Istio allow third party JWT on Docker Desktop Kubernetes

I'm using the pre-packaged Kubernetes cluster that ships with Docker Desktop. I'm on a Windows machine, connecting to Kubernetes from an Ubuntu-18.04 VM running under WSL 2. On my Kubernetes cluster I run:

istioctl install --set profile=demo --set values.global.jwtPolicy=third-party-jwt

But I get the message:

Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/v1.9/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.

After that, it hangs until it times out:

Processing resources for Istiod. Waiting for Deployment/istio-system/istiod

Is there a way to enable third party JWT in my cluster?

In the error message you received, the link points to the documentation about that specific issue:

Quoting the official documentation:

Configure third party service account tokens

To authenticate with the Istio control plane, the Istio proxy will use a Service Account token. Kubernetes supports two forms of these tokens:

- Third party tokens, which have a scoped audience and expiration.
- First party tokens, which have no expiration and are mounted into all pods.

Because the properties of the first party token are less secure, Istio will default to using third party tokens. However, this feature is not enabled on all Kubernetes platforms.

If you are using istioctl to install, support will be automatically detected. This can be done manually as well, and configured by passing --set values.global.jwtPolicy=third-party-jwt or --set values.global.jwtPolicy=first-party-jwt.

To determine if your cluster supports third party tokens, look for the TokenRequest API. If this returns no response, then the feature is not supported:

$ kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))'

{
    "name": "serviceaccounts/token",
    "singularName": "",
    "namespaced": true,
    "group": "authentication.k8s.io",
    "version": "v1",
    "kind": "TokenRequest",
    "verbs": [
        "create"
    ]
}

While most cloud providers support this feature now, many local development tools and custom installations may not prior to Kubernetes 1.20. To enable this feature, please refer to the Kubernetes documentation.

I'm not sure whether the Kubernetes (1.19.7) created by Docker Desktop supports this feature, but the Kubernetes documentation shows how to enable it:

Service Account Token Volume Projection

FEATURE STATE: Kubernetes v1.20 [stable]

Note:

To enable and use token request projection, you must specify each of the following command line arguments to kube-apiserver:

--service-account-issuer
--service-account-key-file
--service-account-signing-key-file
--api-audiences

You can edit your kube-apiserver manifest in Docker Desktop with Kubernetes in a somewhat hacky way. You can read more about it in the following answer (I'm its author):


Workaround

When you're using Docker on your host, you could also consider using minikube with its --driver=docker. It supports third party JWT tokens as described in the Istio documentation (it produces a response from the $ kubectl get --raw ... command).

A side note!

I've tested this on a minikube version 1.19.0 and Kubernetes version 1.20.2.
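As an added example (not part of the original answer), a small POSIX shell helper that applies the two checks the quoted documentation describes: whether the discovery document from kubectl get --raw /api/v1 lists the TokenRequest resource, and which of the four kube-apiserver flags are absent from the server's command line. All inputs below are constructed samples, not output from a real cluster.

```shell
#!/bin/sh
# Constructed sample: what `kubectl get --raw /api/v1` returns on a cluster that
# exposes the TokenRequest API (trimmed to the relevant resource).
DISCOVERY_WITH_TOKEN='{"resources":[{"name":"serviceaccounts/token","namespaced":true,"group":"authentication.k8s.io","version":"v1","kind":"TokenRequest","verbs":["create"]}]}'
# Constructed sample: a cluster that does not expose it.
DISCOVERY_WITHOUT_TOKEN='{"resources":[{"name":"serviceaccounts","namespaced":true,"kind":"ServiceAccount","verbs":["create","get"]}]}'

# Constructed samples: kube-apiserver command lines (paths are placeholders).
APISERVER_ARGS_OK='kube-apiserver --service-account-issuer=https://kubernetes.default.svc --service-account-key-file=/run/config/pki/sa.pub --service-account-signing-key-file=/run/config/pki/sa.key --api-audiences=https://kubernetes.default.svc'
APISERVER_ARGS_MISSING='kube-apiserver --service-account-key-file=/run/config/pki/sa.pub'

# Succeeds (exit 0) when the discovery document lists serviceaccounts/token,
# i.e. the TokenRequest API the Istio docs look for.
has_token_request() {
  printf '%s' "$1" | grep -q '"name": *"serviceaccounts/token"'
}

# Prints, one per line, the required projection flags missing from the
# kube-apiserver command line given as $1 (accepts --flag=value or --flag value).
missing_sa_flags() {
  for flag in --service-account-issuer --service-account-key-file \
              --service-account-signing-key-file --api-audiences; do
    case " $1 " in
      *" $flag="*|*" $flag "*) ;;
      *) printf '%s\n' "$flag" ;;
    esac
  done
}

# Prints the values.global.jwtPolicy value istioctl would fall back to for
# the given discovery document.
jwt_policy_for() {
  if has_token_request "$1"; then echo third-party-jwt; else echo first-party-jwt; fi
}
```

Against a real cluster, pass `"$(kubectl get --raw /api/v1)"` to jwt_policy_for, and the kube-apiserver command line (for example taken from its static pod manifest) to missing_sa_flags.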