0

我试图使用 Hashicorps 教程使用外部保险库对 Kubernetes 进行身份验证,https: //learn.hashicorp.com/vault/identity-access-management/vault-agent-k8s

在下面的配置中,我们必须为END POINT我们的集群提供K8S_HOST

vault write auth/kubernetes/config \
        token_reviewer_jwt="$SA_JWT_TOKEN" \
        kubernetes_host="https://$K8S_HOST:8443" \
        kubernetes_ca_cert="$SA_CA_CRT"

我已经在私有子网中设置了 Kubernetes HA 集群,在前端设置了 ALB。我需要帮助来配置K8S_HOST端点。

到目前为止,我已经生成SSL Certs并重新创建了仪表板。尝试暴露kubernetes-dashboardas node port。更新了正在监听 443 的 ALB 中的证书。但它仍然没有连接到集群。

所以我怀疑 K8S_HOST:8443kubernetes仪表板或其他东西的终点是相同的吗?

K8S_HOST从私有子网中的集群获取详细信息的正确方法。

有人可以帮忙吗?我在这里感到震惊。

4

2 回答 2

1

使用kubectl config view命令查看集群配置:

$ kubectl config view --flatten --minify
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01ETXdOakE0TlRFd05sb1hEVE13TURNd05EQTROVEV3Tmxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDRlClg5eWZpN0JhVVlUNmhUcEUvNm02WW5HczlZSHY3SmFMOGxsWWsvOENUVjBRcUk4VjBOYnB5V3ByQjBadmV4ZmMKQ0NTQ2hkYWFlcVBQWUJDckxTSGVoVllZcE1PK2UrMVFkTFN2RmpnZUQ1UHY0NFBqTW1MeFAzVkk0MFVZOXVNNwpCcjRueVRPYnJpWXJaSVhTYjdTbWRTdFg5TUgreVVXclNrRllGSEhnREVRdXF0dFRJZ1pjdUh2MzY3Nkpyc1FuCmI1TlM0ZHJyc0U0NVZUcWYrSXR1NzRSa1VkOUsvcTNHMHN1SlVMZ3AxOUZ4ZXorYTNRenJiUTdyWTlGUEhsSG4KVno1N1dWYmt2cjMzOUxnNWd0VzB4am10Q1hJaGgzNFRqRE1OazNza0VvcFBibjJPcER5STVUMUtOL3Vsa0FmTAptcXJ4bU5VNEVVYy9NcWFoVlVrQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFBL3c0OEFkdFU3Tkx2d0k1S2N4Y3hMMitBT0IKV29nakFKNUMwTlBTN1NDR2tWK2d6dlcrZHZVYWVtYTFHUFlJdUJuajBVR2k2QUF5SStES0tiY01iL2dVVUdKQQp0YVpEcFpidU1lZ1JZOVZ2dlpMZXRZQndESzkvWk9lYnF1MGh6eWo4TzduTnJaM3RIb3h6VW1MaVVIU2Jmc0R1CnkvaE9IM0wvUE1mZ0FFaHF5SVZwWGMvQzZCYWNlOEtRSWJMQ0hYZmZjTGhEWDQ0THZYSXVIL1Y3LzN1cHcxWm8KK05NcFY5Sys4TTExNHV2bWdyOHdTNkZHYlltdXFVZy9CTlpRd2FqKzVWMEZ6azZzeHoySTdZSXI3NHVNK3BLRgpMS3lEQzJnK2NXTU5YZTV0S0YrVG5zUXE1eWtNVEJKeHl1bTh5a3VtZTE4MGcyS1o3NzVTdVF1Ni9kND0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=

    server: https://127.0.0.1:32769 # <<-----------here
  name: kind-kind
contexts:
- context:
    cluster: kind-kind
    user: kind-kind
  name: kind-kind
current-context: kind-kind
kind: Config
preferences: {}
users:
- name: kind-kind
... ... ...

复制server地址并kubernetes_host在配置 Vault kubernetes auth 方法时使用它。

$ vault write auth/kubernetes/config \
           token_reviewer_jwt="eyJhbGciOiJSUz....." \
           kubernetes_host="https://127.0.0.1:32769" \
           kubernetes_ca_cert=@examples/guides/vault-server/ca.crt

注意:如果server地址不包含端口号,则无需添加。保持地址不变。

GKE 的演示服务器地址:

server: https://35.203.181.169

DigitalOcean k8s 集群的演示服务器地址:

server: https://e8dabcb3-**bb-451e****d5.k8s.ondigitalocean.com
于 2020-03-06T09:19:52.140 回答
0

这已解决。我必须将 alb dns 名称添加到 api 服务器证书,然后重新启动所有节点。身份验证现在工作正常。

于 2020-03-10T03:56:28.063 回答