Proxy Mode API for child cluster: how to specify the user credentials #124
Comments
The Chinese text explains the same thing as the message above, just to make myself clearer: the only way I have managed to get through so far is to enable unauthenticated access on the child cluster, but that is not how a production cluster is run. A humble request for advice, thank you @dixudx.

@panpan0000 Thanks for using Clusternet. The kubeconfig you are using is not correct. Please follow "Visiting ManagedCluster with RBAC" to construct a valid kubeconfig to access child clusters.
And

@panpan0000 I've created a PR to demonstrate

Below (following your PR https://github.com/clusternet/clusternet/pull/125/files) now works ✅

Copied. I missed the part about user impersonation.
I found the theory behind it: good job and thank you @dixudx
What happened:
When following the guide: https://github.com/clusternet/clusternet#visit-managedcluster-with-rbac
There is a problem with how to pass the user credentials to the managed cluster.
I get the error "forbidden: User "system:anonymous" cannot get path "/api"".
The api-server does not set --anonymous-auth=false explicitly.

What you expected to happen:
Use curl + token to access the Child Cluster API, or use kubectl to access it.
How to reproduce it (as minimally and precisely as possible):
In both proxy/https mode and proxy/direct mode, you have to find a way to satisfy the auth of the **Child Cluster**. So I tried to specify the cert/key in the kube.conf, or a token in the curl header (--header "Authorization: Bearer $TOKEN"). It looks like this (using curl to access the child cluster through the HTTP proxy):
At first, I thought the TOKEN should be a token authorized by the CHILD cluster, so I picked an admin-privileged token of the child cluster.
Before sending it to the Hub Cluster, I verified the token by accessing the Child Cluster directly, without Clusternet. The token is good. ✅
But with the Clusternet proxy, using the same $TOKEN (Child Cluster token), it failed. ❌ I believe this is because the Hub Cluster rejects this token, so the first gate (Hub Cluster AuthZ) blocks the request.
OK, I changed $TOKEN to the Hub Cluster admin token. Now I can access the Child Cluster's /healthz (this API does not require auth), ✅ like below:
But it still fails for other APIs (like /apis/v1/nodes). ❌ The error is:
Same problem: I'm also confused about the user config in the kube-config. For the Child Cluster configuration in kube.conf:
- certificate-authority-data should be the Hub-Cluster cert
- user: I copied client-certificate-data and client-key-data from the child cluster kube config file.
Below is my kubectl config; the failure was:
Anything else we need to know?:
Environment:
- clusternet-agent version (clusternet-agent --version=json): latest, 0.4.0
- clusternet-hub version (clusternet-hub --version=json): 0.4.0
- Kubernetes version (kubectl version): k8s 1.19.13 (built by kubeadm); kubectl binary v1.18.20
- OS (cat /etc/os-release):
- Kernel (uname -a):
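The two-gate model this thread converges on, as an added example that is neither the issue author's config nor Clusternet's own code: the hub authenticates the caller with a hub credential (gate 1), and the child cluster's credential is carried inside Kubernetes impersonation so the child apiserver sees it instead of system:anonymous (gate 2). The proxy path (/apis/proxies.clusternet.io/v1alpha1/sockets/<child-cluster-id>/proxy/direct), the impersonated user name `clusternet`, and the extras `clusternet-token` / `clusternet-certificate` / `clusternet-privatekey` are assumptions taken from the README section linked in this issue; check them against the Clusternet version you run. Every host, cluster id, CA and token in the block is a constructed placeholder.

```python
"""Credentials for a Clusternet proxy-mode request: a hub credential gets the
request through the hub (gate 1), and the child credential rides inside
Kubernetes impersonation headers so the child apiserver sees it (gate 2).

Added example, not Clusternet's own code and not the issue author's config.
Assumptions (from the README section linked in the issue; verify against the
Clusternet version you run):
  * the hub proxies a child under
    /apis/proxies.clusternet.io/v1alpha1/sockets/<child-cluster-id>/proxy/direct
  * the caller impersonates the user "clusternet" and puts the child credential
    in the impersonation extras clusternet-token, or clusternet-certificate plus
    clusternet-privatekey (client-go sends these as Impersonate-Extra-<Key>).
Every host, cluster id, CA and token below is a constructed placeholder.
"""
import base64

PROXY_PREFIX = "/apis/proxies.clusternet.io/v1alpha1/sockets/"
IMPERSONATED_USER = "clusternet"  # assumed, per the README


def proxy_server(hub_api: str, child_id: str) -> str:
    """The `server:` a proxy-mode kubeconfig points at: the hub, never the child."""
    return f"{hub_api.rstrip('/')}{PROXY_PREFIX}{child_id}/proxy/direct"


def proxy_headers(hub_token: str, child_token: str) -> dict:
    """curl headers: gate 1 reads Authorization, gate 2 reads the child token."""
    return {
        "Authorization": f"Bearer {hub_token}",             # hub credential
        "Impersonate-User": IMPERSONATED_USER,              # needs impersonate RBAC on the hub
        "Impersonate-Extra-Clusternet-Token": child_token,  # child credential (assumed name)
    }


def proxy_kubeconfig(hub_api: str, hub_ca_pem: bytes, child_id: str,
                     hub_token: str, child_token: str) -> dict:
    """kubectl equivalent of proxy_headers(); `as` and `as-user-extra` are the
    standard kubeconfig impersonation fields."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": "child-via-hub", "cluster": {
            "server": proxy_server(hub_api, child_id),
            # TLS terminates at the hub, so this is the hub CA, not the child's
            "certificate-authority-data": base64.b64encode(hub_ca_pem).decode(),
        }}],
        "users": [{"name": "hub-user", "user": {
            "token": hub_token,                                    # hub credential
            "as": IMPERSONATED_USER,
            "as-user-extra": {"clusternet-token": [child_token]},  # child credential
        }}],
        "contexts": [{"name": "child-via-hub",
                      "context": {"cluster": "child-via-hub", "user": "hub-user"}}],
        "current-context": "child-via-hub",
    }


def lint_proxy_kubeconfig(cfg: dict) -> list:
    """Name the gate a proxy-mode kubeconfig will fail at, in the order the issue hit them."""
    ctx = next(c["context"] for c in cfg["contexts"] if c["name"] == cfg["current-context"])
    cluster = next(c["cluster"] for c in cfg["clusters"] if c["name"] == ctx["cluster"])
    user = next(u["user"] for u in cfg["users"] if u["name"] == ctx["user"])
    findings = []
    if PROXY_PREFIX not in cluster.get("server", ""):
        findings.append("server is not the hub proxy path; kubectl would bypass the hub")
    # A client cert here is presented to the hub, so it must be one the hub trusts;
    # the child cluster's cert/key pair (what the issue tried) is not.
    hub_cred = "token" in user or {"client-certificate-data", "client-key-data"} <= set(user)
    if not hub_cred:
        findings.append("gate 1 (hub): no credential, the hub treats the caller as system:anonymous")
    extra = user.get("as-user-extra", {})
    child_cred = "clusternet-token" in extra or {"clusternet-certificate", "clusternet-privatekey"} <= set(extra)
    if user.get("as") != IMPERSONATED_USER or not child_cred:
        findings.append('gate 2 (child): no impersonated child credential, the child answers '
                        '\'User "system:anonymous" cannot get path\'')
    return findings


if __name__ == "__main__":
    ca = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed placeholder...\n-----END CERTIFICATE-----\n"
    good = proxy_kubeconfig("https://hub.example.internal:6443", ca, "child-a", "HUB_TOKEN", "CHILD_TOKEN")
    print("good config:", lint_proxy_kubeconfig(good) or "ok")
    # What the issue tried: the child's cert/key in `user`, no impersonation at all.
    like_issue = proxy_kubeconfig("https://hub.example.internal:6443", ca, "child-a", "", "")
    u = like_issue["users"][0]["user"]
    del u["token"], u["as"], u["as-user-extra"]
    u.update({"client-certificate-data": "CHILD_CERT_B64", "client-key-data": "CHILD_KEY_B64"})
    for finding in lint_proxy_kubeconfig(like_issue):
        print("issue-style config:", finding)
```

kubectl accepts a JSON-serialized kubeconfig, so `json.dump(proxy_kubeconfig(...), f)` and `--kubeconfig` are enough to try the generated config. Two caveats the lint cannot check statically: the hub token's identity needs RBAC on the hub for the `impersonate` verb on `users` and on `userextras/<key>` in the authentication.k8s.io group (standard Kubernetes impersonation rules), and the child credential must be one the child apiserver itself would accept, exactly as the issue author verified before going through the hub.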