Spinnaker 使用服务帐户对 K8s 进行身份验证。不与 system:anonymous
Spinnaker authenticate K8s with service account. Not with system:anonymous
我看到 spinnaker 使用 system:anonymous 用户来验证 K8s。但是我想要一个特定的用户(我已经在 K8s 中创建了)来验证 K8s。我在下面使用 kubeconfig 来使用用户 veeru
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: RETRACTED
server: https://xx.xx.xx.220:8443
name: xx-xx-xx-220:8443
contexts:
- context:
cluster: xx-xx-xx-220:8443
namespace: default
user: veeru/xx-xx-xx-220:8443
name: area-51/xx-xx-xx-220:8443/veeru
current-context: area-51/xx-xx-xx-220:8443/veeru
kind: Config
preferences: {}
users:
- name: veeru/xx-xx-xx-220:8443
user:
client-certificate-data: RETRACTED
client-key-data: RETRACTED
我在配置中指定了(如here)user(~/.hal/config),如下所示
kubernetes:
enabled: true
accounts:
- name: my-k8s-account
requiredGroupMembership: []
providerVersion: V1
dockerRegistries:
- accountName: my-docker-registry2
namespaces: []
configureImagePullSecrets: true
namespaces: ["area-51"]
user: veeru
omitNamespaces: []
kubeconfigFile: /home/ubuntu/.kube/config
oauthScopes: []
oAuthScopes: []
primaryAccount: my-k8s-account
但大三角帆仍在使用 system:anonymous
2018-01-22 08:35:13.929 ERROR 4639 --- [pool-4-thread-1] c.n.s.c.o.DefaultOrchestrationProcessor : com.netflix.spinnaker.clouddriver.kubernetes.v1.deploy.exception.KubernetesOperationException: Get Service openshifttest-dev in area-51 for account my-k8s-account failed: User "system:anonymous" cannot get services in the namespace "area-51": User "system:anonymous" cannot get services in project "area-51"
有什么方法可以指定 spinnaker 应该使用 system:anonymous
以外的配置用户
UPDATE-1
已关注:https://blog.spinnaker.io/spinnaker-kubernetes-rbac-c40f1f73c172
从 kubectl describe secret spinnaker-service-account-token-9sl6q 获得 secret 并在 kubeconfig 更新如下
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://xx.xx.xx.xx:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
namespace: webapp
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
user: spinnaker-service-account
name: spinnaker-context
current-context: spinnaker-context
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: spinnaker-service-account
user:
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9....
比我运行sudo hal deploy
....
! ERROR Unable to communicate with your Kubernetes cluster: Failure
executing: GET at: https://xx.xx.xx.xx:6443/api/v1/namespaces. Message:
Forbidden! User spinnaker-service-account doesn't have permission. namespaces is
forbidden: User "system:serviceaccount:default:spinnaker-service-account" cannot
list namespaces at the cluster scope..
? Unable to authenticate with your Kubernetes cluster. Try using
kubectl to verify your credentials.
....
我可以 运行
$ kubectl get namespace webapp
NAME STATUS AGE
webapp Active 22m
我在 ~/.hal/config
中指定 webapp 名称空间和用户为 spinnaker-service-account
我正在使用 GKE 并禁用了基本身份验证。我让我的大三角帆使用我创建的专用 K8s 服务帐户。在我的 ~/.kube/config 中,我有每个 K8s 集群的令牌。
users:
- name: gke_operation-covfefe-1_asia-east1_testing-asia-east1
user:
token: token1
- name: gke_operation-covfefe-1_europe-west1_testing-europe-west1
user:
token: token2
- name: gke_operation-covfefe-1_us-central1_testing-us-central1
user:
token: token3
我通过 运行
获得了这些代币
kubectl get secret spinnaker-service-account -o json \
| jq -r .data.token \
| base64 -d
然后手动更新我的 ~/.kube/config 文件。
确保您的服务帐户具有所需的 RBAC 权限。参见 blog post here。
更新:
还要确保您为服务帐户授予所需的 RBAC 权限。请参阅上面博客 post 的 "Role" 部分或 guide here。当您使用 kubectl 测试 RBAC 权限时,请确保您使用的服务帐户与 Spinnaker 正在使用的相同。
更新 2
如果您希望 spinnaker 作用于所有命名空间,请在您的 RBAC 中使用 ClusterRole 和 ClusterRoleBinding。博客 post 仅使用 Role 和 RoleBinding 来限制对特定名称空间的操作。参见 this guide for the Cluster* way. Note the PR to fix a typo here。
