使用服务帐户访问GKE中的Kubernetes API
[英]Accessing Kubernetes API in GKE using service accounts
问题描述
I have my Kubernetes cluster running in GKE I want to run an application outside the cluster and talk to the Kubernetes API. 
我的Kubernetes集群在GKE中运行,我想在集群外部运行一个应用程序,并与Kubernetes API对话。
By using password retrieved from running: 通过使用从运行中检索到的密码:
gcloud container clusters get-credentials cluster-2 --log-http
I am able to access the API with Basic authentication. 我可以使用基本身份验证来访问API。 But I want to create multiple Kubernetes service accounts and configure them with required authorization and use appropriately. 但我想创建多个Kubernetes服务帐户,并使用所需的授权对其进行配置并适当使用。
So, I created service accounts and obtained the tokens using: 因此,我使用以下方法创建了服务帐户并获得了令牌:
kubectl create serviceaccount sauser1
kubectl get serviceaccounts sauser1 -o yaml
kubectl get secret sauser1-token-<random-string-as-retrieved-from-previous-command> -o yaml
If I try to access the Kubernetes API with the obtained token using Bearer authentication then I get a 401 HTTP error. 如果我尝试使用Bearer身份验证使用获得的令牌访问Kubernetes API,则会收到401 HTTP错误。 I thought that some permissions may have to be set for the service account, so based on the documentation here , I created below YAML file: 我认为可能必须为服务帐户设置一些权限,因此根据此处的文档,我在YAML文件下面创建了该文件:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: pod-reader
subjects:
- kind: ServiceAccount
name: sauser1
namespace: default
roleRef:
kind: ClusterRole
name: pod-reader
apiGroup: rbac.authorization.k8s.io
and tried to apply it using the below command: 并尝试使用以下命令将其应用:
kubectl apply -f default-sa-rolebinding.yaml
I got the following error: 我收到以下错误:
clusterrolebinding "pod-reader" created
Error from server (Forbidden): error when creating "default-sa-rolebinding.yaml"
: clusterroles.rbac.authorization.k8s.io "pod-reader" is forbidden: attempt to g
rant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["g
et"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]} PolicyRule
{Resources:["pods"], APIGroups:[""], Verbs:["list"]}] user=&{xyz@gmail.
com [system:authenticated] map[authenticator:[GKE]]} ownerrules=[PolicyRule{Res
ources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:[
"create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healt
hz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/versi
on"], Verbs:["get"]}] ruleResolutionErrors=[]
I dont know how to proceed from here. 我不知道如何从这里开始。 Is my approach correct or am I missing something here? 我的方法正确吗?还是我在这里遗漏了什么?
UPDATE : As per the post referred by @JanosLenart in the comments, modified the kubectl command and the above error is not observed. 更新 :根据@JanosLenart在评论中引用的帖子,修改了kubectl命令,未观察到以上错误。 But accessing the API, still gives 401 error. 但是访问API仍然会出现401错误。 The curl command that I am using is: 我正在使用的curl命令是:
curl -k -1 -H "Authorization: Bearer <token>" https://<ip-address>/api/v1/namespaces/default/pods -v
2 个解决方案
解决方案1
4 2018-04-09 18:56:16
@Janos pointed out the potential problem, however I think you will need an actual Cloud IAM Service Account as well, because you said: @Janos指出了潜在的问题,但是我认为您也将需要一个实际的Cloud IAM服务帐户,因为您说:
I want to run an application outside the cluster [...]
If you're authenticating to GKE from outside, I believe you can only use the Google IAM identities. 如果您要从外部向GKE进行身份验证,我相信您只能使用Google IAM身份。 (I might be wrong, if so, please let me know.) (我可能是错的,如果是这样,请告诉我。)
In this case, what you need to do: 在这种情况下,您需要执行以下操作:
- Create an IAM service account and download a json key file of it. 创建一个IAM服务帐户并下载它的json密钥文件。
- set
GOOGLE_APPLICATION_CREDENTIALSto that file.将GOOGLE_APPLICATION_CREDENTIALS设置为该文件。 either:
之一: use RBAC like in your question to give permissions to the email address of the IAM Service Account
像您的问题一样使用RBAC授予对IAM服务帐户的电子邮件地址的权限 use IAM Roles to give the IAM Service Account on the GKE API (eg
Container Developerrole is usually sufficient)使用IAM角色在GKE API上提供IAM服务帐户(例如, Container Developer角色通常就足够了)
Use
kubectlcommand against the cluster (make sure you have a.kube/configfile with the cluster's IP/CA cert beforehand) with the environment variable above, it should work.对上面的环境变量对集群使用kubectl命令(确保事先具有集群的IP / CA证书的.kube/config文件),它应该可以工作。
解决方案2
0 2018-08-18 07:23:09
YMMV 因人而异
I managed to get it work without USING an actual Cloud IAM Service Account 我设法在没有使用实际Cloud IAM服务帐户的情况下使其正常工作
First, I decided to use an shell inside GKE's k8s cluster by running 首先,我决定通过运行以下命令在GKE的k8s集群中使用外壳程序:
kubectl run curl-random --image=radial/busyboxplus:curl -i --tty --rm
Second, I made sure I decoded my token by copying the token and then running through 其次,我确保通过复制令牌然后运行来解码令牌
pbpaste | base64 -D
Third, I created the rolebinding for the serviceaccount, NOT the username. 第三,我为服务帐户而不是用户名创建了角色绑定。
kubectl create clusterrolebinding shaoserverless-cluster-admin-binding --clusterrole=cluster-admin --serviceaccount=default:shaoserverless
The third step was particularly tricky but I got the inspiration since the error message used to be Unknown user \\"system:serviceaccount:default:shaoserverless\\"", 第三步特别棘手,但是我得到了启发,因为错误消息曾经是Unknown user \\"system:serviceaccount:default:shaoserverless\\"",
Lastly, then this works curl -k -1 -H "Authorization: Bearer <token>" https://<ip-address>/api/v1/namespaces/default/pods -v 最后,然后可以使用curl -k -1 -H "Authorization: Bearer <token>" https://<ip-address>/api/v1/namespaces/default/pods -v
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.