Accessing Kubelet API Microk8s
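I would like to ask how to access the Kubelet API from a microk8s cluster.
I looked at this url, and it says the Kubelet API requires a client certificate.
So I called this (from /var/snap/microk8s/current/certs):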
curl -v https://127.0.0.1:10250 --cert ca.crt --cert-type PEM --cacert ca.crt --key ca.key
But I get this error:
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
How do I fix this? Also, what is the difference between kubelet.crt, server.crt and ca.crt in microk8s?
Thanks!
Try this:
curl --verbose \
--cert ./server.crt \
--key ./server.key \
--insecure \
https://127.0.0.1:10250/healthz
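The CA certificate in the certs directory is not the signer of the certificate that :10250 presents to the user. I don't know where the CA certificate being presented is coming from; it looks like it is rotated, since the issuer is CN=<servername>-ca@1567568834 (hence the --insecure).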
The kube-apiserver command line will contain the exact path to the kubelet client certificates (or could also be stored in a config file in the new k8s world):
--kubelet-client-certificate
--kubelet-client-key
$ pgrep -a kube-apiserver | perl -pe 's/ --/\n --/g'
22071 /snap/microk8s/1247/kube-apiserver
--cert-dir=/var/snap/microk8s/1247/certs
--service-cluster-ip-range=10.22.189.0/24
--authorization-mode=RBAC,Node
--basic-auth-file=/var/snap/microk8s/1247/credentials/basic_auth.csv
--service-account-key-file=/var/snap/microk8s/1247/certs/serviceaccount.key
--client-ca-file=/var/snap/microk8s/1247/certs/ca.crt
--tls-cert-file=/var/snap/microk8s/1247/certs/server.crt
--tls-private-key-file=/var/snap/microk8s/1247/certs/server.key
--kubelet-client-certificate=/var/snap/microk8s/1247/certs/server.crt
--kubelet-client-key=/var/snap/microk8s/1247/certs/server.key
--secure-port=16443
--token-auth-file=/var/snap/microk8s/1247/credentials/known_tokens.csv
--token-auth-file=/var/snap/microk8s/1247/credentials/known_tokens.csv
--etcd-servers=https://127.0.0.1:12379
--etcd-cafile=/var/snap/microk8s/1247/certs/ca.crt
--etcd-certfile=/var/snap/microk8s/1247/certs/server.crt
--etcd-keyfile=/var/snap/microk8s/1247/certs/server.key
--requestheader-client-ca-file=/var/snap/microk8s/1247/certs/front-proxy-ca.crt
--requestheader-allowed-names=front-proxy-client
--requestheader-extra-headers-prefix=X-Remote-Extra-
--requestheader-group-headers=X-Remote-Group
--requestheader-username-headers=X-Remote-User
--proxy-client-cert-file=/var/snap/microk8s/1247/certs/front-proxy-client.crt
--proxy-client-key-file=/var/snap/microk8s/1247/certs/front-proxy-client.key
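An added example, not part of the original answer: shell helpers that read the kubelet client certificate and key paths from a kube-apiserver command line and show the issuer of the certificate served on :10250, so it can be compared with the local ca.crt. The function names and the SAMPLE string are constructed for illustration; the paths in SAMPLE are copied from the pgrep output above.

```shell
#!/bin/sh
# Added example (not the answer author's code).

# flag_value CMDLINE FLAG -> value of --FLAG=VALUE (last occurrence wins)
flag_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^--$2=//p" | tail -n 1
}

# kubelet_client_pair CMDLINE -> prints "CERT KEY"; fails if either is missing
kubelet_client_pair() {
    cert=$(flag_value "$1" kubelet-client-certificate)
    key=$(flag_value "$1" kubelet-client-key)
    [ -n "$cert" ] && [ -n "$key" ] || return 1
    printf '%s %s\n' "$cert" "$key"
}

# served_issuer HOST:PORT -> issuer of the certificate the endpoint presents.
# Compare it with: openssl x509 -noout -subject -in <ca.crt>
served_issuer() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer
}

# Constructed sample: a trimmed, single-line form of the pgrep output above.
SAMPLE='/snap/microk8s/1247/kube-apiserver --client-ca-file=/var/snap/microk8s/1247/certs/ca.crt --kubelet-client-certificate=/var/snap/microk8s/1247/certs/server.crt --kubelet-client-key=/var/snap/microk8s/1247/certs/server.key --secure-port=16443'

# On a live node (assumption: the caller can read the certs directory):
#   set -- $(kubelet_client_pair "$(pgrep -a kube-apiserver)")
#   served_issuer 127.0.0.1:10250
#   openssl x509 -noout -subject -in /var/snap/microk8s/current/certs/ca.crt
#   curl --cert "$1" --key "$2" --insecure https://127.0.0.1:10250/healthz
```

If the issuer printed by served_issuer differs from the subject of ca.crt, passing --cacert ca.crt cannot validate the :10250 endpoint, which matches the error in the question.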