红帽全球峰会8.7. 在 kube-system 项目中存储管理员级别的 secret 的替代方案
默认情况下,管理员 secret 存储在 kube-system 项目中。如果您在 install-config.yaml 文件中将 credentialsMode 参数配置为 Manual,则必须使用以下替代方案之一:
- 要手动管理长期云凭证,请按照手动创建长期凭证中的步骤操作。
- 要实现在集群外为各个组件管理的短期凭证,请按照配置 GCP 集群以使用短期凭证中的步骤操作。
8.7.1. 手动创建长期凭证
在无法访问云身份和访问管理(IAM)API 的环境中,或者管理员更不希望将管理员级别的凭证 secret 存储在集群 kube-system 命名空间中时,可以在安装前将 Cloud Credential Operator(CCO)放入手动模式。
流程
在安装程序使用的 GCP 帐户中添加以下粒度权限:
例 8.1. 所需的 GCP 权限
- compute.machineTypes.list
- compute.regions.list
- compute.zones.list
- dns.changes.create
- dns.changes.get
- dns.managedZones.create
- dns.managedZones.delete
- dns.managedZones.get
- dns.managedZones.list
- dns.networks.bindPrivateDNSZone
- dns.resourceRecordSets.create
- dns.resourceRecordSets.delete
- dns.resourceRecordSets.list
如果您没有将
install-config.yaml配置文件中的credentialsMode参数设置为Manual,请修改值,如下所示:配置文件片段示例
apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...
apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...Copy to Clipboard Copied! Toggle word wrap Toggle overflow 如果您之前还没有创建安装清单文件,请运行以下命令:
openshift-install create manifests --dir <installation_directory>
$ openshift-install create manifests --dir <installation_directory>Copy to Clipboard Copied! Toggle word wrap Toggle overflow 其中
<installation_directory>是安装程序在其中创建文件的目录。运行以下命令,使用安装文件中的发行镜像设置
$RELEASE_IMAGE变量:RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')$ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')Copy to Clipboard Copied! Toggle word wrap Toggle overflow 运行以下命令,从 OpenShift Container Platform 发行镜像中提取
CredentialsRequest自定义资源 (CR) 列表:oc adm release extract \ --from=$RELEASE_IMAGE \ --credentials-requests \ --included \ --install-config=<path_to_directory_with_installation_configuration>/install-config.yaml \ --to=<path_to_directory_for_credentials_requests>
$ oc adm release extract \ --from=$RELEASE_IMAGE \ --credentials-requests \ --included \1 --install-config=<path_to_directory_with_installation_configuration>/install-config.yaml \2 --to=<path_to_directory_for_credentials_requests>3 Copy to Clipboard Copied! Toggle word wrap Toggle overflow 此命令为每个
CredentialsRequest对象创建一个 YAML 文件。CredentialsRequest对象示例apiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: name: <component_credentials_request> namespace: openshift-cloud-credential-operator ... spec: providerSpec: apiVersion: cloudcredential.openshift.io/v1 kind: GCPProviderSpec predefinedRoles: - roles/storage.admin - roles/iam.serviceAccountUser skipServiceCheck: true ...apiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: name: <component_credentials_request> namespace: openshift-cloud-credential-operator ... spec: providerSpec: apiVersion: cloudcredential.openshift.io/v1 kind: GCPProviderSpec predefinedRoles: - roles/storage.admin - roles/iam.serviceAccountUser skipServiceCheck: true ...Copy to Clipboard Copied! Toggle word wrap Toggle overflow 在之前生成的
openshift-install清单目录中为 secret 创建 YAML 文件。secret 必须使用在spec.secretRef中为每个CredentialsRequest定义的命名空间和 secret 名称存储。带有 secret 的
CredentialsRequest对象示例apiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: name: <component_credentials_request> namespace: openshift-cloud-credential-operator ... spec: providerSpec: apiVersion: cloudcredential.openshift.io/v1 ... secretRef: name: <component_secret> namespace: <component_namespace> ...apiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: name: <component_credentials_request> namespace: openshift-cloud-credential-operator ... spec: providerSpec: apiVersion: cloudcredential.openshift.io/v1 ... secretRef: name: <component_secret> namespace: <component_namespace> ...Copy to Clipboard Copied! Toggle word wrap Toggle overflow Secret对象示例apiVersion: v1 kind: Secret metadata: name: <component_secret> namespace: <component_namespace> data: service_account.json: <base64_encoded_gcp_service_account_file>
