asm-iam-authenticator Usage Reference
asm-iam-authenticator is a Kubernetes client-side authentication plugin. It provides two subcommands: generate-kubeconfig and token.
```
A tool to authenticate to ASM using HuaweiCloud IAM credentials

Usage:
  asm-iam-authenticator [command]

Available Commands:
  completion           Generate the autocompletion script for the specified shell
  generate-kubeconfig  Generate or modify kubeconfig files based on user configuration
  help                 Help about any command
  token                Authenticate using HuaweiCloud IAM and get token for ASM

Flags:
      --alsologtostderr   log to standard error as well as files (no effect when -logtostderr=true)
  -h, --help              help for asm-iam-authenticator
      --log_dir string    If non-empty, write log files in this directory (no effect when -logtostderr=true)
      --log_file string   If non-empty, use this log file (no effect when -logtostderr=true)
      --logtostderr       log to standard error instead of files (default true)
  -v, --v Level           number for the log level verbosity
      --version           version for asm-iam-authenticator

Use "asm-iam-authenticator [command] --help" for more information about a command.
```
The top-level flags are mainly logging options.
token
The token subcommand obtains a user token. Two authentication methods are supported, user name/password and AK/SK; configure one of them.
```
Authenticate using HuaweiCloud IAM and get token for ASM

Usage:
  asm-iam-authenticator token [flags]

Flags:
      --ak string                  IAM access key ID
      --aksk-dir string            The directory of IAM access key(AK) and secret access key(SK)
      --cache                      Cache the token credential on disk until it expires (default true)
      --domain-name string         IAM domain name, typically your account name
  -h, --help                       help for token
      --iam-endpoint string        HuaweiCloud IAM endpoint, i.e. https://iam.cn-north-4.myhuaweicloud.com (default "https://iam.myhuaweicloud.com")
      --insecure-skip-tls-verify   If true, the iam server's certificate will not be checked for validity. (default true)
      --password string            IAM user password
      --project-id string          IAM project id, project id and project name should not be empty at same time
      --project-name string        IAM project name, project id and project name should not be empty at same time
      --sk string                  IAM secret access key
      --token-expired-refresh      Whether refresh the cached token when it may have expired resulting unauthorized. If true, we will use client.authentication.k8s.io/v1alpha1 api version. Otherwise, use client.authentication.k8s.io/v1beta1
      --token-only                 Return token only for other tool integration
      --user-name string           IAM user name. Same as domain-name when using main account, otherwise use iam user name
```
The flags fall into three groups: user name/password, AK/SK, and common configuration. Each flag can also be supplied through the environment variable listed beside it.
User name/password flags:

| Command Flag | Environment Variable | Description |
|---|---|---|
| domain-name | DOMAIN_NAME | Tenant name, i.e. the account name. See https://support.huaweicloud.com/usermanual-ca/ca_01_0001.html. |
| user-name | USER_NAME | Sub-user name, i.e. the IAM user name. If not set, it is the same as domain-name. See https://support.huaweicloud.com/usermanual-ca/ca_01_0001.html. |
| password | PASSWORD | Password of the user or sub-user. |
AK/SK flags:

| Command Flag | Environment Variable | Description |
|---|---|---|
| ak | ACCESS_KEY_ID | See "Obtaining AK/SK" for how to obtain the AK and SK. ak is the Access Key field of the downloaded file. |
| sk | SECRET_ACCESS_KEY | sk is the Secret Key field of the same file. |
Common configuration flags:

| Command Flag | Environment Variable | Description |
|---|---|---|
| iam-endpoint | IAM_ENDPOINT | IAM endpoint. Must be set. See https://developer.huaweicloud.com/endpoint?IAM. |
| project-name | PROJECT_NAME | Project name. See https://support.huaweicloud.com/usermanual-ca/ca_01_0001.html. |
| project-id | PROJECT_ID | Project ID. See https://support.huaweicloud.com/usermanual-ca/ca_01_0001.html. |
| insecure-skip-tls-verify | INSECURE_SKIP_TLS_VERIFY | Whether to skip certificate verification of the CCI/IAM server. Default: true. |
| cache | CREDENTIAL_CACHE | Whether to cache the IAM token locally to improve access performance. Default: true. Note: in a non-secure environment, disabling this option is recommended. |
generate-kubeconfig
Generates a KubeConfig for the user directly. If the specified KubeConfig already exists, new server (cluster), user, and context entries are injected into it, and the current context of that KubeConfig is switched to the newly generated one.
```
Generate or modify kubeconfig files based on user configuration.

Sets a cluster entry, a user entry and a context entry in kubeconfig and use this context as the current-context.

The loading order follows these rules:

  1. If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once and no merging takes place.

  2. If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path delimiting rules for your system). These paths are merged. When a value is modified, it is modified in the file that defines the stanza. When a value is created, it is created in the first file that exists. If no files in the chain exist, then it creates the last file in the list.

  3. Otherwise, ${HOME}/.kube/config is used and no merging takes place.

Examples:
  # Generate kubeconfig to ${HOME}/.kube/config using aksk
  asm-iam-authenticator generate-kubeconfig --mesh-endpoint=https://127.0.0.1:5443 --ak=*** --sk=***

  # Generate kubeconfig to ${HOME}/.kube/config using domain name and password
  asm-iam-authenticator generate-kubeconfig --mesh-endpoint=https://127.0.0.1:5443 --domain-name=*** --password=***

Usage:
  asm-iam-authenticator generate-kubeconfig [flags]

Flags:
      --ak string                  IAM access key ID
      --aksk-dir string            The directory of IAM access key(AK) and secret access key(SK)
      --cache                      Cache the token credential on disk until it expires (default true)
      --domain-name string         IAM domain name, typically your account name
  -h, --help                       help for generate-kubeconfig
      --iam-endpoint string        HuaweiCloud IAM endpoint, i.e. https://iam.cn-north-4.myhuaweicloud.com (default "https://iam.myhuaweicloud.com")
      --insecure-skip-tls-verify   If true, the iam server's certificate will not be checked for validity. (default true)
      --kubeconfig string          use a particular kubeconfig file
      --mesh-endpoint string       Mesh server endpoint, i.e. https://127.0.0.1:5443
      --mesh-region string         Mesh region, i.e. cn-north-4
      --password string            IAM user password
      --project-id string          IAM project id, project id and project name should not be empty at same time
      --project-name string        IAM project name, project id and project name should not be empty at same time
      --sk string                  IAM secret access key
      --token-expired-refresh      Whether refresh the cached token when it may have expired resulting unauthorized. If true, we will use client.authentication.k8s.io/v1alpha1 api version. Otherwise, use client.authentication.k8s.io/v1beta1
      --token-only                 Return token only for other tool integration
      --user-name string           IAM user name. Same as domain-name when using main account, otherwise use iam user name
      --validation                 Validate kubeconfig by trying to access Mesh with existing config (default true)
```
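The two sections above describe the same mechanism from two sides: generate-kubeconfig writes a kubeconfig in which kubectl calls the token subcommand as an exec credential plugin, and the token flags (or their environment variables) decide how that call authenticates. The script below is an added example, not code from the asm-iam-authenticator project or the Huawei Cloud documentation. It renders such a kubeconfig by hand with the two defaults this page documents as `true` turned off (`--insecure-skip-tls-verify`, `--cache`), keeps AK/SK out of the file by relying on the ACCESS_KEY_ID / SECRET_ACCESS_KEY environment variables from the flag table, and audits an existing kubeconfig for those defaults and for embedded secrets. It assumes that, without `--token-only`, the token subcommand prints a `client.authentication.k8s.io/v1beta1` ExecCredential (as the `--token-expired-refresh` help text implies) and that kubectl passes its environment through to the plugin; the cluster and user names and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not code from the asm-iam-authenticator project or its docs.
# render_kubeconfig writes a kubeconfig that wires asm-iam-authenticator in as a
# kubectl exec credential plugin with the weak defaults from this page turned off;
# audit_kubeconfig flags those defaults (and embedded secrets) in an existing file.
# Assumptions: without --token-only the `token` subcommand prints a
# client.authentication.k8s.io/v1beta1 ExecCredential, and it reads
# ACCESS_KEY_ID / SECRET_ACCESS_KEY from the environment (per the flag table),
# which kubectl inherits to the plugin, so no secret has to be written to disk.

# $1 = mesh server URL, $2 = IAM endpoint, $3 = IAM project name.
# No certificate-authority for the mesh server is set because this page does not
# provide one; add certificate-authority-data for your mesh before using the file.
render_kubeconfig() {
  mesh="$1"; iam="$2"; project="$3"
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: asm-mesh
  cluster:
    server: ${mesh}
users:
- name: asm-iam-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: asm-iam-authenticator
      args:
      - token
      - --iam-endpoint=${iam}
      - --project-name=${project}
      - --insecure-skip-tls-verify=false
      - --cache=false
      interactiveMode: Never
contexts:
- name: asm-mesh
  context:
    cluster: asm-mesh
    user: asm-iam-user
current-context: asm-mesh
EOF
}

# $1 = path of a kubeconfig. Prints one WARN line per finding and returns 1 if any
# finding was made, 0 if the file is clean or does not use asm-iam-authenticator.
audit_kubeconfig() {
  f="$1"; rc=0
  grep -q 'asm-iam-authenticator' "$f" || return 0
  # The default is true, so both an explicit =true and the bare flag disable TLS checks.
  if grep -q -- '--insecure-skip-tls-verify=true' "$f" || grep -q -- '--insecure-skip-tls-verify$' "$f"; then
    echo "WARN: IAM server certificate is not verified (--insecure-skip-tls-verify)"; rc=1
  fi
  # The default is true, so the on-disk token cache is on unless --cache=false is present.
  if ! grep -q -- '--cache=false' "$f"; then
    echo "WARN: IAM token cached on disk (default --cache=true)"; rc=1
  fi
  # AK/SK or a password passed as plugin args or env entries sit in plaintext in the file.
  if grep -Eq -- '--(ak|sk|password)=' "$f" || grep -Eq 'name: (ACCESS_KEY_ID|SECRET_ACCESS_KEY|PASSWORD)$' "$f"; then
    echo "WARN: long-lived credential embedded in kubeconfig"; rc=1
  fi
  return $rc
}

# Stand-alone demo on constructed files (no real endpoints or credentials).
main() {
  d=$(mktemp -d)
  render_kubeconfig https://127.0.0.1:5443 https://iam.cn-north-4.myhuaweicloud.com cn-north-4 > "$d/hardened.yaml"
  echo "== hardened.yaml"; audit_kubeconfig "$d/hardened.yaml" && echo "no findings"
  # Shaped like the page's `--ak=*** --sk=***` example with the defaults left in place.
  printf '%s\n' 'users:' '- name: u' '  user:' '    exec:' \
    '      command: asm-iam-authenticator' '      args:' '      - token' \
    '      - --ak=CONSTRUCTED_AK' '      - --sk=CONSTRUCTED_SK' \
    '      - --insecure-skip-tls-verify' > "$d/weak.yaml"
  echo "== weak.yaml"; audit_kubeconfig "$d/weak.yaml" || echo "findings above"
  rm -rf "$d"
}
main
```

Because the rendered file carries no credential, `kubectl` only works in a shell where ACCESS_KEY_ID and SECRET_ACCESS_KEY (or DOMAIN_NAME, USER_NAME and PASSWORD) are exported, which is the point: the long-lived secret never lands in `~/.kube/config` or in a cached token file, and a leaked kubeconfig by itself grants nothing.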