What username does the kubernetes kubelet use when contacting the kubernetes API?


Question

So I've been trying to implement ABAC authorization in the kubernetes API, with the following arguments in my kube-api manifest file.

  - --authorization-mode=ABAC
  - --authorization-policy-file=/etc/kubernetes/auth/abac-rules.json

And the following content in the abac-rules.json file.

{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"*",         "nonResourcePath": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin",     "namespace": "*",              "resource": "*",         "apiGroup": "*"                   }}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": false}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*",   "namespace": "*", "resource": "*", "readonly": false }}

However, the kubelets can't seem to connect to the api servers. I read that the username is taken from the CN field of the -subject in the certificate used to authenticate the connection, see here. In this case that's the fqdn of the host; I've tried that too with no luck.

Any ideas what I'm doing wrong?

Cheers in advance

I'm using Kubernetes version 1.2.2, both kubectl and the hyperkube docker image.

Answer

Figured out the answer, documenting here for anyone else having the same issue with ABAC.

The kubelet user is defined in the worker configuration, which in my case is a yaml file which I store here - /etc/kubernetes/worker-kubeconfig.yaml, the content of which is shown below:

apiVersion: v1
kind: Config
clusters:
- name: default
  cluster:
    server: https://10.96.17.34:8443
    certificate-authority: /etc/kubernetes/ssl/ca.pem
users:
- name: kubelet
  user:
    client-certificate: /etc/kubernetes/ssl/worker.pem
    client-key: /etc/kubernetes/ssl/worker-key.pem
contexts:
- context:
    cluster: default
    user: kubelet
  name: kubelet-context
current-context: kubelet-context

So the connecting user is kubelet.

In my case I had created my certificates with CN=${MINION_FQDN}, and since this did not match "kubelet" the ABAC policies weren't met. I regenerated my certificates with the following arguments and now the nodes authenticate successfully :)

# Create worker key
openssl genrsa -out $OUT/${WORKER_HOSTNAME}/worker-key.pem 2048
# Creating Worker CSR...
WORKER_FQDN=${WORKER_FQDN} WORKER_IP=${WORKER_IP} openssl req -new -key $OUT/${WORKER_HOSTNAME}/worker-key.pem -out $OUT/${WORKER_HOSTNAME}/worker.csr -subj "/CN=kubelet" -config $SSL_CONFIG
# Creating Worker Cert
WORKER_FQDN=${WORKER_FQDN} WORKER_IP=${WORKER_IP} openssl x509 -req -in $OUT/${WORKER_HOSTNAME}/worker.csr -CA $CA/ca.pem -CAkey $CA/ca-key.pem -CAcreateserial -out $OUT/${WORKER_HOSTNAME}/worker.pem -days 365 -extensions v3_req -extfile $SSL_CONFIG

The important part being:

-subj "/CN=kubelet"

Hope this helps someone else.
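To make the failure in the question reproducible without a cluster, here is an added example (not code from the answer or from Kubernetes) that re-implements the v1beta1 ABAC matching rules in simplified form and evaluates the policy file above against two identities: the FQDN-style user that a CN=${MINION_FQDN} certificate would present (the hostname `worker-1.example.com` is a constructed placeholder) and the `kubelet` user. The `user`, `readonly`, `namespace`, `resource`, `apiGroup` and `nonResourcePath` semantics follow the ABAC authorizer as documented; this is a model for checking a policy file, not the authorizer itself.

```python
import json

# The ABAC policy file from the question, embedded verbatim (one JSON object per line).
ABAC_RULES = """
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"*", "nonResourcePath": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": false}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": false}}
"""


def load_policies(text):
    """Parse the JSON-lines policy file into a list of policy specs."""
    return [json.loads(line)["spec"] for line in text.splitlines() if line.strip()]


def policy_matches(spec, user, readonly, resource=None, namespace="", api_group="", path=None):
    """Simplified ABAC matching: subject, then verb class, then resource or non-resource path."""
    pol_user = spec.get("user", "")
    if pol_user != "*" and pol_user != user:
        return False  # user mismatch: the policy cannot apply at all
    if not readonly and spec.get("readonly", False):
        return False  # a readonly policy never grants a write
    nonres = spec.get("nonResourcePath", "")
    if path is not None:  # non-resource request such as /healthz
        return bool(nonres) and (nonres == "*" or nonres == path
                                 or (nonres.endswith("*") and path.startswith(nonres[:-1])))
    if nonres:
        return False  # a non-resource policy never matches a resource request
    # Unset policy fields match only the empty value; "*" matches anything.
    return all(spec.get(key, "") in ("*", value) for key, value in
               (("namespace", namespace), ("resource", resource), ("apiGroup", api_group)))


def authorize(policies, **request):
    """ABAC is allow-only: the request is permitted if any policy matches."""
    return any(policy_matches(spec, **request) for spec in policies)


def kubelet_checks(cert_cn):
    """What a kubelet presenting a certificate with the given CN can do under the policy file."""
    pols = load_policies(ABAC_RULES)
    return {
        "healthz": authorize(pols, user=cert_cn, readonly=True, path="/healthz"),
        "list_pods": authorize(pols, user=cert_cn, readonly=True, resource="pods", namespace="default"),
        "update_node": authorize(pols, user=cert_cn, readonly=False, resource="nodes"),
    }


if __name__ == "__main__":
    print("CN=worker-1.example.com:", kubelet_checks("worker-1.example.com"))
    print("CN=kubelet:", kubelet_checks("kubelet"))
```

The FQDN identity only passes the wildcard non-resource rule, so every resource call the kubelet makes is denied, which is exactly the symptom in the question.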
