Not able to access kubernetes api from inside a pod container


Problem description

I have created a hashicorp vault deployment and configured kubernetes auth. The vault container calls the kubernetes api internally from the pod to do k8s authentication, and that call is failing with a 500 error code (connection refused). I am using docker for windows kubernetes.

I added the below config to vault for kubernetes auth mechanism.

payload.json

{
    "kubernetes_host": "http://kubernetes",
    "kubernetes_ca_cert": <k8s service account token>
}

curl --header "X-Vault-Token: <vault root token>" --request POST --data @payload.json http://127.0.0.1:8200/v1/auth/kubernetes/config

I got a 204 response as expected.

And I created a role for kubernetes auth using which I am trying to login to vault:

payload2.json

{
    "role": "tanmoy-role",
    "jwt": "<k8s service account token>"
}

curl --request POST --data @payload2.json http://127.0.0.1:8200/v1/auth/kubernetes/login

The above curl gives the response below:

{"errors":["Post http://kubernetes/apis/authentication.k8s.io/v1/tokenreviews: dial tcp 10.96.0.1:80: connect: connection refused"]}

Below is my kubernetes service, up and running properly, and I can also access the kubernetes dashboard by using the proxy.

NAME            TYPE           CLUSTER-IP      EXTERNAL-IP              PORT(S)                         AGE
kubernetes      ClusterIP      10.96.0.1       <none>                   443/TCP                         13d

I am not able to figure out why 'kubernetes' service is not accessible from inside the container. Any help would be greatly appreciated.

Edit 1. My vault pod and service are working fine:

Service

NAME            TYPE           CLUSTER-IP      EXTERNAL-IP              PORT(S)                         AGE
vault-elb-int   LoadBalancer   10.104.197.76   localhost,192.168.0.10   8200:31650/TCP,8201:31206/TCP   26h

Pod

NAME                     READY   STATUS    RESTARTS   AGE
vault-84c65db6c9-pj6zw   1/1     Running   0          21h

Edit 2. As John suggested, I changed the 'kubernetes_host' in payload.json to 'https://kubernetes'. But now I am getting this error:

{"errors":["Post https://kubernetes/apis/authentication.k8s.io/v1/tokenreviews: x509: certificate signed by unknown authority"]}

Recommended answer

Finally I have figured out what went wrong:

My payload.json content was wrong.

It should be like this:

{
      "kubernetes_host": "https://kubernetes",
      "kubernetes_ca_cert": <kubectl exec to vault pod and cat  /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, now make the cert one line by following this answer: https://stackoverflow.com/a/14580203/2054147>
}

Now the endpoint below is working fine and returns the desired client_token:

curl --request POST --data @payload2.json http://127.0.0.1:8200/v1/auth/kubernetes/login

Thanks @John for helping me to figure out the initial issue with kubernetes_host.
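The two errors in this thread are the two ways the config payload can be wrong: an `http://` kubernetes_host makes Vault dial port 80 on the API server (which only serves TLS on 443, hence "connection refused"), and a service account token pasted into kubernetes_ca_cert leaves Vault with no CA to verify the API server (hence "x509: certificate signed by unknown authority"). The script below is an added example, not code from the question, the answer, or HashiCorp: it builds both Vault payloads from the in-pod service account mount, catches those two mistakes before anything is sent, and shows that proper JSON encoding already turns the multi-line PEM into the one-line form the answer produces by hand. It assumes the standard mount path `/var/run/secrets/kubernetes.io/serviceaccount` and the `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` variables the kubelet injects; the PEM and JWT in `SAMPLE_*` are constructed placeholders, not real credentials, and `token_reviewer_jwt` is the separate Vault config field where a reviewer token belongs if one is used.

```python
"""Build and sanity-check the Vault kubernetes-auth payloads from the post.

Added example, not code from the original question/answer or from HashiCorp.
Assumes the standard in-pod service-account mount and the
KUBERNETES_SERVICE_HOST/PORT environment variables; SAMPLE_* values are
constructed placeholders, not real credentials.
"""
import base64
import json
import os
import re

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed sample CA bundle (PEM framing only, not a real certificate).
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUEXAMPLEONLYNOTAREALCERT0000000wCgYIKoZIzj0EAwIw\n"
    "EjEQMA4GA1UEAwwHa3ViZS1jYTAeFw0yMDAxMDEwMDAwMDBaFw0zMDAxMDEwMDAwMDBa\n"
    "-----END CERTIFICATE-----\n"
)


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed JWT-shaped string with the layout of a service-account token.
SAMPLE_SA_JWT = ".".join([
    _b64url(b'{"alg":"RS256","kid":"example"}'),
    _b64url(b'{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:vault"}'),
    _b64url(b"not-a-real-signature"),
])

_JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def looks_like_jwt(value):
    """Three base64url segments joined by dots: the shape of a SA token."""
    return bool(_JWT_RE.match(value.strip()))


def looks_like_pem_cert(value):
    return "-----BEGIN CERTIFICATE-----" in value and "-----END CERTIFICATE-----" in value


def kube_api_host(env=None):
    """In-cluster API endpoint. It only speaks TLS, so the scheme is https."""
    env = os.environ if env is None else env
    host = env.get("KUBERNETES_SERVICE_HOST", "kubernetes.default.svc")
    port = env.get("KUBERNETES_SERVICE_PORT", "443")
    return "https://%s:%s" % (host, port)


def build_config_payload(host, ca_pem, token_reviewer_jwt=None):
    """Body for POST /v1/auth/kubernetes/config. kubernetes_ca_cert is the PEM
    from ca.crt; a SA token never goes there (only, optionally, in token_reviewer_jwt)."""
    payload = {"kubernetes_host": host, "kubernetes_ca_cert": ca_pem}
    if token_reviewer_jwt:
        payload["token_reviewer_jwt"] = token_reviewer_jwt
    return payload


def build_login_payload(role, sa_jwt):
    """Body for POST /v1/auth/kubernetes/login."""
    return {"role": role, "jwt": sa_jwt}


def check_config_payload(payload):
    """Catch the two mistakes from the post before the config reaches Vault."""
    problems = []
    host = payload.get("kubernetes_host", "")
    if host.startswith("http://"):
        problems.append("kubernetes_host uses http://: Vault dials port 80 and gets "
                        "'connection refused'; use https://")
    elif not host.startswith("https://"):
        problems.append("kubernetes_host must be an https:// URL")
    ca = payload.get("kubernetes_ca_cert", "")
    if looks_like_jwt(ca):
        problems.append("kubernetes_ca_cert holds a service-account token, not a CA "
                        "certificate; TLS verification fails with 'x509: certificate "
                        "signed by unknown authority'")
    elif not looks_like_pem_cert(ca):
        problems.append("kubernetes_ca_cert must be the PEM certificate from ca.crt")
    return problems


def payload_json(payload):
    """json.dumps escapes the PEM newlines as \\n, so no manual one-line step is needed."""
    return json.dumps(payload)


def payloads_from_pod(role, sa_dir=SA_DIR):
    """Read ca.crt and token from the mounted service account and build both bodies."""
    with open(os.path.join(sa_dir, "ca.crt")) as f:
        ca_pem = f.read()
    with open(os.path.join(sa_dir, "token")) as f:
        sa_jwt = f.read().strip()
    config = build_config_payload(kube_api_host(), ca_pem)
    problems = check_config_payload(config)
    if problems:
        raise ValueError("; ".join(problems))
    return payload_json(config), payload_json(build_login_payload(role, sa_jwt))


if __name__ == "__main__":
    bad = {"kubernetes_host": "http://kubernetes", "kubernetes_ca_cert": SAMPLE_SA_JWT}
    for p in check_config_payload(bad):
        print("rejected:", p)
    good = build_config_payload("https://kubernetes", SAMPLE_CA_PEM)
    print("config payload:", payload_json(good))
    print("login payload:", payload_json(build_login_payload("tanmoy-role", SAMPLE_SA_JWT)))
```

Run it inside the Vault pod (or any pod with a mounted service account) and pipe the two JSON strings into the same curl calls as above. The "x509: certificate signed by unknown authority" error from Edit 2 means TLS verification is doing its job; the fix is to hand Vault the cluster CA from ca.crt, not to weaken verification.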
