
Using ansible k8s module: how to authenticate with certificates

I'm struggling to deploy the playbook below (adding a namespace to an Openshift 3.11 cluster):

---
- hosts: kubernetesmastergfm
  gather_facts: false
  vars:
   name_namespace: testingnamespace
  tasks:
   - name: Create a k8s namespace
     k8s:
      host: "https://{{ cluster.endpoint }}"
      ca_cert: "/etc/origin/master/ca.crt"      # <-- WHERE IS THIS IN OPENSHIFT 3.11?
      api_key: "/etc/origin/master/admin.key"   # <-- WHERE IS THIS IN OPENSHIFT 3.11?
      validate_certs: no
      name: pippo
      api_version: v1
      kind: Namespace
      state: present

I'm getting the error:

...
kubernetes.client.rest.ApiException: (401)
Reason: Unauthorized
HTTP response headers: HTTPHeaderDict({'Date': 'Tue, 16 Feb 2021 16:05:03 GMT', 'Content-Length': '129', 'Content-Type': 'application/json', 'Cache-Control': 'no-store'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}

I suspect that the certificates at the paths below are wrong: /etc/origin/master/ca.crt /etc/origin/master/admin.key

Any suggestion is welcome. Gian Filippo

The api_key parameter is the value of the ServiceAccount token. I think you should paste this token directly as the api_key parameter value, because providing the path to the file with the token doesn't seem to work.

I will describe the required steps with a simple example to illustrate how it works.

To find the token name associated with a specific ServiceAccount you can use:

# kubectl describe sa <SERVICE ACCOUNT NAME> | grep "Token"

# kubectl describe sa namespace-creator | grep "Token"
Tokens:              namespace-creator-token-hs6zn

And then to display the value of this token:

# kubectl describe secret <TOKEN NAME> | grep "token:"

# kubectl describe secret namespace-creator-token-hs6zn | grep "token:"
token:      ey(...)3Q

Finally pass this token value as the api_key parameter value:

---
...
  tasks:
   - name: Create a k8s namespace
     community.kubernetes.k8s:
      ...
      api_key: "ey(...)3Q"
      validate_certs: no
      ...

To find out where the CA certificate is located, you may look at the --client-ca-file parameter of the API server, e.g.:

# kubectl describe pod kube-apiserver-master -n kube-system | grep "client-ca-file"
      --client-ca-file=/etc/kubernetes/ssl/ca.crt
  

NOTE: If you are using validate_certs: no, you don't need to provide the ca_cert parameter.

Additionally, if you want, instead of api_key you can use kubeconfig with the path to an existing Kubernetes config file.

Finally, I found another way to authenticate to the (Openshift) API by using k8s_auth rather than k8s. The playbook should look like:

- hosts: localhost
  module_defaults:
    group/k8s:
      host: https://openshift-url:8443
      ca_cert: /etc/origin/master/ca.crt   # <<=== THIS IS THE RIGHT PATH FOR OCP 3.11
  tasks:
     - name: Log in (obtain access token)
       k8s_auth:
          username: xxxx
          password: yyyy
       register: k8s_auth_results
