coreos - Kubernetes: how to enable API Server Bearer Token Auth?


I've been trying to enable token auth for HTTP REST API server access from a remote client.

I installed a CoreOS/k8s cluster controller using this script: https://github.com/coreos/coreos-kubernetes/blob/master/multi-node/generic/controller-install.sh

My cluster works fine. The TLS installation requires me to configure kubectl clients with client certs to access the cluster.

I tried to enable token auth by running:

    echo `dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null`

This gives me a token. I added the token to a token file on the controller containing the token and a default user:

    $> cat /etc/kubernetes/token
    3xq8w6iaourkxolh2yfpbgfxftbh0vn,default,default

I modified /etc/kubernetes/manifests/kube-apiserver.yaml to add:

    - --token-auth-file=/etc/kubernetes/token

to the startup param list.

I reboot (not sure of the best way to restart the API server itself??).

At this point, kubectl from the remote server quits working (won't connect). If I look at `docker ps` on the controller, I see the API server. If I run `docker logs container_id`, there is no output. If I look at the other docker containers I see output like:

    E0327 20:05:46.657679       1 reflector.go:188] pkg/proxy/config/api.go:33: failed to list *api.Endpoints: http://127.0.0.1:8080/api/v1/endpoints?resourceVersion=0: dial tcp 127.0.0.1:8080: getsockopt: connection refused

So it appears the api-server.yaml config is preventing the API server from starting properly....

Any suggestions on the proper way to configure API server bearer token REST auth?

It is possible to have both the TLS configuration and bearer token auth configured, right?

Thanks!

I think kube-apiserver dies because it can't find /etc/kubernetes/token. That's because on your deployment the apiserver is a static pod and therefore runs in a container, which in turn means it has a different root filesystem than the host.

Look at /etc/kubernetes/manifests/kube-apiserver.yaml and add a volume and volumeMount (I have omitted lines that don't need changing and don't help in locating the correct section):

    kind: Pod
    metadata:
      name: kube-apiserver
    spec:
      containers:
      - name: kube-apiserver
        command:
        - ...
        - --token-auth-file=/etc/kubernetes/token
        volumeMounts:
        - mountPath: /etc/kubernetes/token
          name: token-kubernetes
          readOnly: true
      volumes:
      - hostPath:
          path: /etc/kubernetes/token
        name: token-kubernetes

One more note: in the file you quoted, the token should not end in a . (dot) - maybe a copy-paste mistake, but check anyway. The format is documented under static token file:

    token,user,uid,"group1,group2,group3"

If the problem persists, execute the command below and post the output:

    journalctl -u kubelet | grep kube-apiserver
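The two failure modes the answer points at (a token file the container cannot see, and a malformed token line) are both checkable before restarting the kubelet. The script below is an added example, not code from the question, the answer, or the coreos-kubernetes project: it lints a static token file in the documented `token,user,uid,"group1,group2"` format and checks that a kube-apiserver static-pod manifest both passes `--token-auth-file=` and mounts that exact path from a hostPath volume. It assumes the manifest has already been parsed into a dict (for instance with `yaml.safe_load`), that tokens are alphanumeric as produced by the `urandom | base64 | tr -d "=+/"` pipeline in the question, and the function names and sample manifests are this example's own.

```python
"""Lint a Kubernetes static token file and the kube-apiserver static-pod manifest
that should mount it. Added example; assumes a manifest already parsed to a dict."""
import csv
import io
import re

# Tokens from the question's generator contain only [A-Za-z0-9] after tr -d "=+/".
TOKEN_RE = re.compile(r"^[A-Za-z0-9]+$")


def parse_token_file(text):
    """Parse token,user,uid,"group1,group2" lines; csv handles the quoted group list."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # blank line
        f = [x.strip() for x in row]
        groups = [g.strip() for g in f[3].split(",") if g.strip()] if len(f) > 3 else []
        entries.append({"token": f[0], "user": f[1] if len(f) > 1 else "",
                        "uid": f[2] if len(f) > 2 else "", "groups": groups,
                        "nfields": len(f)})
    return entries


def check_token_file(text):
    """Return a list of problems; an empty list means the file is usable."""
    problems, seen = [], set()
    for n, e in enumerate(parse_token_file(text), 1):
        if e["nfields"] not in (3, 4):
            problems.append(f"entry {n}: expected 3 or 4 fields, found {e['nfields']}")
            continue
        if not (e["token"] and e["user"] and e["uid"]):
            problems.append(f"entry {n}: token, user and uid must all be non-empty")
        if not TOKEN_RE.match(e["token"]):
            problems.append(f"entry {n}: token has unexpected characters (trailing dot or whitespace?)")
        if e["token"] in seen:
            problems.append(f"entry {n}: duplicate token")
        seen.add(e["token"])
    if not seen:
        problems.append("token file is empty")
    return problems


def check_apiserver_manifest(manifest):
    """Return problems with how --token-auth-file is wired into the container."""
    problems = []
    containers = manifest.get("spec", {}).get("containers", [])
    api = next((c for c in containers if c.get("name") == "kube-apiserver"), None)
    if api is None:
        return ["no container named kube-apiserver in manifest"]
    flag = next((a for a in api.get("command", []) + api.get("args", [])
                 if a.startswith("--token-auth-file=")), None)
    if flag is None:
        return ["--token-auth-file is not passed to kube-apiserver"]
    path = flag.split("=", 1)[1]
    # The static pod has its own root filesystem: the host file must be mounted in.
    mount = next((m for m in api.get("volumeMounts", [])
                  if path == m.get("mountPath")
                  or path.startswith(m.get("mountPath", "/").rstrip("/") + "/")), None)
    if mount is None:
        return [f"{path} is not under any volumeMount, so the container cannot read it"]
    if not mount.get("readOnly"):
        problems.append(f"volumeMount {mount.get('name')} should be readOnly: true")
    volumes = {v.get("name"): v for v in manifest["spec"].get("volumes", [])}
    vol = volumes.get(mount.get("name"))
    if vol is None:
        problems.append(f"volumeMount {mount.get('name')} has no matching volume")
    elif "hostPath" not in vol:
        problems.append(f"volume {mount.get('name')} is not a hostPath volume")
    return problems


# Constructed sample data mirroring the question and the answer (not real cluster files).
SAMPLE_TOKEN_FILE = '3xq8w6iaourkxolh2yfpbgfxftbh0vn,default,default,"system:masters,ops"\n'
BAD_TOKEN_FILE = "3xq8w6iaourkxolh2yfpbgfxftbh0vn.,default,default\n"  # trailing dot

MANIFEST_BROKEN = {  # flag added but no volume: the file is invisible inside the container
    "kind": "Pod", "metadata": {"name": "kube-apiserver"},
    "spec": {"containers": [{"name": "kube-apiserver",
                             "command": ["/hyperkube", "apiserver",
                                         "--token-auth-file=/etc/kubernetes/token"]}]},
}
MANIFEST_FIXED = {  # the answer's volume + volumeMount pair
    "kind": "Pod", "metadata": {"name": "kube-apiserver"},
    "spec": {
        "containers": [{"name": "kube-apiserver",
                        "command": ["/hyperkube", "apiserver",
                                    "--token-auth-file=/etc/kubernetes/token"],
                        "volumeMounts": [{"mountPath": "/etc/kubernetes/token",
                                          "name": "token-kubernetes", "readOnly": True}]}],
        "volumes": [{"hostPath": {"path": "/etc/kubernetes/token"}, "name": "token-kubernetes"}],
    },
}

if __name__ == "__main__":
    print("token file:", check_token_file(SAMPLE_TOKEN_FILE), check_token_file(BAD_TOKEN_FILE))
    print("manifest:", check_apiserver_manifest(MANIFEST_BROKEN), check_apiserver_manifest(MANIFEST_FIXED))
```

Run it against the real files with `yaml.safe_load(open("/etc/kubernetes/manifests/kube-apiserver.yaml"))` and the contents of `/etc/kubernetes/token`; an empty list from both checks means the kubelet-restarted apiserver will at least be able to open the file. The `readOnly` check is there because the apiserver never needs to write the token file, and a writable bind mount of a credential file into the control-plane container is needless exposure.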
