Permission denied when authenticating pod to external vault service running on GKE
Question

Getting the following error:

Vault errors:

auth.kubernetes.auth_kubernetes_b0f01fa6: login unauthorized due to: Post "https://10.V.V.194:443/apis/authentication.k8s.io/v1/tokenreviews": dial tcp 10.V.V.194:443: i/o timeout

-> where 10.V.V.194 is the master IP address (no https://) from `kubectl cluster-info`

Application pod logs:

* permission denied" backoff=1.324573453
2020-10-12T14:39:46.421Z [INFO]  auth.handler: authenticating
2020-10-12T14:40:16.427Z [ERROR] auth.handler: error authenticating: error="Error making API request.
URL: PUT http://10.LB.LB.38:8200/v1/auth/kubernetes/login
Code: 403. Errors:
* permission denied" backoff=2.798763368

-> where http://10.LB.LB.38:8200 is the internal LB IP
Vault setup

NAME         TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)
test-vault   LoadBalancer   240.130.0.59   10.LB.LB.38   8200:32105/TCP,8201:31147/TCP
How the K8s auth method was enabled

# the SA's auto-created token secret (Kubernetes 1.24+ no longer generates these automatically)
$ export VAULT_SA_NAME=$(kubectl get sa vault-auth -o jsonpath="{.secrets[*]['name']}")
$ export SA_JWT_TOKEN=$(kubectl get secret $VAULT_SA_NAME -o jsonpath="{.data.token}" | base64 --decode; echo)
$ export SA_CA_CRT=$(kubectl get secret $VAULT_SA_NAME -o jsonpath="{.data['ca.crt']}" | base64 --decode; echo)
# determine Kubernetes master IP address (no https://) via `kubectl cluster-info`
$ export K8S_HOST=<K8S_MASTER_IP>   # App cluster ip
# set VAULT_TOKEN & VAULT_ADDR before next steps
$ vault auth enable kubernetes
$ vault write auth/kubernetes/config \
    token_reviewer_jwt="$SA_JWT_TOKEN" \
    kubernetes_host="https://$K8S_HOST:443" \
    kubernetes_ca_cert="$SA_CA_CRT"
How Vault injection is set up in the application cluster (agent injector environment):

name: AGENT_INJECT_VAULT_ADDR
value: http://10.LB.LB.38:8200
Cluster B (application cluster)

kubectl create serviceaccount vault-auth -n default
-----
# ClusterRoleBinding that lets the vault-auth SA call the TokenReview API
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-auth
  namespace: default
-----------
vault auth enable kubernetes
-----------
vault write auth/kubernetes/config kubernetes_host="${K8S_HOST}" \
    kubernetes_ca_cert="${VAULT_SA_CA_CRT}" \
    token_reviewer_jwt="${TR_ACCOUNT_TOKEN}"
-----------
vault secrets enable -path=secret/ kv
-----------
vault policy write myapp-kv-rw - <<EOF
path "secret/myapp/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
--------------
vault write auth/kubernetes/role/myapp-role \
    bound_service_account_names=default \
    bound_service_account_namespaces=default \
    policies=default,myapp-kv-rw \
    ttl=15m
Could you let me know if I have missed anything?

Answer
I'm curious which version of K8s you are using. I ran into the same problem with v1.21.1. I had to add the issuer, per the docs (https://www.vaultproject.io/docs/auth/kubernetes):

Kubernetes 1.21+ clusters may require setting the service account issuer to the same value as the kube-apiserver's --service-account-issuer flag. This is because the service account JWTs for these clusters may have an issuer specific to the cluster itself, instead of the old default kubernetes/serviceaccount.

Like this:

vault write auth/kubernetes/config \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
    issuer="test-aks-cluster-dns-d6cbb78e.hcp.uksouth.azmk8s.io"

where the issuer can be obtained by running `kubectl proxy &` and then `curl --silent http://127.0.0.1:8001/.well-known/openid-configuration | jq -r .issuer`
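Added example (not part of the question or the answer above, and not Vault's own code): a small Python pre-flight check that reproduces the claim-level checks Vault's Kubernetes auth method applies to a pod's service-account JWT before it ever calls the TokenReview API, so an issuer mismatch or a service account that is not in the role's bound_service_account_names / bound_service_account_namespaces shows up as a readable message instead of an opaque `Code: 403 ... permission denied`. The tokens it inspects are constructed inside the script with a throwaway HMAC key so it runs offline; the GKE-style issuer URL, the `preflight` helper and its message texts are this example's own assumptions. Signature, expiry and the TokenReview round-trip are out of scope, and so is the `dial tcp 10.V.V.194:443: i/o timeout` in the question: that error means the Vault server in the other cluster has no network path to the application cluster's API endpoint, which has to be fixed at the network layer (firewall rules, master authorized networks), not in Vault's config.

```python
"""Pre-flight check for Vault Kubernetes auth: decode a service-account JWT and
compare its claims with what auth/kubernetes/config and the Vault role expect.

Example code, not from the original post.  Tokens are constructed here with a
throwaway HMAC key only so the parsing has something realistic to run on;
nothing in this file verifies signatures (that is what TokenReview is for).
"""
import base64
import hashlib
import hmac
import json

# Throwaway key for the constructed demo tokens; not a real cluster secret.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# Issuer Vault assumed when `issuer` was not set in auth/kubernetes/config,
# matching the docs excerpt quoted in the answer.
LEGACY_ISSUER = "kubernetes/serviceaccount"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sa_token(issuer, namespace, sa_name, audience=None):
    """Build a constructed service-account JWT carrying the claims Vault reads.

    Legacy secret-backed tokens carry iss=kubernetes/serviceaccount and no aud;
    projected tokens on 1.21+ clusters carry the cluster-specific issuer.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": issuer,
        "sub": "system:serviceaccount:%s:%s" % (namespace, sa_name),
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": sa_name,
    }
    if audience is not None:
        claims["aud"] = [audience]
    signing_input = "%s.%s" % (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    )
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return "%s.%s" % (signing_input, _b64url_encode(sig))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature, got %d segments" % len(parts))
    return json.loads(_b64url_decode(parts[1]))


def preflight(token: str, vault_config: dict, role: dict) -> list:
    """Mirror the claim checks Vault applies before calling TokenReview.

    vault_config: auth/kubernetes/config parameters (only `issuer` is used here).
    role: auth/kubernetes/role/<name> parameters (bound_service_account_*).
    Returns a list of mismatches; an empty list means the claims are consistent
    with the configuration.  Signature and expiry are deliberately not checked.
    """
    claims = jwt_claims(token)
    problems = []

    expected_iss = vault_config.get("issuer") or LEGACY_ISSUER
    if claims.get("iss") != expected_iss:
        problems.append("issuer mismatch: token iss=%r, Vault expects %r "
                        "(set issuer= to the api-server --service-account-issuer value)"
                        % (claims.get("iss"), expected_iss))

    sub = claims.get("sub", "")
    prefix = "system:serviceaccount:"
    if not sub.startswith(prefix) or sub.count(":") != 3:
        problems.append("sub is not a service-account subject: %r" % sub)
        return problems
    namespace, sa_name = sub[len(prefix):].split(":", 1)

    def bound(value, allowed):
        # Vault accepts "*" as a wildcard in the bound_* lists.
        return "*" in allowed or value in allowed

    names = role.get("bound_service_account_names", [])
    namespaces = role.get("bound_service_account_namespaces", [])
    if not bound(sa_name, names):
        problems.append("service account %r not in bound_service_account_names %r" % (sa_name, names))
    if not bound(namespace, namespaces):
        problems.append("namespace %r not in bound_service_account_namespaces %r" % (namespace, namespaces))
    return problems


if __name__ == "__main__":
    # GKE-style issuer URL, constructed for the example; a real one comes from
    # /.well-known/openid-configuration via `kubectl proxy`.
    GKE_ISSUER = "https://container.googleapis.com/v1/projects/p/locations/l/clusters/c"
    role = {"bound_service_account_names": ["default"],
            "bound_service_account_namespaces": ["default"]}
    legacy = make_sa_token(LEGACY_ISSUER, "default", "default")
    projected = make_sa_token(GKE_ISSUER, "default", "default", audience="vault")
    print(preflight(legacy, {}, role))                      # -> []
    print(preflight(projected, {}, role))                   # -> one "issuer mismatch" entry
    print(preflight(projected, {"issuer": GKE_ISSUER}, role))  # -> []
```

The default issuer check here mirrors the Vault versions the answer is about; since Vault 1.9 the method sets `disable_iss_validation=true` by default and leaves issuer checking to TokenReview, so on a current Vault an issuer mismatch alone no longer produces the 403. The bound_service_account_* checks still apply on every version, which is why a pod running as a service account other than the one the role lists (the question's role binds only `default` in namespace `default`) fails with the same `permission denied`.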