Updated: 2023-12-15 GMT+08:00

asm-iam-authenticator Usage Reference

asm-iam-authenticator is an authentication plugin for the Kubernetes client. It mainly provides two subcommands: generate-kubeconfig and token.

A tool to authenticate to ASM using HuaweiCloud IAM credentials

Usage:
  asm-iam-authenticator [command]

Available Commands:
  completion          Generate the autocompletion script for the specified shell
  generate-kubeconfig Generate or modify kubeconfig files based on user configuration
  help                Help about any command
  token               Authenticate using HuaweiCloud IAM and get token for ASM

Flags:
      --alsologtostderr   log to standard error as well as files (no effect when -logtostderr=true)
  -h, --help              help for asm-iam-authenticator
      --log_dir string    If non-empty, write log files in this directory (no effect when -logtostderr=true)
      --log_file string   If non-empty, use this log file (no effect when -logtostderr=true)
      --logtostderr       log to standard error instead of files (default true)
  -v, --v Level           number for the log level verbosity
      --version           version for asm-iam-authenticator

Use "asm-iam-authenticator [command] --help" for more information about a command.

The flags at this level are mainly logging options.

token

The token subcommand obtains a user token. Two authentication methods are supported for obtaining the token, user name/password and AK/SK; use either one.

Authenticate using HuaweiCloud IAM and get token for ASM

Usage:
  asm-iam-authenticator token [flags]

Flags:
      --ak string                  IAM access key ID
      --aksk-dir string            The directory of IAM access key(AK) and secret access key(SK)
      --cache                      Cache the token credential on disk until it expires (default true)
      --domain-name string         IAM domain name, typically your account name
  -h, --help                       help for token
      --iam-endpoint string        HuaweiCloud IAM endpoint, i.e. https://iam.cn-north-4.myhuaweicloud.com (default "https://iam.myhuaweicloud.com")
      --insecure-skip-tls-verify   If true, the iam server's certificate will not be checked for validity. (default true)
      --password string            IAM user password
      --project-id string          IAM project id, project id and project name should not be empty at same time
      --project-name string        IAM project name, project id and project name should not be empty at same time
      --sk string                  IAM secret access key
      --token-expired-refresh      Whether refresh the cached token when it may have expired resulting unauthorized. If true, we will use client.authentication.k8s.io/v1alpha1 api version. Otherwise, use client.authentication.k8s.io/v1beta1
      --token-only                 Return token only for other tool integration
      --user-name string           IAM user name. Same as domain-name when using main account, otherwise use iam user name

The flags fall into three groups: user name/password settings, AK/SK settings, and common settings.

Table 1 User name/password settings

  Command Flag   Environment Value   Description
  domain-name    DOMAIN_NAME         Tenant name, i.e. the account name. For details, see
                                     https://support.huaweicloud.com/usermanual-ca/ca_01_0001.html
  user-name      USER_NAME           Sub-user name, i.e. the IAM user name. If not set, it is the same as
                                     domain-name. For details, see
                                     https://support.huaweicloud.com/usermanual-ca/ca_01_0001.html
  password       PASSWORD            Password of the user or sub-user.

Table 2 AK/SK settings

  Command Flag   Environment Value   Description
  ak             ACCESS_KEY_ID       Access key: the Access Key part of the downloaded file.
  sk             SECRET_ACCESS_KEY   Secret access key: the Secret Key part of the downloaded file.

For how to obtain the AK and SK, see "Obtaining an AK/SK".

Table 3 Common settings

  Command Flag               Environment Value          Description
  iam-endpoint               IAM_ENDPOINT               IAM endpoint. Must be configured. For details, see
                                                        https://developer.huaweicloud.com/endpoint?IAM
  project-name               PROJECT_NAME               Project name. For details, see
                                                        https://support.huaweicloud.com/usermanual-ca/ca_01_0001.html
  project-id                 PROJECT_ID                 Project ID. For details, see
                                                        https://support.huaweicloud.com/usermanual-ca/ca_01_0001.html
  insecure-skip-tls-verify   INSECURE_SKIP_TLS_VERIFY   Whether to skip certificate verification of the CCI/IAM server.
                                                        Default: true.
  cache                      CREDENTIAL_CACHE           Whether to cache the IAM token locally to improve access
                                                        performance. Default: true.

Note: In an insecure environment, you are advised to disable the cache option.

generate-kubeconfig

Generates a kubeconfig for the user directly. If the specified kubeconfig already exists, new server, user and context entries are injected into it, and the current context of the kubeconfig is switched to the newly configured one.

Generate or modify kubeconfig files based on user configuration.

Sets a cluster entry, a user entry and a context entry in kubeconfig and use this context as the current-context.

  The loading order follows these rules:

   1.  If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once and no merging takes place.
   2.  If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path delimiting rules for your system). These paths are merged. When a value is modified, it is modified in the file that defines the stanza. When a value is created, it is created in the first file that exists. If no files in the chain exist, then it creates the last file in the list.
   3.  Otherwise, ${HOME}/.kube/config is used and no merging takes place.

 Examples:
   # Generate kubeconfig to ${HOME}/.kube/config using aksk
   asm-iam-authenticator generate-kubeconfig --mesh-endpoint=https://127.0.0.1:5443 --ak=*** --sk=***
   # Generate kubeconfig to ${HOME}/.kube/config using domain name and password
   asm-iam-authenticator generate-kubeconfig --mesh-endpoint=https://127.0.0.1:5443 --domain-name=*** --password=***

Usage:
  asm-iam-authenticator generate-kubeconfig [flags]

Flags:
      --ak string                  IAM access key ID
      --aksk-dir string            The directory of IAM access key(AK) and secret access key(SK)
      --cache                      Cache the token credential on disk until it expires (default true)
      --domain-name string         IAM domain name, typically your account name
  -h, --help                       help for generate-kubeconfig
      --iam-endpoint string        HuaweiCloud IAM endpoint, i.e. https://iam.cn-north-4.myhuaweicloud.com (default "https://iam.myhuaweicloud.com")
      --insecure-skip-tls-verify   If true, the iam server's certificate will not be checked for validity. (default true)
      --kubeconfig string          use a particular kubeconfig file
      --mesh-endpoint string       Mesh server endpoint, i.e. https://127.0.0.1:5443
      --mesh-region string         Mesh region, i.e. cn-north-4
      --password string            IAM user password
      --project-id string          IAM project id, project id and project name should not be empty at same time
      --project-name string        IAM project name, project id and project name should not be empty at same time
      --sk string                  IAM secret access key
      --token-expired-refresh      Whether refresh the cached token when it may have expired resulting unauthorized. If true, we will use client.authentication.k8s.io/v1alpha1 api version. Otherwise, use client.authentication.k8s.io/v1beta1
      --token-only                 Return token only for other tool integration
      --user-name string           IAM user name. Same as domain-name when using main account, otherwise use iam user name
      --validation                 Validate kubeconfig by trying to access Mesh with existing config (default true)

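Two of the settings shared by token and generate-kubeconfig default to true and are the ones worth checking in a kubeconfig after generation: --insecure-skip-tls-verify (the IAM server certificate is not validated) and --cache (the IAM token is written to local disk, which the note above advises disabling in insecure environments). The following added example, which is not part of asm-iam-authenticator or the Huawei Cloud documentation, audits the exec-plugin user entries of a kubeconfig and reports entries where either setting is effectively enabled. It assumes the plugin is wired as a standard kubeconfig exec stanza that runs the token subcommand, that a command-line flag overrides the corresponding environment variable, and uses a constructed kubeconfig expressed as a Python dict rather than YAML.

```python
# Added example, not part of asm-iam-authenticator or the Huawei Cloud docs. It
# audits a kubeconfig's exec-plugin users for --insecure-skip-tls-verify and --cache
# (both default true). Assumes a standard kubeconfig "exec" stanza running "token".
BOOL_FLAGS = {"insecure-skip-tls-verify", "cache", "token-expired-refresh", "token-only"}
DEFAULTS = {"insecure-skip-tls-verify": "true", "cache": "true"}  # per the help output
ENV_FOR_FLAG = {"insecure-skip-tls-verify": "INSECURE_SKIP_TLS_VERIFY", "cache": "CREDENTIAL_CACHE"}

def parse_args(args):  # pflag style: '--k=v', '--k v', or a bare boolean '--k'
    out, i = {}, 0
    while i < len(args):
        a = args[i]
        if a.startswith("--"):
            name, eq, val = a[2:].partition("=")
            if eq:
                out[name] = val
            elif name in BOOL_FLAGS:
                out[name] = "true"  # a bare boolean flag means true
            elif i + 1 < len(args):
                out[name] = args[i + 1]
                i += 1
        i += 1
    return out

def effective(flag, args, env):  # flag beats env var beats tool default (assumption)
    if flag in args:
        return args[flag].lower()
    return env.get(ENV_FOR_FLAG[flag], DEFAULTS[flag]).lower()

def audit_kubeconfig(cfg):
    """Return (user name, finding) pairs for every asm-iam-authenticator exec user."""
    findings = []
    for entry in cfg.get("users", []):
        ex = entry.get("user", {}).get("exec")
        if not ex or "asm-iam-authenticator" not in ex.get("command", ""):
            continue
        args = parse_args(ex.get("args", []))
        env = {e["name"]: e["value"] for e in ex.get("env", [])}
        if effective("insecure-skip-tls-verify", args, env) == "true":
            findings.append((entry["name"], "IAM server certificate is not verified"))
        if effective("cache", args, env) == "true":
            findings.append((entry["name"], "IAM token is cached on local disk"))
    return findings

# Constructed sample (real kubeconfigs are YAML); /root/.asm is a placeholder path.
SAMPLE = {"users": [
    {"name": "weak", "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "asm-iam-authenticator", "args": ["token", "--aksk-dir", "/root/.asm"]}}},
    {"name": "hardened", "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "asm-iam-authenticator", "env": [{"name": "CREDENTIAL_CACHE", "value": "false"}],
        "args": ["token", "--aksk-dir=/root/.asm", "--insecure-skip-tls-verify=false"]}}}]}
```

Running audit_kubeconfig(SAMPLE) reports the "weak" entry twice (unverified certificate, token cached) and the "hardened" entry not at all.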