一. kubeconfig是什么

kubectl默认会从$HOME/.kube目录下查找文件名为 config 的文件，也能通过设置环境变量 KUBECONFIG 或者通过设置去指定其它 kubeconfig 文件。kubeconfig就是为访问集群所作的配置。

在开启了 TLS 的集群中，每当与集群交互的时候少不了的是身份认证，使用 kubeconfig（即证书） 和 token 两种认证方式是最简单也最通用的认证方式。

二. kubeconfig内容解析

①kubeconfig文件示例

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJSzA3dHVib0JFWHN3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TXpBNU1URXdPREUwTXpKYUZ3MHpNekE1TURnd09ERTVNekphTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUUQweUVsd3JCQWp5ejU2T1NqRWxTSFlsczdlSnZZVFZsVE5TV3hEaHZ6UFdSZ2pqZENuYTJ3SVM3NzEKUGsvTG9VSFpLWGFJZ0wxaHpTNkcwQStDRmJJWGE3ellJeWUxRDZobUU4ZHYvUzZwUjA1Y00zWFA2ZXJsV3dtYwovaUtjcTI4NkxGTjZyUjQyMVVRUUIwUzVJYjYzNTMvU3dQZXExYjloQmlkejUxV2syN1FUME0vbXhxZ20xcmxXCjNQYklCSTZHNDdzNk1YS3AxUkUxbE9odzE0NmFUWURqUlJGeDkwcFhjdGlxQjN6NW1SRVk3a0l5ZEMwUmQ2US8KNXYwMUo3ZXN5ekZqRTduY3dNQUZzRUJyeXZmbFZDQlZLbERQVHlGZFIzZHdFam95a2pSbW5mNHVVeGZYSExtdwpNa05uL20zQ012b2xPQlJoM002UzhiZ2djS3BQQWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJURDhGSlJDUHRWNkVFcGEvWGk2cFJvN1JpenpEQVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ1FaZjVkeTJUYwpRYVZLM2tsRExDQVl5QVgwbjRBVlZyVGFDTGszQ2QrV0ovTTM4Y2E0N21xS0RmK042Zjh6NXprbGpoa0xMaFk2CnZlbnRIVlRJUzA2U3h2Y1dzUjJzdzZFRE1JUkJ6RmhTSVlkUEpqeTdmYUlMRVFibUZJUEJXWVlnazFsTTJWdSsKbjQ0ZGt2ZUVLTkw3bEw4TURobmpONS9sN0hrU1NGb0hMdnZSdDErWXh4ZDBkTEsxaTRXVXQwazFTbUl2NnBuYgovMTVHRkEwU3EzMjg0WXkwUTFMUzNRMFhNeTgyNVh2MXRzdkxWWWhsNjVZQkVONWJTcTNTUlFJdDVadzhnVENDCmhBNmsvcU9KTnNITTh0cFVpTVk2U25zUUtLbThSZEo2c3RDdkczWmtnV0lhWWE0Tktob3QxcmJQSWtoYUlWWGoKR2kyYVl3bERaZkJtCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    server: https://10.10.10.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURJVENDQWdtZ0F3SUJBZ0lJYUhaWjljckJXcXd3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TXpBNU1URXdPREUwTXpKYUZ3MHlOREE1TVRBd09ERTVNelJhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTBIUXZRNmhMM290UFhMeFYKUlNPR2FLcVdhTllNR2FqRmdBMlZHTzhpNjhCMm83YnBaakhZaGF1WlZIbFU4M3d1R01GbGdFQndXb1h6cVoyNAp6YnBxd1JZY0w2N0JrUTdkeUZTZ1RZVjhac0RQSmlPcjJjYjFQeEs3TytaT2lkVlkxbWNidmk0L1V4ekU1eXV5CjlkVTg5WVFwR1N1Y0lzdU5xNDRWMWhCRlBGWjJrdlV1WjRLOTYwMGJKNnNyVkFycWRJS3NoenRKbVNmNjRkRTAKNnRFM08yTWs0QWFYNU9ZdjNlRzFXcm1td29iU3EyTjhBUm1CRTdtK2llNnFyYktBVFdGanVlSmZJL0xlc0dCRApXa0w0YitBaW44YTRDVWJscGZsZVpOUkNZS1RlZm5aVXI3aXU5VFdmRWl3cHd1VW1jNFdkZ25PdVpieVZDLzI4ClkzT1hKd0lEQVFBQm8xWXdWREFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JURDhGSlJDUHRWNkVFcGEvWGk2cFJvN1Jpegp6REFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBVXZKZnk3YjlaSGtJTXhVOHNwbGxIYVlweGxjWTFMc0I0WUNyCng3OURhc2NzTitHRlRFWmNtYkdhTndQbS9ydVBJSmdkaXd4