在 curl 中使用 .kube/config 客户端证书

在 curl 中使用 .kube/config 客户端证书

如果你使用,kubectl get pod foo -v10你会看到一条curl线,但是这不起作用。

例子:

guettli@p15:~$ curl -k -v -XGET  -H "Accept: application/json;as=Table;v=v1;g=meta.k8s.io,application/json;as=Table;v=v1beta1;g=meta.k8s.io,application/json" -H "User-Agent: kubectl/v1.23.4 (linux/amd64) kubernetes/e6c093d" 'https://127.0.0.1:44529/api/v1/namespaces/default/pods/busybox' 

*   Trying 127.0.0.1:44529...
* Connected to 127.0.0.1 (127.0.0.1) port 44529 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=kube-apiserver
*  start date: Feb  2 10:34:41 2022 GMT
*  expire date: Feb  2 10:34:41 2023 GMT
*  issuer: CN=kubernetes
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55ef6413b5e0)
> GET /api/v1/namespaces/default/pods/busybox HTTP/2
> Host: 127.0.0.1:44529
> accept: application/json;as=Table;v=v1;g=meta.k8s.io,application/json;as=Table;v=v1beta1;g=meta.k8s.io,application/json
> user-agent: kubectl/v1.23.4 (linux/amd64) kubernetes/e6c093d
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 403 
< cache-control: no-cache, private
< content-type: application/json
< x-content-type-options: nosniff
< x-kubernetes-pf-flowschema-uid: d45b0ee7-7e06-463e-b8d1-6ab74852b967
< x-kubernetes-pf-prioritylevel-uid: 3be84978-2771-4afe-972d-50dec7f8b951
< content-length: 289
< date: Mon, 21 Feb 2022 17:20:21 GMT
< 

{"kind":"Status","apiVersion":"v1","metadata":{},
 "status":"Failure",
 "message":"pods \"busybox\" is forbidden: User \"system:anonymous\" cannot get resource \"pods\" in API group \"\" in the namespace \"default\"",
 "reason":"Forbidden",
 "details":{"name":"busybox","kind":"pods"},"code":403}

* Connection #0 to host 127.0.0.1 left intact

我如何使用中的客户端证书.kube/config

我使用 0.11.1 类型

答案1

我找到了这个解决方案:

cat .kube/config | yq .clusters[0].cluster.certificate-authority-data | base64 -d - > .kube/ca.pem

cat .kube/config | yq .users[0].user.client-certificate-data | base64 -d - > .kube/user.pem

cat .kube/config | yq .users[0].user.client-key-data | base64 -d - > .kube/user-key.pem
curl --cert .kube/user.pem --key .kube/user-key.pem --cacert .kube/ca.pem \
  -v -XGET  -H "Accept: application/json;as=Table;v=v1;g=meta.k8s.io,application/json;as=Table;v=v1beta1;g=meta.k8s.io,application/json" \
  -H "User-Agent: kubectl/v1.23.4 (linux/amd64) kubernetes/e6c093d" \
 'https://127.0.0.1:44529/api/v1/namespaces/default/pods/busybox'

答案2

我做了一些研究。我的解决方案如下:

由于标签名称中有破折号,因此需要使用引号:

cat ~/.kube/config | yq -r '.clusters[0].cluster."certificate-authority-data"' | base64 -d - > ~/.kube/ca.pem 
cat ~/.kube/config | yq -r '.users[0].user."client-certificate-data"' | base64 -d - > ~/.kube/user.pem
cat ~/.kube/config | yq -r '.users[0].user."client-key-data"' | base64 -d - > ~/.kube/user-key.pem

还有一个有用的变量:

SERVER_URL=$(cat ~/.kube/config | yq -r .clusters[0].cluster.server)

卷曲示例:

curl --cacert ~/.kube/ca.pem --cert ~/.kube/user.pem --key ~/.kube/user-key.pem -X GET  ${SERVER_URL}/api/v1/namespaces/default/pods/busybox

相关内容