Django: Writing a k8s User Management System (Part 1)


Staff changes have been frequent lately, so the matching account/permission additions, deletions and changes have become frequent too, above all creating k8s users, service accounts and their roles, which is extremely tedious and all done by hand in a terminal. I build dreams with my own two hands, but with this many clusters, this many projects and this many people, an N*N*N job gets rather hard on the hands. Looks like I need to free myself and write a user management system; time for another brainstorm (●ˇ∀ˇ●)

Debugging the k8s API

Before debugging the cluster API, install the kubernetes SDK package:

# The cluster used here is 1.18; the Python client's major version tracks the k8s minor version (18.x for 1.18).
# Keep the cluster and SDK versions close, otherwise some APIs will not be found ~
pip3 install kubernetes==18.17.0a1

Role (ClusterRole) API

Role (ClusterRole) binding API

ServiceAccount API

Secret API

User-related APIs

create_certificate_signing_request

K8s has no user resource API as such, but it does recognize the subject of an x509 client certificate signed by the cluster CA: the CN becomes the user name and each O becomes a group. So we need to work out how to generate a client certificate, how to submit a certificate signing request, and finally how to generate a kubeconfig to return to the user.

1. Generate the client private key with openssl (pyOpenSSL)

from OpenSSL import crypto

# 2048-bit RSA key for the user; generate_key() fills the PKey in place
psec = crypto.PKey()
psec.generate_key(crypto.TYPE_RSA, 2048)
# PEM-encoded private key (bytes); printed here for the demo only, never log it in the real system
private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, psec)
print(private_key.decode('utf-8'))

This outputs:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

2. Build the certificate signing request

from OpenSSL import crypto

# Create the private key
psec = crypto.PKey()
psec.generate_key(crypto.TYPE_RSA, 2048)
private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, psec)
# print(private_key.decode('utf-8'))

# Create the certificate signing request for that key
cs_req = crypto.X509Req()

# Set the user name: k8s takes the CN as the user name
cs_req.get_subject().CN = "xadocker"
cs_req.get_subject().ST = "normal"

# Set the organisation: k8s takes each O as a group; ST, OU and emailAddress are ignored by the authenticator
cs_req.get_subject().O = "it"
cs_req.get_subject().OU = "it-1"
cs_req.get_subject().emailAddress = 'xadocker@xaodkcer.cn'
cs_req.set_pubkey(psec)
cs_req.sign(psec, 'sha256')
csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, cs_req)
print(csr.decode('utf-8'))

Output:

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

3. Submit the signing request through the CertificateSigningRequest API

from OpenSSL import crypto

# Same key and CSR generation as step 2 (printing the key is for the demo only;
# in the real system it goes straight into the user's kubeconfig, never into logs)
psec = crypto.PKey()
psec.generate_key(crypto.TYPE_RSA, 2048)
private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, psec)
print(private_key.decode('utf-8'))
username = "xadocker4"
cs_req = crypto.X509Req()
cs_req.get_subject().CN = username          # k8s user name
cs_req.get_subject().ST = "normal"
cs_req.get_subject().O = "it"               # k8s group
cs_req.get_subject().OU = "it-1"
cs_req.get_subject().emailAddress = username + '@xadocker.cn'
cs_req.set_pubkey(psec)
cs_req.sign(psec, 'sha256')
csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, cs_req)
print(csr.decode('utf-8'))

import base64
from kubernetes import client, config

# kubeconfig file named "config" in the current directory; its identity becomes the CSR's REQUESTOR
config.load_kube_config('config')
# spec.request is the base64-encoded PEM of the CSR
csr = base64.b64encode(csr)
# A dict body is sent to the API server as-is, so use the API's own camelCase field names.
# certificates.k8s.io/v1beta1 matches the 1.18 cluster used here; on 1.19+ use
# certificates.k8s.io/v1 and client.CertificatesV1Api (v1beta1 was removed in 1.22).
body = {
    "apiVersion": "certificates.k8s.io/v1beta1",
    "kind": "CertificateSigningRequest",
    "metadata": {"name": username},
    "spec":
        {
            "request": csr.decode('utf-8'),
            "signerName": "kubernetes.io/kube-apiserver-client",
            "usages": ["client auth"],
        }
}
print(body)
csr_req = client.CertificatesV1beta1Api()
resp = csr_req.create_certificate_signing_request(body=body)
print(resp.metadata.name, resp.status)

After running this, the CSR shows up in the cluster in the Pending condition. The kubernetes.io/kube-apiserver-client signer never auto-approves, so an admin (kubectl certificate approve <name>) or the management system, through the approval subresource, has to approve it before status.certificate is populated:

[root@k8s-master ~]# kubectl get csr
NAME        AGE     SIGNERNAME                            REQUESTOR          CONDITION
xadocker2   6m10s   kubernetes.io/kube-apiserver-client   kubernetes-admin   Pending
xadocker3   28s     kubernetes.io/kube-apiserver-client   kubernetes-admin   Pending
xadocker4   6s      kubernetes.io/kube-apiserver-client   kubernetes-admin   Pending
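Whoever approves a kube-apiserver-client CSR grants exactly the identity in its subject, so the management system must re-read the subject from the CSR bytes and check it against policy before approving, and it must refuse anything carrying the reserved system: prefix (an O of system:masters bypasses RBAC entirely). The following is an added example written for this edit, not code from the original post: it covers the two pieces the three steps above stop short of, the pre-approval subject check and the assembly of the kubeconfig returned to the user once the signed certificate is back. It uses the cryptography package directly rather than pyOpenSSL, and stands in a throw-away self-signed CA for the cluster signer so that it runs offline; the cluster name, server URL, user names and groups are made up for the demo.

```python
import base64
import datetime
import json

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

PEM = serialization.Encoding.PEM


def make_csr(username, groups):
    """Client key + CSR. k8s maps CN -> user name and each O -> a group."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name(
        [x509.NameAttribute(NameOID.COMMON_NAME, username)]
        + [x509.NameAttribute(NameOID.ORGANIZATION_NAME, g) for g in groups]
    )
    csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())
    key_pem = key.private_bytes(PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption())
    return key_pem, csr.public_bytes(PEM)


def check_csr_subject(csr_pem, expected_user, allowed_groups):
    """Approval gate. Re-reads the subject from the CSR bytes (never from the
    request that asked for it) and returns (ok, reason)."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        return False, "CSR signature does not verify against its own key"
    cns = [a.value for a in csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    orgs = [a.value for a in csr.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)]
    if cns != [expected_user]:
        return False, f"CN {cns} does not match intended user {expected_user!r}"
    reserved = [n for n in cns + orgs if n.startswith("system:")]
    if reserved:  # system:masters in O would bypass RBAC entirely
        return False, f"reserved system: names in subject: {reserved}"
    bad = [o for o in orgs if o not in allowed_groups]
    if bad:
        return False, f"groups not allowed for this user: {bad}"
    return True, "ok"


def make_demo_ca():
    """Throw-away self-signed CA standing in for the cluster signer (demo only)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo-cluster-ca")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def sign_client_csr(ca_key, ca_cert, csr_pem, days=30):
    """What the signer does after approval: copy the CSR subject verbatim and
    issue a short-lived certificate restricted to client authentication."""
    csr = x509.load_pem_x509_csr(csr_pem)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(csr.subject).issuer_name(ca_cert.subject).public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return cert.public_bytes(PEM)


def build_kubeconfig(cluster, server, ca_pem, user, cert_pem, key_pem):
    """kubeconfig handed back to the user, with all PEMs embedded as base64.
    JSON is valid YAML, so json.dumps(result) is a loadable kubeconfig."""
    b64 = lambda data: base64.b64encode(data).decode()
    context = f"{user}@{cluster}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {"server": server, "certificate-authority-data": b64(ca_pem)}}],
        "users": [{"name": user, "user": {"client-certificate-data": b64(cert_pem), "client-key-data": b64(key_pem)}}],
        "contexts": [{"name": context, "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
    }


def issue_user(username, groups, allowed_groups, cluster="demo", server="https://10.0.0.1:6443"):
    """End-to-end: CSR -> policy check -> (demo) signing -> kubeconfig, or (None, refusal reason)."""
    ca_key, ca_cert = make_demo_ca()
    key_pem, csr_pem = make_csr(username, groups)
    ok, reason = check_csr_subject(csr_pem, username, allowed_groups)
    if not ok:
        return None, reason
    cert_pem = sign_client_csr(ca_key, ca_cert, csr_pem)
    return build_kubeconfig(cluster, server, ca_cert.public_bytes(PEM), username, cert_pem, key_pem), reason


if __name__ == "__main__":
    cfg, why = issue_user("alice", ["dev"], {"dev", "qa"})
    print(json.dumps(cfg, indent=2) if cfg else "refused: " + why)
    print(issue_user("mallory", ["system:masters"], {"system:masters"}))
```

In the real system the signing step is replaced by the cluster: after check_csr_subject() passes, approve the CSR, poll read_certificate_signing_request() until status.certificate is set, base64-decode it and feed it to build_kubeconfig() together with the cluster CA from your own kubeconfig. The private key never leaves the process except inside the kubeconfig handed to the user.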

list_certificate_signing_request()

read_certificate_signing_request()

read_certificate_signing_request_status()

patch_certificate_signing_request()

replace_certificate_signing_request()

delete_certificate_signing_request()

Other APIs that may be useful

xadocker
Copyright notice: original article on this site, published by xadocker on 2022-07-26, 5457 characters in total.
Reprint notice: unless otherwise stated, articles on this site are published under CC-4.0; please credit the source when reprinting.