V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
aqua02
V2EX  ›  Kubernetes

关于 Kubernetes 的搭建的账户的认证问题

  •  
  •   aqua02 · 2022-10-02 22:05:46 +08:00 · 1635 次点击
    这是一个创建于 830 天前的主题,其中的信息可能已经有所发展或是发生改变。

    开启了一个api-server,如何具有权限访问这个服务

    开启api-server

    开启的api-server 脚本如下

    /root/k8s/kubernetes/server/bin/kube-apiserver  \
    --log-dir=/root/k8s/kubernetes/log/kube-apiserver  \
    --log-file=/root/k8s/kubernetes/log/kube-apiserver/log.log \
    --logtostderr=true  \
    --allow-privileged=true  \
    --bind-address=0.0.0.0  \
    --secure-port=6443  \
    --advertise-address=192.168.123.78 \
    --service-cluster-ip-range=10.96.0.0/12  \
    --service-node-port-range=30000-32767  \
    --etcd-servers=https://192.168.123.78:2379,https://192.168.123.79:2379,https://192.168.123.80:2379 \
    --etcd-cafile=/root/certs/ca.pem \
    --etcd-certfile=/root/certs/etcd.pem \
    --etcd-keyfile=/root/certs/etcd-key.pem \
    --tls-cert-file=/root/certs/api-server.pem  \
    --tls-private-key-file=/root/certs/api-server-key.pem \
    --client-ca-file=/root/certs/ca.pem  \
    --kubelet-client-certificate=/root/certs/client.pem  \
    --kubelet-client-key=/root/certs/client-key.pem  \
    --service-account-key-file=/root/certs/api-server.pem  \
    --service-account-signing-key-file=/root/certs/api-server-key.pem  \
    --service-account-issuer=https://kubernetes.default.svc.cluster.local \
    --kubelet-preferred-address-types=Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP \
    --authorization-mode=RBAC,Node  \
    --enable-bootstrap-token-auth=true  \
    --requestheader-client-ca-file=/root/certs/ca.pem  \
    --proxy-client-cert-file=/root/certs/proxy.pem  \
    --proxy-client-key-file=/root/certs/proxy-key.pem  \
    --requestheader-allowed-names=""  \
    --requestheader-group-headers=X-Remote-Group  \
    --requestheader-extra-headers-prefix=X-Remote-Extra-  \
    --requestheader-username-headers=X-Remote-User
    

    尝试访问

    利用其中的 --kubelet-client-certificate--kubelet-client-key

    生成了一个config

    /root/k8s/kubernetes/server/bin/kubectl config set-cluster kubernetes --certificate-authority=/root/certs/ca.pem --embed-certs=true --server=https://192.168.123.78:6443 --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig
    
    
    /root/k8s/kubernetes/server/bin/kubectl config set-credentials kubernetes-admin --client-certificate=/root/certs/client.pem --client-key=/root/certs/client-key.pem --embed-certs=true  --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig
    
    
    /root/k8s/kubernetes/server/bin/kubectl config set-context kubernetes-admin@kubernetes --cluster=kubernetes --user=kubernetes-admin --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig
    
    
    /root/k8s/kubernetes/server/bin/kubectl config use-context kubernetes-admin@kubernetes --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig
    
    

    然后当我用admin.kubeconfig进行访问的时候,出现了 403 的问题 ./kubectl get cs --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig -v=9

    <<<<<

    Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/api\"","reason":"Forbidden","details":{},"code":403}
    I1002 21:44:12.604038  227095 round_trippers.go:466] curl -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.25.2 (linux/amd64) kubernetes/5835544" 'https://192.168.123.78:6443/apis?timeout=32s'
    

    有大佬知道是什么原因吗, 或者说一个新开的 API-SERVER 的所谓的管理员账号密码是在哪里= =,如何访问api-server

    3 条回复    2022-10-08 16:25:23 +08:00
    aqua02
        1
    aqua02  
    OP
       2022-10-02 23:57:48 +08:00
    解决了 如果通过证书访问的话 证书的 CN 一定要携带 system:xxx 之类的 恕我直言。真恶心
    plko345
        2
    plko345  
       2022-10-03 21:18:28 +08:00 via Android
    文档里 best practice 里写的很清楚了,说恶心不合适吧
    aqua02
        3
    aqua02  
    OP
       2022-10-08 16:25:23 +08:00
    @plko345 嗯,之前没看到。网上的教程资料太少了, 只有脚本,但没有说明为什么这么做
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   995 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 25ms · UTC 22:14 · PVG 06:14 · LAX 14:14 · JFK 17:14
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.