I am using the following version:
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.1", GitCommit:"3a1c9449a956b6026f075fa3134ff92f7d55f812", GitTreeState:"clean", BuildDate:"2018-01-04T11:52:23Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.1", GitCommit:"3a1c9449a956b6026f075fa3134ff92f7d55f812", GitTreeState:"clean", BuildDate:"2018-01-04T11:40:06Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
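Here I am trying to set up a user that authenticates with an x509 certificate, using the following custom script, which I created after looking at several online forums and the Kubernetes documentation.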
#!/bin/bash
cluster=test-operations-k8
namespace=demo
username=jack
openssl genrsa -out $username.pem 2048
openssl req -new -key $username.pem -out $username.csr -subj "/CN=$username"
cat <<EOF | kubectl create -n $namespace -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: user-request-$username
spec:
  groups:
  - system:authenticated
  request: $(cat $username.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
kubectl certificate approve user-request-$username
kubectl get csr user-request-$username -o jsonpath='{.status.certificate}' | base64 -d > $username.crt
kubectl --kubeconfig ~/.kube/config-$username config set-cluster $cluster --insecure-skip-tls-verify=true --server=https://$cluster.eastus.cloudapp.azure.com
kubectl --kubeconfig ~/.kube/config-$username config set-credentials $username --client-certificate=$username.crt --client-key=$username.pem --embed-certs=true
kubectl --kubeconfig ~/.kube/config-$username config set-context $cluster --cluster=$cluster --user=$username
kubectl --kubeconfig ~/.kube/config-$username config use-context $cluster
echo "Config file for $username has been created successfully !"
But when fetching resources, I get the following error:
error: You must be logged in to the server (Unauthorized)
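Can someone suggest what needs to be done to fix this?
Also note that I have already created the corresponding roles and role bindings, which I have not listed here.
Answer 0: (score: 1)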
Make sure the CA used to sign the CSR (the --cluster-signing-cert-file file given to kube-controller-manager) is in the --client-ca-file bundle given to kube-apiserver (this is what authenticates client certificates presented to the apiserver).
Also make sure the requested certificate is a client certificate (has client auth in the usages field).
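The two conditions in the answer, modelled with Go's standard crypto/x509 package as an added example (not code from the post or from Kubernetes): a certificate passes client authentication only if it chains to a CA in the trusted bundle and its extended key usage permits client auth. The CA names and the helpers newCert and acceptedAsClient are hypothetical, and every key and certificate is generated in-process as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const clientAuth, serverAuth = x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth // usages compared below

func must[T any](v T, err error) T { // setup failures in this demo are fatal
	if err != nil {
		panic(err)
	}
	return v
}

// newCert builds constructed test data: with ca == nil a self-signed CA, otherwise a user cert signed by ca.
func newCert(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, ExtKeyUsage: eku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if ca == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		ca, caKey = tpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der)), key
}

// acceptedAsClient returns nil only if cert chains to clientCA and permits the client auth usage.
func acceptedAsClient(cert, clientCA *x509.Certificate) error {
	roots := x509.NewCertPool() // stands in for the trusted client CA bundle
	roots.AddCert(clientCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{clientAuth}})
	return err
}

func main() {
	signer, key := newCert("cluster-signing-ca", nil, nil) // CA that signs the CSRs
	other, _ := newCert("unrelated-ca", nil, nil)          // bundle that lacks the signing CA
	good, _ := newCert("jack", signer, key, clientAuth)    // usage: client auth
	bad, _ := newCert("jack", signer, key, serverAuth)     // usage: server auth, as in the question's CSR
	fmt.Println(acceptedAsClient(good, signer), acceptedAsClient(bad, signer), acceptedAsClient(good, other))
}
```

Only the first case verifies; the server auth certificate fails the key usage check and the third fails because its issuer is not in the trusted pool.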