Unable to access vault server from different pods running in kubernetes cluster
I have set up the HashiCorp Vault server in Kubernetes. The Vault server works fine when accessed through the CLI or UI. I created another pod which runs my application. But I cannot access the Vault server from my application, which is running in a different pod.
I have tried using Cluster-IP:Port and IP:Port, but I always see the error Connection Refused.
service.yaml
apiVersion: v1
kind: Service
metadata:
  name: vault
  labels:
    run: vault
spec:
  type: ClusterIP
  ports:
  - port: 8080          # port clients inside the cluster connect to
    targetPort: 8200    # port the Vault container listens on
    protocol: TCP
    name: vault
  selector:
    run: vault
deployment.yaml
apiVersion: extensions/v1beta1   # on current clusters use apps/v1, which also requires spec.selector
kind: Deployment
metadata:
  name: vault
  labels:
    run: vault
spec:
  replicas: 1
  template:
    metadata:
      labels:
        run: vault
    spec:
      containers:
      - name: vault
        command: ["vault", "server", "-config", "/vault/config/vault.hcl"]
        image: "vault"
        imagePullPolicy: IfNotPresent
        securityContext:
          capabilities:
            add:
            - IPC_LOCK          # lets Vault mlock() memory so secrets are not swapped to disk
        volumeMounts:
        - name: configurations
          mountPath: /vault/config/vault.hcl
          subPath: vault.hcl
      volumes:
      - name: configurations
        configMap:
          name: vault
I need to access vault server from an application running in different pod within same cluster.
Please describe how you try to access Vault from the other pods.
Otherwise, if you don't see any error on your pods, you should be able to access Vault from other pods within the same namespace via the service name or the ClusterIP address, as you mentioned.
For troubleshooting purposes, I would advise you to run a sample Vault pod for testing, like below:
kubectl run vault-test --image=vault -l "app=vault-test"
Then exec into the new pod's shell via:
kubectl exec -it $(kubectl get pods --namespace default -l "app=vault-test" -o jsonpath="{.items[0].metadata.name}") -- sh
Then run the commands below to test:
export VAULT_ADDR=http://vault:8080   # "vault" is your service name
OR
export VAULT_ADDR=http://<ClusterIP of vault service>:8080
Then
vault status
You should see output like below:
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.0.1
Cluster Name    vault-cluster-f3e6e68d
Cluster ID      0280993f-5aee-4f97-b8e5-53f652fdc5ad
HA Enabled      false
Please let me know about the status of this troubleshooting.
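The procedure in the answer boils down to reaching the Service by name on the Service port (8080), which kube-proxy forwards to targetPort 8200 inside the Vault pod. A Connection Refused on the ClusterIP therefore usually means one of two things: no pod matches the Service selector (so there are no endpoints), or nothing is listening on the targetPort inside the selected pod, most often because the Vault tcp listener is bound to 127.0.0.1 instead of 0.0.0.0. The check below is an added example, not code from the question or the answer. It encodes those conditions against the manifests posted above, embedded here in the JSON shape that `kubectl get -o json` returns. The question does not show vault.hcl, so the two listener stanzas used here (one bound to loopback, one to all interfaces) are constructed assumptions, and the function names are mine.

```python
import re

# Constructed from the question's service.yaml, in the form
# `kubectl get svc vault -o json` would return (only the fields used here).
SERVICE = {
    "metadata": {"name": "vault", "namespace": "default"},
    "spec": {
        "type": "ClusterIP",
        "selector": {"run": "vault"},
        "ports": [{"name": "vault", "port": 8080, "targetPort": 8200, "protocol": "TCP"}],
    },
}

# Constructed from the question's deployment.yaml (pod template labels only).
DEPLOYMENT = {
    "metadata": {"name": "vault"},
    "spec": {"template": {"metadata": {"labels": {"run": "vault"}}}},
}

# Assumed vault.hcl listener stanzas; the real one is not shown in the question.
HCL_LOOPBACK = '''
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
'''
HCL_ALL_INTERFACES = '''
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
'''

_LISTENER_RE = re.compile(r'listener\s+"tcp"\s*\{[^}]*?address\s*=\s*"([^"]+)"', re.S)


def listener_address(hcl):
    """Return (host, port) of the first tcp listener in a vault.hcl string, or None."""
    m = _LISTENER_RE.search(hcl)
    if not m:
        return None
    host, _, port = m.group(1).rpartition(":")
    return host, int(port)


def vault_addr(service, scheme="http"):
    """VAULT_ADDR a client pod should use: the Service DNS name and the *Service* port,
    not the targetPort."""
    name = service["metadata"]["name"]
    ns = service["metadata"].get("namespace", "default")
    port = service["spec"]["ports"][0]["port"]
    return f"{scheme}://{name}.{ns}.svc:{port}"


def check_reachability(service, deployment, hcl):
    """Return a list of findings that would explain Connection Refused via the Service.
    An empty list means the Service, pod labels and listener are consistent."""
    findings = []
    selector = service["spec"]["selector"]
    labels = deployment["spec"]["template"]["metadata"]["labels"]
    if any(labels.get(k) != v for k, v in selector.items()):
        findings.append("selector does not match pod template labels: Service has no endpoints")
    target = service["spec"]["ports"][0]["targetPort"]
    addr = listener_address(hcl)
    if addr is None:
        findings.append("no tcp listener stanza found in vault.hcl")
        return findings
    host, port = addr
    if port != target:
        findings.append(f"Service targetPort is {target} but Vault listens on {port}")
    if host in ("127.0.0.1", "localhost", "::1"):
        findings.append(f"listener bound to {host}: unreachable from other pods, bind 0.0.0.0 instead")
    return findings


if __name__ == "__main__":
    print("client should use:", vault_addr(SERVICE))
    for label, hcl in (("loopback", HCL_LOOPBACK), ("all interfaces", HCL_ALL_INTERFACES)):
        print(label, "->", check_reachability(SERVICE, DEPLOYMENT, hcl) or ["ok"])
```

On a live cluster the equivalent of the selector check is `kubectl get endpoints vault` (an empty ENDPOINTS column means no pod is selected), and the equivalent of the listener check is `kubectl exec` into the Vault pod and confirming the process listens on 0.0.0.0:8200 rather than 127.0.0.1:8200; from the test pod, `vault status` against `http://vault:8080` exercises the whole path.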