Lesson 4: Kubernetes API Spec and Security Mechanisms


Kubernetes API Spec and Security Mechanisms

王渊命 (Wang Yuanming) @jolestar


  1. The Kubernetes API Spec
    • YAML
    • API Spec overview
    • Labels and selectors
    • Pod in detail
    • Service/ReplicaSet/Deployment/DaemonSet/StatefulSet/Job/CronJob/ConfigMap
    • Cascading deletion of Kubernetes API objects
  2. Kubernetes security mechanisms
    • Authentication
    • Authorization
    • Admission Control


YAML is a human-readable data serialization language. It is commonly used for configuration files, but could be used in many applications where data is being stored or transmitted.

  • Indentation with spaces expresses nesting; TAB characters are not allowed
  • : separates key and value
  • - marks an array element, one per line; arrays can also be written inline with square brackets ([]) and commas (,)
  • Strings usually need no quotes; both double (") and single (') quotes are supported
  • --- separates documents, so several documents can be put in one file
  • Multi-line strings: | keeps the line breaks, > folds them into spaces
  • Anchors (&) and references (*) avoid repetition
  • # starts a comment
  • YAML is a superset of JSON

YAML Example

  # Invoice example
  receipt: Oz-Ware Purchase Invoice
  customer:
    given: Dorothy
  items:
    - part_no: A4786
      descrip: Water Bucket (Filled)
      price: 1.47
      quantity: 4
    - part_no: E1628
      descrip: High Heeled "Ruby" Slippers
      price: 133.7
      quantity: 1
  bill-to: &id001
    street: |
      123 Tornado Alley
      Suite 16
    city: East Centerville
  ship-to: *id001
  specialDelivery: >
    Follow the Yellow Brick
    Road to the Emerald City.

Kubernetes API Spec Overview

  apiVersion: v1
  kind: Pod
  metadata:
    name: nginx
    labels:
      app: web
      env: prod
    annotations:
      mydomain.com/custom-extend-key: value
  spec:
    containers:
    - name: nginx
      image: nginx:1.7.9
      ports:
      - containerPort: 80

Kubernetes API Spec

  • apiVersion: version of the object schema (v1, batch/v1, storage.k8s.io/v1)
  • kind: type of the object schema (List, Pod, Node, Service)
  • metadata:
    • namespace
    • name
    • uid
    • resourceVersion
    • labels (selectable, used by selectors)
    • annotations (free-form, not selectable)
  • spec: the desired state written by the user or controller
  • status: the observed state written by the system

Labels and Selectors

Equality-based requirements:

  environment = production
  tier != frontend

Set-based requirements:

  environment in (production, qa)
  tier notin (frontend, backend)
  partition
  !partition

Requirements are joined with commas and ANDed:

  kubectl get pods -l environment=production,tier=frontend
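The matching semantics behind those selectors, as an added example (not code from the course): it parses both selector forms above plus the LabelSelector struct (matchLabels/matchExpressions) that Deployment, ReplicaSet and Job use, and applies them to a constructed list of pods. The sample pods and the operator names In/NotIn/Exists/DoesNotExist (the matchExpressions vocabulary) are the example's own choices.

```python
"""Label selectors as Kubernetes evaluates them against metadata.labels."""
import re

# One requirement: [!]key | key=value | key==value | key!=value | key in (a,b) | key notin (a,b)
_REQ = re.compile(
    r"^\s*(?P<neg>!)?(?P<key>[A-Za-z0-9._/-]+)\s*"
    r"(?:(?P<op>==|!=|=)\s*(?P<val>[A-Za-z0-9._-]*)"
    r"|(?P<setop>notin|in)\s*\((?P<set>[^)]*)\))?\s*$"
)


def _split_requirements(selector):
    """Split on top-level commas only; commas inside 'in (a, b)' belong to the set."""
    parts, depth, cur = [], 0, []
    for ch in selector:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p.strip()]


def parse_selector(selector):
    """Turn a `kubectl -l` style string into (key, operator, values) requirements."""
    reqs = []
    for part in _split_requirements(selector):
        m = _REQ.match(part)
        if not m:
            raise ValueError("bad selector requirement: %r" % part)
        key = m.group("key")
        if m.group("neg"):
            if m.group("op") or m.group("setop"):
                raise ValueError("'!' is only valid as an existence test: %r" % part)
            reqs.append((key, "DoesNotExist", ()))
        elif m.group("op"):
            reqs.append((key, "NotIn" if m.group("op") == "!=" else "In", (m.group("val"),)))
        elif m.group("setop"):
            vals = tuple(v.strip() for v in m.group("set").split(",") if v.strip())
            reqs.append((key, "NotIn" if m.group("setop") == "notin" else "In", vals))
        else:
            reqs.append((key, "Exists", ()))
    return reqs


def from_label_selector(sel):
    """Same requirement form from a LabelSelector struct (spec.selector of Deployment/ReplicaSet/Job)."""
    reqs = [(k, "In", (v,)) for k, v in sorted(sel.get("matchLabels", {}).items())]
    for e in sel.get("matchExpressions", []):
        reqs.append((e["key"], e["operator"], tuple(e.get("values", []))))
    return reqs


def matches(reqs, labels):
    """All requirements are ANDed. Note the asymmetry Kubernetes defines:
    In/Exists require the key, NotIn/DoesNotExist also match objects that lack it."""
    for key, op, vals in reqs:
        present = key in labels
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
        if op == "In" and (not present or labels[key] not in vals):
            return False
        if op == "NotIn" and present and labels[key] in vals:
            return False
    return True


def select(reqs, objects):
    """Names of the objects whose metadata.labels satisfy the requirements, in input order."""
    return [o["metadata"]["name"] for o in objects
            if matches(reqs, o["metadata"].get("labels") or {})]


# Constructed sample pods (not from the slides).
PODS = [
    {"metadata": {"name": "web-1", "labels": {"environment": "production", "tier": "frontend"}}},
    {"metadata": {"name": "api-1", "labels": {"environment": "production", "tier": "backend", "partition": "a"}}},
    {"metadata": {"name": "web-qa", "labels": {"environment": "qa", "tier": "frontend"}}},
    {"metadata": {"name": "batch-1", "labels": {"environment": "staging"}}},
]

if __name__ == "__main__":
    for s in ("environment=production,tier=frontend", "tier != frontend",
              "environment in (production, qa)", "tier notin (frontend, backend)",
              "partition", "!partition"):
        print("%-40s -> %s" % (s, select(parse_selector(s), PODS)))
```

The point worth remembering from the output is that `tier != frontend` and `tier notin (...)` also select `batch-1`, which carries no `tier` label at all; a selector meant to exclude a set must be written as a positive `in` if objects without the key should be excluded too.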


Pod

  1. How a Pod is implemented (see the preparatory lesson)
  2. Pod Spec
  3. Pod lifecycle


Container Spec

  • command/args
  • image/imagePullPolicy: Always, Never, IfNotPresent
  • livenessProbe/readinessProbe: exec, httpGet, tcpSocket
  • resources (requests/limits)
  • volumeMounts

Pod Spec

  • apiVersion: v1 (the core API group, which has no group prefix)
  • activeDeadlineSeconds/terminationGracePeriodSeconds
  • dnsPolicy: ClusterFirst, ClusterFirstWithHostNet, Default
  • hostNetwork/hostPID/hostIPC (the pod shares the node's namespaces; restrict these through admission policy)
  • initContainers/containers
  • imagePullSecrets
  • serviceAccountName (defaults to the namespace's `default` service account)
  • lifecycle hooks: postStart/preStop
  • restartPolicy: Always, OnFailure, Never
  • nodeName/nodeSelector
  • tolerations
  • affinity
  • volumes
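The fields just listed that widen a pod's blast radius are exactly what an admission policy should look at. As an added example (not course code), this is a validating check over a Pod object: host namespaces, hostPath volumes and privileged containers are denied, an unpinned image or missing resource limits only warn. The policy itself is this script's choice; the nginx pod is the one from the slides, the debug pod is constructed.

```python
"""Admission-style checks over a PodSpec."""


def _is_pinned(image):
    """True for name:tag (not :latest) or name@sha256:... references."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry host:port and path first
    return ":" in last and not last.endswith(":latest")


def audit_pod(pod):
    """Return a list of (severity, field_path, message); severity is 'deny' or 'warn'."""
    spec = pod.get("spec", {})
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(("deny", "spec." + flag,
                             "pod shares the node's %s namespace" % flag[4:].lower()))
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            findings.append(("deny", "spec.volumes[%s]" % v.get("name"),
                             "hostPath %s exposes the node filesystem" % v["hostPath"].get("path")))
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            path = "spec.%s[%s]" % (field, c.get("name"))
            if c.get("securityContext", {}).get("privileged"):
                findings.append(("deny", path + ".securityContext.privileged", "privileged container"))
            if not _is_pinned(c.get("image", "")):
                findings.append(("warn", path + ".image",
                                 "image %r is not pinned to a tag or digest" % c.get("image")))
            if not c.get("resources", {}).get("limits"):
                findings.append(("warn", path + ".resources.limits", "no CPU/memory limits"))
    return findings


def admit(pod):
    """(allowed, reasons): reject when any 'deny' finding exists, as a validating
    admission webhook would; 'warn' findings are reported but do not block."""
    denied = [f for f in audit_pod(pod) if f[0] == "deny"]
    return (not denied, ["%s: %s" % (p, m) for _, p, m in denied])


NGINX_POD = {  # the Pod from the slides
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "nginx", "labels": {"app": "web", "env": "prod"}},
    "spec": {"containers": [{"name": "nginx", "image": "nginx:1.7.9",
                             "ports": [{"containerPort": 80}]}]},
}

DEBUG_POD = {  # constructed: the kind of pod that escapes the container boundary
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "node-debug"},
    "spec": {
        "hostPID": True, "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [{"name": "root", "mountPath": "/host"}],
                        "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}}],
    },
}

if __name__ == "__main__":
    for pod in (NGINX_POD, DEBUG_POD):
        ok, reasons = admit(pod)
        print(pod["metadata"]["name"], "allowed" if ok else "denied", reasons)
        for sev, path, msg in audit_pod(pod):
            print("  [%s] %s: %s" % (sev, path, msg))
```

The same checks are what a Pod Security admission profile or an OPA/Gatekeeper constraint expresses declaratively; writing them out once makes it clear that each denied field is a distinct path from inside a container to the node.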

Pod Lifecycle

  • PodStatus
    • phase: Pending/Running/Succeeded/Failed/Unknown
    • conditions: PodScheduled, Initialized, Ready
    • containerStatuses

Pod Lifecycle - Creation

[Figure 2: pod creation flow; image not included]



PodTemplateSpec

  • metadata
  • spec (PodSpec)

PodDisruptionBudget (policy/v1beta1 here; policy/v1 from Kubernetes 1.21)

  apiVersion: policy/v1beta1
  kind: PodDisruptionBudget
  metadata:
    name: zk-pdb
  spec:
    selector:
      matchLabels:
        app: zk
    maxUnavailable: 1


Service

  • apiVersion: v1
  • spec
    • clusterIP: None (headless) or an IP
    • externalIPs
    • ports
    • selector
    • externalName
    • type: ExternalName, ClusterIP, NodePort, LoadBalancer

  apiVersion: v1
  kind: Service
  metadata:
    labels:
      k8s-app: kube-dns
    name: kube-dns
    namespace: kube-system
  spec:
    clusterIP:
    ports:
    - name: dns
      port: 53
      protocol: UDP
      targetPort: 53
    selector:
      k8s-app: kube-dns
    type: ClusterIP

A Service selector only supports equality-based requirements.


Endpoints

  • addresses
  • notReadyAddresses
  • ports

  apiVersion: v1
  kind: Endpoints
  metadata:
    name: helloworld
    namespace: default
  subsets:
  - addresses:
    - ip:
      nodeName: i-0elqbqzu
    - ip:
      nodeName: i-7d7zqw6x
    ports:
    - port: 80
      protocol: TCP

ReplicaSet (ReplicationController)

  • apiVersion: apps/v1beta2 (extensions/v1beta1 before 1.8; apps/v1 is GA from 1.9 and the beta versions were removed in 1.16)
  • spec
    • minReadySeconds
    • replicas
    • selector
    • template: PodTemplateSpec

Deployment

  • apiVersion: apps/v1beta2 (apps/v1beta1 before 1.8; apps/v1 from 1.9)
  • spec
    • minReadySeconds
    • paused
    • replicas
    • selector
    • strategy: Recreate/RollingUpdate
      • rollingUpdate.maxSurge
      • rollingUpdate.maxUnavailable
    • revisionHistoryLimit
    • template: PodTemplateSpec


  apiVersion: apps/v1beta2
  kind: Deployment
  metadata:
    name: nginx-deployment
    labels:
      app: nginx
  spec:
    replicas: 3
    selector:
      matchLabels:
        app: nginx
    template:
      metadata:
        labels:
          app: nginx
      spec:
        containers:
        - name: nginx
          image: nginx:1.7.9
          ports:
          - containerPort: 80

Deployment Rolling Updates

  kubectl set image deployment <deployment> <container>=<image>
  kubectl rollout status deployment <deployment>
  kubectl rollout pause deployment <deployment>
  kubectl rollout resume deployment <deployment>
  kubectl rollout undo deployment <deployment>



DaemonSet

  • apiVersion: apps/v1beta2 (extensions/v1beta1 before 1.8; apps/v1 from 1.9)
  • spec
    • minReadySeconds
    • revisionHistoryLimit
    • selector
    • template
    • updateStrategy: RollingUpdate, OnDelete

StatefulSet

  • apiVersion: apps/v1beta2 (apps/v1beta1 before 1.8; apps/v1 from 1.9)
  • spec
    • podManagementPolicy: OrderedReady, Parallel
    • serviceName
    • replicas
    • revisionHistoryLimit
    • selector
    • template
    • updateStrategy: OnDelete, RollingUpdate
      • rollingUpdate.partition
    • volumeClaimTemplates: PersistentVolumeClaim

StatefulSet Identity and Storage

  • Pod identity
    • ordinal: [0, N)
    • pod name: $(statefulset name)-$(ordinal)
    • pod DNS: $(pod name).$(service name).$(namespace).svc.cluster.local
  • Storage
    • PersistentVolume provisioner
    • a volumeClaimTemplates entry takes precedence over a volume of the same name in the PodTemplate
    • the PVC lifecycle is independent of the StatefulSet (deleting the StatefulSet leaves the PVCs in place)


Job

  • apiVersion: batch/v1
  • spec
    • activeDeadlineSeconds
    • backoffLimit: default 6
    • completions
    • parallelism
    • selector
    • manualSelector
    • template: PodTemplateSpec
      • restartPolicy: Never, OnFailure (Always is not allowed for a Job)

  apiVersion: batch/v1
  kind: Job
  metadata:
    name: pi
  spec:
    template:
      metadata:
        name: pi
      spec:
        containers:
        - name: pi
          image: perl
          command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]
        restartPolicy: Never
    backoffLimit: 4


CronJob

  • apiVersion: batch/v1beta1 (batch/v1 from Kubernetes 1.21)
  • spec
    • concurrencyPolicy: Allow, Forbid, Replace
    • startingDeadlineSeconds
    • successfulJobsHistoryLimit: default 3
    • failedJobsHistoryLimit: default 1
    • jobTemplate: JobTemplateSpec
    • schedule: cron format
    • suspend

  apiVersion: batch/v1beta1
  kind: CronJob
  metadata:
    name: hello
  spec:
    schedule: "*/1 * * * *"
    jobTemplate:
      spec:
        template:
          spec:
            containers:
            - name: hello
              image: busybox
              args:
              - /bin/sh
              - -c
              - date; echo Hello from the Kubernetes cluster
            restartPolicy: OnFailure


ConfigMap

  • apiVersion: v1
  • data: object

  kind: ConfigMap
  apiVersion: v1
  metadata:
    name: example-config
    namespace: default
  data:
    examplekey: hello
    example.property: |-
      property.1=value-1
      property.2=value-2
      property.3=value-3

  • Consumed as: env, volume

Cascading Deletion of Kubernetes API Objects

  • Label/Selector (controllers find their children through the selector)
  • metadata.ownerReferences (the garbage collector deletes dependents through these)
  • kubectl delete --cascade=false (orphans the dependents; since kubectl 1.20 spelled --cascade=orphan)
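How the garbage collector turns ownerReferences into a cascade, as an added example (not code from the course): a constructed Deployment -> ReplicaSet -> Pod chain is deleted once with cascading and once with --cascade=false, and a pod with two owners shows why a dependent survives until its last owner is gone. The uids and names are made up and nothing here talks to an API server.

```python
"""Cascading deletion driven by metadata.ownerReferences."""


def owner_ref(obj):
    """An ownerReference entry pointing at obj, the way controllers write it."""
    return {"apiVersion": obj["apiVersion"], "kind": obj["kind"],
            "name": obj["metadata"]["name"], "uid": obj["metadata"]["uid"]}


def build_store(objects):
    """Index objects by uid; ownerReferences point at uids, not names."""
    return {o["metadata"]["uid"]: o for o in objects}


def delete(store, uid, cascade=True):
    """Delete object `uid` from `store`; return the set of names removed.

    cascade=True  : like the background propagation policy, a dependent whose last
                    remaining owner was this object is deleted too, recursively.
    cascade=False : orphan; the object goes away, the reference to it is stripped
                    from its dependents and they keep running.
    """
    obj = store.pop(uid, None)
    if obj is None:
        return set()
    removed = {obj["metadata"]["name"]}
    for dep in list(store.values()):
        refs = dep["metadata"].get("ownerReferences", [])
        if not any(r["uid"] == uid for r in refs):
            continue
        # The dangling reference is dropped in both modes.
        dep["metadata"]["ownerReferences"] = [r for r in refs if r["uid"] != uid]
        # A dependent with several owners survives until the last one is gone.
        if cascade and not dep["metadata"]["ownerReferences"]:
            removed |= delete(store, dep["metadata"]["uid"], cascade=True)
    return removed


def make_chain():
    """Constructed: Deployment nginx-deployment -> one ReplicaSet -> three Pods."""
    dep = {"apiVersion": "apps/v1", "kind": "Deployment",
           "metadata": {"name": "nginx-deployment", "uid": "d-1"}}
    rs = {"apiVersion": "apps/v1", "kind": "ReplicaSet",
          "metadata": {"name": "nginx-deployment-6f9c", "uid": "rs-1",
                       "ownerReferences": [owner_ref(dep)]}}
    pods = [{"apiVersion": "v1", "kind": "Pod",
             "metadata": {"name": "nginx-deployment-6f9c-%s" % s, "uid": "p-%s" % s,
                          "ownerReferences": [owner_ref(rs)]}} for s in ("a", "b", "c")]
    return build_store([dep, rs] + pods)


if __name__ == "__main__":
    store = make_chain()
    print("cascade:", sorted(delete(store, "d-1")), "left:", len(store))
    store = make_chain()
    print("orphan: ", sorted(delete(store, "d-1", cascade=False)), "left:", len(store))
    print("ReplicaSet ownerReferences after orphaning:",
          store["rs-1"]["metadata"]["ownerReferences"])
```

The orphaned ReplicaSet keeps its selector, so re-creating a Deployment with the same selector adopts it again; that is the mechanism behind "remove a pod from a Deployment" in the lab: change the pod's labels so the selector no longer matches and the controller forgets it, or strip the owner reference and the garbage collector does.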

Kubernetes Security Mechanisms

  1. Authentication: client certificates, passwords and plain tokens, bootstrap tokens, service account JWT tokens
  2. Authorization: ABAC, RBAC, Webhook
  3. Admission Control

Kubernetes Security Mechanisms (request flow)

[Figure 3: authentication -> authorization -> admission control on the API server; image not included]

Kubernetes Authentication

  1. user (normal users, service accounts)
  2. group

Kubernetes Authentication

  • X509 client certificates (CN is the user name, each O is a group)
    openssl req -new -key jbeda.pem -out jbeda-csr.pem -subj "/CN=jbeda/O=app1/O=app2"
  • Static token file
    • apiserver --token-auth-file=SOMEFILE
      token,user,uid,"group1,group2,group3"
      Authorization: Bearer token-xxxx
  • Static password file
    • apiserver --basic-auth-file=SOMEFILE (removed in Kubernetes 1.19)
      password,user,uid,"group1,group2,group3"
      Authorization: Basic BASE64ENCODED(USER:PASSWORD)
    • Both files hold secrets in plain text on the API server's disk and are only re-read on restart, so they are for bootstrapping, not for users
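What the two file-backed authenticators above do with an Authorization header, as an added example (not course code): the CSV format of the token and password files is parsed, a Bearer or Basic header is mapped to (user, uid, groups), and the system:authenticated group is added the way the API server does. The file contents and credentials are constructed; the constant-time comparison is this example's choice.

```python
"""Static token file and static password file authentication."""
import base64
import csv
import hmac
import io


def load_auth_file(text):
    """Rows of (secret, user, uid, groups) from a --token-auth-file / --basic-auth-file body."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) < 3:
            raise ValueError("expected secret,user,uid[,groups]: %r" % row)
        secret, user, uid = (c.strip() for c in row[:3])
        groups = [g.strip() for g in row[3].split(",") if g.strip()] if len(row) > 3 else []
        rows.append((secret, user, uid, groups))
    return rows


def basic_header(user, password):
    """Authorization: Basic BASE64(user:password), as a client would send it."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def authenticate(header, token_rows, password_rows):
    """(user, uid, groups) for a valid Authorization header, else None.

    hmac.compare_digest keeps the secret comparison from leaking how many leading
    bytes matched; an authenticated identity also gets the system:authenticated group.
    """
    scheme, _, credential = (header or "").strip().partition(" ")
    credential = credential.strip()
    if not credential:
        return None
    if scheme.lower() == "bearer":
        for secret, user, uid, groups in token_rows:
            if hmac.compare_digest(secret.encode(), credential.encode()):
                return (user, uid, groups + ["system:authenticated"])
    elif scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(credential, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        if sep:
            for secret, name, uid, groups in password_rows:
                if name == user and hmac.compare_digest(secret.encode(), password.encode()):
                    return (name, uid, groups + ["system:authenticated"])
    return None


TOKEN_FILE = (  # constructed contents of a --token-auth-file
    'token-abc123,jane,1001,"app1,app2"\n'
    'token-def456,ci-bot,1002\n'
)
PASSWORD_FILE = 's3cret,admin,0,"system:masters"\n'  # constructed contents of a --basic-auth-file
TOKENS = load_auth_file(TOKEN_FILE)
PASSWORDS = load_auth_file(PASSWORD_FILE)

if __name__ == "__main__":
    for h in ("Bearer token-abc123", "Bearer token-abc12", basic_header("admin", "s3cret"),
              basic_header("admin", "wrong"), "Basic !!!", "Token token-abc123"):
        print("%-28s -> %s" % (h, authenticate(h, TOKENS, PASSWORDS)))
```

Note the last line of the password file: a user placed in system:masters is bound to cluster-admin by the default ClusterRoleBinding, so a static password file with that group is an unrotated cluster-admin credential sitting on disk.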

Kubernetes Authentication

  • OpenID Connect tokens
  • Webhook token authentication
    • apiserver
      • --authentication-token-webhook-config-file
      • --authentication-token-webhook-cache-ttl
  • Authenticating proxy
    • --requestheader-username-headers
    • --requestheader-group-headers
    • --requestheader-client-ca-file, so that only the proxy's client certificate can set those headers (without it anyone who reaches the API server can impersonate any user)

ServiceAccount

  • A mechanism that binds an identity to a workload (compare AWS Role, GCE ServiceAccount)
  • Implemented by
    • ServiceAccount admission controller
      • checks or sets the pod's serviceAccountName (default: `default`)
      • adds the token volume and mounts it at /var/run/secrets/kubernetes.io/serviceaccount
    • Token controller
    • Service account controller
    • client SDKs read the token from that fixed path automatically
      • a ServiceAccount can also carry imagePullSecrets
  • Pods that never call the API should set automountServiceAccountToken: false, otherwise a compromised container holds an API credential

Kubernetes Authorization

Request attributes that an authorizer sees:

  • User
  • Group
  • Verb: get, list, create, update, patch, watch, proxy, redirect, delete, deletecollection
  • Resource
  • Namespace
  • API
  • API Group

Kubernetes Authorization Modules

  • Node (restricts each kubelet to the objects of its own node)
  • ABAC (one JSON policy object per line in a file; changes need an API server restart)
    {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy",
     "spec": {"user": "alice", "namespace": "*", "resource": "*", "apiGroup": "*"}}
  • RBAC
  • Webhook

Kubernetes RBAC Authorization

  kind: Role
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    namespace: default
    name: pod-reader
  rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]

  kind: ClusterRole
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: secret-reader
  rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]

Kubernetes RBAC Authorization

  kind: RoleBinding/ClusterRoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: read-pods
    namespace: default
  subjects:
  - kind: User/Group/ServiceAccount
    name: jane
    apiGroup: rbac.authorization.k8s.io
  roleRef:
    kind: Role/ClusterRole
    name: pod-reader
    apiGroup: rbac.authorization.k8s.io

  • A ServiceAccount subject uses apiGroup "" and needs a namespace field; apiGroup rbac.authorization.k8s.io is for User and Group subjects
  • A RoleBinding may reference a ClusterRole; the grant is then limited to the binding's namespace, which is the usual way to reuse one role definition across namespaces
  • RBAC has no deny rules: permissions only add up, and anything not granted is denied
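The RBAC decision procedure as the API server's authorizer applies it, as an added example (not course code): Role pod-reader, ClusterRole secret-reader and the read-pods RoleBinding are the slides' objects; the dev-secrets and dashboard-pods RoleBindings, the ops-secrets ClusterRoleBinding and the cluster-admin bootstrap binding are constructed for the example. Evaluation is default-deny, and the namespace scope comes from the binding rather than the role.

```python
"""RBAC authorization over Roles, ClusterRoles and their bindings."""


def _hit(values, wanted):
    return "*" in values or wanted in values


def _rule_allows(rule, req):
    """PolicyRule match: apiGroups, resources and verbs must all hit ('*' is a wildcard);
    resourceNames, when set, narrow the rule to those named objects."""
    if not (_hit(rule.get("apiGroups", []), req["apiGroup"])
            and _hit(rule.get("resources", []), req["resource"])
            and _hit(rule.get("verbs", []), req["verb"])):
        return False
    names = rule.get("resourceNames", [])
    return not names or req.get("name") in names


def _subject_matches(subject, req):
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == req["user"]
    if kind == "Group":
        return name in req["groups"]
    if kind == "ServiceAccount":  # SA tokens authenticate as system:serviceaccount:<ns>:<name>
        return req["user"] == "system:serviceaccount:%s:%s" % (subject["namespace"], name)
    return False


def _rules_of(policy, binding, namespace):
    ref = binding["roleRef"]
    if ref["kind"] == "ClusterRole":
        return policy["clusterRoles"].get(ref["name"], {}).get("rules", [])
    # A Role can only be bound by a RoleBinding in its own namespace.
    return policy["roles"].get((namespace, ref["name"]), {}).get("rules", [])


def authorize(policy, req):
    """Default deny: allowed only if a binding naming the subject carries a matching rule.
    A ClusterRoleBinding applies everywhere; a RoleBinding, even one that references a
    ClusterRole, applies only in its own namespace."""
    rules = []
    for b in policy["clusterRoleBindings"]:
        if any(_subject_matches(s, req) for s in b["subjects"]):
            rules.extend(_rules_of(policy, b, None))
    ns = req.get("namespace")
    if ns:
        for b in policy["roleBindings"]:
            if b["metadata"]["namespace"] == ns and any(_subject_matches(s, req) for s in b["subjects"]):
                rules.extend(_rules_of(policy, b, ns))
    return any(_rule_allows(r, req) for r in rules)


def request(user, verb, resource, namespace=None, groups=(), api_group="", name=None):
    """Request attributes as the authorizer sees them; namespace=None means cluster-scoped."""
    return {"user": user, "groups": list(groups), "verb": verb, "resource": resource,
            "apiGroup": api_group, "namespace": namespace, "name": name}


READ = ["get", "watch", "list"]
POLICY = {
    "roles": {("default", "pod-reader"): {"rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": READ}]}},
    "clusterRoles": {
        "secret-reader": {"rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": READ}]},
        "cluster-admin": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    },
    "roleBindings": [
        {"metadata": {"name": "read-pods", "namespace": "default"},
         "subjects": [{"kind": "User", "name": "jane"}],
         "roleRef": {"kind": "Role", "name": "pod-reader"}},
        # constructed: the ClusterRole reused through a RoleBinding is scoped to "dev" only
        {"metadata": {"name": "dev-secrets", "namespace": "dev"},
         "subjects": [{"kind": "Group", "name": "devs"}],
         "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
        # constructed: a ServiceAccount from kube-system granted pod-reader in default
        {"metadata": {"name": "dashboard-pods", "namespace": "default"},
         "subjects": [{"kind": "ServiceAccount", "name": "dashboard", "namespace": "kube-system"}],
         "roleRef": {"kind": "Role", "name": "pod-reader"}},
    ],
    "clusterRoleBindings": [
        {"metadata": {"name": "cluster-admin"},  # the bootstrap binding every cluster has
         "subjects": [{"kind": "Group", "name": "system:masters"}],
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
        {"metadata": {"name": "ops-secrets"},  # constructed: secret-reader cluster-wide
         "subjects": [{"kind": "Group", "name": "ops"}],
         "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
    ],
}

if __name__ == "__main__":
    for r in (request("jane", "get", "pods", "default"), request("jane", "get", "pods", "kube-system"),
              request("bob", "list", "secrets", "dev", groups=["devs"]),
              request("bob", "list", "secrets", "default", groups=["devs"]),
              request("alice", "get", "secrets", "default", groups=["ops"])):
        print(r["user"], r["verb"], r["resource"], r["namespace"], "->", authorize(POLICY, r))
```

`kubectl auth can-i` asks the real API server the same question; the example makes the two scope mistakes practitioners hit most visible: binding a ClusterRole through a RoleBinding does not leak into other namespaces, and a ClusterRoleBinding of a read-only role still reads secrets in every namespace.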

Admission Control


Hands-on

  1. DaemonSet: https://github.com/QingCloudAppcenter/kubernetes/blob/master/k8s/addons/kube-proxy
  2. Service and Deployment rolling update
    wget https://raw.githubusercontent.com/jolestar/kubernetes-complete-course/master/example/helloworld.yaml
    kubectl apply -f helloworld.yaml
    kubectl scale --replicas=6 deployment/helloworld
    curl -H "accept: application/yaml" helloworld/status
    kubectl get replicaset
    kubectl set image deployment/helloworld web=jolestar/go-probe:v0.2
    kubectl rollout status deployment/helloworld
    kubectl rollout pause deployment/helloworld
    kubectl get replicaset
    kubectl rollout resume deployment/helloworld
    kubectl rollout undo deployment/helloworld
    curl -H "accept: application/yaml" helloworld/status
  3. Detach a pod from its Deployment (change its labels so the selector no longer matches)
  4. Using RBAC and ServiceAccounts: https://github.com/QingCloudAppcenter/kubernetes/tree/master/k8s/addons/dashboard


  • Deploy a ZooKeeper cluster with a StatefulSet
    wget https://raw.githubusercontent.com/jolestar/kubernetes-complete-course/master/example/zookeeper_mini.yaml
    kubectl apply -f zookeeper_mini.yaml
    kubectl exec zk-0 -- cat /opt/zookeeper/conf/zoo.cfg
    kubectl exec zk-0 -- /opt/zookeeper/bin/zkCli.sh create /test "test"
    kubectl exec zk-0 -- cat /opt/zookeeper/bin/start-zookeeper | less
    kubectl exec zk-0 -- /opt/zookeeper/bin/zkCli.sh ls /
    kubectl exec zk-1 -- /opt/zookeeper/bin/zkCli.sh ls /
    kubectl delete -f zookeeper_mini.yaml
    kubectl get pvc
    kubectl get pv
    kubectl apply -f zookeeper_mini.yaml
    kubectl exec zk-0 -- /opt/zookeeper/bin/zkCli.sh ls /
    (the PVCs survive the delete, so /test is still there after the StatefulSet is re-created)


Summary

Gain an overall understanding of the Kubernetes spec and its security mechanisms:

  1. What Kubernetes manifests can express, and how to describe the components of an existing system as Kubernetes objects
  2. Which security mechanisms Kubernetes provides, and how to integrate them with an existing internal permission system
  3. What the extension plugins (authentication webhooks, authorization modules, admission controllers) can do, and how to use them to apply cluster-wide policy that constrains and standardizes how applications are deployed

For the API versions and the supported fields of each spec, see the API Reference for 1.7 and 1.8.
Next lesson: pod placement policies, autoscaling and related topics, explained through application case studies.

Homework

  1. Deploy Kafka with a StatefulSet (see https://github.com/kow3ns/kubernetes-kafka) and understand how Kubernetes' capabilities are used to run a distributed system.
  2. Generate an ordinary user certificate with a certificate tool, have Kubernetes approve it, and operate the cluster with that certificate instead of the default admin account.
  3. Think through, and try, building a log collection and analysis system on Kubernetes.