Not able to access kubernetes api from inside a pod container
Question
I have created a HashiCorp Vault deployment and configured Kubernetes auth. The Vault container calls the Kubernetes API from inside the pod to do k8s authentication, and that call is failing with a 500 error code (connection refused). I am using Docker for Windows Kubernetes.
I added the config below to Vault for the Kubernetes auth mechanism.
payload.json
{
"kubernetes_host": "http://kubernetes",
"kubernetes_ca_cert": <k8s service account token>
}
curl --header "X-Vault-Token: <vault root token>" --request POST --data @payload.json http://127.0.0.1:8200/v1/auth/kubernetes/config
I got a 204 response as expected.
And I created a role for Kubernetes auth, which I am using to try to log in to Vault:
payload2.json
{
"role": "tanmoy-role",
"jwt": "<k8s service account token>"
}
curl --request POST --data @payload2.json http://127.0.0.1:8200/v1/auth/kubernetes/login
The above curl gives the response below:
{"errors":["Post http://kubernetes/apis/authentication.k8s.io/v1/tokenreviews: dial tcp 10.96.0.1:80: connect: connection refused"]}
Below is my Kubernetes service, up and running properly, and I can also access the Kubernetes dashboard by using the proxy.
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 13d
I am not able to figure out why the 'kubernetes' service is not accessible from inside the container. Any help would be greatly appreciated.
Edit 1. My Vault pod and service are working fine:
Service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
vault-elb-int LoadBalancer 10.104.197.76 localhost,192.168.0.10 8200:31650/TCP,8201:31206/TCP 26h
Pod
NAME READY STATUS RESTARTS AGE
vault-84c65db6c9-pj6zw 1/1 Running 0 21h
Edit 2. As John suggested, I changed the 'kubernetes_host' in payload.json to 'https://kubernetes'. But now I am getting this error:
{"errors":["Post https://kubernetes/apis/authentication.k8s.io/v1/tokenreviews: x509: certificate signed by unknown authority"]}
Accepted answer
Finally I have figured out what went wrong:
My payload.json content was wrong.
It should be like this:
{
"kubernetes_host": "https://kubernetes",
"kubernetes_ca_cert": <kubectl exec to vault pod and cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, now make the cert one line by following this answer: https://stackoverflow.com/a/14580203/2054147>
}
Now the endpoint below is working fine and returning the desired client_token:
curl --request POST --data @payload2.json http://127.0.0.1:8200/v1/auth/kubernetes/login
Thanks @John for helping me to figure out the initial issue with kubernetes_host.
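The two errors in the thread map onto the two fields of the config payload: an http:// kubernetes_host makes Vault dial port 80 (connection refused), and a kubernetes_ca_cert that is not the cluster CA leaves Vault with no trust anchor (x509: certificate signed by unknown authority). The script below is an added example, not code from the original post or from Vault; it builds both payloads from the service-account mount inside the pod, rejects those two mistakes before anything is sent, and can issue the same TokenReview request Vault makes so that TLS and RBAC problems can be separated from Vault configuration problems. It assumes the standard in-cluster service-account mount path, the Vault API paths used in the question, and the role name from the post; the PEM and JWT strings are constructed placeholders, not real credentials.

```python
"""Build and sanity-check the payloads for Vault's kubernetes auth backend.

Added example, not code from the original post or from Vault. Assumes the
default in-cluster service-account mount and the Vault API paths used in the
question. SAMPLE_CA_PEM and SAMPLE_JWT are constructed placeholders.
"""
import json
import re
import ssl
import urllib.request
from pathlib import Path
from urllib.parse import urlparse

SA_DIR = Path("/var/run/secrets/kubernetes.io/serviceaccount")  # assumption: unmodified pod spec
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
PEM_HEADER = "-----BEGIN CERTIFICATE-----"

# Constructed placeholders for offline runs; not a real CA or token.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBsampleCAcertLine1\n"
    "MIIBsampleCAcertLine2\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ2YXVsdCJ9.c2lnbmF0dXJl"


def check_kubernetes_host(host: str) -> str:
    """Validate kubernetes_host and return it as https://host:port.

    The API server only serves TLS. An http:// URL makes Vault dial port 80,
    which is the 'dial tcp 10.96.0.1:80: connect: connection refused' symptom.
    """
    u = urlparse(host)
    if u.scheme != "https":
        raise ValueError(f"{host!r}: scheme must be https (plain http dials port 80, where nothing listens)")
    if not u.hostname:
        raise ValueError(f"{host!r}: missing hostname")
    return f"https://{u.hostname}:{u.port or 443}"


def build_auth_config(host: str, ca_pem: str) -> str:
    """Return the JSON body for POST /v1/auth/kubernetes/config.

    kubernetes_ca_cert must be the cluster CA in PEM form. Supplying the
    service-account JWT here (the mistake in the question) gives Vault no trust
    anchor and yields 'x509: certificate signed by unknown authority'.
    json.dumps escapes the PEM's newlines, so no manual one-lining is needed.
    """
    pem = ca_pem.strip()
    if JWT_RE.match(pem):
        raise ValueError("kubernetes_ca_cert looks like a JWT; it must be the PEM CA (ca.crt), not the token")
    if not pem.startswith(PEM_HEADER):
        raise ValueError("kubernetes_ca_cert must be a PEM-encoded certificate")
    return json.dumps({"kubernetes_host": check_kubernetes_host(host), "kubernetes_ca_cert": pem})


def build_login_payload(role: str, jwt: str) -> str:
    """Return the JSON body for POST /v1/auth/kubernetes/login."""
    token = jwt.strip()
    if not JWT_RE.match(token):
        raise ValueError("jwt must be a service-account token (header.payload.signature)")
    return json.dumps({"role": role, "jwt": token})


def payloads_from_service_account(host: str = "https://kubernetes.default.svc:443",
                                  role: str = "tanmoy-role", sa_dir: Path = SA_DIR):
    """Inside the pod: read ca.crt and token from the SA mount and build both payloads."""
    ca_pem = (sa_dir / "ca.crt").read_text()
    token = (sa_dir / "token").read_text()
    return build_auth_config(host, ca_pem), build_login_payload(role, token)


def token_review(host: str, ca_path: str, reviewer_jwt: str, subject_jwt: str) -> dict:
    """Reproduce what Vault does on login: POST a TokenReview with the CA pinned.

    Run from the Vault pod, this separates network/TLS failures from Vault
    config errors. The reviewer's service account needs the
    system:auth-delegator ClusterRole for the API server to accept the review.
    """
    ctx = ssl.create_default_context(cafile=ca_path)
    body = json.dumps({"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
                       "spec": {"token": subject_jwt}}).encode()
    req = urllib.request.Request(
        f"{check_kubernetes_host(host)}/apis/authentication.k8s.io/v1/tokenreviews",
        data=body, method="POST",
        headers={"Authorization": f"Bearer {reviewer_jwt}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration with the constructed placeholders.
    print(build_auth_config("https://kubernetes", SAMPLE_CA_PEM))
    print(build_login_payload("tanmoy-role", SAMPLE_JWT))
    for bad_host, bad_ca in (("http://kubernetes", SAMPLE_CA_PEM), ("https://kubernetes", SAMPLE_JWT)):
        try:
            build_auth_config(bad_host, bad_ca)
        except ValueError as err:
            print("rejected:", err)
```

Inside the pod, `payloads_from_service_account()` produces the two bodies to feed to the curl commands from the question; `https://kubernetes.default.svc:443` is used as the default host because that is the in-cluster DNS name for the `kubernetes` service listed at 10.96.0.1:443 above.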