Kubernetes K3s-创建具有客户端证书的用户
我已尝试使用客户端证书创建用户帐户 我遵循了两个教程,但在消息中出现错误时仍坚持使用这两个选项 我设置了正确的用户、服务器和正确的上下文。我设置了名称空间,但仍然存在相同的错误Kubernetes K3s-创建具有客户端证书的用户,kubernetes,kubectl,k3s,Kubernetes,Kubectl,K3s,我已尝试使用客户端证书创建用户帐户 我遵循了两个教程,但在消息中出现错误时仍坚持使用这两个选项 我设置了正确的用户、服务器和正确的上下文。我设置了名称空间,但仍然存在相同的错误 > kubectl get pods You must be logged in to the server (Unauthorized) 有人经历过类似的事情吗?还是有人知道我做错了什么 我的k3s群集版本是1.15.4。根据您发布的错误,您的用户仅在身份验证阶段失败(HTTP错误代码:401),您可以使
> kubectl get pods
You must be logged in to the server (Unauthorized)
有人经历过类似的事情吗?还是有人知道我做错了什么
我的k3s群集版本是1.15.4。根据您发布的错误,您的用户仅在身份验证阶段失败(HTTP错误代码:401),您可以使用以下方法验证此错误:
$ k get pods -v=6
...
I0123 16:34:18.842853 29373 helpers.go:203] server response object: [{
...
"code": 401
}]
F0123 16:34:18.842907 29373 helpers.go:114] error: You must be logged in to the server (Unauthorized)
使用以下步骤调试安装程序:
$ kubectl config view --raw -o jsonpath="{.users[?(@.name == \"user-user-ca-signed\")].user.client-certificate-data}" | base64 -d > client.crt
$ openssl x509 -in client.crt -text -noout | grep -i "Issuer:\|Subject:"
Issuer: CN = kubernetes
Subject: C = IN, ST = Some-State, O = Some-Organization, CN = user-ca-signed
$ kubectl get pods -v=6
I0123 16:59:41.350501 28553 helpers.go:203] server response object: [{
...
"code": 403
}]
F0123 16:59:41.351080 28553 helpers.go:114] Error from server (Forbidden): pods is forbidden: User "user-ca-signed" cannot list resource "pods" in API group "" in the namespace "ns1": No policy matched.
根据您发布的错误,您的用户仅在身份验证阶段失败(HTTP错误代码:401),您可以使用以下方法验证此错误:
$ k get pods -v=6
...
I0123 16:34:18.842853 29373 helpers.go:203] server response object: [{
...
"code": 401
}]
F0123 16:34:18.842907 29373 helpers.go:114] error: You must be logged in to the server (Unauthorized)
使用以下步骤调试安装程序:
$ kubectl config view --raw -o jsonpath="{.users[?(@.name == \"user-user-ca-signed\")].user.client-certificate-data}" | base64 -d > client.crt
$ openssl x509 -in client.crt -text -noout | grep -i "Issuer:\|Subject:"
Issuer: CN = kubernetes
Subject: C = IN, ST = Some-State, O = Some-Organization, CN = user-ca-signed
$ kubectl get pods -v=6
I0123 16:59:41.350501 28553 helpers.go:203] server response object: [{
...
"code": 403
}]
F0123 16:59:41.351080 28553 helpers.go:114] Error from server (Forbidden): pods is forbidden: User "user-ca-signed" cannot list resource "pods" in API group "" in the namespace "ns1": No policy matched.