apiVersion: v1 kind: Secret metadata: name: <component_secret> namespace: <component_namespace> data: service_account.json: <base64_encoded_gcp_service_account_file>Copy to Clipboard Copied! Toggle word wrap Toggle overflow
在升级使用手动维护凭证的集群前,您必须确保 CCO 处于可升级状态。
8.7.2. 将 GCP 集群配置为使用短期凭证
要安装配置为使用 GCP Workload Identity 的集群,您必须配置 CCO 实用程序并为集群创建所需的 GCP 资源。
8.7.2.1. 配置 Cloud Credential Operator 工具
当 Cloud Credential Operator(CCO)以手动模式运行时,要从集群外部创建和管理云凭证,提取并准备 CCO 实用程序(ccoctl)二进制文件。
ccoctl 工具是在 Linux 环境中运行的 Linux 二进制文件。
先决条件
- 您可以访问具有集群管理员权限的 OpenShift Container Platform 帐户。
-
已安装 OpenShift CLI(
oc)。
您已在安装程序使用的 GCP 帐户中添加了以下身份验证选项之一:
- IAM Workload Identity Pool Admin 角色。
以下粒度权限:
例 8.2. 所需的 GCP 权限
- compute.projects.get
- iam.googleapis.com/workloadIdentityPoolProviders.create
- iam.googleapis.com/workloadIdentityPoolProviders.get
- iam.googleapis.com/workloadIdentityPools.create
- iam.googleapis.com/workloadIdentityPools.delete
- iam.googleapis.com/workloadIdentityPools.get
- iam.googleapis.com/workloadIdentityPools.undelete
- iam.roles.create
- iam.roles.delete
- iam.roles.list
- iam.roles.undelete
- iam.roles.update
- iam.serviceAccounts.create
- iam.serviceAccounts.delete
- iam.serviceAccounts.getIamPolicy
- iam.serviceAccounts.list
- iam.serviceAccounts.setIamPolicy
- iam.workloadIdentityPoolProviders.get
- iam.workloadIdentityPools.delete
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.setIamPolicy
- storage.buckets.create
- storage.buckets.delete
- storage.buckets.get
- storage.buckets.getIamPolicy
- storage.buckets.setIamPolicy
- storage.objects.create
- storage.objects.delete
- storage.objects.list
流程
运行以下命令,为 OpenShift Container Platform 发行镜像设置变量:
RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')$ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')Copy to Clipboard Copied! Toggle word wrap Toggle overflow 运行以下命令,从 OpenShift Container Platform 发行镜像获取 CCO 容器镜像:
CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)
$ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)Copy to Clipboard Copied! Toggle word wrap Toggle overflow 注意确保
$RELEASE_IMAGE的架构与将使用ccoctl工具的环境架构相匹配。运行以下命令,将 CCO 容器镜像中的
ccoctl二进制文件提取到 OpenShift Container Platform 发行镜像中:oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \ -a ~/.pull-secret
$ oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \1 -a ~/.pull-secretCopy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- 对于
<rhel_version>,请指定与主机使用的 Red Hat Enterprise Linux (RHEL) 版本对应的值。如果没有指定值,则默认使用ccoctl.rhel8。以下值有效:-
rhel8: 为使用 RHEL 8 的主机指定这个值。 -
rhel9:为使用 RHEL 9 的主机指定这个值。
-
运行以下命令更改权限以使
ccoctl可执行:chmod 775 ccoctl.<rhel_version>
$ chmod 775 ccoctl.<rhel_version>Copy to Clipboard Copied! Toggle word wrap Toggle overflow
验证
要验证
ccoctl是否准备就绪,可以尝试显示帮助文件。运行命令时使用相对文件名,例如:./ccoctl.rhel9
$ ./ccoctl.rhel9Copy to Clipboard Copied! Toggle word wrap Toggle overflow 输出示例
OpenShift credentials provisioning tool Usage: ccoctl [command] Available Commands: aws Manage credentials objects for AWS cloud azure Manage credentials objects for Azure gcp Manage credentials objects for Google cloud help Help about any command ibmcloud Manage credentials objects for IBM Cloud nutanix Manage credentials objects for Nutanix Flags: -h, --help help for ccoctl Use "ccoctl [command] --help" for more information about a command.
