
[CKA] 44. KubeConfig

Date: 2025/01/14
Category: Devops
Tags: Kubernetes, CKA, Security

KubeConfig

Default Authentication

A client can use curl to query the Kubernetes REST API using certificates. The certificate and key are passed as options to authenticate the user to the API server.

```bash
curl https://my-kube-playground:6443/api/v1/pods \
  --key admin.key --cert admin.crt --cacert ca.crt
```

How can the kubectl command authenticate to the API server?
As with the options passed to curl, the certificate and key can be supplied as options.

```bash
kubectl get pods \
  --server my-kube-playground:6443 \
  --client-key admin.key \
  --client-certificate admin.crt \
  --certificate-authority ca.crt
```

KubeConfig

Typing the authentication options on every kubectl invocation can be replaced by a single file. That file is the kubeconfig. The kubeconfig file holds the values that were previously passed as options, so when running kubectl you only need to specify the option that points to that config.
By default, kubectl looks for a file named config in the $HOME/.kube/ directory. If the config file is placed there, the --kubeconfig option is not needed.

```bash
kubectl get pods --kubeconfig config
```

```
# config
--server my-kube-playground:6443
--client-key admin.key
--client-certificate admin.crt
--certificate-authority ca.crt
```

Structure and Role

The kubeconfig file is a file in a specific format that holds access information for Kubernetes clusters. It is divided into three main sections: clusters, users, and contexts.

Cluster

The clusters section contains information about the various Kubernetes clusters you need to access. There may be several clusters, such as development, test, and production environments, and clusters may also be created for different organizations or cloud providers. All of this cluster information is recorded in this section.

Users

The users section holds the user accounts that can access the clusters. For example, there may be an admin user for administrators, a dev user for developers, and a prod user for the production environment. Each user can have different privileges on different clusters.

Contexts

The contexts section links clusters and user accounts. Each context defines which user account accesses which cluster. For example, you can create a context named admin@production to access the production cluster with the admin account. Or, with a context named dev@google, you can access the cluster set up on Google with the developer account and deploy the application you built.

Privileges

This process does not create new users or configure user access privileges within the cluster. It uses existing users and their existing privileges to define which user accesses which cluster. As a result, you do not need to specify the user certificate and server address every time you run a kubectl command.

KubeConfig File

If the options used above are moved into a config file, where does each option go?

```
--server my-kube-playground:6443
--client-key admin.key
--client-certificate admin.crt
--certificate-authority ca.crt
```

• The --server my-kube-playground:6443 and --certificate-authority ca.crt options go in the Clusters section.
• The --client-key admin.key and --client-certificate admin.crt options go in the Users section.
• To specify access between the two, a context named MyKubeAdmin@MyKubePlayground can be created.

Written as a YAML kubeconfig file, this looks like the following:

```yaml
apiVersion: v1
kind: Config
clusters:
- name: my-kube-playground
  cluster:
    certificate-authority: ca.crt
    server: https://my-kube-playground:6443
contexts:
- name: my-kube-admin@my-kube-playground
  context:
    cluster: my-kube-playground
    user: my-kube-admin
users:
- name: my-kube-admin
  user:
    client-certificate: admin.crt
    client-key: admin.key
```

Once the kubeconfig file is ready, it is read by the kubectl command, so no further steps are needed.

Context

How does kubectl decide which context to use?

Current-Context

The default context can be set through the current-context field in the config file.

```yaml
# values hidden
apiVersion: v1
kind: Config
current-context: dev-user@google  # context to use
clusters:
- name: my-kube-playground
- name: development
- name: production
- name: google
contexts:
- name: my-kube-admin@my-kube-playground
- name: dev-user@google
- name: prod-user@production
users:
- name: my-kube-admin
- name: admin
- name: dev-user
- name: prod-user
```

Config View

The kubectl config view command shows the clusters, contexts, users, and the currently set context. If no kubeconfig file is specified, the default file in the $HOME/.kube/ directory is used; if you have another config file, pass the --kubeconfig option to view that file instead.

Use-Context

To switch the current context to another one, use the use-context command. A context changed with use-context is also written to current-context in the config file.

```bash
kubectl config use-context <context>
```

Namespaces

A Kubernetes cluster can consist of multiple namespaces. A namespace is a logical unit for separating and managing resources within a cluster. Each cluster can have several namespaces, and a context can be configured to switch to a specific namespace.

Configuration

The contexts section of the kubeconfig file accepts an additional field called namespace. When a namespace is set in this field, switching to that context automatically selects the specified namespace.

```yaml
apiVersion: v1
kind: Config
# ...
contexts:
- name: admin@production
  context:
    cluster: production
    user: admin
    namespace: finance
# ...
```

Switching the context to admin@production sets the default namespace to finance. kubectl commands then operate in the finance namespace without a namespace being specified.

Certificates in KubeConfig

Path

The kubeconfig specifies paths to certificate files; it is better to use absolute paths than relative ones.

Data

Instead of a path, the certificate data itself can be placed in the kubeconfig. In that case the field is certificate-authority-data rather than certificate-authority.
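
An added example, not part of the original page: a standard-library Python audit of the rules described above, checking that current-context and every context point at defined clusters and users and that certificate paths are absolute. The sample kubeconfig is constructed and given in the JSON form that `kubectl config view -o json` prints; the `insecure-skip-tls-verify` and `client-key-data` checks go beyond what the page covers.

```python
import json
import os

# Constructed sample (JSON form of a kubeconfig); names and paths are illustrative.
SAMPLE = json.loads("""
{"apiVersion": "v1", "kind": "Config", "current-context": "dev-user@google",
 "clusters": [
  {"name": "my-kube-playground", "cluster": {
     "server": "https://my-kube-playground:6443",
     "certificate-authority": "ca.crt"}},
  {"name": "production", "cluster": {
     "server": "https://production:6443", "insecure-skip-tls-verify": true}}],
 "users": [
  {"name": "my-kube-admin", "user": {
     "client-certificate": "/etc/kubernetes/pki/users/admin.crt",
     "client-key": "/etc/kubernetes/pki/users/admin.key"}}],
 "contexts": [
  {"name": "my-kube-admin@my-kube-playground", "context": {
     "cluster": "my-kube-playground", "user": "my-kube-admin"}},
  {"name": "admin@production", "context": {
     "cluster": "production", "user": "admin", "namespace": "finance"}}]}
""")
PATH_FIELDS = ("certificate-authority", "client-certificate", "client-key")

def audit_kubeconfig(cfg):
    """Return sorted findings for a parsed kubeconfig dict."""
    def index(section, key):  # list of {name, <key>: {...}} -> {name: body}
        return {e["name"]: e.get(key) or {} for e in cfg.get(section) or []}
    clusters, users = index("clusters", "cluster"), index("users", "user")
    contexts = index("contexts", "context")
    findings = []
    current = cfg.get("current-context")
    if current not in contexts:
        findings.append(f"current-context {current!r} is not a defined context")
    for name, ctx in contexts.items():  # a context only links existing entries
        if ctx.get("cluster") not in clusters:
            findings.append(f"context {name}: unknown cluster {ctx.get('cluster')!r}")
        if ctx.get("user") not in users:
            findings.append(f"context {name}: unknown user {ctx.get('user')!r}")
    for kind, entries in (("cluster", clusters), ("user", users)):
        for name, body in entries.items():
            for field in PATH_FIELDS:
                if field in body and not os.path.isabs(body[field]):
                    findings.append(f"{kind} {name}: {field} is a relative path")
            if body.get("insecure-skip-tls-verify"):
                findings.append(f"{kind} {name}: TLS verification is disabled")
            if "client-key-data" in body:
                findings.append(f"{kind} {name}: private key is embedded in the file")
    return sorted(findings)
```

Calling `audit_kubeconfig(SAMPLE)` reports the dangling current-context, the undefined `admin` user, the relative `ca.crt` path and the cluster with TLS verification turned off.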