Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
menu search
person
Welcome To Ask or Share your Answers For Others

Categories

Update Filed this as an issue on Google's Issue Tracker.

I'm running a GKE cluster on 1.18.12-gke.1201 and unsuccessfully trying to authenticate (a 3rd-party service) using a Bootstrap token.

Questions:

  • Does GKE 1.18+ support Bootstrap Token auth? How may I confirm this?
  • If it does, how may I revise the Secret to reflect GKE's RBAC

IIUC, 1.18+ should support Bootstrap Tokens but it's unclear to me whether --enable-bootstrap-token-auth is enabled on GKE clusters (how could I determine this?)

I'm using a script that generates Bootstrap Token Secrets and then a 3rd-party solution that exchanges these for CSRs, that I can approve and create a certificate|key pair for the solution.

Generating these Secrets against MicroK8s clusters works so I'm confident the Secrets are valid.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1C...
    server: https://XX.XX.XX.XX
  name: gke
contexts:
- context:
    cluster: gke
    namespace: kube-system
    user: tls-bootstrap-token-user
  name: tls-bootstrap-token-user@kubernetes
current-context: tls-bootstrap-token-user@kubernetes
kind: Config
preferences: {}
users:
- name: tls-bootstrap-token-user
  user:
    token: 8ziv0n.1t3jxk2d9tdr5xnp

However, I've been unsuccessful exchanging these for CSRs when using GKE. I'm reliant upon the 3rd-party solution to create the CSR for me. Is there a way to run this process manually?

The Secret-generating script includes:

apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-${token_id}
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  auth-extra-groups: system:bootstrappers:kubeadm:default-node-token
  expiration: ${expiration}
  token-id: ${token_id}
  token-secret: ${token_secret}
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"

If I understand correctly, this assume the existence of system:bootstrappers but the GKE cluster does not have system:bootstrappers but it appears to have system:node-bootstrapper:

 kubectl get clusterrolebindings | grep bootstrapper
kubelet-bootstrap                                      ClusterRole/system:node-bootstrapper
kubelet-bootstrap-node-bootstrapper                    ClusterRole/system:node-bootstrapper

And these:

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node-bootstrapper
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kubelet

And:

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node-bootstrapper
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kubelet-bootstrap

Should I be able to revise the Bootstrap Token to reference system:node-bootstrapper?

Update -- still no success

I tried creating an RBAC group (krustlet-bootstrapper):

kubectl create clusterrolebinding krustlet-bootstrapper 
--clusterrole=system:node-bootstrapper 
--group=krustlet-bootstrapper

kubectl create clusterrolebinding krustlet-authenticated 
--clusterrole=system:authenticated 
--group=krustlet-bootstrapper

And:

apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-${token_id}
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  auth-extra-groups: krustlet-bootstrapper
  expiration: ${expiration}
  token-id: ${token_id}
  token-secret: ${token_secret}
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"

The system:node-bootstrapper role appears to have the appropriate permissions:

kubectl get clusterrole/system:node-bootstrapper --output=jsonpath="{.rules}" | jq .
[
  {
    "apiGroups": [
      "certificates.k8s.io"
    ],
    "resources": [
      "certificatesigningrequests"
    ],
    "verbs": [
      "create",
      "get",
      "list",
      "watch"
    ]
  }
]

But I continue to get 401s when trying to bootstrap using it from the VM.

I suspect Bootstrap Tokens either aren't enabled on GKE or this method is more locked down that is customary.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
4.3k views
Welcome To Ask or Share your Answers For Others

1 Answer

等待大神解答

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
...