Can the API server CA certificate in k8s be the same as the front proxy CA certificate?
The answer is:
Absolutely not!
The reason is that a request is checked against the --requestheader-client-ca-file CA first, and only then against --client-ca-file.
If both flags point at the same CA, an ordinary client certificate (a kubelet's, a control plane component's, a user's) matches the requestheader CA, but its common name is not in --requestheader-allowed-names, so the user name taken from the certificate is rejected.
That breaks normal operation of the K8S cluster.
Sure enough, last Friday I ran into exactly this situation.
I had no choice but to generate another certificate and try again~~
Reference URLs:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://kubernetes.io/docs/tasks/access-kubernetes-api/configure-aggregation-layer/
https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/
CA Reusage and Conflicts
The Kubernetes apiserver has two client CA options:
--client-ca-file
--requestheader-client-ca-file
Each of these functions independently and can conflict with each other, if not used correctly.
--client-ca-file: When a request arrives to the Kubernetes apiserver, if this option is enabled, the Kubernetes apiserver checks the certificate of the request. If it is signed by one of the CA certificates in the file referenced by --client-ca-file, then the request is treated as a legitimate request, and the user is the value of the common name CN=, while the group is the organization O=. See the documentation on TLS authentication.
--requestheader-client-ca-file: When a request arrives to the Kubernetes apiserver, if this option is enabled, the Kubernetes apiserver checks the certificate of the request. If it is signed by one of the CA certificates in the file referenced by --requestheader-client-ca-file, then the request is treated as a potentially legitimate request. The Kubernetes apiserver then checks if the common name CN= is one of the names in the list provided by --requestheader-allowed-names. If the name is allowed, the request is approved; if it is not, the request is not.
If both --client-ca-file and --requestheader-client-ca-file are provided, then the request first checks the --requestheader-client-ca-file CA and then the --client-ca-file. Normally, different CAs, either root CAs or intermediate CAs, are used for each of these options; regular client requests match against --client-ca-file, while aggregation requests match against --requestheader-client-ca-file. However, if both use the same CA, then client requests that normally would pass via --client-ca-file will fail, because the CA will match the CA in --requestheader-client-ca-file, but the common name CN= will not match one of the acceptable common names in --requestheader-allowed-names. This can cause your kubelets and other control plane components, as well as end-users, to be unable to authenticate to the Kubernetes apiserver.
For this reason, use different CA certs for the --client-ca-file option - to authorize control plane components and end-users - and the --requestheader-client-ca-file option - to authorize aggregation apiserver requests.
Warning: Do not reuse a CA that is used in a different context unless you understand the risks and the mechanisms to protect the CA’s usage.
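The conflict described above, as an added example (it is not code from this post or from Kubernetes itself): a small Go model of the apiserver's two client-CA checks in the order the documentation gives, using throwaway CAs generated in memory. The CA names, the allowed CN front-proxy-client, the node name worker-1 and the user alice are constructed fixtures, and the Authenticate function only reproduces the decision order quoted above, not the real apiserver code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is an in-memory key pair plus certificate; nothing here is real cluster material.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue returns a self-signed CA when parent is nil, otherwise a client-auth leaf (CN = user, O = groups) signed by parent. Fixture code, so it panics on failure.
func issue(cn string, orgs []string, parent *entity) *entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, Organization: orgs},
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil
	} else {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &entity{cert: cert, key: key}
}

// signedBy reports whether cert chains to a CA loaded from one of the --*-ca-file flags.
func signedBy(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Apiserver holds the three flags discussed in the text.
type Apiserver struct {
	RequestHeaderCA *x509.CertPool // --requestheader-client-ca-file
	AllowedNames    []string       // --requestheader-allowed-names
	ClientCA        *x509.CertPool // --client-ca-file
}

// Authenticate follows the order the kubeadm docs describe: the requestheader CA is checked first, and a cert it
// signed passes only if its CN is in AllowedNames (the user then comes from the X-Remote-User header the proxy sets);
// otherwise --client-ca-file is checked and CN/O become user/groups.
func (a *Apiserver) Authenticate(cert *x509.Certificate, remoteUser string) (user string, groups []string, err error) {
	cn := cert.Subject.CommonName
	if signedBy(cert, a.RequestHeaderCA) {
		for _, n := range a.AllowedNames {
			if n == cn {
				return remoteUser, nil, nil
			}
		}
		return "", nil, fmt.Errorf("CN %q chains to the requestheader CA but is not in --requestheader-allowed-names", cn)
	}
	if signedBy(cert, a.ClientCA) {
		return cn, cert.Subject.Organization, nil
	}
	return "", nil, fmt.Errorf("CN %q is not signed by any configured client CA", cn)
}

// Scenario builds a control plane with two CAs (shareCA=false) or one CA behind both flags (shareCA=true, the
// mistake the text warns about), then authenticates either a kubelet (asProxy=false) or the front proxy (asProxy=true).
func Scenario(shareCA, asProxy bool) (user string, groups []string, err error) {
	clientCA := issue("kubernetes-ca", nil, nil)
	frontProxyCA := clientCA
	if !shareCA {
		frontProxyCA = issue("front-proxy-ca", nil, nil)
	}
	rh, cl := x509.NewCertPool(), x509.NewCertPool()
	rh.AddCert(frontProxyCA.cert)
	cl.AddCert(clientCA.cert)
	api := &Apiserver{RequestHeaderCA: rh, AllowedNames: []string{"front-proxy-client"}, ClientCA: cl}
	if asProxy { // an aggregated-API request: the proxy's own cert plus X-Remote-User: alice
		return api.Authenticate(issue("front-proxy-client", nil, frontProxyCA).cert, "alice")
	}
	// A kubelet request: its cert comes from the cluster CA, so CN/O give user/groups.
	return api.Authenticate(issue("system:node:worker-1", []string{"system:nodes"}, clientCA).cert, "")
}
```

Scenario(false, false) returns system:node:worker-1 in group system:nodes, while Scenario(true, false) returns the allowed-names error: the same kubelet certificate, rejected only because the CA was shared. Scenario(true, true) shows the other side of the warning that follows: once the CAs are shared, any certificate from the cluster CA whose CN is in the allowed list is trusted to assert an arbitrary user through the request headers, which is a far larger privilege than an ordinary client certificate carries.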
If you are not running kube-proxy on a host running the API server, then you must make sure that the system is enabled with the following kube-apiserver flag:
--enable-aggregator-routing=true