TLS bootstrapping, --token-auth-file, User "system:anonymous" cannot create certificatesigningrequests
Why, when I set --token-auth-file on the api-server and --bootstrap-kubeconfig on the worker node, specifying my username as "kubelet-bootstrap" on both the api server and the worker node, do I get the error User "system:anonymous"?
error: failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:anonymous" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope
Kubernetes version v1.8.3
Below is my configuration.
API server:
/usr/local/bin/kube-apiserver --etcd-servers=http://127.0.0.1:2379
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota
--service-account-key-file=/srv/kubernetes/pubkey.pem
--service-cluster-ip-range=10.96.0.0/16
--allow-privileged=true
--authorization-mode=RBAC
--enable-bootstrap-token-auth=true
--token-auth-file=/var/lib/kubernetes/bootstrap.csv
--client-ca-file=/var/lib/kubernetes/cacert.pem
--tls-cert-file=/var/lib/kubernetes/servercert.pem
--tls-private-key-file=/var/lib/kubernetes/serverkey.pem
--address=172.18.11.249
--insecure-bind-address=127.0.0.1
--advertise-address=172.18.11.249
--audit-log-maxage=30
--audit-log-maxsize=100
--audit-log-path=/var/log/kube-apiserver.log
--v=4
1>>/var/log/kube-apiserver.log 2>&1
/var/lib/kubernetes/bootstrap.csv
0d681e2438667d2b5236ad7385d80ddc,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
Worker node:
/usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubelet/bootstrap.kubeconfig.yaml
--pod-manifest-path=/etc/kubernetes/manifests
--node-labels=node-role.kubernetes.io/worker=
--node-ip=172.18.10.16
--allow-privileged
--v=4
/etc/kubelet/bootstrap.kubeconfig.yaml
apiVersion: v1
clusters:
- cluster:
    server: https://172.18.11.249:6443/
  name: myk8s
contexts:
- context:
    cluster: myk8s
  name: myk8s
current-context: myk8s
kind: Config
preferences: {}
users:
- name: kubelet-bootstrap
  user:
    as-user-extra: {}
    token: 0d681e2438667d2b5236ad7385d80ddc
Log from the worker node:
I0821 08:49:50.916993 6232 bootstrap.go:57] Using bootstrap kubeconfig to generate TLS client cert, key and kubeconfig file
error: failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:anonymous" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope
Log from the API server:
I0821 08:05:05.726968 5 rbac.go:116] RBAC DENY: user "system:anonymous" groups ["system:unauthenticated"] cannot "create" resource "certificatesigningrequests.certificates.k8s.io" cluster-wide
I0821 08:05:05.727015 5 authorization.go:59] Forbidden: "/apis/certificates.k8s.io/v1beta1/certificatesigningrequests", Reason: ""
Thanks for your help.
The token format in your bootstrap.kubeconfig.yaml looks different from the usual tokens generated by kubeadm.
According to the article Authenticating with Bootstrap Tokens:
Token Format
Bootstrap Tokens take the form of abcdef.0123456789abcdef. More
formally, they must match the regular expression
[a-z0-9]{6}.[a-z0-9]{16}.
The first part of the token is the “Token ID” and is considered public
information. It is used when referring to a token without leaking the
secret part used for authentication. The second part is the “Token
Secret” and should only be shared with trusted parties.
I would say you don't have clusterrolebindings for system:anonymous, because it is disabled by default to protect the cluster from DoS attacks.
There is a configMap in the kube-public namespace that should be used for TLS bootstrapping. If a node wants to join the cluster automatically, it needs some information. This is where this configMap comes in. But the node must have permission to read the file.
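As an added check, written for this page and not part of the question or the answer: a small Python validator over the kubeconfig structure. `POSTED` mirrors the bootstrap.kubeconfig.yaml from the question as a plain dict; `FIXED` is a constructed variant with a placeholder token; the function names and the ClusterRoleBinding name `kubelet-bootstrap` are assumptions of this example. It checks the two things a kubelet needs before it can present any credential at all: the current context must name a user (a user entry that no context references is never sent, so the API server sees the request as system:anonymous), and, if a token is present, whether it has the id.secret shape from the regex quoted in the answer. It also emits the ClusterRoleBinding that grants the token's group the built-in system:node-bootstrapper ClusterRole, the role that permits creating certificatesigningrequests.

```python
import json
import re

# Bootstrap tokens are "<id>.<secret>": six then sixteen lowercase alphanumerics
# (the regex quoted in the answer above).
BOOTSTRAP_TOKEN_RE = re.compile(r"^[a-z0-9]{6}\.[a-z0-9]{16}$")


def is_bootstrap_token(token):
    """True if token has the id.secret shape the bootstrap-token authenticator accepts."""
    return bool(BOOTSTRAP_TOKEN_RE.match(token or ""))


def check_bootstrap_kubeconfig(cfg):
    """Return the problems that would make the kubelet reach the API server with no
    usable credential (and so be authenticated as system:anonymous).
    cfg is the kubeconfig as a plain dict; an empty list means it looks usable."""
    problems = []
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters", [])}
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts", [])}
    users = {u["name"]: u.get("user") or {} for u in cfg.get("users", [])}

    ctx_name = cfg.get("current-context")
    ctx = contexts.get(ctx_name)
    if ctx is None:
        return ["current-context %r matches no entry in contexts" % ctx_name]
    if ctx.get("cluster") not in clusters:
        problems.append("context %r refers to unknown cluster %r" % (ctx_name, ctx.get("cluster")))

    # A context without a user means the client sends no credential at all;
    # a user entry that nothing references is silently ignored.
    user_name = ctx.get("user")
    if not user_name:
        problems.append("context %r names no user: requests go out unauthenticated (system:anonymous)" % ctx_name)
        return problems
    user = users.get(user_name)
    if user is None:
        problems.append("context %r refers to unknown user %r" % (ctx_name, user_name))
        return problems

    token = user.get("token")
    has_cert = bool(user.get("client-certificate") or user.get("client-certificate-data"))
    if not token and not has_cert:
        problems.append("user %r carries neither a token nor a client certificate" % user_name)
    elif token and not is_bootstrap_token(token):
        # Still acceptable for a static --token-auth-file entry, but the
        # --enable-bootstrap-token-auth authenticator will not consider it.
        problems.append("token for user %r is not in id.secret bootstrap-token format" % user_name)
    return problems


def node_bootstrapper_binding(group):
    """ClusterRoleBinding granting `group` (the group column of the token CSV)
    the built-in system:node-bootstrapper role, which allows creating CSRs.
    The binding name 'kubelet-bootstrap' is an assumption of this example."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "kubelet-bootstrap"},
        "subjects": [{"kind": "Group", "name": group, "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "ClusterRole", "name": "system:node-bootstrapper",
                    "apiGroup": "rbac.authorization.k8s.io"},
    }


# Mirrors the kubeconfig posted in the question (same token as posted there).
POSTED = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "myk8s", "cluster": {"server": "https://172.18.11.249:6443/"}}],
    "contexts": [{"name": "myk8s", "context": {"cluster": "myk8s"}}],
    "current-context": "myk8s",
    "users": [{"name": "kubelet-bootstrap",
               "user": {"as-user-extra": {}, "token": "0d681e2438667d2b5236ad7385d80ddc"}}],
}

# Same file with the context bound to the user and a token in bootstrap format
# (constructed placeholder value, not a real token).
FIXED = json.loads(json.dumps(POSTED))
FIXED["contexts"][0]["context"]["user"] = "kubelet-bootstrap"
FIXED["users"][0]["user"]["token"] = "abcdef.0123456789abcdef"

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(label, check_bootstrap_kubeconfig(cfg) or "ok")
    print(json.dumps(node_bootstrapper_binding("system:kubelet-bootstrap"), indent=2))
```

Run against the posted file it reports that the context names no user; the fixed variant passes. The group passed to `node_bootstrapper_binding` should be whatever appears in the fourth column of the --token-auth-file CSV, since with static tokens that column, not a kubeadm default, decides which group the kubelet belongs to.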