Defining RBAC in traefik toml file
I am connecting Traefik to my Kubernetes 1.7.2 cluster. My cluster uses RBAC, and the guide for the toml does not contain anything about rbac.
I obtained the certificate (and put it in /root/projects/certs/ca.crt) by running:

```shell
cat ~/.kube/config | grep client-certificate-data | tr -d ' ' | cut -d ":" -f2 | base64 -d
```

and the token by running:

```shell
kubectl get secrets default-token-mnxss -o jsonpath='{.data.token}' | base64 -d
```

My toml now looks like this:
```toml
InsecureSkipVerify = true
defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/certs/kubernetes.pem"
      KeyFile = "/certs/kubernetes-key.pem"
[web]
address = ":8080"
ReadOnly = true
[kubernetes]
endpoint = "https://192.168.100.226:6443"
token="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tbW54c3MiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImQxNjYxZWIyLTc1Y2EtMTFlNy1iY2Q4LTUyNTQwMDI2OGU5YSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.xHVMxmFm8e8SkfHQxaxh_UjocWeHr_GoAvkMfrZUyMrleqxj5LQg_fHfpaWNcKePF3AfLmDn7COILiPNAoknF9OqaQzSXRoch0i8omFIbTtf3d5fe7z3psHBCE827tdtnV_9VNejFWC6VWRhxmkHz6_9x1LeLvYWOXPet5_97A254UUvJVQouriq3Y9GqIZiWdCIzU4yC9wQbYCG5s_Sy9pVELsRAGuVNYMA6-UH4rjUDrtn0fBxah89XjBlqJ8FB1darByqmY0Ws-3IX6AB1PGPKrQdz9kI2Yzg_ftobUJNcjM3oeQ4acx4EO9zu_5WMl7PnrVfO3tWZHHXRa-6IA"
certAuthFilePath = "/root/projects/certs/ca.crt"
# Kubernetes server endpoint
#endpoint = "http://localhost:8001"
#endpoint = "https://192.168.100.226:6443"
#namespaces = ["default","kube-system"]
```
I still get:

```text
ERROR: logging before flag.Parse: E0804 04:02:54.161007 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Service: the server does not allow access to the requested resource (get services)
ERROR: logging before flag.Parse: E0804 04:02:54.161070 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1beta1.Ingress: the server does not allow access to the requested resource (get ingresses.extensions)
ERROR: logging before flag.Parse: E0804 04:02:54.161089 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Endpoints: the server does not allow access to the requested resource (get endpoints)
ERROR: logging before flag.Parse: E0804 04:02:54.162291 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Secret: the server does not allow access to the requested resource (get secrets)
ERROR: logging before flag.Parse: E0804 04:02:55.174304 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Secret: the server does not allow access to the requested resource (get secrets)
ERROR: logging before flag.Parse: E0804 04:02:55.174399 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Service: the server does not allow access to the requested resource (get services)
ERROR: logging before flag.Parse: E0804 04:02:55.174474 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Endpoints: the server does not allow access to the requested resource (get endpoints)
ERROR: logging before flag.Parse: E0804 04:02:55.176349 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1beta1.Ingress: the server does not allow access to the requested resource (get ingresses.extensions)
```
The service account name does not go into the TOML configuration; it goes into the spec of the Deployment/DaemonSet manifest.
The Traefik guide shows an example. Here is a minimal YAML for the deployment, to see where the service account name needs to be indented:

```yaml
kind: Deployment
apiVersion: extensions/v1beta1
spec:
  template:
    spec:
      serviceAccountName: traefik-ingress-controller
```

Note that this example assumes you have set up a service account with the name traefik-ingress-controller and bound the appropriate RBAC rules to it. The guide also provides additional, consistent manifests for both.
If you want to run Traefik out-of-cluster, you must set the three parameters endpoint, token and certAuthFilePath. The token should be the one associated with the service account secret that Kubernetes creates automatically. To extract the token, do the following:

- Identify the secret name of your service account from `kubectl get secrets --namespace=<the service account's namespace>`.
- Extract the token (note that all secrets are base64 encoded, so you need to decode):

```shell
kubectl get secrets <the service account's secret> --namespace=<the service account's namespace> -o jsonpath='{.data.token}' | base64 -D
```

Finally, set that token in your TOML configuration file.
The CA certificate can likewise be obtained from the secrets object. However, it is public and may be easier to get from elsewhere (e.g. the cluster's admin console, or from inside $HOME/.kube/config).
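A diagnostic the thread invites, added here as an example (not the asker's or Traefik's code): decode the claims of the service-account token to see which account it actually identifies, then derive from the "does not allow access" lines the read-only ClusterRole that account would need. The log lines and the token are constructed samples, and the ClusterRole shape is my assumption, not the Traefik guide's manifest.

```python
import base64
import json
import re

# Constructed sample input: RBAC denials of the kind Traefik logged in the
# question, one per resource it tries to list (path prefix shortened).
SAMPLE_LOG = """\
reflector.go:94: Failed to list *v1.Service: the server does not allow access to the requested resource (get services)
reflector.go:94: Failed to list *v1beta1.Ingress: the server does not allow access to the requested resource (get ingresses.extensions)
reflector.go:94: Failed to list *v1.Endpoints: the server does not allow access to the requested resource (get endpoints)
reflector.go:94: Failed to list *v1.Secret: the server does not allow access to the requested resource (get secrets)
"""
DENIED = re.compile(r"does not allow access to the requested resource \((\w+) ([\w.]+)\)")

def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token with the claims a 'default' service-account token
# carries; the signature is a dummy because nothing here verifies it.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "kubernetes/serviceaccount",
             "kubernetes.io/serviceaccount/namespace": "default",
             "sub": "system:serviceaccount:default:default"}),
    "dummy-signature"])

def token_subject(token: str) -> str:
    """Decode (without verifying) the JWT payload and return its 'sub' claim,
    i.e. the service account the token was issued to."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]

def denied_resources(log: str) -> dict:
    """Map API group -> sorted resources the API server refused. 'ingresses.extensions'
    is resource 'ingresses' in group 'extensions'; a bare name is the core group ''."""
    groups = {}
    for _verb, res in DENIED.findall(log):
        name, _, group = res.partition(".")
        groups.setdefault(group, set()).add(name)
    return {g: sorted(r) for g, r in groups.items()}

def cluster_role(log: str, name: str = "traefik-ingress-controller") -> dict:
    """Hypothetical read-only ClusterRole (get/list/watch is all an informer needs)
    covering exactly the denied resources; not the Traefik guide's own manifest."""
    rules = [{"apiGroups": [g], "resources": r, "verbs": ["get", "list", "watch"]}
             for g, r in sorted(denied_resources(log).items())]
    return {"apiVersion": "rbac.authorization.k8s.io/v1beta1", "kind": "ClusterRole",
            "metadata": {"name": name}, "rules": rules}
```

If the decoded subject is system:serviceaccount:default:default while the binding targets traefik-ingress-controller, the denials are expected: the token in the TOML must come from the bound account's own secret.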