReview struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Status is filled in by the server with the user attributes.
	Status SelfSubjectReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
}

Source: register.go

Wed, 14 May 2025 00:00:00 +0000

注册类型：

func addKnownTypes(scheme *runtime.Scheme) error {
	scheme.AddKnownTypes(SchemeGroupVersion,
		&TokenReview{},
		&TokenRequest{},
		&SelfSubjectReview{},
	)
	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
	return nil
}