K8S (1.9) how to access API server with client certificate
Question
How can I access the API server API with a client certificate? I tried the following, but it did not work.
export K8S_PKI_HOME=/etc/kubernetes/pki
curl -k --key ${K8S_PKI_HOME}/ca.key --cert ${K8S_PKI_HOME}/ca.crt \
https://localhost:6443/api/v1/componentstatuses
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "componentstatuses is forbidden: User \"kubernetes\" cannot list componentstatuses at the cluster scope",
"reason": "Forbidden",
"details": {
"kind": "componentstatuses"
},
"code": 403
}
According to X509 Client Certs (Authentication Strategy):
Client certificate authentication is enabled by passing the --client-ca-file=SOMEFILE option to API server.
In /etc/kubernetes/manifests/kube-apiserver.yaml, --client-ca-file=/etc/kubernetes/pki/ca.crt is specified.
spec:
containers:
- command:
- kube-apiserver
- --client-ca-file=/etc/kubernetes/pki/ca.crt
The client certificate you presented appears to have been recognized and authenticated you as the user "kubernetes".
The error you received is an authorization error, not an authentication error.
The next step is to make sure that user is allowed to make the API call they are making. How you do that depends on the authorization mode your server uses. See https://kubernetes.io/docs/admin/authorization/ for details.
It turned out the client certificate and key were wrong.
# sudo curl -iv -L \
> --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt \
> --key /etc/kubernetes/pki/apiserver-kubelet-client.key \
> --cacert /etc/kubernetes/pki/ca.crt \
> https://172.31.4.117:6443/healthz
* About to connect() to 172.31.4.117 port 6443 (#0)
* Trying 172.31.4.117...
* Connected to 172.31.4.117 (172.31.4.117) port 6443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/kubernetes/pki/ca.crt
CApath: none
* NSS: client certificate from file
* subject: CN=kube-apiserver-kubelet-client,O=system:masters
* start date: Dec 23 05:13:30 2017 GMT
* expire date: Dec 23 05:13:30 2018 GMT
* common name: kube-apiserver-kubelet-client
* issuer: CN=kubernetes
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=kube-apiserver
* start date: Dec 23 05:13:30 2017 GMT
* expire date: Dec 23 05:13:30 2018 GMT
* common name: kube-apiserver
* issuer: CN=kubernetes
> GET /healthz HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 172.31.4.117:6443
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 25 Dec 2017 02:10:15 GMT
Date: Mon, 25 Dec 2017 02:10:15 GMT
< Content-Length: 2
Content-Length: 2
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host 172.31.4.117 left intact
ok
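To make the two answers above concrete, here is an added example (not code from this page or from Kubernetes) that maps a client certificate subject, as printed by curl -v, to the identity the API server derives from it (CN becomes the user, each O a group) and checks that identity against constructed RBAC bindings of the kind kubeadm installs. It shows why ca.crt (subject CN=kubernetes, no O) authenticates but is forbidden, while the kubelet client certificate (O=system:masters) is allowed.

```python
"""Derive the Kubernetes identity from a client certificate subject and
evaluate it against RBAC bindings.  Added illustration for this page, not
code from Kubernetes; the bindings below are constructed samples in the
shape kubeadm installs (cluster-admin bound to the group system:masters)."""
from dataclasses import dataclass, field


@dataclass
class Identity:
    user: str
    groups: list = field(default_factory=list)


def parse_subject(dn: str) -> Identity:
    """Map a subject DN (as curl -v prints it, 'CN=...,O=...') to the
    identity the API server uses: CN becomes the user name, each O a group.
    Assumes no escaped commas inside attribute values."""
    user, groups = "", []
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            user = value
        elif key.upper() == "O":
            groups.append(value)
    if not user:
        raise ValueError("subject has no CN, so the API server has no user name")
    return Identity(user, groups)


# Constructed sample: ClusterRoleBindings as (subject kind, subject name, role)
# and roles as {role: {(verb, resource)}} where "*" matches anything.
BINDINGS = [("Group", "system:masters", "cluster-admin")]
ROLES = {"cluster-admin": {("*", "*")}}


def allowed(ident: Identity, verb: str, resource: str) -> bool:
    """True if any binding that names the user or one of its groups grants
    the verb on the resource.  RBAC is deny-by-default: no match, no access."""
    for kind, name, role in BINDINGS:
        bound = (kind == "User" and name == ident.user) or \
                (kind == "Group" and name in ident.groups)
        if bound and any(v in ("*", verb) and r in ("*", resource)
                         for v, r in ROLES[role]):
            return True
    return False


if __name__ == "__main__":
    # ca.crt is self-signed by CN=kubernetes, so it validates against itself as
    # a client cert but carries no O=system:masters: authenticated, then 403.
    for dn in ("CN=kubernetes", "CN=kube-apiserver-kubelet-client,O=system:masters"):
        ident = parse_subject(dn)
        verdict = "allowed" if allowed(ident, "list", "componentstatuses") else "forbidden"
        print(f"{dn!r} -> user={ident.user} groups={ident.groups}: list componentstatuses {verdict}")
```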