参考kube-apiserver,访问https端口时,-k允许跳过默认的证书认证,从而实现多种认证方式。
package main
import (
"crypto/tls"
"fmt"
"net/http"
klog "k8s.io/klog/v2"
)
func healthCheck(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "ok")
}
func authCheck(w http.ResponseWriter, r *http.Request) {
token := r.Header.Get("Authorization")
if token == "" {
fmt.Fprintf(w, "fail")
return
}
if token == "abc" {
fmt.Fprintf(w, "ok")
} else {
fmt.Fprintf(w, "fail")
}
}
func main() {
mux := http.NewServeMux()
mux.HandleFunc("/health", healthCheck)
mux.HandleFunc("/auth", authCheck)
srv := &http.Server{
Addr: "127.0.0.1:1000",
Handler: mux,
TLSConfig: &tls.Config{
// 向客户端请求提供证书,非必须且不校验
ClientAuth: tls.RequestClientCert,
},
}
if err := srv.ListenAndServeTLS("/etc/kubernetes/pki/apiserver.crt", "/etc/kubernetes/pki/apiserver.key"); err != nil {
klog.Fatalf("failed to listen server, err is %v", err)
}
}
[root@node1 use-k8s-queue]# curl http://127.0.0.1:1000
Client sent an HTTP request to an HTTPS server.
[root@node1 use-k8s-queue]# curl https://127.0.0.1:1000
curl: (60) Peer's Certificate issuer is not recognized.
[root@node1 use-k8s-queue]# curl https://127.0.0.1:1000/auth
curl: (60) Peer's Certificate issuer is not recognized.
[root@node1 use-k8s-queue]# curl https://127.0.0.1:1000/health
curl: (60) Peer's Certificate issuer is not recognized.
[root@node1 use-k8s-queue]# curl https://127.0.0.1:1000/health -k
ok[root@node1 use-k8s-queue]# curl https://127.0.0.1:1000/auth -k -H 'Authorization:abc'
ok
如果TLSConfig中ClientAuth设置成RequireAndVerifyClientCert,那么访问https时必须通过证书认证,不允许跳过,加-k也不行。
[root@node1 use-k8s-queue]# curl https://127.0.0.1:1000/auth -k -H 'Authorization:abc'
curl: (58) NSS: client certificate not found (nickname not specified)
标签:127.0,0.1,端口,https,go,curl,k8s,1000 From: https://www.cnblogs.com/WJQ2017/p/18033614