Comments (5)
Below (following your PR https://github.com/clusternet/clusternet/pull/125/files) now works ✅
TOKEN is the child cluster admin SA token:
curl -H "Accept: application/json" -H "Impersonate-User: clusternet" -H "Impersonate-Extra-Clusternet-Token: $TOKEN" -H "Authorization: Basic system:anonymous" https://${HUB_CLUSTER_IP}:6443/apis/proxies.clusternet.io/v1alpha1/sockets/7a93727c-6609-45bc-8c3e-6556cb89cc2b/proxy/https/${CHILD_CLUSTER_IP}:6443/api/v1/nodes -k
from clusternet.
The Chinese text below explains the same as the message above, just to make myself clearer.
To add a Chinese version:
Accessing the child cluster through the parent cluster's API Aggregation: how is the authentication/authorization problem solved?
This is a plain k8s cluster set up with kubeadm, with no special settings.
When we curl the child cluster API proxied by AA, we need to satisfy both (1) the parent cluster's authentication/authorization and (2) the child cluster's authentication/authorization.
(1) actually needs nothing done, because sockets.proxies.clusternet.io is already granted to the anonymous user in the clusterrolebinding (clusternet:system:socketsproxy).
(2) The child cluster's authorization cannot be avoided. But neither curl nor kubectl can pass the TOKEN or certificate through. If I curl -H "Authorization: Bearer $TOKEN", this TOKEN is intercepted by the Hub cluster's api-server and is not passed down to the child cluster. So I have no way to call the child cluster through ClusterNet's Proxy API.
The only way I can get through at the moment is to start an unauthenticated kubectl proxy on the child cluster: kubectl proxy --address='$MYIP' --accept-hosts='^*$' --port=8080
But this is not a practice for production clusters.
Humbly asking for advice, thanks @dixudx
@panpan0000 Thanks for using Clusternet.
The kubeconfig you are using is not correct. Please follow "Visiting ManagedCluster with RBAC" to construct a valid kubeconfig to access child clusters.
Clusternet DOES support visiting all your managed clusters with RBAC. And Clusternet does not care about those credentials (tokens, keys/certificates) at all, passing them directly to child clusters. That means all the authentication/authorization are handled by child clusters. What the parent cluster does is just allowing forwarding these proxies requests to child clusters. And related RBACs are already declared when you deploy clusternet-hub.
@panpan0000 I've created a PR to demonstrate curl usage. Please take a look.
Copied. I missed that part about user impersonation:
user:
  username: system:anonymous
  as: clusternet
  as-user-extra:
    clusternet-token:
    - BASE64-DECODED-PLEASE-CHANGE-ME
I found the theory behind it:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation
Good job and thank you @dixudx
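As an added illustration (not code from this thread or from the Clusternet project), the Python below maps the kubeconfig impersonation stanza from the last comment onto the HTTP headers kubectl emits, which is exactly what the curl command in the first comment spells out by hand, and parses a proxied request path back into socket UID, child host and child API path, the split someone reading these requests in the hub API server's audit log needs. The header mapping follows the Kubernetes user-impersonation documentation linked above; the hub and child addresses, the child token and the Authorization value are placeholders, and the socket UID is the one quoted in the thread's curl command.

```python
from urllib.parse import quote

# Constructed sample values, not taken from a live cluster. The socket UID is the
# one quoted in the thread's curl command; hosts, token and the Authorization
# value are placeholders.
HUB = "https://HUB_CLUSTER_IP:6443"
SOCKET_UID = "7a93727c-6609-45bc-8c3e-6556cb89cc2b"
CHILD = "CHILD_CLUSTER_IP:6443"
CHILD_TOKEN = "CHILD-ADMIN-SA-TOKEN-PLACEHOLDER"
PROXY_PREFIX = "/apis/proxies.clusternet.io/v1alpha1/sockets/"

# The kubeconfig "user" stanza in the shape the last comment shows: the hub sees
# an anonymous caller impersonating "clusternet", and the child-cluster token
# rides along as an impersonation extra that the hub forwards unchanged.
KUBECONFIG_USER = {
    "username": "system:anonymous",
    "as": "clusternet",
    "as-user-extra": {"clusternet-token": [CHILD_TOKEN]},
}


def canonical_header(name):
    """Mimic Go's CanonicalMIMEHeaderKey: capitalise the first letter of each
    hyphen-separated part and lowercase the rest (net/http does this on Set)."""
    return "-".join(p[:1].upper() + p[1:].lower() for p in name.split("-"))


def impersonation_headers(user):
    """Translate kubeconfig impersonation fields into the headers kubectl sends.

    as            -> Impersonate-User
    as-groups     -> Impersonate-Group        (one header value per group)
    as-user-extra -> Impersonate-Extra-<key>  (one value per entry; key percent-escaped)
    Multi-valued headers are returned as lists.
    """
    headers = {}
    if user.get("as"):
        headers["Impersonate-User"] = user["as"]
    if user.get("as-groups"):
        headers["Impersonate-Group"] = list(user["as-groups"])
    for key, values in user.get("as-user-extra", {}).items():
        headers[canonical_header("Impersonate-Extra-" + quote(key, safe=""))] = list(values)
    return headers


def header_lines(headers):
    """Flatten to 'Name: value' lines, one per value, i.e. one curl -H each."""
    lines = []
    for name, value in headers.items():
        for v in (value if isinstance(value, list) else [value]):
            lines.append(f"{name}: {v}")
    return lines


def proxy_url(hub, socket_uid, scheme, child, child_path):
    """Hub AA path + socket UID + scheme and host of the child + the child API path."""
    return f"{hub}{PROXY_PREFIX}{socket_uid}/proxy/{scheme}/{child}{child_path}"


def parse_proxy_path(path):
    """Inverse of proxy_url for the path part (e.g. requestURI in the hub's API
    server audit log). Returns None for anything that is not a socket proxy request."""
    if not path.startswith(PROXY_PREFIX):
        return None
    parts = path[len(PROXY_PREFIX):].split("/", 4)
    if len(parts) < 5 or parts[1] != "proxy":
        return None
    uid, _, scheme, host, child_path = parts
    return {"socket_uid": uid, "scheme": scheme, "child": host, "child_path": "/" + child_path}


def build_request(user, authorization=None):
    """The full request the thread's curl issues by hand: proxied URL plus headers.
    The Authorization value is passed through as given (placeholder in this sample)."""
    headers = impersonation_headers(user)
    if authorization:
        headers["Authorization"] = authorization
    url = proxy_url(HUB, SOCKET_UID, "https", CHILD, "/api/v1/nodes")
    return url, headers


if __name__ == "__main__":
    url, headers = build_request(KUBECONFIG_USER, authorization="Basic system:anonymous")
    print("curl -k " + " ".join(f'-H "{h}"' for h in header_lines(headers)) + f" {url}")
    print(parse_proxy_path(url[len(HUB):]))
```

Running the block prints the curl command line equivalent to the one in the first comment and the parsed components of its path. Because the child credential travels in an `Impersonate-Extra-*` header rather than in `Authorization`, the hub never evaluates it as its own credential, which is what the maintainer's "passing them directly to child clusters" describes; `parse_proxy_path` is the piece to reuse when correlating hub audit entries with the child cluster and API path they were actually forwarded to.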