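Last updated: 2023.10.30 15:47:57
First published: 2023.10.30 15:47:57
After a Tencent Cloud TKE cluster is registered to the Distributed Cloud Native Platform over a direct connection, viewing some resources fails with the error "OtherError:HTTP request failed", and the logs show that the shuttle IP is unreachable.
The identity impersonation feature of the Tencent Cloud TKE cluster prevents the Distributed Cloud Native Platform from reaching the Tencent Cloud TKE cluster.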
client-certificate-data is the base64-encoded client certificate from the kubeconfig.
Base64-decode client-certificate-data and save the result in the tke.crt file; the decoded content is a PEM certificate (-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----).
[localhost]> openssl x509 -in tke.crt -noout -subject   # parse the certificate with openssl x509
subject= /O=tke:users/CN=100028915125-1689253522   # output; the CN value is 100028915125-1689253522
kubectl edit deployment kubernetes-proxy
Update kubernetes-proxy by adding the following parameter:
--trusted-impersonation-users=<CN>
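The steps above as one script, added here as an example and not part of the original article: it reads client-certificate-data from a kubeconfig, decodes it, and prints the --trusted-impersonation-users argument. The function names, the single-user kubeconfig layout and the throwaway self-signed certificate used as sample input are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): derive the
# --trusted-impersonation-users value from a kubeconfig's client certificate.
# Assumes one inline client-certificate-data field and a CN without commas.

# Print the CN of the client certificate embedded in the kubeconfig at $1.
kubeconfig_client_cn() {
    cert_b64=$(sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$cert_b64" ] || { echo "no client-certificate-data in $1" >&2; return 1; }
    # -nameopt RFC2253 prints "CN=...,O=..." on every OpenSSL version; the
    # default subject layout differs between OpenSSL 1.0 and 1.1+.
    subject=$(printf '%s\n' "$cert_b64" | openssl base64 -d -A |
        openssl x509 -noout -subject -nameopt RFC2253) || return 1
    cn=$(printf '%s\n' "$subject" | sed 's/^subject= *//' | tr ',' '\n' |
        sed -n 's/^CN=//p' | head -n 1)
    [ -n "$cn" ] || { echo "certificate subject has no CN" >&2; return 1; }
    printf '%s\n' "$cn"
}

# Print the kubernetes-proxy argument for the kubeconfig at $1.
trusted_impersonation_flag() {
    cn=$(kubeconfig_client_cn "$1") || return 1
    printf '%s%s\n' '--trusted-impersonation-users=' "$cn"
}

# Write a constructed kubeconfig fragment to $1, holding a throwaway
# self-signed certificate whose CN is $2 (sample input, not a TKE credential).
make_constructed_kubeconfig() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=tke:users/CN=$2" \
        -keyout "$dir/key.pem" -out "$dir/crt.pem" 2>/dev/null || return 1
    printf 'users:\n- name: constructed\n  user:\n    client-certificate-data: %s\n' \
        "$(openssl base64 -A -in "$dir/crt.pem")" > "$1"
    rm -rf "$dir"
}

# Stand-alone use: sh script.sh /path/to/kubeconfig
if [ "$#" -ge 1 ]; then trusted_impersonation_flag "$1"; fi
```

Check the printed CN against the account that owns the kubeconfig before adding the argument to the kubernetes-proxy deployment.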