UytYMklkaTBpaFZvZTZGenNESm9BbkdnVWkxcVQKSjU3TGV1N3l5Mnc4NDN1RTBsUGhLTUJpWm5VQUR3dzhMMGNpUHZWakpzSTZQc2tQVFRsS25pbE1FSEhPL2pQWQpPdlljeUQ0b0FGTFZjQ0hiTklycElTWlFSY2tEQ2tQYmpIS3VwalpXRXNRSjFJajZkZjJaY3F1Qk5MS2s0NG1XCnNFM3pobTUwdlpaTlZveXlHTVcwbVhCMFBJb1dmL0pNM2pvUjNBVDhRcG16SFp6S2JVeVROdFZUbFF0RXViQlEKTGJYY1JsbnhhdU8vMGgrNThsM0JrMlNlZEdUT0pEMEVIRTFwQ0ZEWC8vT2UyMWtjdVE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBMEhRdlE2aEwzb3RQWEx4VlJTT0dhS3FXYU5ZTUdhakZnQTJWR084aTY4QjJvN2JwClpqSFloYXVaVkhsVTgzd3VHTUZsZ0VCd1dvWHpxWjI0emJwcXdSWWNMNjdCa1E3ZHlGU2dUWVY4WnNEUEppT3IKMmNiMVB4SzdPK1pPaWRWWTFtY2J2aTQvVXh6RTV5dXk5ZFU4OVlRcEdTdWNJc3VOcTQ0VjFoQkZQRloya3ZVdQpaNEs5NjAwYko2c3JWQXJxZElLc2h6dEptU2Y2NGRFMDZ0RTNPMk1rNEFhWDVPWXYzZUcxV3JtbXdvYlNxMk44CkFSbUJFN20raWU2cXJiS0FUV0ZqdWVKZkkvTGVzR0JEV2tMNGIrQWluOGE0Q1VibHBmbGVaTlJDWUtUZWZuWlUKcjdpdTlUV2ZFaXdwd3VVbWM0V2Rnbk91WmJ5VkMvMjhZM09YSndJREFRQUJBb0lCQURxV3JVSWk1MUFoYjZqcwo5anA4aGFhZGE3RURtRnNONkpUWlBITEpvOU1IUVZFNmM5ZFpZellPeVFYSkpHdGJGOG0xY2NYZVZyWGF1R1dRCkF3VXZ4Qm1KRVZzRmp6b3FKNFBLNVZOa2xWWjhFcnp4Z2Jld0IvWTJXWkc0WlpLditFd3FwczJKU2hzZUZ1bXkKaXBZMTNQQlV1UWh1RFhCcUxlTnVDQTBtZlk4N2ErTXhPeC9na0gxZU5lalYyVXFRdHI4Z2pWbjZxTW1qd1Q5TgpVK2VaSEZMa1lIUDB2dWRVaUNXNHhzVHNpYzZBalFmSm1VQWx4ek9TN0l3Z3RLVmlUVERidlFkMWVKS3UzelBGCm5pZy9KUmF4b2VJeHMrUlNlNVZTT281bGRzRWMxcHhiclltckNHdTdqaWhxRlFFbzBJVnNrSUcybzlQZDIzMSsKUzRQTDNpRUNnWUVBMTF1SUNSYjl1RmRzMDErMmJBZmJITmlkWDRlZ01CYjZUcjNkTElEdmppc0cvb3lrTDRIMQp1VitzUjBveDNOT1lJeFNLOXQxdGdjUlBrSjR3Q3lia1ZaWHlobWNOUFlLRzVGZGlJMlZHNzIveUtkemdwa2pmCnhaVms2UjRYQlVMQWVMRDVqejlSd0dzQXhGLzNKWG9TaCtGbnQycEJUeHQrOFpMcVRWMkgzbVVDZ1lFQTk4c2UKT3BjOGxLVFpnaHd1VDQxc2IzNk5rZ0liZW1hWTdLUFZoaVkyVStXMkd6UG5Id0ViRGF2V01jZU1Uek00eTlNOAp5d3lybmdHQVRaOFE4WnRIR1VXOEtwdDB5bGx3TFR1Zysxb0lQeTBXZlhZVG9DWkUva1NJYzdZSW11dDU0MEd5CnF6eVZKN1NSVlNwSUxSbHU2NGpESlcvODdWa0JPQ0ppTVhRNU1Kc0NnWUVBbG1pckhnNGNyajhCRnEvbWJKVWcKQjRtU2dFSHRNeWtaTVIyUjk1OGxzSm1FalF3Vkw4a0lvYXVjV3o0S2pUeUxLUlVUNlU3RlNMaWZDVll5SDlmTgo2YWlNZGlwTEtRYWN4Nlh3T09CbkpwdDgrcGYxbnEyTy9DUlhFaW1kMG1MSW9vS1lDZUFqYk14UEFOZzFlTXRGClhmbWp3b3BIaXNTZGFJTS9lVUUxdjdFQ2dZQkhCb2lPb01UemttRHFJMnUrejdteUo2TXFvOEgranFQc3lIVXUKczR0RTl3WUF2QnJXVHpuUzdGdEQvMytmUC81YXBoeTUwdExxUW1IbFhkKzhjUmFyRHNzRnAzT05nSjlmeDhTMwo1ekdQOGp1TkVLaEZjbEs2VXlpTmlqTGpQUFcrQnhuUWJWZ1BmbmxkNFBXNVA1NEVrem5rWkRvcVNpWElVa3ExCkJDeFVXd0tCZ0RHZDd1b09kQXROVjNOYnI1dGV4VlRRbXNmRzRvSW80Q3ozYVB3dE4zb25KZHoxaHMwSTVUaTgKYWduR1lJSGZlaEtKZCtDZ0NhT3ZkMUlLQnhhOVVoaUdKVW1WNGxzTzFIb0Z1TmNHUlhraFJsMDdHTFpVcThRRAp4ZzBjZGJNOVI5VlBVTTV0MzVYS05BV0M1cGF4YnFLM3RYLzF6NVVUVUZCS0dmT1pzdHRoCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==

