albertrdixon / romulus

A kubernetes ingress controller
MIT License

Coreos/Kubernetes/Client certificate authentication #15

Open ghost opened 8 years ago

ghost commented 8 years ago

Hi,

I tried the recent release of Coreos/Kubernetes (https://github.com/coreos/coreos-kubernetes/blob/v0.1.0/Documentation/kubernetes-on-aws.md) and they are using client certificate authentication. Is it possible to have romulus deal with certificate authentication?

Cheers, Luc

danehans commented 8 years ago

I believe I have this same issue. I am using cert auth in my kube cluster and I cannot get example [1] to work. The romulus container within the ingress-controller-v1 pod is not starting due to the following error:

$ kubectl logs ingress-controller-v1-rr5k7 -c romulus --namespace=kube-system
Pod "ingress-controller-v1-rr5k7" in namespace "kube-system": container "romulus" is in waiting state.

[2] provides the details of my kubectl config. Does romulus support token-based auth?

[1] https://github.com/timelinelabs/romulus/blob/master/examples/romulus-rc.yaml
[2] https://gist.github.com/danehans/57362949eaedf8529e85

cmoad commented 8 years ago

I thought this was a blocker too, but I looked into it and I see that the service account is being tried first, so this should just work if you run inside a k8s pod. I am trying it out now and will report back if I can't get it to work.

https://github.com/timelinelabs/romulus/blob/dev/kubernetes/kubernetes.go#L79

Update: This isn't working for my use case of having a pod launched by kubelet defined in the /etc/kubernetes/manifests directory because these don't have a serviceaccount mounted. (ref: https://github.com/kubernetes/kubernetes/issues/16230)

cescoferraro commented 8 years ago

@danehans How are you starting the api-server? You need to have Kubernetes ServiceAccount enabled and working. The kubelet needs a --service-account-private-key-file flag as well.

--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota \
                          --service-account-key-file=/home/core/kube-ssl/server.key \

If you do not know about the flags, test whether you have got it working or not: the line below should return something.

core@master ~ $ kubectl --all-namespaces=1 get secrets
NAMESPACE     NAME                  TYPE                                  DATA      AGE
blog          default-token-hpwrn   kubernetes.io/service-account-token   3         1h
default       default-token-pa35b   kubernetes.io/service-account-token   3         3h
kube-system   default-token-269ge   kubernetes.io/service-account-token   3         3h
myapp         default-token-hk0yf   kubernetes.io/service-account-token   3         1h

minikiller commented 8 years ago

@cescoferraro Can you run the example well? I still cannot validate that romulus can proxy the blog pods. I do not know how to log Etcd. I do not know how to access the blog pod in a browser. Can you help me? Thanks!

cescoferraro commented 8 years ago

I ran the example with the --validate=false flag. I have added all my achievements to #27. As far as I know the controller is just a replication controller, so to see it from the outside you will need a service to proxy requests to your node's IP. So I think you should start debugging at the pod level first. Kubernetes gets tricky because things depend on the cloud provider you are in. Hope I can help, because I am stuck too.