Question about account authentication on a self-built Kubernetes cluster

2022-10-02 22:05:46 +08:00
 aqua02

I have started an api-server; how do I get permission to access this service?

Starting the api-server

The script used to start the api-server is as follows:

/root/k8s/kubernetes/server/bin/kube-apiserver  \
--log-dir=/root/k8s/kubernetes/log/kube-apiserver  \
--log-file=/root/k8s/kubernetes/log/kube-apiserver/log.log \
--logtostderr=true  \
--allow-privileged=true  \
--bind-address=0.0.0.0  \
--secure-port=6443  \
--advertise-address=192.168.123.78 \
--service-cluster-ip-range=10.96.0.0/12  \
--service-node-port-range=30000-32767  \
--etcd-servers=https://192.168.123.78:2379,https://192.168.123.79:2379,https://192.168.123.80:2379 \
--etcd-cafile=/root/certs/ca.pem \
--etcd-certfile=/root/certs/etcd.pem \
--etcd-keyfile=/root/certs/etcd-key.pem \
--tls-cert-file=/root/certs/api-server.pem  \
--tls-private-key-file=/root/certs/api-server-key.pem \
--client-ca-file=/root/certs/ca.pem  \
--kubelet-client-certificate=/root/certs/client.pem  \
--kubelet-client-key=/root/certs/client-key.pem  \
--service-account-key-file=/root/certs/api-server.pem  \
--service-account-signing-key-file=/root/certs/api-server-key.pem  \
--service-account-issuer=https://kubernetes.default.svc.cluster.local \
--kubelet-preferred-address-types=Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP \
--authorization-mode=RBAC,Node  \
--enable-bootstrap-token-auth=true  \
--requestheader-client-ca-file=/root/certs/ca.pem  \
--proxy-client-cert-file=/root/certs/proxy.pem  \
--proxy-client-key-file=/root/certs/proxy-key.pem  \
--requestheader-allowed-names=""  \
--requestheader-group-headers=X-Remote-Group  \
--requestheader-extra-headers-prefix=X-Remote-Extra-  \
--requestheader-username-headers=X-Remote-User

Trying to access it

Using the --kubelet-client-certificate and --kubelet-client-key from the script above,

I generated a config:

/root/k8s/kubernetes/server/bin/kubectl config set-cluster kubernetes --certificate-authority=/root/certs/ca.pem --embed-certs=true --server=https://192.168.123.78:6443 --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig


/root/k8s/kubernetes/server/bin/kubectl config set-credentials kubernetes-admin --client-certificate=/root/certs/client.pem --client-key=/root/certs/client-key.pem --embed-certs=true  --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig


/root/k8s/kubernetes/server/bin/kubectl config set-context kubernetes-admin@kubernetes --cluster=kubernetes --user=kubernetes-admin --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig


/root/k8s/kubernetes/server/bin/kubectl config use-context kubernetes-admin@kubernetes --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig

Then, when I access the cluster with admin.kubeconfig, I get a 403: ./kubectl get cs --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig -v=9

Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/api\"","reason":"Forbidden","details":{},"code":403}
I1002 21:44:12.604038  227095 round_trippers.go:466] curl -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.25.2 (linux/amd64) kubernetes/5835544" 'https://192.168.123.78:6443/apis?timeout=32s'

Does anyone know what the cause is? Or, put differently, where is the so-called admin account/password of a freshly started API-SERVER, and how do I access the api-server?

1600 views
Node: Kubernetes
3 replies
aqua02
2022-10-02 23:57:48 +08:00
Solved. If you access it with a certificate, the certificate's CN must carry something like system:xxx. Frankly, that is disgusting.
plko345
2022-10-03 21:18:28 +08:00
The best practices in the documentation state this very clearly; calling it disgusting is hardly fair.
aqua02
2022-10-08 16:25:23 +08:00
@plko345 Yes, I had not seen it before. There is far too little tutorial material online: only scripts, with no explanation of why they are done that way.
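
The resolution in this thread turns on the certificate Subject. With --client-ca-file and --authorization-mode=RBAC, the API server first checks that a client certificate chains to that CA (otherwise the request proceeds as system:anonymous, the user named in the 403 above), then maps Subject CN to the username and each Subject O to a group; the built-in cluster-admin ClusterRoleBinding grants to the group system:masters. The Go program below is an added illustration, not code from this thread or from Kubernetes: it mints throwaway certificates in memory and walks through the three outcomes a kubeconfig certificate can produce (the CA and subject names, and the functions MintCert, Authenticate and IsClusterAdmin, are constructed for the example).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"time"
)

// UserInfo is what the API server's x509 authenticator derives from a client cert: Subject CN -> user, Subject O -> groups.
type UserInfo struct{ Name string; Groups []string }

// MintCert builds a throwaway in-memory cert (constructed for this example, not the poster's /root/certs files): a self-signed CA when parent is nil, else a client-auth leaf signed by parent.
func MintCert(cn string, orgs []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn, Organization: orgs},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // CA: may sign certificates, carries no client-auth EKU itself
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // fixed template, error elided
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Authenticate mirrors --client-ca-file handling: a cert that does not chain to the client CA is not rejected outright, the request simply proceeds as system:anonymous (the user named in the 403 above).
func Authenticate(cert, clientCA *x509.Certificate) UserInfo {
	roots := x509.NewCertPool()
	roots.AddCert(clientCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return UserInfo{Name: "system:anonymous", Groups: []string{"system:unauthenticated"}}
	}
	return UserInfo{Name: cert.Subject.CommonName, Groups: append(cert.Subject.Organization, "system:authenticated")}
}

// IsClusterAdmin reports membership in system:masters, the group the default cluster-admin ClusterRoleBinding grants to; a cert from the trusted CA whose O lacks it authenticates but is still forbidden by RBAC.
func (u UserInfo) IsClusterAdmin() bool {
	return slices.Contains(u.Groups, "system:masters")
}
```

Run against three constructed certs (trusted CA with O=system:masters, trusted CA with no O, and a CA the API server does not trust) the results are, respectively, an admin identity, an authenticated non-admin that RBAC will still deny, and system:anonymous.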

https://www.v2ex.com/t/884409
