ssl - 访问 Kubelet API Microk8s

Question

请问如何从microk8s集群访问Kubelet API。

我查看了这个url，它说 Kubelet API 需要客户端证书。所以我称之为（来自/var/snap/microk8s/current/certs） curl -v https://127.0.0.1:10250 --cert ca.crt --cert-type PEM --cacert ca.crt --key ca.key

但我收到错误消息： curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

我该如何解决这个问题？还有，microk8s中的kubelet.crt、server.crt、ca.crt有什么区别？

谢谢！

score 1 · Accepted Answer

试试这个：

curl --verbose \
  --cert ./server.crt \
  --key ./server.key  \
  --insecure \
  https://127.0.0.1:10250/healthz

目录中的 CA 证书certs不是提供给用户的证书 :10250 的签名者。我不知道提供的 CA 证书来自哪里，它看起来像发行者一样旋转CN=<servername>-ca@1567568834（因此是--insecure）。

kube-apiserver命令行将包含 kubelet 客户端证书的确切路径（或者也可以存储在新 k8s 世界中的配置文件中）

--kubelet-client-certificate --kubelet-client-key

$ pgrep -a kube-apiserver | perl -pe 's/ --/\n --/g'
22071 /snap/microk8s/1247/kube-apiserver
 --cert-dir=/var/snap/microk8s/1247/certs
 --service-cluster-ip-range=10.22.189.0/24
 --authorization-mode=RBAC,Node
 --basic-auth-file=/var/snap/microk8s/1247/credentials/basic_auth.csv
 --service-account-key-file=/var/snap/microk8s/1247/certs/serviceaccount.key
 --client-ca-file=/var/snap/microk8s/1247/certs/ca.crt
 --tls-cert-file=/var/snap/microk8s/1247/certs/server.crt
 --tls-private-key-file=/var/snap/microk8s/1247/certs/server.key
 --kubelet-client-certificate=/var/snap/microk8s/1247/certs/server.crt
 --kubelet-client-key=/var/snap/microk8s/1247/certs/server.key
 --secure-port=16443
 --token-auth-file=/var/snap/microk8s/1247/credentials/known_tokens.csv
 --token-auth-file=/var/snap/microk8s/1247/credentials/known_tokens.csv
 --etcd-servers=https://127.0.0.1:12379
 --etcd-cafile=/var/snap/microk8s/1247/certs/ca.crt
 --etcd-certfile=/var/snap/microk8s/1247/certs/server.crt
 --etcd-keyfile=/var/snap/microk8s/1247/certs/server.key
 --requestheader-client-ca-file=/var/snap/microk8s/1247/certs/front-proxy-ca.crt
 --requestheader-allowed-names=front-proxy-client
 --requestheader-extra-headers-prefix=X-Remote-Extra-
 --requestheader-group-headers=X-Remote-Group
 --requestheader-username-headers=X-Remote-User
 --proxy-client-cert-file=/var/snap/microk8s/1247/certs/front-proxy-client.crt
 --proxy-client-key-file=/var/snap/microk8s/1247/certs/front-proxy-client.key

ssl - 访问 Kubelet API Microk8s

1 回答 1

Related

Reference