我目前有以下设置:
proxy_pass https://127.0.0.1:6443 当前,我可以通过在kubeconfig中指定来连接到集群,
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://127.0.0.1:6443 <-----------------------------
name: kubernetes
contexts:
- context:
cluster: kubernetes
namespace: test-namespace
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
但是,如果我将kubeconfig中的服务器更改为指向我的域:server: https://kube.my-domain.com,则会出现以下错误:
user@master:~$ kubectl get deployments
Unable to connect to the server: x509: certificate signed by unknown authority
现在,我认为这是因为我的流量必须通过cloudflare的代理,并且在此过程中具有不同的证书。因此,我尝试附加--insecure-skip-tls-verify = true并获得以下响应:
user@master:~$ kubectl get deployments --insecure-skip-tls-verify=true
error: the server doesn't have a resource type "deployments"
因此,我进行了查找,并发现了很多时间是由于RBAC(尽管我应该通过kubernetes-admin进行身份验证,当我在本地连接时可以正常工作...)
I0317 00:41:09.281404 31989 loader.go:375] Config loaded from file: /home/user/.kube/config
I0317 00:41:09.281813 31989 round_trippers.go:423] curl -k -v -XGET -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.17.3 (linux/amd64) kubernetes/06ad960" 'https://kube.my-domain.com/api?timeout=32s'
I0317 00:41:09.493885 31989 round_trippers.go:443] GET https://kube.my-domain.com/api?timeout=32s 403 Forbidden in 212 milliseconds
I0317 00:41:09.493921 31989 round_trippers.go:449] Response Headers:
I0317 00:41:09.493970 31989 round_trippers.go:452] Set-Cookie: REDACTED; expires=Thu, 16-Apr-20 04:41:09 GMT; path=/; domain=.my-domain.com; HttpOnly; SameSite=Lax; Secure
I0317 00:41:09.493991 31989 round_trippers.go:452] Expect-Ct: max-age=604800, report-uri="REDACTED"
I0317 00:41:09.494002 31989 round_trippers.go:452] Server: cloudflare
I0317 00:41:09.494027 31989 round_trippers.go:452] Cf-Ray: REDACTED
I0317 00:41:09.494065 31989 round_trippers.go:452] Date: Tue, 17 Mar 2020 04:41:09 GMT
I0317 00:41:09.494070 31989 round_trippers.go:452] X-Content-Type-Options: nosniff
I0317 00:41:09.494091 31989 round_trippers.go:452] Cf-Cache-Status: DYNAMIC
I0317 00:41:09.494112 31989 round_trippers.go:452] Content-Type: application/json
I0317 00:41:09.498893 31989 request.go:1017] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/api\"","reason":"Forbidden","details":{},"code":403}
I0317 00:41:09.503266 31989 round_trippers.go:423] curl -k -v -XGET -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.17.3 (linux/amd64) kubernetes/06ad960" 'https://kube.my-domain.com/apis?timeout=32s'
I0317 00:41:09.640948 31989 round_trippers.go:443] GET https://kube.my-domain.com/apis?timeout=32s 403 Forbidden in 137 milliseconds
I0317 00:41:09.640992 31989 round_trippers.go:449] Response Headers:
I0317 00:41:09.641000 31989 round_trippers.go:452] Date: Tue, 17 Mar 2020 04:41:09 GMT
I0317 00:41:09.641006 31989 round_trippers.go:452] Content-Type: application/json
I0317 00:41:09.641011 31989 round_trippers.go:452] Cf-Cache-Status: DYNAMIC
I0317 00:41:09.641016 31989 round_trippers.go:452] Expect-Ct: max-age=604800, report-uri="REDACTED"
I0317 00:41:09.641021 31989 round_trippers.go:452] Set-Cookie: REDACTED; expires=Thu, 16-Apr-20 04:41:09 GMT; path=/; domain=.my-domain.com; HttpOnly; SameSite=Lax; Secure
I0317 00:41:09.641027 31989 round_trippers.go:452] X-Content-Type-Options: nosniff
I0317 00:41:09.641031 31989 round_trippers.go:452] Server: cloudflare
I0317 00:41:09.641056 31989 round_trippers.go:452] Cf-Ray: REDACTED
我在做什么错?另外,公开群集并确保其安全的最佳方法是什么?
我觉得这与NGINX的SSL终止有关,消除了api服务器识别我的必要条件。
谢谢。
更新:似乎任一Cloudflare代理pr NIGNX都剥夺了身份验证证书和密钥,因此导致请求的用户成为匿名用户。仍在调查。
答案 0 :(得分:2)
无法连接到服务器:x509:证书由未知者签名 权威
以上错误指示https://kube.my-domain.com端点提供的服务器证书未由kubeconfig文件certificate-authority-data部分中拥有的证书颁发机构签名。在kubeconfig中,您需要配置正确的证书颁发机构(CA)。