允许变异的tls钩子使用启用tls的istio。
允许变异的tls钩子使用启用tls的istio。
提问于 2022-06-05 12:22:31
我有下面的MutatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: example-webhook
webhooks:
- name: example-webhook.default.svc.cluster.local
admissionReviewVersions:
- "v1beta1"
sideEffects: "None"
timeoutSeconds: 30
objectSelector:
matchLabels:
example-webhook-enabled: "true"
clientConfig:
service:
name: example-webhook
namespace: default
path: "/mutate"
caBundle: "LS0tLS1CR..."
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]我想将webhook pod注入一个启用了istio的命名空间中,istio具有严格的TLS模式。
因此,(我认为)在我的example-webhook服务中不应该需要TLS,因此它是按如下方式构建的:
apiVersion: v1
kind: Service
metadata:
name: example-webhook
namespace: default
spec:
selector:
app: example-webhook
ports:
- port: 80
targetPort: webhook
name: webhook但是,当创建一个Pod (这确实会触发webhook)时,我会得到以下错误:
▶ k create -f demo-pod.yaml
Error from server (InternalError): error when creating "demo-pod.yaml": Internal error occurred: failed calling webhook "example-webhook.default.svc.cluster.local": Post "https://example-webhook.default.svc:443/mutate?timeout=30s": no service port 443 found for service "example-webhook"我不能将web钩子配置为不是在443上调用,而是在80上调用吗?无论哪种方式,TLS终止都是由istio侧way完成的。
有没有办法用VirtualService / DestinationRule解决这个问题?
编辑:最重要的是,为什么它试图到达example-webhook.default.svc端点中的服务?(而它应该在example-webhook.default.svc.cluster.local中这样做)?
更新1
我试图按以下方式使用https:
我使用istio的CA创建了一个证书和私钥。
我可以验证我在证书中的DNS名称是否有效,如下所示(从另一个pod)
echo | openssl s_client -showcerts -servername example-webhook.default.svc -connect example-webhook.default.svc:443 2>/dev/null | openssl x509 -inform pem -noout -text...
Subject: C = GR, ST = Attica, L = Athens, O = Engineering, OU = FOO, CN = *.cluster.local, emailAddress = me@myemail.com
...
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.default.svc.cluster.local, DNS:example-webhook, DNS:example-webhook.default.svc
...但是现在pod的创建失败了,如下所示:
▶ k create -f demo-pod.yaml
Error from server (InternalError): error when creating "demo-pod.yaml": Internal error occurred: failed calling webhook "example-webhook.default.svc.cluster.local": Post "https://example-webhook.default.svc:443/mutate?timeout=30s": x509: certificate is not valid for any names, but wanted to match example-webhook.default.svc更新2
使用istio CA证书适当地创建了运行webhook结荚的证书,这一事实也得到了验证。
curl --cacert istio_cert https://example-webhook.default.svc
Test其中istio_cert是包含istio的CA证书的文件
怎么一回事?
回答 3
Stack Overflow用户
发布于 2022-06-06 11:14:52
不确定你能不能在端口80上使用web钩子..。
其中一些可能会对您有用,我使用了以下脚本来生成证书,您可以修改它以满足您的需要:
#!/bin/bash
set -e
service=webhook-svc
namespace=default
secret=webhook-certs
csrName=${service}.${namespace}
cat <<EOF >> csr.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${service}
DNS.2 = ${service}.${namespace}
DNS.3 = ${service}.${namespace}.svc
EOF
openssl genrsa -out server-key.pem 2048
openssl req -new -key server-key.pem -subj "/CN=${service}.${namespace}.svc" -out server.csr -config csr.conf
kubectl delete csr ${csrName} 2>/dev/null || true
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: ${csrName}
spec:
groups:
- system:authenticated
request: $(< server.csr base64 | tr -d '\n')
usages:
- digital signature
- key encipherment
- server auth
EOF
sleep 5
kubectl certificate approve ${csrName}
for i in {1 .. 10}
do
serverCert=$(kubectl get csr ${csrName} -o jsonpath='{.status.certificate}')
if [[ ${serverCert} != '' ]]; then
break
fi
sleep 1
done
if [[ ${serverCert} == '' ]]; then
echo "ERROR: After approving csr ${csrName}, the signed certificate did not appear on the resource. Giving up after 10 attempts." >&2
exit 1
fi
echo "${serverCert}" | openssl base64 -d -A -out server-cert.pem
# create the secret with CA cert and server cert/key
kubectl create secret generic ${secret} \
--from-file=key.pem=server-key.pem \
--from-file=cert.pem=server-cert.pem \
--dry-run -o yaml |
kubectl -n ${namespace} apply -f -脚本创建了一个秘密,然后我将其挂载到web钩子deployment.yaml中:
apiVersion: apps/v1
kind: Deployment
metadata:
name: webhook-deployment
namespace: default
labels:
app: webhook
annotations:
sidecar.istio.io/inject: "false"
spec:
replicas: 1
selector:
matchLabels:
app: webhook
template:
metadata:
labels:
app: webhook
annotations:
sidecar.istio.io/inject: "false"
spec:
containers:
- name: webhook
image: webhook:v1
imagePullPolicy: IfNotPresent
volumeMounts:
- name: webhook-certs
mountPath: /certs
readOnly: true
volumes:
- name: webhook-certs
secret:
secretName: webhook-certsservice.yaml:
apiVersion: v1
kind: Service
metadata:
name: webhook-svc
namespace: default
labels:
app: webhook
spec:
ports:
- port: 443
targetPort: 8443
selector:
app: webhookStack Overflow用户
发布于 2022-06-08 20:24:51
您是否尝试将端口属性添加到MutatingWebhookConfiguration中?
clientConfig:
service:
name: example-webhook
namespace: default
path: "/mutate"
port: 80Stack Overflow用户
发布于 2022-06-14 04:32:10
您可以尝试更改值。
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: ${csrName}
spec:
groups:
- system:authenticated
request: $(< server.csr base64 | tr -d '\n')
usages:
- digital signature
- key encipherment
- server auth
EOF页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/72507275
复制相关文章
相似问题
腾讯云开发者