我看到 spinnaker 使用 system:anonymous 用户来验证 K8s。但是我想要一个特定的用户(我已经在 K8s 中创建了)来验证 K8s。我在下面使用 kubeconfig 来使用用户 veeru
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: RETRACTED
server: https://xx.xx.xx.220:8443
name: xx-xx-xx-220:8443
contexts:
- context:
cluster: xx-xx-xx-220:8443
namespace: default
user: veeru/xx-xx-xx-220:8443
name: area-51/xx-xx-xx-220:8443/veeru
current-context: area-51/xx-xx-xx-220:8443/veeru
kind: Config
preferences: {}
users:
- name: veeru/xx-xx-xx-220:8443
user:
client-certificate-data: RETRACTED
client-key-data: RETRACTED
我在配置中指定了(如here)user(~/.hal/config),如下所示
kubernetes:
enabled: true
accounts:
- name: my-k8s-account
requiredGroupMembership: []
providerVersion: V1
dockerRegistries:
- accountName: my-docker-registry2
namespaces: []
configureImagePullSecrets: true
namespaces: ["area-51"]
user: veeru
omitNamespaces: []
kubeconfigFile: /home/ubuntu/.kube/config
oauthScopes: []
oAuthScopes: []
primaryAccount: my-k8s-account
但大三角帆仍在使用 system:anonymous
2018-01-22 08:35:13.929 ERROR 4639 --- [pool-4-thread-1] c.n.s.c.o.DefaultOrchestrationProcessor : com.netflix.spinnaker.clouddriver.kubernetes.v1.deploy.exception.KubernetesOperationException: Get Service openshifttest-dev in area-51 for account my-k8s-account failed: User "system:anonymous" cannot get services in the namespace "area-51": User "system:anonymous" cannot get services in project "area-51"
有什么方法可以指定 spinnaker 应该使用 system:anonymous
UPDATE-1
已关注:https://blog.spinnaker.io/spinnaker-kubernetes-rbac-c40f1f73c172
从 kubectl describe secret spinnaker-service-account-token-9sl6q 获得 secret 并在 kubeconfig 更新如下
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://xx.xx.xx.xx:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
namespace: webapp
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
user: spinnaker-service-account
name: spinnaker-context
current-context: spinnaker-context
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: spinnaker-service-account
user:
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9....
比我运行sudo hal deploy
....
! ERROR Unable to communicate with your Kubernetes cluster: Failure
executing: GET at: https://xx.xx.xx.xx:6443/api/v1/namespaces. Message:
Forbidden! User spinnaker-service-account doesn't have permission. namespaces is
forbidden: User "system:serviceaccount:default:spinnaker-service-account" cannot
list namespaces at the cluster scope..
? Unable to authenticate with your Kubernetes cluster. Try using
kubectl to verify your credentials.
....
我可以 运行
$ kubectl get namespace webapp
NAME STATUS AGE
webapp Active 22m
我在 ~/.hal/config
webapp 名称空间和用户为 spinnaker-service-account
我正在使用 GKE 并禁用了基本身份验证。我让我的大三角帆使用我创建的专用 K8s 服务帐户。在我的 ~/.kube/config 中,我有每个 K8s 集群的令牌。
users:
- name: gke_operation-covfefe-1_asia-east1_testing-asia-east1
user:
token: token1
- name: gke_operation-covfefe-1_europe-west1_testing-europe-west1
user:
token: token2
- name: gke_operation-covfefe-1_us-central1_testing-us-central1
user:
token: token3
我通过 运行
获得了这些代币kubectl get secret spinnaker-service-account -o json \
| jq -r .data.token \
| base64 -d
然后手动更新我的 ~/.kube/config 文件。
确保您的服务帐户具有所需的 RBAC 权限。参见 blog post here。
更新:
还要确保您为服务帐户授予所需的 RBAC 权限。请参阅上面博客 post 的 "Role" 部分或 guide here。当您使用 kubectl 测试 RBAC 权限时,请确保您使用的服务帐户与 Spinnaker 正在使用的相同。
更新 2
如果您希望 spinnaker 作用于所有命名空间,请在您的 RBAC 中使用 ClusterRole 和 ClusterRoleBinding。博客 post 仅使用 Role 和 RoleBinding 来限制对特定名称空间的操作。参见 this guide for the Cluster* way. Note the PR to fix a typo here。