Setting up Jenkins on Kubernetes - error 403


I am running Kubernetes (k8s) as IaaS on virtual machines.

I have set up nginx and some other applications that work fine (I can reach my applications).

I am using the nginx ingress controller.

When I try to access Jenkins from outside the node, I get an empty reply, but the ingress log shows a 403.

When I curl Jenkins from inside the node, I can access it without any problem.

When I restart the Jenkins container, I can reach the "Please wait while Jenkins is getting ready to work ..." page, but once it is ready I get the 403 again.

Any idea why this is happening?

Ingress resource:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  labels:
    project: cicd
  managedFields:
  - apiVersion: networking.k8s.io/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:loadBalancer:
          f:ingress: {}
    manager: nginx-ingress-controller
    operation: Update
    time: "2020-04-02T17:11:25Z"
  - apiVersion: extensions/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
          f:kubernetes.io/ingress.class: {}
        f:labels:
          .: {}
          f:project: {}
      f:spec:
        f:rules: {}
    manager: kubectl
    operation: Update
    time: "2020-04-02T17:12:56Z"
  name: jenkins
  namespace: jenkins
spec:
  rules:
  - host: jenkins.com
    http:
      paths:
      - backend:
          serviceName: jenkins
          servicePort: 8080
        path: /
        pathType: ImplementationSpecific

nginx.conf

## start server jenkins.com
    server {
        server_name jenkins.com ;

        listen 80  ;
        listen 443  ssl http2 ;

        set $proxy_upstream_name "-";

        ssl_certificate_by_lua_block {
            certificate.call()
        }

        location / {

            set $namespace      "jenkins";
            set $ingress_name   "jenkins";
            set $service_name   "jenkins";
            set $service_port   "8080";
            set $location_path  "/";

            rewrite_by_lua_block {
                lua_ingress.rewrite({
                    force_ssl_redirect = false,
                    ssl_redirect = true,
                    force_no_ssl_redirect = false,
                    use_port_in_redirects = false,
                })
                balancer.rewrite()
                plugins.run()
            }

            header_filter_by_lua_block {

                plugins.run()
            }
            body_filter_by_lua_block {

            }

            log_by_lua_block {

                balancer.log()

                monitor.call()

                plugins.run()
            }

            port_in_redirect off;

            set $balancer_ewma_score -1;
            set $proxy_upstream_name "jenkins-jenkins-8080";
            set $proxy_host          $proxy_upstream_name;
            set $pass_access_scheme  $scheme;
            set $pass_server_port    $server_port;
            set $best_http_host      $http_host;
            set $pass_port           $pass_server_port;

            set $proxy_alternative_upstream_name "";

            client_max_body_size                    10m;

            proxy_set_header Host                   $best_http_host;

            # Pass the extracted client certificate to the backend

            # Allow websocket connections
            proxy_set_header                        Upgrade           $http_upgrade;

            proxy_set_header                        Connection        $connection_upgrade;

            proxy_set_header X-Request-ID           $req_id;
            proxy_set_header X-Real-IP              $remote_addr;

            proxy_set_header X-Forwarded-For        $remote_addr;

            proxy_set_header X-Forwarded-Host       $best_http_host;
            proxy_set_header X-Forwarded-Port       $pass_port;
            proxy_set_header X-Forwarded-Proto      $pass_access_scheme;

            proxy_set_header X-Scheme               $pass_access_scheme;

            # Pass the original X-Forwarded-For
            proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

            # mitigate HTTPoxy Vulnerability
            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
            proxy_set_header Proxy                  "";

            # Custom headers to proxied server

            proxy_connect_timeout                   5s;
            proxy_send_timeout                      86400s;
            proxy_read_timeout                      86400s;

            proxy_buffering                         off;
            proxy_buffer_size                       4k;
            proxy_buffers                           4 4k;

            proxy_max_temp_file_size                1024m;

            proxy_request_buffering                 on;
            proxy_http_version                      1.1;

            proxy_cookie_domain                     off;
            proxy_cookie_path                       off;

            # In case of errors try the next upstream server before returning an error
            proxy_next_upstream                     error timeout;
            proxy_next_upstream_timeout             0;
            proxy_next_upstream_tries               3;

            proxy_pass http://upstream_balancer;

            proxy_redirect                          off;

        }

    }

curl -v command

* Connected to jenkins.com (xxx.xxx.xxx.xxx) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: jenkins.com
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Server: openresty/1.15.8.2
< Date: Sun, 05 Apr 2020 18:09:23 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 793
< Connection: keep-alive
< Vary: Accept-Encoding
< X-Content-Type-Options: nosniff
< Set-Cookie: JSESSIONID.fe94dd2e=node01swwo52ouan0zf0m57265cwjo109.node0; Path=/; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Hudson: 1.395
< X-Jenkins: 2.222.1
< X-Jenkins-Session: efb06340
< X-Hudson-CLI-Port: 50000
< X-Jenkins-CLI-Port: 50000
< X-Jenkins-CLI2-Port: 50000
< X-You-Are-Authenticated-As: anonymous
< X-You-Are-In-Group-Disabled: JENKINS-39402: use -Dhudson.security.AccessDeniedException2.REPORT_GROUP_HEADERS=true or use /whoAmI to diagnose
< X-Required-Permission: hudson.model.Hudson.Read
< X-Permission-Implied-By: hudson.security.Permission.GenericRead
< X-Permission-Implied-By: hudson.model.Hudson.Administer
< 
<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2F'/><script>window.location.replace('/login?from=%2F');</script></head><body style='background-color:white; color:white;'>


Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:

Permission you need to have (but didn't): hudson.model.Hudson.Read
 ... which is implied by: hudson.security.Permission.GenericRead
 ... which is implied by: hudson.model.Hudson.Administer

I am editing /etc/hosts so that jenkins.com points to my node (on the machine from which I try to access Jenkins and get the 403).
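As an added example (not part of the question or of any answer), here is a small Python script that reads a curl -v transcript like the one above and works out which component produced the 403 and why. The X-Jenkins, X-You-Are-Authenticated-As and X-Required-Permission headers are written by Jenkins itself, not by the ingress controller, so their presence shows the request reached the pod; in the transcript above Jenkins is denying the anonymous user the hudson.model.Hudson.Read permission (Overall/Read). The two embedded samples are constructed: the first is trimmed from the transcript in the question, the second is a constructed crumb-rejection response for the CSRF case; the function names are my own.

```python
import re

# Constructed sample, trimmed from the curl -v transcript in the question.
SAMPLE_CURL_OUTPUT = """\
* Connected to jenkins.com (xxx.xxx.xxx.xxx) port 80 (#0)
> GET / HTTP/1.1
> Host: jenkins.com
> 
< HTTP/1.1 403 Forbidden
< Server: openresty/1.15.8.2
< X-Jenkins: 2.222.1
< X-You-Are-Authenticated-As: anonymous
< X-Required-Permission: hudson.model.Hudson.Read
< X-Permission-Implied-By: hudson.security.Permission.GenericRead
< X-Permission-Implied-By: hudson.model.Hudson.Administer
< 
<html><head></head><body>Authentication required</body></html>
* Connection #0 to host jenkins.com left intact
"""

# Constructed sample of the 403 Jenkins returns when CSRF protection rejects
# a POST that carries no crumb (the crumb-token case).
SAMPLE_CRUMB_403 = """\
> POST /createItem?name=test HTTP/1.1
> Host: jenkins.com
> 
< HTTP/1.1 403 Forbidden
< Server: openresty/1.15.8.2
< X-Jenkins: 2.222.1
< 
<html><body>HTTP ERROR 403 No valid crumb was included in the request</body></html>
"""


def parse_curl_response(text):
    """Split curl -v output into (status, headers, body).

    Header lines are prefixed with "< "; request lines (">") and connection
    info ("*") are ignored. headers maps lowercased names to a list of values,
    because Jenkins repeats X-Permission-Implied-By once per implying permission.
    """
    status, headers, body_lines = None, {}, []
    in_body = False
    for line in text.splitlines():
        if in_body:
            if not line.startswith("* "):      # trailing curl connection info
                body_lines.append(line)
        elif line.rstrip() == "<" or line.startswith("< "):
            content = line[1:].strip()
            if not content:                    # empty "< " line ends the headers
                in_body = status is not None
                continue
            m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", content)
            if m:
                status = int(m.group(1))
                continue
            name, sep, value = content.partition(":")
            if sep:
                headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, "\n".join(body_lines)


def diagnose_403(status, headers, body):
    """Decide which component produced a 403, and why, from the response alone."""
    if status != 403:
        return {"origin": None, "cause": "not-a-403", "status": status}
    # Jenkins stamps every response it generates with X-Jenkins; the ingress
    # controller only proxies, so without it the denial came from elsewhere.
    if "x-jenkins" not in headers:
        return {"origin": "ingress-or-other", "cause": "unknown"}
    if "x-required-permission" in headers:
        return {
            "origin": "jenkins",
            "cause": "authorization",
            "identity": headers.get("x-you-are-authenticated-as", ["unknown"])[0],
            "required_permission": headers["x-required-permission"][0],
            "implied_by": headers.get("x-permission-implied-by", []),
        }
    if "No valid crumb" in body:
        return {"origin": "jenkins", "cause": "csrf-crumb"}
    return {"origin": "jenkins", "cause": "unknown"}


def diagnose_curl_output(text):
    """Convenience wrapper: transcript text in, diagnosis dict out."""
    return diagnose_403(*parse_curl_response(text))


if __name__ == "__main__":
    for sample in (SAMPLE_CURL_OUTPUT, SAMPLE_CRUMB_403):
        print(diagnose_curl_output(sample))
```

Run against the transcript in the question the diagnosis is origin "jenkins", cause "authorization", identity "anonymous", required permission hudson.model.Hudson.Read; that is an authorization-strategy result, which is a different fix from the CSRF crumb settings.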

Answer 1

This is a community wiki answer.

The three most common solutions to this problem are:

  1. If you don't mind lowering the security of your Jenkins installation, you can uncheck "Prevent Cross Site Request Forgery exploits" in the jenkins.com/configureSecurity section.

  2. The more secure way: "Enable proxy compatibility" under the "Configure Global Security" options.

  3. If your access problem is caused by a crumb token issue, you can follow this short guide to fix it.

Let me know if it helps.
