是否可以通过https入口访问Kubernetes API? [英] Is it possible to access the Kubernetes API via https ingress?

问题描述

我尝试通过HTTPS入口访问Kubernetes API失败，现在开始怀疑这是否完全可能?

I was trying unsuccessfully access Kubernetes API via HTTPS ingress and now started to wonder if that is possible at all?

对于任何直接远程访问(不使用ssh-> kubectl代理以避免在Kubernetes节点上进行用户管理的工作)的详细指导，将不胜感激. :)

Any working detailed guide for a direct remote access (without using ssh -> kubectl proxy to avoid user management on Kubernetes node) would be appreciated. :)

更新:

只是要弄清楚一点.这是前提条件下的裸机部署(NO GCE，AWZ，Azure或其他任何方式)，并且有一种意图是某些环境将完全脱机(这将在获取安装软件包时增加其他问题).

Just to make more clear. This is bare metal on premise deployment (NO GCE, AWZ, Azure or any other) and there is intension that some environments will be totally offline (which will add additional issues with getting the install packages).

意图是要能够在通过Keycloak进行身份验证的客户端主机上使用kubectl(如果遵循分步说明，该操作也会失败).使用SSH进行管理访问，然后使用kubectl进行访问不适合冷杉客户端访问.因此，看来我将必须更新防火墙以公开API端口并创建NodePort服务.

Intention is to be able to use kubectl on client host with authentication via Keycloak (which also fails if followed by the step by step instructions). Administrative access using SSH and then kubectl is not suitable fir client access. So it looks I will have to update firewall to expose API port and create NodePort service.

设置:

[kubernetes-env]-[FW/SNAT]-[me]

[kubernetes - env] - [FW/SNAT] - [me]

防火墙/NAT仅允许22,80和443端口访问

FW/NAT allows only 22,80 and 443 port access

因此，当我在Kubernetes上设置入口时，我无法创建将443重定向到6443的防火墙规则.似乎唯一的选择是创建一个https入口，以将对"api-kubernetes.node.lan"的访问指向kubernetes服务.端口6443.Ingress本身运行良好，我为Keycloak auth应用程序创建了一个有效的Ingress.

So as I set up an ingress on Kubernetes, I cannot create a firewall rule to redirect 443 to 6443. Seems the only option is creating an https ingress to point access to "api-kubernetes.node.lan" to kubernetes service port 6443. Ingress itself is working fine, I have created a working ingress for Keycloak auth application.

我已将.kube/config从主节点复制到我的机器上，并将其放入.kube/config(Cygwin环境)中

I have copied .kube/config from the master node to my machine and placed it into .kube/config (Cygwin environment)

尝试了什么:

• SSL直通.由于kubernetes-ingress控制器无法创建中间证书而无法启动，因此无法启用.即使启动，很可能也会破坏其他HTTPS入口.
• 创建的自签名SSL证书.结果，通过浏览器，当指向 https://api-kubernetes时，我可以获得API输出. node.lan/api .但是，由于未签名的证书，kubectl引发错误，这是显而易见的.
• 将apiserver.crt放入入口tls:定义.由于cert导致错误，因此不适用于api-kubernetes.node.lan.也很明显.

• 按照指南[1]创建kube-ca签名的证书.现在，浏览器根本不显示任何内容.使用curl访问 https://api-kubernetes.node.lan/api 会导致输出为空(使用-v时，我可以看到HTTP OK). Kubectl现在出现以下错误:

• SSL passthrough. Could not enable as kubernetes-ingress controller was not able to start due to not being able to create intermediary cert. Even if started, most likely would have crippled other HTTPS ingresses.
• Created self-signed SSL cert. As a result via browser, I could get an API output, when pointing to https://api-kubernetes.node.lan/api. However, kubectl throws an error due to unsigned cert, which is obvious.
• Put apiserver.crt into ingress tls: definition. Got an error due to cert is not suitable for api-kubernetes.node.lan. Also obvious.

• Followed guide [1] to create kube-ca signed certificate. Now the browser does not show anything at all. Using curl to access https://api-kubernetes.node.lan/api results in an empty output (I can see an HTTP OK when using -v). Kubectl now gets the following error:

$ kubectl.exe version
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.0", GitCommit:"91e7b4fd31fcd3d5f436da26c980becec37ceefe", GitTreeState:"clean", BuildDate:"2018-06-27T20:17:28Z", GoVersion:"go1.10.2", Compiler:"gc", Platform:"windows/amd64"}
Error from server: the server responded with the status code 0 but did not return more information

当尝试比较apiserver.pem和生成的证书时，我看到的唯一区别是:

When trying to compare apiserver.pem and my generated cert I see the only difference:

apiserver.pem
X509v3 Key Usage:
                 Digital Signature, Non Repudiation, Key Encipherment
generated.crt
X509v3 Extended Key Usage:
                 TLS Web Server Authentication

入口配置:

---
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: kubernetes-api
  namespace: default  
  labels:
    app: kubernetes
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
    - secretName: kubernetes-api-cert
      hosts:    
        - api-kubernetes.node.lan

  rules:
  - host: api-kubernetes.node.lan
    http:
      paths:
      - path: "/"
        backend:
          serviceName: kubernetes
          servicePort: 6443

链接: [1] https://db-blog.web.cern.ch/blog/lukas-gedvilas/2018-02-creating-tls-certificates-using-kubernetes-api

推荐答案

只要在kube-system名称空间中公开kube-apiserver pod，就应该能够做到.我这样尝试过:

You should be able to do it as long as you expose the kube-apiserver pod in the kube-system namespace. I tried it like this:

$ kubectl -n kube-system expose pod kube-apiserver-xxxx --name=apiserver --port 6443
service/apiserver exposed
$ kubectl -n kube-system get svc
NAME                      TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                       AGE
apiserver                 ClusterIP   10.x.x.x         <none>        6443/TCP                      1m
...

然后转到群集计算机，并指向我的~/.kube/config上下文IP 10.x.x.x:6443

Then go to a cluster machine and point my ~/.kube/config context IP 10.x.x.x:6443

clusters:
- cluster:
    certificate-authority-data: [REDACTED]
    server: https://10.x.x.x:6443
  name: kubernetes
...

然后:

$ kubectl version --insecure-skip-tls-verify
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.2", GitCommit:"bb9ffb1654d4a729bb4cec18ff088eacc153c239", GitTreeState:"clean", BuildDate:"2018-08-07T23:17:28Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.2", GitCommit:"bb9ffb1654d4a729bb4cec18ff088eacc153c239", GitTreeState:"clean", BuildDate:"2018-08-07T23:08:19Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}

我使用了--insecure-skip-tls-verify，因为10.x.x.x需要在服务器证书上有效.您实际上可以像这样修复它:配置AWS publicIP用于Kubernetes的大师

I used --insecure-skip-tls-verify because 10.x.x.x needs to be valid on the server certificate. You can actually fix it like this: Configure AWS publicIP for a Master in Kubernetes

在您的情况下，可能有几件事:

So maybe a couple of things in your case:

1. 由于您最初是在Ingress上提供SSL，因此您需要在主服务器上的/etc/kubernetes/pki/下使用相同的kubeapi-server证书
2. 您需要将外部IP或名称添加到暴露Ingress的证书中.请按照以下方式进行操作:在Kubernetes

1. Since you are initially serving SSL on the Ingress you need to use the same kubeapi-server certificates under /etc/kubernetes/pki/ on your master
2. You need to add the external IP or name to the certificate where the Ingress is exposed. Follow something like this: Configure AWS publicIP for a Master in Kubernetes

这篇关于是否可以通过https入口访问Kubernetes API?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！