我们已经在kubernetes 1.9.2上的istio-0.5.0中跟踪了guide的自动边车注入,但由于api-server上的证书问题,到目前为止还没有成功。
当创建pod时,会调用webhook,但是api-server拒绝istio-sidecar-injector / inject提供的证书,说明:
W0205 09:15:27.389473 1 admission.go:257] Failed calling webhook, failing open sidecar-injector.istio.io: failed calling admission webhook "sidecar-injector.istio.io": Post https://istio-sidecar-injector.istio-system.svc:443/inject: x509: certificate signed by unknown authority
E0205 09:15:27.389501 1 admission.go:258] failed calling admission webhook "sidecar-injector.istio.io": Post https://istio-sidecar-injector.istio-system.svc:443/inject: x509: certificate signed by unknown authority
我们的API服务器配置了以下标志:
- --allow-privileged=true
- --kubelet-client-certificate=/etc/kubernetes/pki/admin.pem
- --kubelet-client-key=/etc/kubernetes/pki/admin-key.pem
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --tls-ca-file=/etc/kubernetes/pki/ca.pem
- --tls-cert-file=/etc/kubernetes/pki/kube-apiserver-server.pem
- --tls-private-key-file=/etc/kubernetes/pki/kube-apiserver-server-key.pem
- --secure-port=6443
- --enable-bootstrap-token-auth
- --storage-backend=etcd3
- --service-cluster-ip-range=10.254.0.0/16
- --service-account-key-file=/etc/kubernetes/pki/sa.pub
- --client-ca-file=/etc/kubernetes/pki/ca.pem
- --insecure-port=8080
- --insecure-bind-address=127.0.0.1
- --admissioncontrol=MutatingAdmissionWebhook,Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
- --authorization-mode=RBAC
- --oidc-issuer-url=https://sts.windows.net/[...removed...]/
- --oidc-client-id=spn:[...removed...]
- --oidc-username-claim=upn
- --oidc-groups-claim=groups
- --v=0
- --advertise-address=10.1.1.200
- --etcd-servers=http://etcd-0:2379,http://etcd-1:2379,http://etcd-2:2379
证书已经由ca.pem文件签名,我们已经通过--tls-ca-file标志给api-server,但仍然没有雪茄。 关于我们如何让kubernetes API准入控制器信任sidecar-injector提供的证书的任何想法?