
Comments (5)

panpan0000 avatar panpan0000 commented on June 22, 2024 1

Below (following your PR https://github.com/clusternet/clusternet/pull/125/files ) now works ✅
TOKEN is the child cluster admin SA token

curl -H "Accept: application/json" -H "Impersonate-User: clusternet" -H "Impersonate-Extra-Clusternet-Token: $TOKEN" -H "Authorization: Basic system:anonymous" https://${HUB_CLUSTER_IP}:6443/apis/proxies.clusternet.io/v1alpha1/sockets/7a93727c-6609-45bc-8c3e-6556cb89cc2b/proxy/https/${CHILD_CLUSTER_IP}:6443/api/v1/nodes -k

from clusternet.

panpan0000 avatar panpan0000 commented on June 22, 2024

The Chinese text below explains the same as the message above, just to make myself clearer.
Supplementing in Chinese:
Accessing the child cluster through the parent cluster's API Aggregation: how is the authentication/authorization problem solved?
This is a plain k8s cluster set up with kubeadm, with no special settings.
When we curl the child cluster API proxied by AA, we need to satisfy both (1) the parent cluster's authentication/authorization and (2) the child cluster's authentication/authorization.
(1) actually does not need to be done, because sockets.proxies.clusternet.io is already granted to the anonymous user in the clusterrolebinding (clusternet:system:socketsproxy).
(2) The child cluster's authorization cannot be avoided. But neither curl nor kubectl can pass the TOKEN or certificate through. If I curl -H "Authorization: Bearer $TOKEN", this TOKEN is intercepted by the Hub cluster's api-server and is not passed on to the child cluster. So I have no way to call the child cluster through ClusterNet's Proxy API.

Currently my only way to get through is to start an unauthenticated kubectl proxy on the child cluster: kubectl proxy --address='$MYIP' --accept-hosts='^*$' --port=8080

But this is not a production-cluster practice.

A humble question, thank you @dixudx

dixudx avatar dixudx commented on June 22, 2024

@panpan0000 Thanks for using Clusternet.

The kubeconfig you are using is not correct. Please follow Visiting ManagedCluster with RBAC to construct a valid kubeconfig to access child clusters.

Clusternet DOES support visiting all your managed clusters with RBAC.

And Clusternet does not care about those credentials (tokens, keys/certificates) at all, passing them directly to child clusters. That means all the authentication/authorization is handled by child clusters. What the parent cluster does is just allow forwarding these proxy requests to child clusters. And the related RBACs are already declared when you deploy clusternet-hub.

dixudx avatar dixudx commented on June 22, 2024

@panpan0000 I've created a PR to demonstrate curl usage. Please take a look.

panpan0000 avatar panpan0000 commented on June 22, 2024

Copied. I missed that part about user impersonation:

  user:
    username: system:anonymous
    as: clusternet
    as-user-extra:
        clusternet-token:
            - BASE64-DECODED-PLEASE-CHANGE-ME

I found the theory behind it:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation

good job and Thank you @dixudx
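As an added example (not code from the clusternet project or from the commenters), here is how the kubeconfig impersonation stanza above maps onto the headers of the curl command in the first comment. The proxy URL pattern is taken from that curl; the canonicalisation of the extra key into the `Impersonate-Extra-Clusternet-Token` header is an assumption based on the same curl.

```python
import base64

# Added example; the clusternet project does not ship this helper.


def child_token_from_secret(secret_data_token: str) -> str:
    """Secret .data values are base64; the kubeconfig wants the decoded token
    (hence the BASE64-DECODED-PLEASE-CHANGE-ME placeholder in the thread)."""
    return base64.b64decode(secret_data_token).decode()


def proxy_server_url(hub_ip: str, socket_uid: str, child_ip: str,
                     child_port: int = 6443) -> str:
    """Proxy URL pattern copied from the curl command in the thread."""
    return (f"https://{hub_ip}:6443/apis/proxies.clusternet.io/v1alpha1"
            f"/sockets/{socket_uid}/proxy/https/{child_ip}:{child_port}")


def impersonation_user(child_token: str) -> dict:
    """kubeconfig 'user' stanza: anonymous on the hub, impersonating 'clusternet',
    carrying the child cluster token as an impersonation extra."""
    return {"username": "system:anonymous",
            "as": "clusternet",
            "as-user-extra": {"clusternet-token": [child_token]}}


def headers_for_user(user: dict) -> dict:
    """HTTP headers equivalent to the stanza. Assumption: the extra key is
    canonicalised as in the thread's curl (clusternet-token -> Clusternet-Token)."""
    headers = {"Accept": "application/json",
               "Authorization": "Basic " + user["username"],  # as in the thread's curl
               "Impersonate-User": user["as"]}
    for key, values in user.get("as-user-extra", {}).items():
        canonical = "-".join(part.capitalize() for part in key.split("-"))
        headers["Impersonate-Extra-" + canonical] = values[0]
    return headers


def build_kubeconfig(hub_ip: str, socket_uid: str, child_ip: str,
                     child_token: str, name: str = "child") -> dict:
    """Full kubeconfig as a dict (serialise with yaml.safe_dump if desired).
    insecure-skip-tls-verify mirrors the curl's -k; in production set
    certificate-authority-data for the hub instead."""
    cluster = {"server": proxy_server_url(hub_ip, socket_uid, child_ip),
               "insecure-skip-tls-verify": True}
    return {"apiVersion": "v1", "kind": "Config",
            "clusters": [{"name": name, "cluster": cluster}],
            "users": [{"name": name, "user": impersonation_user(child_token)}],
            "contexts": [{"name": name, "context": {"cluster": name, "user": name}}],
            "current-context": name}
```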
