這個賞金已經結束。此問題的答案有資格獲得 500聲望賞金。賞金寬限期在14 小時后結束。 pkaramol希望引起更多關注這個問題:
我想要 - 注入 istio 的 webhook pod - 我的 webhook 可以正常作業
我有以下MutatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: example-webhook
webhooks:
- name: example-webhook.default.svc.cluster.local
admissionReviewVersions:
- "v1beta1"
sideEffects: "None"
timeoutSeconds: 30
objectSelector:
matchLabels:
example-webhook-enabled: "true"
clientConfig:
service:
name: example-webhook
namespace: default
path: "/mutate"
caBundle: "LS0tLS1CR..."
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
我想在啟用了嚴格 TLS 模式的啟用命名空間中注入webhookpod 。istioistio
因此,(我認為)我的服務中不需要 TLS,example-webhook因此它的制作如下:
apiVersion: v1
kind: Service
metadata:
name: example-webhook
namespace: default
spec:
selector:
app: example-webhook
ports:
- port: 80
targetPort: webhook
name: webhook
但是,當創建一個Pod(確實會觸發 webhook)時,我收到以下錯誤:
? k create -f demo-pod.yaml
Error from server (InternalError): error when creating "demo-pod.yaml": Internal error occurred: failed calling webhook "example-webhook.default.svc.cluster.local": Post "https://example-webhook.default.svc:443/mutate?timeout=30s": no service port 443 found for service "example-webhook"
我不能將 webhook 配置為不被呼叫443而是被呼叫80嗎?無論哪種方式,TLS 終止都是由istiosidecar 完成的。
有沒有辦法使用VirtualService/解決這個問題DestinationRule?
編輯:最重要的是,為什么它試圖到達example-webhook.default.svc端點中的服務?(雖然它應該這樣做example-webhook.default.svc.cluster.local)?
更新 1
我嘗試使用https如下:
我使用 istio 的 CA 創建了證書和私鑰。
我可以驗證證書中的 DNS 名稱是否有效,如下所示(來自另一個 pod)
echo | openssl s_client -showcerts -servername example-webhook.default.svc -connect example-webhook.default.svc:443 2>/dev/null | openssl x509 -inform pem -noout -text
...
Subject: C = GR, ST = Attica, L = Athens, O = Engineering, OU = FOO, CN = *.cluster.local, emailAddress = [email protected]
...
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.default.svc.cluster.local, DNS:example-webhook, DNS:example-webhook.default.svc
...
但現在 pod 創建失敗如下:
? k create -f demo-pod.yaml
Error from server (InternalError): error when creating "demo-pod.yaml": Internal error occurred: failed calling webhook "example-webhook.default.svc.cluster.local": Post "https://example-webhook.default.svc:443/mutate?timeout=30s": x509: certificate is not valid for any names, but wanted to match example-webhook.default.svc
更新 2
istio運行 webhook pod 的證書是使用CA 證書適當創建的這一事實也得到了驗證。
curl --cacert istio_cert https://example-webhook.default.svc
Test
istio_cert包含 istio 的 CA 證書的檔案在哪里
到底是怎么回事?
uj5u.com熱心網友回復:
不確定是否可以在埠 80 上使用 webhook ...
也許其中一些對您有用,我使用以下腳本生成證書,您可以更改它以滿足您的需要:
#!/bin/bash
set -e
service=webhook-svc
namespace=default
secret=webhook-certs
csrName=${service}.${namespace}
cat <<EOF >> csr.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${service}
DNS.2 = ${service}.${namespace}
DNS.3 = ${service}.${namespace}.svc
EOF
openssl genrsa -out server-key.pem 2048
openssl req -new -key server-key.pem -subj "/CN=${service}.${namespace}.svc" -out server.csr -config csr.conf
kubectl delete csr ${csrName} 2>/dev/null || true
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: ${csrName}
spec:
groups:
- system:authenticated
request: $(< server.csr base64 | tr -d '\n')
usages:
- digital signature
- key encipherment
- server auth
EOF
sleep 5
kubectl certificate approve ${csrName}
for i in {1 .. 10}
do
serverCert=$(kubectl get csr ${csrName} -o jsonpath='{.status.certificate}')
if [[ ${serverCert} != '' ]]; then
break
fi
sleep 1
done
if [[ ${serverCert} == '' ]]; then
echo "ERROR: After approving csr ${csrName}, the signed certificate did not appear on the resource. Giving up after 10 attempts." >&2
exit 1
fi
echo "${serverCert}" | openssl base64 -d -A -out server-cert.pem
# create the secret with CA cert and server cert/key
kubectl create secret generic ${secret} \
--from-file=key.pem=server-key.pem \
--from-file=cert.pem=server-cert.pem \
--dry-run -o yaml |
kubectl -n ${namespace} apply -f -
該腳本創建了一個秘密,然后我將其掛載到 webhook 中,deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: webhook-deployment
namespace: default
labels:
app: webhook
annotations:
sidecar.istio.io/inject: "false"
spec:
replicas: 1
selector:
matchLabels:
app: webhook
template:
metadata:
labels:
app: webhook
annotations:
sidecar.istio.io/inject: "false"
spec:
containers:
- name: webhook
image: webhook:v1
imagePullPolicy: IfNotPresent
volumeMounts:
- name: webhook-certs
mountPath: /certs
readOnly: true
volumes:
- name: webhook-certs
secret:
secretName: webhook-certs
服務.yaml:
apiVersion: v1
kind: Service
metadata:
name: webhook-svc
namespace: default
labels:
app: webhook
spec:
ports:
- port: 443
targetPort: 8443
selector:
app: webhook
uj5u.com熱心網友回復:
您是否嘗試在 MutatingWebhookConfiguration 中添加埠屬性
clientConfig:
service:
name: example-webhook
namespace: default
path: "/mutate"
port: 80
uj5u.com熱心網友回復:
您可以嘗試更改值
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: ${csrName}
spec:
groups:
- system:authenticated
request: $(< server.csr base64 | tr -d '\n')
usages:
- digital signature
- key encipherment
- server auth
EOF
轉載請註明出處,本文鏈接:https://www.uj5u.com/shujuku/490868.html
標籤:ssl Kubernetes 网络挂钩 TLS1.2 istio
上一篇:在Wildfly17中啟用SSL:瀏覽器顯示證書無效
下一篇:PikaAmqps連接:使用AMQPConnectorAMQPHandshakeError完成連接嘗試:IncompatibleProtocolError
