Kubernetes: permission denied when authenticating pods against an external Vault service running on GKE

Tags: kubernetes, google-cloud-platform, google-kubernetes-engine, hashicorp-vault

GKE version - 1.14. I currently have two private GKE clusters (a Vault cluster and an app cluster).

I am getting the following error:

Vault errors -

    auth.kubernetes.auth_kubernetes_b0f01fa6: login unauthorized due to: Post "https://10.V.V.194:443/apis/authentication.k8s.io/v1/tokenreviews": dial tcp 10.V.V.194:443: i/o timeout

-> where

`10.V.V.194` -- is the master IP address (no https://) via `kubectl cluster-info`
Application pod logs

    * permission denied" backoff=1.324573453
    2020-10-12T14:39:46.421Z [INFO]  auth.handler: authenticating
    2020-10-12T14:40:16.427Z [ERROR] auth.handler: error authenticating: error="Error making API request.

    URL: PUT http://10.LB.LB.38:8200/v1/auth/kubernetes/login
    Code: 403. Errors:

    * permission denied" backoff=2.798763368
-> where

`http://10.LB.LB.38:8200` is the internal LB IP
Vault setup

    NAME        TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)
    test-vault  LoadBalancer   240.130.0.59   10.LB.LB.38   8200:32105/TCP,8201:31147/TCP
How the K8s auth method was enabled

    $ export VAULT_SA_NAME=$(kubectl get sa vault-auth -o jsonpath="{.secrets[*]['name']}")
    $ export SA_JWT_TOKEN=$(kubectl get secret $VAULT_SA_NAME -o jsonpath="{.data.token}" | base64 --decode; echo)
    $ export SA_CA_CRT=$(kubectl get secret $VAULT_SA_NAME -o jsonpath="{.data['ca\.crt']}" | base64 --decode; echo)

    # determine Kubernetes master IP address (no https://) via `kubectl cluster-info`
    $ export K8S_HOST=<K8S_MASTER_IP>   # App cluster IP

    # set VAULT_TOKEN & VAULT_ADDR before next steps
    $ vault auth enable kubernetes
    $ vault write auth/kubernetes/config \
            token_reviewer_jwt="$SA_JWT_TOKEN" \
            kubernetes_host="https://$K8S_HOST:443" \
            kubernetes_ca_cert="$SA_CA_CRT"
Vault logs - 2020-10-04T16:16:40.034Z [ERROR] auth.kubernetes.auth_kubernetes_d78f6a94: login unauthorized due to: Post "": dial tcp Cluster_AppB:443: i/o timeout

Could you provide more information? What GKE version are you using? What exactly are you using as the external Vault? Could you share some logs?

GKE cluster version - 1.16.13-gke.1 (Vault cluster and app cluster) -- in the Vault cluster I run Vault with an internal LB. My log file -- 2020-10-05T14:06:26.752Z [ERROR] auth.kubernetes.auth_kubernetes_c78cbc33: login unauthorized due to: Post "": dial tcp app_client_host_ip:443: i/o timeout ......... When I run Vault and the app pods on the same cluster, it works fine. @PjoterS - I have added the log file. After using the curl command I get:

    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:serviceaccount:default:internal-app\" cannot get path \"/\"","reason":"Forbidden","details":{},"code":403}

You're using the wrong token: "forbidden: User system:serviceaccount:default:internal-app cannot get path /". It's not the internal-app service account that should do the token review, it's the vault-auth service account.

I still get the same error message - message: "forbidden: User \"system:serviceaccount:default:vault-auth\" cannot get path \"/\"".

I've updated the answer to include the path for the token review endpoint. Please try it and see if you are still forbidden.
Cluster B (app cluster)

    kubectl create serviceaccount vault-auth -n default
-----
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding
    metadata:
      name: role-tokenreview-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:auth-delegator
    subjects:
    - kind: ServiceAccount
      name: vault-auth
      namespace: default
-----
    vault auth enable kubernetes
-----
    vault write auth/kubernetes/config kubernetes_host="${K8S_HOST}" \
        kubernetes_ca_cert="${VAULT_SA_CA_CRT}" \
        token_reviewer_jwt="${TR_ACCOUNT_TOKEN}"
-----
    vault secrets enable -path=secret/ kv
-----
    vault policy write myapp-kv-rw - <<EOF
    path "secret/myapp/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }
    EOF
-----
    vault write auth/kubernetes/role/myapp-role \
      bound_service_account_names=default \
      bound_service_account_namespaces=default \
      policies=default,myapp-kv-rw \
      ttl=15m

You can try to manually access the Kubernetes API (in the app cluster) from the Vault cluster, using the same configuration you used to set up Vault:

    curl -X "POST" "${K8S_HOST}/apis/authentication.k8s.io/v1/tokenreviews" \
         --cacert <(echo "$VAULT_SA_CA_CRT") \
         -H "Authorization: Bearer ${TR_ACCOUNT_TOKEN}" \
         -H 'Content-Type: application/json; charset=utf-8' \
         -d '{
      "kind": "TokenReview",
      "apiVersion": "authentication.k8s.io/v1",
      "spec": {
        "token": "'"${INTERNAL_APP_TOKEN}"'"
      }
    }'
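As an added example (not part of the question or the answer above), here is a small Python script that performs the same TokenReview call the curl command makes, authenticating as the token_reviewer_jwt identity, and classifies the outcome into the failure modes seen on this page: an unreachable API server (the i/o timeout), a 401/403 for the reviewer identity, a pod token the API server does not authenticate, and an authenticated service account that does not match the Vault role's bound names and namespaces. The function names, argument names and the two sample responses are assumptions; the endpoint path is the one from the answer.

```python
import json
import ssl
import urllib.error
import urllib.request

TOKENREVIEW_PATH = "/apis/authentication.k8s.io/v1/tokenreviews"

def token_review_body(pod_jwt):
    """Body Vault posts when a pod logs in with its service account JWT."""
    return {"kind": "TokenReview", "apiVersion": "authentication.k8s.io/v1",
            "spec": {"token": pod_jwt}}

def live_token_review(k8s_host, reviewer_jwt, pod_jwt, ca_path, timeout=10):
    """POST the TokenReview as the vault-auth SA; status None means the API server was unreachable."""
    req = urllib.request.Request(
        k8s_host + TOKENREVIEW_PATH, method="POST",
        data=json.dumps(token_review_body(pod_jwt)).encode(),
        headers={"Authorization": "Bearer " + reviewer_jwt, "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=ca_path)  # cluster CA taken from the SA secret
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 401/403 still carry a Status body
        return err.code, json.load(err)
    except OSError as err:  # dial timeout / refused: a network problem, not RBAC
        return None, {"message": str(err)}

def diagnose(status, body, bound_names, bound_namespaces):
    """Map a TokenReview outcome onto the failure modes in the question and comments."""
    if status is None:
        return "unreachable", body.get("message", "")  # Vault's 'dial tcp ...: i/o timeout'
    if status in (401, 403):
        return "reviewer-rejected", body.get("message", "")  # reviewer SA RBAC or wrong URL
    st = body.get("status", {})
    if not st.get("authenticated"):
        return "pod-token-rejected", st.get("error", "not authenticated")
    parts = st.get("user", {}).get("username", "").split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        return "not-a-serviceaccount", ":".join(parts)
    ns, name = parts[2], parts[3]
    if name not in bound_names or ns not in bound_namespaces:
        return "role-bound-mismatch", ns + "/" + name  # the Vault role would reject this pod
    return "ok", ns + "/" + name

# Constructed sample responses (not captured from a real cluster).
FORBIDDEN_403 = {"kind": "Status", "status": "Failure", "code": 403,
                 "message": 'forbidden: User "system:serviceaccount:default:vault-auth" cannot get path "/"'}
OK_201 = {"kind": "TokenReview", "status": {"authenticated": True,
          "user": {"username": "system:serviceaccount:default:default"}}}
```

Run `live_token_review` from a pod or VM in the Vault cluster with the app cluster's CA file and the two JWTs, then pass its result to `diagnose` together with the role's bound service account names and namespaces.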