我设置了一个示例Kubernetes集群,其中包含3个主节点和2个工作节点。 我试图将其连接到OpenId Provider(在我的情况下为Keycloak)。但是当查询API时,我从kubectl得到以下消息:
error: You must be logged in to the server (Unauthorized)
或通过curl:
curl -H "Authorization: Bearer $token" -k https://192.168.178.30:6443/api/v1/namespaces/default/pods
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
,并且在API服务器日志中显示
Unable to authenticate the request due to an error: invalid bearer token
根据jwt.io,我的令牌似乎有效。
在API服务器中,我指定了以下参数:
oidc-issuer-url: https://192.168.178.25:8443/auth/realms/master
oidc-client-id: account
oidc-ca-file: /etc/kubernetes/ssl/keycloak-rootCA.pem
oidc-username-claim: sub
oidc-groups-claim: groups
我必须指定CA文件,因为用于密钥转换的证书是自签名证书
证书似乎有效,因为没有CA文件的卷曲会导致错误;在没有指定CA文件的地方:
ansible@node1:~$ curl https://192.168.178.25:8443/auth/realms/master
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
ansible@node1:~$ curl --cacert /etc/kubernetes/ssl/keycloak-rootCA.pem https://192.168.178.25:8443/auth/realms/master
{"realm":"master","public_key":"...","token-service":"https://192.168.178.25:8443/auth/realms/master/protocol/openid-connect","account-service":"https://192.168.178.25:8443/auth/realms/master/account","tokens-not-before":0}
我的JWT令牌的有效负载如下所示:
{
"jti": "455feab7-5828-49f3-9243-a2ce0a1ae6f9",
"exp": 1557246081,
"nbf": 0,
"iat": 1557246021,
"iss": "https://192.168.178.25:8443/auth/realms/master",
"aud": "account",
"sub": "78f9bdc8-d1a4-43c4-ab83-f1b4645519f6",
"typ": "ID",
"azp": "account",
"auth_time": 1557246020,
"session_state": "ccafaa62-a888-43dd-9135-1c5a31766e0b",
"acr": "1",
"email_verified": true,
"name": "Testuser",
"groups": [
"group1",
"k8s-admin"
],
"preferred_username": "dummy-username",
"given_name": "Firstname1",
"family_name": "Lastname1",
"email": "me@example.com"
}
当我尝试使用生成的服务帐户(从kubernetes)的令牌登录时,一切正常。
通过Kubespray和以下指定的API服务器参数设置环境:
kube_oidc_url: https://192.168.178.25:8443/auth/realms/master
kube_oidc_client_id: account
kube_oidc_ca_file: "{{ kube_cert_dir }}/keycloak-rootCA.pem"
kube_oidc_username_claim: sub
kube_oidc_groups_claim: groups
#kube_oidc_username_prefix: "oidc:"
#kube_oidc_groups_prefix: "oidc:"
感谢您的帮助。
答案 0 :(得分:1)
问题是Kubespray并未将我的设置超过api服务器的Pod规范(/etc/kubernetes/manifests/kube-apiserver.yaml)。当我在每个api服务器的Pod规范中添加参数时(我有一个多主设置),它按预期工作:
- --oidc-issuer-url=https://192.168.178.25:8443/auth/realms/master
- --oidc-client-id=account
- --oidc-username-claim=email
- '--oidc-username-prefix=oidc:'
- --oidc-groups-claim=groups
- '--oidc-groups-prefix=oidc:'
- --oidc-ca-file=/etc/kubernetes/ssl/keycloak-rootCA.pem
答案 1 :(得分:0)
我认为在您的情况下,kube_oidc_url
应该是https://192.168.178.25:8443
还要记下documentation中的CA证书要求:
关于上述要求3的注释,要求具有CA签名的证书。 如果您部署自己的身份提供商(而不是其中一个 云提供商(例如Google或Microsoft),您必须具有自己的身份 提供者的Web服务器证书,由CA签署证书 标记设置为TRUE,即使它是自签名的。这是由于GoLang的 TLS客户端实施对周围的标准非常严格 证书验证。如果您没有方便使用的CA,则可以使用它 CoreOS团队提供的脚本来创建简单的CA和签名的 证书和密钥对。或者您可以使用类似的脚本 生成具有更长寿命和更大密钥大小的SHA256证书。