2017-08-02 30 views

I am connecting Traefik to my Kubernetes 1.7.2 cluster. My cluster uses RBAC, and the toml guide does not contain anything about RBAC. How do I define RBAC in the traefik toml file?

I got the certificate by running the following (and put it in /root/projects/certs/ca.crt):

cat ~/.kube/config | grep client-certificate-data | tr -d ' ' | cut -d ":" -f2 | base64 -d

and the token by running:

kubectl get secrets default-token-mnxss -o jsonpath='{.data.token}' | base64 -d

My toml now looks like this:

InsecureSkipVerify = true

defaultEntryPoints = ["http", "https"] 

[entryPoints] 
[entryPoints.http] 
    address = ":80" 
[entryPoints.http.redirect] 
    entryPoint = "https" 
[entryPoints.https] 
    address = ":443" 
[entryPoints.https.tls] 

[[entryPoints.https.tls.certificates]] 
CertFile = "/certs/kubernetes.pem" 
KeyFile = "/certs/kubernetes-key.pem" 

[web] 
address = ":8080" 
ReadOnly = true 

[kubernetes] 
endpoint = "https://192.168.100.226:6443" 

token="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tbW54c3MiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImQxNjYxZWIyLTc1Y2EtMTFlNy1iY2Q4LTUyNTQwMDI2OGU5YSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.xHVMxmFm8e8SkfHQxaxh_UjocWeHr_GoAvkMfrZUyMrleqxj5LQg_fHfpaWNcKePF3AfLmDn7COILiPNAoknF9OqaQzSXRoch0i8omFIbTtf3d5fe7z3psHBCE827tdtnV_9VNejFWC6VWRhxmkHz6_9x1LeLvYWOXPet5_97A254UUvJVQouriq3Y9GqIZiWdCIzU4yC9wQbYCG5s_Sy9pVELsRAGuVNYMA6-UH4rjUDrtn0fBxah89XjBlqJ8FB1darByqmY0Ws-3IX6AB1PGPKrQdz9kI2Yzg_ftobUJNcjM3oeQ4acx4EO9zu_5WMl7PnrVfO3tWZHHXRa-6IA" 

certAuthFilePath = "/root/projects/certs/ca.crt" 

# Kubernetes server endpoint 
#endpoint = "http://localhost:8001" 
#endpoint = "https://192.168.100.226:6443" 
#namespaces = ["default","kube-system"] 

I still get:

ERROR: logging before flag.Parse: E0804 04:02:54.161007 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Service: the server does not allow access to the requested resource (get services) 
ERROR: logging before flag.Parse: E0804 04:02:54.161070 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1beta1.Ingress: the server does not allow access to the requested resource (get ingresses.extensions) 
ERROR: logging before flag.Parse: E0804 04:02:54.161089 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Endpoints: the server does not allow access to the requested resource (get endpoints) 
ERROR: logging before flag.Parse: E0804 04:02:54.162291 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Secret: the server does not allow access to the requested resource (get secrets) 
ERROR: logging before flag.Parse: E0804 04:02:55.174304 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Secret: the server does not allow access to the requested resource (get secrets) 
ERROR: logging before flag.Parse: E0804 04:02:55.174399 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Service: the server does not allow access to the requested resource (get services) 
ERROR: logging before flag.Parse: E0804 04:02:55.174474 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Endpoints: the server does not allow access to the requested resource (get endpoints) 
ERROR: logging before flag.Parse: E0804 04:02:55.176349 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1beta1.Ingress: the server does not allow access to the requested resource (get ingresses.extensions) 

Answer

The service account name does not go into the TOML configuration but into the spec of your Deployment/DaemonSet manifest.

The Traefik guide shows an example. The following is just the minimal YAML of a Deployment to see where the service account name needs to go, indentation-wise:

kind: Deployment
apiVersion: extensions/v1beta1
spec:
  template:
    spec:
      # the pod runs as this service account; its RBAC bindings grant the API access Traefik needs
      serviceAccountName: traefik-ingress-controller

Note that this example assumes you have set up the service account with the name traefik-ingress-controller and bound the appropriate RBAC rules to it. The guide also provides additional, consistent manifests for both.

If you want to run Traefik outside the cluster, you must set three parameters: endpoint, token, and certAuthFilePath. The token should be the one associated with the service account secret that Kubernetes creates automatically. To extract the token, do the following:

  1. Identify the name of your service account's secret via kubectl get secrets --namespace=<the service account's namespace>.
  2. Extract the token (note that all secrets are base64-encoded, so you need to decode): kubectl get secrets <the service account's secret> --namespace=<the service account's namespace> -o jsonpath='{.data.token}' | base64 -D

Finally, set that token in the TOML configuration file.

You can similarly get the CA certificate from the secret object. However, since it is public, it may be easier to access it from another location (e.g. the cluster's admin console or $HOME/.kube/config).
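Steps 1 and 2 above hand you a base64-encoded secret; the following added example (not part of this answer or of Traefik) decodes the token and ca.crt fields from the JSON shape `kubectl get secret <name> -o json` returns, reads the token's `sub` claim to confirm it belongs to the service account that carries the RBAC bindings (the question's token comes from a default-token-* secret, i.e. the default service account), and renders the [kubernetes] TOML section. The secret objects are constructed in-code so it runs offline; the JWT signature is a placeholder and is not verified.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, the way JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Decode a JWT segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_secret(namespace: str, sa_name: str) -> dict:
    """Constructed stand-in for `kubectl get secret <name> -o json` of a service-account token secret."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": "kubernetes/serviceaccount",
                                 "sub": f"system:serviceaccount:{namespace}:{sa_name}"}).encode())
    jwt = f"{header}.{claims}.constructed-signature"  # placeholder signature, not a valid one
    ca_pem = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n"
    return {"metadata": {"name": f"{sa_name}-token-abcde", "namespace": namespace},
            "data": {"token": base64.b64encode(jwt.encode()).decode(),
                     "ca.crt": base64.b64encode(ca_pem.encode()).decode()}}


def token_subject(token: str) -> str:
    """Read the `sub` claim of a service-account JWT. Claims only; no signature check here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))["sub"]


def check_secret(secret: dict, expected_sa: str) -> dict:
    """Decode token and CA from the secret; confirm the token belongs to expected_sa in its namespace."""
    token = base64.b64decode(secret["data"]["token"]).decode()
    ca_pem = base64.b64decode(secret["data"]["ca.crt"]).decode()
    want = f"system:serviceaccount:{secret['metadata']['namespace']}:{expected_sa}"
    subject = token_subject(token)
    return {"token": token, "ca_crt": ca_pem, "subject": subject, "ok": subject == want}


def kubernetes_toml(endpoint: str, token: str, ca_path: str) -> str:
    """Render the [kubernetes] section Traefik needs when it runs outside the cluster."""
    return (f"[kubernetes]\nendpoint = \"{endpoint}\"\n"
            f"token = \"{token}\"\ncertAuthFilePath = \"{ca_path}\"\n")
```

If `ok` is False, the token is not the RBAC-bound account's and the API server will keep refusing the list calls seen in the question's log. When taking the CA from kubeconfig instead of the secret, the relevant key is certificate-authority-data; client-certificate-data holds the client certificate.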

+0

Thanks @timo-reimann. I know about serviceAccountName in a Deployment, but I am not running traefik inside my Kubernetes cluster. I am running it outside. So I have no Deployment or DaemonSet. I need traefik to connect to the master and use the service account I created in the cluster, but I cannot find how in the docs. –

+0

Sorry, I did not realize that. I have extended my answer to explain how to extract the token from the service account's secret. –

+0

Hi @timo-reimann. I tried what you wrote, but no luck. I have updated my top post. The cluster is a test cluster on my laptop, so the certificates do not matter much to me. –