我正在 Charmed Kubernetes v1.19 上使用 Vault CSI 驱动程序,我正在尝试按照博客中的步骤从 Vault 中检索在webapp具有自己的服务帐户 () 的单独命名空间 ()中运行的 pod 的机密。webapp-sa
到目前为止,我已经能够理解,Pod 正在尝试对 Kubernetes API 进行身份验证,以便稍后它可以生成一个 Vault 令牌以从 Vault 访问机密。
$ kubectl get po webapp
NAME READY STATUS RESTARTS AGE
webapp 0/1 ContainerCreating 0 22m
在我看来,使用 Kubernetes API 进行身份验证存在一些问题。
pod 仍然停留在 Container Creating 状态并显示消息 -failed to create a service account token for requesting pod
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 35m default-scheduler Successfully assigned webapp/webapp to host-03
Warning FailedMount 4m38s (x23 over 35m) kubelet MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod webapp/webapp, err: rpc error: code = Unknown desc = error making mount request: **failed to create a service account token for requesting pod** {webapp xxxx webapp webapp-sa}: the server could not find the requested resource
我可以在 pod 命名空间中使用 cli 获取保管库令牌:
$ vault write auth/kubernetes/login role=database jwt=$SA_JWT_TOKEN
Key Value
--- -----
token <snipped>
我也使用 API 获得了保管库令牌:
$ curl --request POST --data @payload.json https://127.0.0.1:8200/v1/auth/kubernetes/login
{
"request_id":"1234",
<snipped>
"auth":{
"client_token":"XyZ",
"accessor":"abc",
"policies":[
"default",
"webapp-policy"
],
"token_policies":[
"default",
"webapp-policy"
],
"metadata":{
"role":"database",
"service_account_name":"webapp-sa",
"service_account_namespace":"webapp",
"service_account_secret_name":"webapp-sa-token-abcd",
"service_account_uid":"123456"
},
<snipped>
}
}
参考:https ://www.vaultproject.io/docs/auth/kubernetes
根据 Vault 文档,我使用 Token Reviewer SA 配置了 Vault,如下所示:
$ cat vault-auth-service-account.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: role-token-review-binding
namespace: vault
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: vault-auth
namespace: vault
Vault 使用来自 Token Reviewer SA 的 JWT 进行配置,如下所示:
$ vault write auth/kubernetes/config \
token_reviewer_jwt="< TOKEN Reviewer service account JWT>" \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"
kubernetes_ca_cert=@ca.crt
我已经定义了一个 Vault 角色以允许webapp-sa访问机密:
$ vault write auth/kubernetes/role/database \
bound_service_account_names=webapp-sa \
bound_service_account_namespaces=webapp \
policies=webapp-policy \
ttl=72h
Success! Data written to: auth/kubernetes/role/database
根据webapp-sa定义如下的保险库策略,允许访问机密:
$ vault policy write webapp-policy - <<EOF
> path "secret/data/db-pass" {
> capabilities = ["read"]
> }
> EOF
Success! Uploaded policy: webapp-policy
Pod及其SA定义如下:
$ cat webapp-sa-and-pod.yaml
kind: ServiceAccount
apiVersion: v1
metadata:
name: webapp-sa
---
kind: Pod
apiVersion: v1
metadata:
name: webapp
spec:
serviceAccountName: webapp-sa
containers:
- image: registry/jweissig/app:0.0.1
name: webapp
volumeMounts:
- name: secrets-store-inline
mountPath: "/mnt/secrets-store"
readOnly: true
volumes:
- name: secrets-store-inline
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
providerName: vault
secretProviderClass: "vault-database"
- 有没有人知道为什么 Pod 不会使用 Kubernetes API 进行身份验证?
- 我是否必须在 kube-apiserver 上启用标志才能使 Token Review API 工作?
- Charmed Kubernetes v1.19 是否默认启用?
将不胜感激任何帮助。
问候, 萨娜