Enabling kubelet server Bearer Token authentication

Question

I am trying to enable authentication on my kubelet servers using Bearer Tokens (not X.509 client certificate authentication), and fail to understand the workflow.
According to the documentation page Kubelet authentication/authorization, starting the kubelet with the --authentication-token-webhook flag enables the Bearer Token authentication. I could confirm that by sending a request to the kubelet REST API using one of the default secrets created by the Controller Manager:
$ MY_TOKEN="$(kubectl get secret default-token-kw7mk \
    -o jsonpath='{$.data.token}' | base64 -d)"
$ curl -sS -o /dev/null -D - \
    --cacert /var/run/kubernetes/kubelet.crt \
    -H "Authorization: Bearer $MY_TOKEN" \
    https://host-192-168-0-10:10250/pods/
HTTP/1.1 200 OK
Content-Type: application/json
Date: Fri, 30 Jun 2017 22:12:29 GMT
Transfer-Encoding: chunked
However, any communication with the kubelet via the API server (typically using the kubectl logs or exec commands) using the same Bearer Token as above fails with:
$ kubectl --token="$MY_TOKEN" -n kube-system logs \
    kube-dns-2272871451-sc02r -c kubedns
error: You must be logged in to the server (the server has asked for the client to provide credentials ( pods/log kube-dns-2272871451-sc02r))
Where I need clarification

My initial assumption was that the API server just passed the Bearer Token it received from the client directly to the kubelet, but my little experiment above proved otherwise.
I see that the kube-apiserver documentation mentions a flag called --authentication-token-webhook-config-file, but I'm unsure how to use it, or if it's even relevant for authenticating the API server against a kubelet.
My kubelet(s) run with:
--anonymous-auth=false
--authorization-mode=Webhook
--authentication-token-webhook
--cadvisor-port=0
--cluster-dns=10.0.0.10
--cluster-domain=cluster.local
--read-only-port=0
--kubeconfig=/etc/kubernetes/kubeconfig-kubelet
--pod-manifest-path=/etc/kubernetes/manifests
--require-kubeconfig
My API server runs with:
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
--anonymous-auth=false
--authorization-mode=AlwaysAllow
(+ tls flags)
Recommended answer

When making calls to the API server that require communication from the API server to the kubelet, that communication is done using the API server's client credentials, which only support x509 authentication to the kubelet.

API server webhook authentication options are unrelated to kubelet auth.
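To make the two kubelet-side mechanisms from the question concrete (--authentication-token-webhook and --authorization-mode=Webhook), here is an added illustration, not code from the thread or from Kubernetes: it builds the TokenReview the kubelet posts to the API server for a Bearer token, extracts the resulting identity, and builds the SubjectAccessReview the kubelet then sends, using the documented mapping of kubelet paths onto "nodes" subresources. The sample TokenReview response and the node name are constructed; API group versions are assumed to be the v1 ones.

```python
import json

# Kubelet request path prefixes and the "nodes" subresource the kubelet names
# in its SubjectAccessReview (per the Kubelet authentication/authorization
# docs); every other path, e.g. /pods or /exec, is checked as nodes/proxy.
PATH_SUBRESOURCES = {"/stats": "stats", "/metrics": "metrics",
                     "/logs": "log", "/spec": "spec"}
# HTTP method to Kubernetes verb, as the kubelet maps them.
VERBS = {"GET": "get", "POST": "create", "PUT": "update",
         "PATCH": "patch", "DELETE": "delete"}


def token_review(token: str) -> dict:
    """TokenReview the kubelet posts to the API server for a Bearer token."""
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
            "spec": {"token": token}}


def identity_from_token_review(response: dict):
    """(username, groups) if the API server authenticated the token, else None."""
    status = response.get("status", {})
    if not status.get("authenticated"):
        return None
    user = status.get("user", {})
    return user.get("username"), tuple(user.get("groups", []))


def subject_access_review(username, groups, method, path, node) -> dict:
    """SubjectAccessReview the kubelet sends before serving a request."""
    sub = next((s for p, s in PATH_SUBRESOURCES.items()
                if path == p or path.startswith(p + "/")), "proxy")
    return {"apiVersion": "authorization.k8s.io/v1",
            "kind": "SubjectAccessReview",
            "spec": {"user": username, "groups": list(groups),
                     "resourceAttributes": {"verb": VERBS[method],
                                            "resource": "nodes",
                                            "subresource": sub,
                                            "name": node}}}


# Constructed sample: TokenReview response for the "default" service account.
SAMPLE_RESPONSE = {"status": {"authenticated": True, "user": {
    "username": "system:serviceaccount:default:default",
    "groups": ["system:serviceaccounts", "system:serviceaccounts:default",
               "system:authenticated"]}}}

if __name__ == "__main__":
    ident = identity_from_token_review(SAMPLE_RESPONSE)
    sar = subject_access_review(*ident, "GET", "/pods/", "host-192-168-0-10")
    print(json.dumps(sar, indent=2))
```

The SubjectAccessReview printed for GET /pods/ names nodes/proxy, which is the permission an RBAC role must grant for the token's subject before the kubelet serves that request.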