我终于在这张票上找到了答案 用户huapox发布了以下代码:
[root@(⎈ |default:default) sec-rbac]$ cat t2.sh
ws=/opt/sec-rbac
day=3650
clus_name="t1.k3s"
clus_ns="default"
user="koper"
#clus_url="https://10.200.100.183:7442"
clus_url="https://server:6443" ##
ca_path=$ws/server/tls
rm -f $ca_path/*-ca.srl
ctx=gen && mkdir -p $ws/$ctx/{kube,keys} && cd $ws/$ctx
#############
ca1=client-ca
generate="keys/u-"$user
echo -e "\033[32m#>>GEN-KEY\033[0m"
#openssl genrsa -out $generate.key 2048
openssl ecparam -name prime256v1 -genkey -noout -out $generate.key
openssl req -new -key $generate.key -out $generate.csr -subj "/CN=${user}@${clus_name}/O=key-gen"
openssl x509 -req -in $generate.csr -CA $ca_path/$ca1.crt -CAkey $ca_path/$ca1.key -CAcreateserial -out $generate.crt -days $day
#-----------
#generate=$ca_path/client-admin ##test
ca2=server-ca
embed=false
ctx2="$user@$clus_name"
config="kube/$user.kubeconfig"
echo -e "\033[32m#>>KUBE-CONFIG\033[0m"
kubectl --kubeconfig=$config config set-cluster $clus_name --embed-certs=$embed --server=$clus_url --certificate-authority=$ca_path/$ca2.crt
kubectl --kubeconfig=$config config set-credentials $user --embed-certs=$embed --client-certificate=$generate.crt --client-key=$generate.key
kubectl --kubeconfig=$config config set-context $ctx2 --cluster=$clus_name --namespace=$clus_ns --user=$user
kubectl --kubeconfig=$config config set current-context $ctx2
kubectl --kubeconfig=$config --context=$ctx2 get pods
非常感谢huapox。我终于在这张票上找到了答案 用户huapox发布了以下代码:
[root@(⎈ |default:default) sec-rbac]$ cat t2.sh
ws=/opt/sec-rbac
day=3650
clus_name="t1.k3s"
clus_ns="default"
user="koper"
#clus_url="https://10.200.100.183:7442"
clus_url="https://server:6443" ##
ca_path=$ws/server/tls
rm -f $ca_path/*-ca.srl
ctx=gen && mkdir -p $ws/$ctx/{kube,keys} && cd $ws/$ctx
#############
ca1=client-ca
generate="keys/u-"$user
echo -e "\033[32m#>>GEN-KEY\033[0m"
#openssl genrsa -out $generate.key 2048
openssl ecparam -name prime256v1 -genkey -noout -out $generate.key
openssl req -new -key $generate.key -out $generate.csr -subj "/CN=${user}@${clus_name}/O=key-gen"
openssl x509 -req -in $generate.csr -CA $ca_path/$ca1.crt -CAkey $ca_path/$ca1.key -CAcreateserial -out $generate.crt -days $day
#-----------
#generate=$ca_path/client-admin ##test
ca2=server-ca
embed=false
ctx2="$user@$clus_name"
config="kube/$user.kubeconfig"
echo -e "\033[32m#>>KUBE-CONFIG\033[0m"
kubectl --kubeconfig=$config config set-cluster $clus_name --embed-certs=$embed --server=$clus_url --certificate-authority=$ca_path/$ca2.crt
kubectl --kubeconfig=$config config set-credentials $user --embed-certs=$embed --client-certificate=$generate.crt --client-key=$generate.key
kubectl --kubeconfig=$config config set-context $ctx2 --cluster=$clus_name --namespace=$clus_ns --user=$user
kubectl --kubeconfig=$config config set current-context $ctx2
kubectl --kubeconfig=$config --context=$ctx2 get pods
非常感谢huapox。您可以使用刚刚创建的用户登录吗?我遵循了本页所述的设置,但看起来与k3s安装不同。也许我犯了很多次错误?!不确定,如果我是盲人,看不出我做错了什么。你能用你刚刚创建的用户登录吗?我按照本页上的说明进行了设置,但看起来与k3s安装不同。也许我犯了很多次错误?!不确定,如果我是盲人,看不出我做错了什么。你好,拉梅什,首先非常感谢你详细的回答。不幸的是,k3s中的配置文件有点不同。我找到了以下文件,希望它是默认kubernetes安装的挂件。在此处找到文件:
/var/lib/rancher/k3s/server/cred/api server.kubeconfig
,但它不包含客户端ca文件条目。相反,我有一个客户端证书:/var/lib/rancher/k3s/server/tls/client kube-apiserver.crt
和一个证书颁发机构:/var/lib/rancher/k3s/server/tls/server-ca.crt
Oh,client-kube-apiserver.crt中的问题是另一个问题。有趣的是,我向kubectl申请了csr,并批准了它。然后提取了crt,但结果仍然是另一个。你好Ramesh,首先非常感谢你的详细回答。不幸的是,k3s中的配置文件有点不同。我找到了以下文件,希望它是默认kubernetes安装的挂件。在此处找到文件:/var/lib/rancher/k3s/server/cred/api server.kubeconfig
,但它不包含客户端ca文件条目。相反,我有一个客户端证书:/var/lib/rancher/k3s/server/tls/client kube-apiserver.crt
和一个证书颁发机构:/var/lib/rancher/k3s/server/tls/server-ca.crt
Oh,client-kube-apiserver.crt中的问题是另一个问题。有趣的是,我向kubectl申请了csr,并批准了它。当时提取了crt,但结果仍然是另一个。