Rotate certificate for kubernetes in a KOPS managed cluster


Problem description


I've launched a couple clusters through KOPS and, being new to provisioning k8s clusters, shared the entire kube config file with my team. I had assumed incorrectly that I could easily change username and password to prevent developers that have left the company from authenticating if they had the kube config file.


The sample user section looks something like this:

- name: kubernetes.example.com
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    password: REDACTED
    username: REDACTED


When I change the password, I can still authenticate. But removing the certificate sections I become unauthorized. I've set up aws-iam-authenticator and that is working perfectly, but the certificate authentication still works indicating that anyone with access to the original kube config would still be able to authenticate with the server.


Is there any easy way outside of relaunching a new cluster to rotate these certificates or turn off certificate authentication altogether and just defer to AWS authentication?
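The question's core observation is that the `client-certificate-data` in the shared kubeconfig is itself the credential: the username/password lines are irrelevant once the API server accepts the client certificate. The script below is an added example, not part of the question or the answer, that audits such an entry from the defender's side: it pulls the embedded certificate out of a kubeconfig, prints who it identifies and when it stops being accepted, and answers the practical question "for how many more seconds will this leaked file still work". It assumes `openssl`, `base64` and `awk` are available. The kubeconfig and certificate it operates on are constructed inline for the demo; the `O=system:masters` subject is an assumption chosen to resemble a cluster-admin client certificate, not taken from the poster's cluster.

```shell
#!/bin/sh
# Added example (not from the original post): audit the client certificate
# embedded in a kubeconfig user entry. Assumes openssl, base64 and awk exist.
# Everything under $WORK is constructed for the demo, not a real cluster.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway self-signed client cert standing in for a kOps-issued one.
# O=system:masters is assumed here to mimic an admin credential; 365-day validity.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=system:masters/CN=dev-alice" \
    -keyout "$WORK/client.key" -out "$WORK/client.crt" 2>/dev/null
}

# Write a constructed kubeconfig whose user section has the shape shown in the question.
make_demo_kubeconfig() {
  cert_b64="$(base64 < "$WORK/client.crt" | tr -d '\n')"
  key_b64="$(base64 < "$WORK/client.key" | tr -d '\n')"
  cat > "$WORK/kubeconfig" <<EOF
users:
- name: kubernetes.example.com
  user:
    client-certificate-data: $cert_b64
    client-key-data: $key_b64
    password: REDACTED
    username: REDACTED
EOF
  echo "$WORK/kubeconfig"
}

# Print the decoded PEM certificate for the named user.
# Line-oriented extraction that is sufficient for this file layout; not a YAML parser.
extract_client_cert() {
  awk -v u="$2" '
    $1 == "-" && $2 == "name:" { cur = $3 }
    cur == u && $1 == "client-certificate-data:" { print $2; exit }
  ' "$1" | base64 -d
}

# Subject in RFC 2253 form, e.g. "CN=dev-alice,O=system:masters".
# The O= value is what the API server maps to a group, so it tells you the blast radius.
cert_subject() {
  extract_client_cert "$1" "$2" \
    | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Expiry timestamp as reported by openssl, without the "notAfter=" prefix.
cert_not_after() {
  extract_client_cert "$1" "$2" | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the certificate is still accepted $3 seconds from now, 1 if it expires before then.
# Without a rotation mechanism this is the only clock on a leaked kubeconfig.
cert_valid_for_seconds() {
  extract_client_cert "$1" "$2" | openssl x509 -noout -checkend "$3" >/dev/null 2>&1
}

make_demo_cert
DEMO_KUBECONFIG="$(make_demo_kubeconfig)"
echo "user kubernetes.example.com presents: $(cert_subject "$DEMO_KUBECONFIG" kubernetes.example.com)"
echo "certificate accepted until: $(cert_not_after "$DEMO_KUBECONFIG" kubernetes.example.com)"
if cert_valid_for_seconds "$DEMO_KUBECONFIG" kubernetes.example.com 86400; then
  echo "still valid tomorrow: changing the password line would not stop it"
fi
```

Run against a real file by replacing `DEMO_KUBECONFIG` with the path to the shared kubeconfig and the user name with the entry in question; a subject whose `O=` is `system:masters` means the certificate alone grants cluster-admin for as long as `cert_not_after` says, which is why the answer below matters.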

Recommended answer


At the moment there is no easy way to roll certificates without disruptions. See https://kops.sigs.k8s.io/rotate-secrets/


It is also not possible to disable certificates as kubernetes itself relies on the PKI to authenticate.


The good news is that in later versions of kOps, rotating secrets should be graceful. There is a PR for this functionality here: https://github.com/kubernetes/kops/pull/10516
