Kubernetes: how to enable API Server Bearer Token Auth?


Question

I've been trying to enable token auth for HTTP REST API Server access from a remote client.

I installed my CoreOS/K8S cluster controller using this script: https://github.com/coreos/coreos-kubernetes/blob/master/multi-node/generic/controller-install.sh

My cluster works fine. This is a TLS installation, so I need to configure any kubectl clients with the client certs to access the cluster.

I then tried to enable token auth via running:

 echo `dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null`

This gives me a token. I then added the token to a token file on my controller containing a token and default user:

$> cat /etc/kubernetes/token
3XQ8W6IAourkXOLH2yfpbGFXftbH0vn,default,default

I then modified /etc/kubernetes/manifests/kube-apiserver.yaml to add in:

 - --token-auth-file=/etc/kubernetes/token

to the list of startup arguments.

I then reboot (not sure of the best way to restart the API Server by itself??)

At this point, kubectl from a remote server quits working (won't connect). I then look at docker ps on the controller and see the api server. I run docker logs container_id and get no output. If I look at other docker containers I see output like:

    E0327 20:05:46.657679       1 reflector.go:188] pkg/proxy/config/api.go:33: Failed to list *api.Endpoints: Get http://127.0.0.1:8080/api/v1/endpoints?resourceVersion=0: dial tcp 127.0.0.1:8080: getsockopt: connection refused

So it appears that my api-server.yaml config is preventing the API Server from starting properly....

Any suggestions on the proper way to configure the API Server for bearer token REST auth?

It is possible to have both TLS configuration and Bearer Token Auth configured, right?

Thanks!

Recommended answer

I think your kube-apiserver dies because it can't find /etc/kubernetes/token. That's because in your deployment the apiserver is a static pod, therefore running in a container, which in turn means it has a different root filesystem than that of the host.

Look into /etc/kubernetes/manifests/kube-apiserver.yaml and add a volume and a volumeMount like this (I have omitted the lines that do not need changing and that don't help in locating the correct section):

kind: Pod
metadata:
  name: kube-apiserver
spec:
  containers:
  - name: kube-apiserver
    command:
    - ...
    - --token-auth-file=/etc/kubernetes/token
    volumeMounts:
    - mountPath: /etc/kubernetes/token   # path the flag above refers to, as seen inside the container
      name: token-kubernetes
      readOnly: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/token        # the token file on the controller host
    name: token-kubernetes

One more note: the file you quoted as token should not end in a . (dot) - maybe that was only a copy-paste mistake, but check it anyway. The format is documented under static token file:

token,user,uid,"group1,group2,group3"

If your problem persists, execute the command below and post the output:

journalctl -u kubelet | grep kube-apiserver
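The question's token recipe and the answer's format note can both be checked offline before the apiserver is restarted. The following is an added example, not code from the original post and not kube-apiserver's own authenticator: it regenerates a token the way the question does, parses a static token file in the documented `token,user,uid,"group1,group2,group3"` layout, and resolves an `Authorization: Bearer` header against it. The sample file is constructed (the question's line plus an invented second user), and the rejection of duplicate tokens and of a trailing `.` are this example's stricter choices, where the real apiserver only warns or does nothing.

```python
# Added example (not from the original post or from Kubernetes): a small model of
# the static token file that kube-apiserver reads via --token-auth-file, so the
# file can be checked for format mistakes (too few columns, trailing '.', dupes)
# and a Bearer header resolved against it before the apiserver is restarted.
import base64
import csv
import io
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class UserInfo:
    name: str
    uid: str
    groups: List[str] = field(default_factory=list)


def generate_token(nbytes: int = 128, length: int = 32) -> str:
    """The question's recipe: urandom -> base64 -> drop '=+/' -> first `length` chars."""
    raw = base64.b64encode(os.urandom(nbytes)).decode("ascii")
    return raw.translate({ord(c): None for c in "=+/"})[:length]


def parse_token_file(text: str) -> Dict[str, UserInfo]:
    """Parse `token,user,uid,"group1,group2,..."` lines into a token -> user map.

    Like kube-apiserver, a record with fewer than three columns is an error.
    Stricter than kube-apiserver (assumption of this example): duplicate tokens
    are rejected, and a last column ending in '.' is rejected as the paste slip
    the answer warns about.
    """
    users: Dict[str, UserInfo] = {}
    for lineno, record in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not record:
            continue  # blank line
        if len(record) < 3:
            raise ValueError(f"line {lineno}: need at least 3 columns (token,user,uid), got {len(record)}")
        if record[-1].endswith("."):
            raise ValueError(f"line {lineno}: trailing '.' in last column, probably a paste error")
        token, name, uid = record[0], record[1], record[2]
        if not token or not name or not uid:
            raise ValueError(f"line {lineno}: token, user and uid must all be non-empty")
        if token in users:
            raise ValueError(f"line {lineno}: duplicate token for user {users[token].name!r}")
        # The optional fourth column is ONE quoted field holding a comma-separated group list.
        groups = [g for g in record[3].split(",") if g] if len(record) >= 4 else []
        users[token] = UserInfo(name=name, uid=uid, groups=groups)
    return users


def check_token_file(text: str) -> Optional[str]:
    """Return None if the file parses, otherwise the error message (for a pre-flight check)."""
    try:
        parse_token_file(text)
    except ValueError as exc:
        return str(exc)
    return None


def authenticate(authorization: Optional[str], users: Dict[str, UserInfo]) -> Optional[UserInfo]:
    """Resolve an `Authorization: Bearer <token>` header value; None means 401."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return users.get(token.strip())


# Constructed sample token file: the question's line plus an invented second user with groups.
SAMPLE_TOKEN_FILE = """\
3XQ8W6IAourkXOLH2yfpbGFXftbH0vn,default,default
7c0fD3pQ1nKx9ZbLm4VtW8aRyE2sHg,ci-deployer,1001,"dev,deployers"
"""


def demo() -> Dict[str, Optional[str]]:
    """Run the happy path and two failure modes; returns resolved user names (or None)."""
    users = parse_token_file(SAMPLE_TOKEN_FILE)
    results = {
        "default": authenticate("Bearer 3XQ8W6IAourkXOLH2yfpbGFXftbH0vn", users),
        "ci": authenticate("bearer 7c0fD3pQ1nKx9ZbLm4VtW8aRyE2sHg", users),
        "basic": authenticate("Basic ZGVmYXVsdDpkZWZhdWx0", users),
        "unknown": authenticate("Bearer not-in-file", users),
    }
    return {k: (v.name if v else None) for k, v in results.items()}


if __name__ == "__main__":
    print(demo())
    print("fresh token:", generate_token())
```

Run `check_token_file(open("/etc/kubernetes/token").read())` on the controller before restarting the apiserver: a non-None result is the kind of mistake that otherwise only shows up in `journalctl -u kubelet`. Remember that the file still has to be mounted into the static pod as shown in the answer; a valid file on the host that the container cannot see fails the same way.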