主要组成部分 clusters、contexts、current-context、users

②clusters

是一个数组结构，里面可以定义多个集群数据。 name：集群的名字 certificate-authority-data：表示服务端的 CA 证书，base64 编码，用于验证服务端证书 apiserver.crt 的正确性（当 kubectl 开启 --insecure-skip-tls-verify=true 时，表示不校验服务端证书，随意这个时候 certificate-authority-data 即使证书是错误的，也可以和集群通信） server：集群地址

例如客户端是kubectl（当然也可以是go client、其他客户端等） 验证大概流程：

1. 当 kubectl 发送消息给 apiserver 时，apiserver 先返回 master 节点上的 /etc/kubernetes/pki/apiserver.crt 服务端证书给 kubectl
2. kubectl 校验 apiserver.crt 的正确性，会获取 apiserver.crt 中的 Issuer CA，发现 CA 的 CN 是 Kubernetes
3. certificate-authority-data 证书的 CN 也是 Kubernetes，利用 certificate-authority-data 对 apiserver.crt 验证通过
4. kubectl 通过 apiserver.crt 对发送给 apiserver 的消息加密发送，apiserver 收到消息通过 /etc/kubernetes/pki/apiserver.key 解密消息

③users

name：用户名称 client-certificate-data 表示客户端证书，base64 编码，会发送给 apiserver，用于加密 apiserver 发送给 kubectl 的消息 client-key-data 表示客户端私钥，用于解密 apiserver 通过 client-certificate-data 加密过的内容 整个加解密过程和上述服务端验证过程类似

#

④context

用于组合user和cluster，并形成name工current-context使用。

⑤current-context

表示当前的kubeconfig使用哪个用户连接到哪个集群

三. 证书相关

如何查看某个证书的签发者CA、允许的DNS域名、过期时间等信息

openssl x509 -in client.crt -noout -text

kubeconfig 中为什么可以通过客户端证书来表示一个用户？ 如上面通过 openssl 解析证书文件，可以看到证书的拥有者 Subject 主体信息，这里面的 O = system:masters, CN = kubernetes-admin 分别表示 group 和 user 因此 kubeconfig 中的 client 证书不仅可以用于加密服务端发送的信息，也可以表示一个具体的用户，apiserver 会通过证书中的 group/user 查看 关联的 role/clusterrole、rolebinding/clusterrolebinding 资源判断权限信息

备注：

1. 这里客户端表示为 kubeclt、client-go sdk 等，服务端表示为 apiserver
2. 证书可以理解为签发方信息、拥有者信息、公钥以及签名（由签发方私钥签名，因此签发者背书）的集合
3. 消息发送方使用证书里面的公钥对消息加密，消息接受方使用自己的私钥解密
4. 单向验证过程如下，双向验证即是指客户端和服务端同时作为消息发送方和接收方，利用对方的证书加密消息

四. kubeconfig举例

例如我们go开发中使用k8s-client-go来操作k8s集群，这时候需要进行认证，会使用到kubeconfig文件，代码如下：

var kubeconfig *string
	if home := homedir.HomeDir(); home != "" {
		kubeconfig = flag.String("kubeconfig", filepath.Join(home, ".kube", "config"), "(optional) absolute path to the kubeconfig file")
	} else {
		kubeconfig = flag.String("kubeconfig", "", "absolute path to the kubeconfig file")
	}
	flag.Parse()

	config, err := clientcmd.BuildConfigFromFlags("", *kubeconfig)
	if err != nil {
		panic(err)
	}
	clientset, err := kubernetes.NewForConfig(config)
	if err != nil {
		panic(err)
	}

参考： https://www.cnblogs.com/orchidzjl/p/17306985.html (opens new window) https://www.infoq.cn/article/7mi54dka1jmhrju2nexr (opens new window) https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/ (opens new window) https://kubernetes.io/docs/reference/access-authn-authz/authentication/ (opens new window)