Unable to connect to the server: x509: certificate is valid for 10.96.0.1, 192.168.3.10, not
HTTP token authentication: identifies a legitimate user by a token.
HTTPS certificate authentication: mutual (client and server) certificate authentication based on certificates signed by the CA root certificate.
HTTP Basic authentication: username + password; this only applies to versions before 1.19, later versions no longer support it.
root@ipo# kubectl cluster-info
Kubernetes control plane is running at https://172.31.9.115:6443
CoreDNS is running at https://172.31.9.115:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/pr

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
1. Generate a token with openssl
# openssl rand -hex 10
4bf42S36c8ff0a0fb
echo "4bf42S36c8ff0a0fb,admins8,3" > /etc/kubernetes/pki/amins8.csv
cat /etc/kubernetes/pki/amins8.csv
4bf42S36c8ff0a0fb,admins8,3
# Preview the replacement first (no -i, so the file is not modified)
sed '17a \ \ \ \ - --token-auth-file=/etc/kubernetes/pki/amins8.csv' /etc/kubernetes/manifests/kube-apiserver.yaml | grep -A 5 command
# Apply the sed replacement in place
sed -i '17a \ \ \ \ - --token-auth-file=/etc/kubernetes/pki/amins8.csv' /etc/kubernetes/manifests/kube-apiserver.yaml
# Check the result
cat -n /etc/kubernetes/manifests/kube-apiserver.yaml | grep -A 5 comma
root@ip-172# sed '17a \ \ \ \ - --token-auth-file=/etc/kubernetes/pki/amins8.csv' /ver.yaml | grep -A 5 command
- command:
- kube-apiserver
- --service-node-port-range=80-65535
- --advertise-address=172.31.9.115
- --token-auth-file=/etc/kubernetes/pki/amins8.csv
- --allow-privileged=true
root@ip-172# sed -i '17a \ \ \ \ - --token-auth-file=/etc/kubernetes/pki/amins8.csvserver.yaml
Check the modified startup parameters
root@ip-172# cat -n /etc/kubernetes/manifests/kube-apiserver.yaml | grep -A 5 comma
14 - command:
15 - kube-apiserver
16 - --service-node-port-range=80-65535
17 - --advertise-address=172.31.9.115
18 - --token-auth-file=/etc/kubernetes/pki/amins8.csv
19 - --allow-privileged=true
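The steps above (generate a token, write the CSV, splice the flag into the static-pod manifest) as one script. This is an added example, not the post's own commands: it assumes the token,user,uid[,"groups"] file format shown above and a kubeadm-style manifest with a "- kube-apiserver" command entry. Instead of the hard-coded line number 17 used by the sed command, it inserts the flag after the "- kube-apiserver" entry, so the placement survives a different line layout, and it refuses to add the flag twice. Paths are parameters; the ones in the usage comment are the post's.

```shell
#!/bin/sh
# Added example (not the original post's commands): static-token setup for
# kube-apiserver without relying on a fixed line number in the manifest.
# Assumptions: token file format token,user,uid[,"group1,group2"]; a
# kubeadm-style static-pod manifest with a "- kube-apiserver" command entry.
set -eu

# Generate a token the same way the post does (20 hex characters).
gen_token() {
    openssl rand -hex 10
}

# Check one token-file line: token,user,uid with optional quoted groups.
# The apiserver imposes no format on the token itself, so only the
# column structure is checked. Returns 0 when the line is well-formed.
check_token_line() {
    printf '%s\n' "$1" | grep -Eq '^[^,[:space:]]+,[^,[:space:]]+,[^,[:space:]]+(,"[^"]*")?$'
}

# Write the token file owner-only: it is a bearer credential for the API.
write_token_file() {
    file=$1 token=$2 user=$3 uid=$4
    line="$token,$user,$uid"
    check_token_line "$line" || { echo "malformed token line: $line" >&2; return 1; }
    ( umask 077; printf '%s\n' "$line" > "$file" )
    chmod 600 "$file"
}

# Add "- --token-auth-file=<file>" right after "- kube-apiserver" in the
# command list. Idempotent: an existing flag is left alone, not duplicated.
# Rewriting the manifest makes the kubelet restart the static apiserver pod.
add_token_flag() {
    manifest=$1 file=$2
    if grep -q -- '--token-auth-file=' "$manifest"; then
        echo "token-auth-file already configured in $manifest" >&2
        return 0
    fi
    tmp=$(mktemp)
    awk -v flag="    - --token-auth-file=$file" '
        { print }
        /^ *- kube-apiserver$/ && !done { print flag; done = 1 }
    ' "$manifest" > "$tmp"
    cat "$tmp" > "$manifest"   # keep the manifest's inode and permissions
    rm -f "$tmp"
}

# Show the resulting command block, as the post does with cat -n | grep.
show_command_block() {
    grep -n -A 5 -- '- command:' "$1"
}

# Usage (paths are the post's; run as root on the control-plane node):
# TOKEN=$(gen_token)
# write_token_file /etc/kubernetes/pki/amins8.csv "$TOKEN" admins8 3
# add_token_flag /etc/kubernetes/manifests/kube-apiserver.yaml /etc/kubernetes/pki/amins8.csv
# show_command_block /etc/kubernetes/manifests/kube-apiserver.yaml
```

The awk rewrite goes through a temporary file and then copies the content back so the manifest keeps its inode and mode; the kubelet still notices the content change and restarts the static pod, which is why the apiserver pod shows a fresh AGE in the listing that follows.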
Client access
[root@docker02 ~]# kubectl -s="https://你的公网IP:6443" --insecure-skip-tls-verify=true --token="4bf42S36c8ff0a0fb" get pods -n kube-system
NAME READY STATUS RESTARTS AGE
cilium-gpbfd 1/1 Running 0 17h
cilium-operator-5f6c65555d-h297t 1/1 Running 4 (52m ago) 17h
cilium-w8flp 1/1 Running 1 (3h55m ago) 17h
coredns-6d8c4cb4d-n8qgw 1/1 Running 0 17h
coredns-6d8c4cb4d-tgbjb 1/1 Running 0 17h
etcd-ip-172-31-9-115 1/1 Running 1 (3h55m ago) 17h
kube-apiserver-ip-172-31-9-115 1/1 Running 0 51m
kube-controller-manager-ip-172-31-9-115 1/1 Running 3 (52m ago) 17h
kube-proxy-2cc6p 1/1 Running 0 17h
kube-proxy-mmk97 1/1 Running 1 (3h55m ago) 17h
The command is long; an alias makes it easier to use
alias kubectl='kubectl -s="https://你的公网IP:6443" --insecure-skip-tls-verify=true --token="4bf42S36c8ff0a0fb"'
Save it, then reload the shell configuration:
source .bashrc
PS:
When a client outside the cluster accesses cluster information, the error below says the user just created has no permission to access it; that means authentication succeeded and only authorization is missing.
Error from server (Forbidden): pods is forbidden: User "admins" cannot list resource "pods" in API group "" in the namespace "kube-system"
If the token does not match the cluster's token file, we are told we are not authorized, i.e. authentication failed:
error: You must be logged in to the server (Unauthorized)
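The three messages on this page come from three different layers: the x509 error at the top is the TLS handshake rejecting the server certificate (its SANs do not include the address being used, which is why the post skips verification), "(Unauthorized)" is the authentication layer rejecting the token, and "(Forbidden)" is the authorization layer rejecting an authenticated user with no RBAC grant. The helper below, an added example and not part of the original post, classifies kubectl's error text accordingly; the probe function assumes kubectl is on PATH and takes server and token from the alias above.

```shell
#!/bin/sh
# Added example (not from the original post): tell which layer rejected a
# request from the error text kubectl prints.
classify_api_error() {
    case $1 in
        *"x509: certificate is valid for"*)
            # TLS: the server certificate's SANs do not cover the address
            # used. --insecure-skip-tls-verify hides this rather than fixing
            # it; a certificate whose SANs include the address does
            # (kubeadm: --apiserver-cert-extra-sans).
            echo tls-san-mismatch ;;
        *"(Unauthorized)"*)
            # 401: authentication failed, e.g. the token is not in the
            # token file the apiserver was started with.
            echo authentication-failed ;;
        *"(Forbidden)"*)
            # 403: authentication succeeded; the user has no RBAC grant
            # for this verb/resource/namespace.
            echo authorization-failed ;;
        *)
            echo unknown ;;
    esac
}

# Run a kubectl command and print "ok" or the category of its failure.
# Only stderr is captured; normal output is discarded.
probe() {
    err=$(kubectl "$@" 2>&1 >/dev/null) && { echo ok; return 0; }
    classify_api_error "$err"
}

# Usage: probe get pods -n kube-system
```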