Enabling kubelet server Bearer Token authentication


Problem description

I am trying to enable authentication on my kubelet servers using Bearer Tokens (not X.509 client certificate authentication), and fail to understand the workflow.

According to the documentation page Kubelet authentication/authorization, starting the kubelet with the --authentication-token-webhook flag enables the Bearer Token authentication. I could confirm that by sending a request to the kubelet REST API using one of the default secrets created by the Controller Manager:

$ MY_TOKEN="$(kubectl get secret default-token-kw7mk \
      -o jsonpath='{$.data.token}' | base64 -d)"

$ curl -sS -o /dev/null -D - \
      --cacert /var/run/kubernetes/kubelet.crt \
      -H "Authorization: Bearer $MY_TOKEN" \
      https://host-192-168-0-10:10250/pods/

HTTP/1.1 200 OK
Content-Type: application/json
Date: Fri, 30 Jun 2017 22:12:29 GMT
Transfer-Encoding: chunked

However any communication with the kubelet via the API server (typically using the kubectl logs or exec commands) using the same Bearer Token as above fails with:

$ kubectl --token="$MY_TOKEN" -n kube-system logs \
      kube-dns-2272871451-sc02r -c kubedns

error: You must be logged in to the server (the server has asked for the client to provide credentials ( pods/log kube-dns-2272871451-sc02r))

Where I need clarification

My initial assumption was that the API server just passed the Bearer Token it received from the client directly to the kubelet, but my little experiment above proved otherwise.

I see that the kube-apiserver documentation mentions a flag called --authentication-token-webhook-config-file but I'm unsure how to use it, or if it's even relevant for authenticating the API server against a kubelet.

My kubelet(s) run with:

  --anonymous-auth=false
  --authorization-mode=Webhook
  --authentication-token-webhook
  --cadvisor-port=0
  --cluster-dns=10.0.0.10
  --cluster-domain=cluster.local
  --read-only-port=0
  --kubeconfig=/etc/kubernetes/kubeconfig-kubelet
  --pod-manifest-path=/etc/kubernetes/manifests
  --require-kubeconfig

My API server runs with:

  --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
  --anonymous-auth=false
  --authorization-mode=AlwaysAllow
  (+ tls flags)

Recommended answer

When making calls to the API server that require communication from the API server to the kubelet, that communication is done using the API server's client credentials, which only support x509 authentication to the kubelet.

API server webhook authentication options are unrelated to kubelet auth.
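To make the two hops concrete, here is an added Python model of what `--authentication-token-webhook` plus `--authorization-mode=Webhook` do inside the kubelet for the direct `curl` call in the question. It is illustration code, not Kubernetes source: the kubelet takes the token from the `Authorization` header, POSTs a `TokenReview` to the API server, then POSTs a `SubjectAccessReview` describing the request as a verb on a `nodes` subresource (`/stats`, `/metrics`, `/logs`, `/spec`, everything else as `nodes/proxy`), and only then serves the request. The API server is replaced by an in-memory stand-in (`FakeAPIServer`), the path-to-subresource table is a simplified version of the kubelet's, and the tokens, users and `admins_only` policy are constructed for the example.

```python
# Added example: model of the kubelet's bearer-token webhook authn/authz flow.
# Not Kubernetes code; the API server is an in-memory stand-in and all
# tokens, users and the policy below are constructed sample data.

# Kubelet endpoints are checked as verbs on "nodes" subresources. Paths not
# listed here (/pods, /run, /exec, ...) are treated as nodes/proxy.
# (Simplified from the kubelet's own mapping; assumption for this example.)
SUBRESOURCE_BY_PREFIX = (
    ("/stats", "stats"),
    ("/metrics", "metrics"),
    ("/logs", "log"),
    ("/spec", "spec"),
)
VERB_BY_METHOD = {"GET": "get", "HEAD": "get", "POST": "create",
                  "PUT": "update", "PATCH": "patch", "DELETE": "delete"}


def parse_bearer_token(headers):
    """Extract the token from 'Authorization: Bearer <token>'; None if absent."""
    parts = headers.get("Authorization", "").strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip() or None


def token_review(token):
    """TokenReview body (authentication.k8s.io/v1) the kubelet POSTs for a token."""
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
            "spec": {"token": token}}


def kubelet_attributes(method, path, node_name):
    """Map a kubelet HTTP request onto the resource attributes it is checked as."""
    subresource = "proxy"
    for prefix, sub in SUBRESOURCE_BY_PREFIX:
        if path == prefix or path.startswith(prefix + "/"):
            subresource = sub
            break
    return {"verb": VERB_BY_METHOD.get(method.upper(), method.lower()),
            "group": "", "resource": "nodes",
            "subresource": subresource, "name": node_name}


def subject_access_review(user, groups, attrs):
    """SubjectAccessReview body (authorization.k8s.io/v1) for --authorization-mode=Webhook."""
    return {"apiVersion": "authorization.k8s.io/v1", "kind": "SubjectAccessReview",
            "spec": {"user": user, "groups": list(groups), "resourceAttributes": attrs}}


class FakeAPIServer:
    """Stand-in for the API server's tokenreviews / subjectaccessreviews endpoints."""

    def __init__(self, tokens, policy):
        self._tokens = tokens   # token -> (username, groups); constructed data
        self._policy = policy   # callable(user, groups, attrs) -> bool

    def review_token(self, body):
        hit = self._tokens.get(body["spec"]["token"])
        if hit is None:
            return {"status": {"authenticated": False}}
        user, groups = hit
        return {"status": {"authenticated": True,
                           "user": {"username": user, "groups": list(groups)}}}

    def review_access(self, body):
        spec = body["spec"]
        allowed = self._policy(spec["user"], spec["groups"], spec["resourceAttributes"])
        return {"status": {"allowed": bool(allowed)}}


def handle_request(server, node_name, method, path, headers, anonymous_auth=False):
    """Run one kubelet request through authn (TokenReview) then authz (SAR)."""
    token = parse_bearer_token(headers)
    if token is None:
        if not anonymous_auth:            # --anonymous-auth=false
            return 401, "no bearer token and anonymous access disabled"
        user, groups = "system:anonymous", ["system:unauthenticated"]
    else:
        tr = server.review_token(token_review(token))
        if not tr["status"].get("authenticated"):
            return 401, "token rejected by TokenReview"
        user = tr["status"]["user"]["username"]
        groups = tr["status"]["user"].get("groups", [])
    attrs = kubelet_attributes(method, path, node_name)
    sar = server.review_access(subject_access_review(user, groups, attrs))
    what = f"{attrs['verb']} nodes/{attrs['subresource']} on {node_name}"
    if not sar["status"]["allowed"]:
        return 403, f"{user} is forbidden to {what}"
    return 200, f"{user} may {what}"


# Constructed sample credentials: a cluster admin and a default service account.
SAMPLE_TOKENS = {
    "tok-admin": ("admin", ["system:masters"]),
    "tok-default-sa": ("system:serviceaccount:default:default", ["system:serviceaccounts"]),
}


def admins_only(user, groups, attrs):
    """Toy policy (assumption): only system:masters may reach node subresources."""
    return "system:masters" in groups


def demo():
    """Return {case name: HTTP status} for a GET /pods/ under each credential."""
    server = FakeAPIServer(SAMPLE_TOKENS, admins_only)
    cases = [
        ("admin /pods", {"Authorization": "Bearer tok-admin"}, False),
        ("default SA /pods", {"Authorization": "Bearer tok-default-sa"}, False),
        ("bogus token", {"Authorization": "Bearer nope"}, False),
        ("no header", {}, False),
        ("no header, anonymous allowed", {}, True),
    ]
    return {name: handle_request(server, "host-192-168-0-10", "GET", "/pods/", h, anon)[0]
            for name, h, anon in cases}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Two things the model makes visible. First, the default service-account token in the question only got `200` because the API server ran with `--authorization-mode=AlwaysAllow`; under an RBAC-style policy the same token is rejected at the SubjectAccessReview step (`403` in the `default SA /pods` case), so enabling token authentication on the kubelet without a real authorizer behind it is not a hardening step. Second, the `kubectl logs`/`exec` path never enters this flow at all: the API server consumes the user's bearer token itself and opens its own TLS connection to the kubelet, presenting the certificate from `--kubelet-client-certificate`/`--kubelet-client-key`, which the kubelet verifies against its `--client-ca-file`. That is the x509 hop the answer refers to, and `--authentication-token-webhook-config-file` on the API server plays no part in it.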