OpenShift credentials provisioning tool Usage: ccoctl [command] Available Commands: aws Manage credentials objects for AWS cloud azure Manage credentials objects for Azure gcp Manage credentials objects for Google cloud help Help about any command ibmcloud Manage credentials objects for IBM Cloud nutanix Manage credentials objects for Nutanix Flags: -h, --help help for ccoctl Use "ccoctl [command] --help" for more information about a command.Copy to Clipboard Copied! Toggle word wrap Toggle overflow
8.7.2.2. 使用 Cloud Credential Operator 实用程序创建 GCP 资源
您可以使用 ccoctl gcp create-all 命令自动创建 GCP 资源。
默认情况下,ccoctl 在运行命令的目录中创建对象。要在其他目录中创建对象,请使用 --output-dir 标志。此流程使用 <path_to_ccoctl_output_dir> 来引用这个目录。
先决条件
您必须:
-
提取并准备好
ccoctl二进制文件。
流程
运行以下命令,使用安装文件中的发行镜像设置
$RELEASE_IMAGE变量:RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')$ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')Copy to Clipboard Copied! Toggle word wrap Toggle overflow 运行以下命令,从 OpenShift Container Platform 发行镜像中提取
CredentialsRequest对象列表:oc adm release extract \ --from=$RELEASE_IMAGE \ --credentials-requests \ --included \ --install-config=<path_to_directory_with_installation_configuration>/install-config.yaml \ --to=<path_to_directory_for_credentials_requests>
$ oc adm release extract \ --from=$RELEASE_IMAGE \ --credentials-requests \ --included \1 --install-config=<path_to_directory_with_installation_configuration>/install-config.yaml \2 --to=<path_to_directory_for_credentials_requests>3 Copy to Clipboard Copied! Toggle word wrap Toggle overflow 注意此命令可能需要一些时间才能运行。
运行以下命令,使用
ccoctl工具处理所有CredentialsRequest对象:ccoctl gcp create-all \ --name=<name> \ --region=<gcp_region> \ --project=<gcp_project_id> \ --credentials-requests-dir=<path_to_credentials_requests_directory>
$ ccoctl gcp create-all \ --name=<name> \1 --region=<gcp_region> \2 --project=<gcp_project_id> \3 --credentials-requests-dir=<path_to_credentials_requests_directory>4 Copy to Clipboard Copied! Toggle word wrap Toggle overflow 注意如果您的集群使用
TechPreviewNoUpgrade功能集启用的技术预览功能,则必须包含--enable-tech-preview参数。
验证
要验证 OpenShift Container Platform secret 是否已创建,列出
<path_to_ccoctl_output_dir>/manifests目录中的文件:ls <path_to_ccoctl_output_dir>/manifests
$ ls <path_to_ccoctl_output_dir>/manifestsCopy to Clipboard Copied! Toggle word wrap Toggle overflow 输出示例
cluster-authentication-02-config.yaml openshift-cloud-controller-manager-gcp-ccm-cloud-credentials-credentials.yaml openshift-cloud-credential-operator-cloud-credential-operator-gcp-ro-creds-credentials.yaml openshift-cloud-network-config-controller-cloud-credentials-credentials.yaml openshift-cluster-api-capg-manager-bootstrap-credentials-credentials.yaml openshift-cluster-csi-drivers-gcp-pd-cloud-credentials-credentials.yaml openshift-image-registry-installer-cloud-credentials-credentials.yaml openshift-ingress-operator-cloud-credentials-credentials.yaml openshift-machine-api-gcp-cloud-credentials-credentials.yaml
cluster-authentication-02-config.yaml openshift-cloud-controller-manager-gcp-ccm-cloud-credentials-credentials.yaml openshift-cloud-credential-operator-cloud-credential-operator-gcp-ro-creds-credentials.yaml openshift-cloud-network-config-controller-cloud-credentials-credentials.yaml openshift-cluster-api-capg-manager-bootstrap-credentials-credentials.yaml openshift-cluster-csi-drivers-gcp-pd-cloud-credentials-credentials.yaml openshift-image-registry-installer-cloud-credentials-credentials.yaml openshift-ingress-operator-cloud-credentials-credentials.yaml openshift-machine-api-gcp-cloud-credentials-credentials.yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 您可以通过查询 GCP 来验证是否已创建 IAM 服务帐户。如需更多信息,请参阅有关列出 IAM 服务帐户的 GCP 文档。
8.7.2.3. 整合 Cloud Credential Operator 实用程序清单
要为单个组件在集群外实现短期安全凭证,您必须将创建 Cloud Credential Operator 实用程序 (ccoctl) 的清单文件移到安装程序的正确目录中。
先决条件
- 您已使用托管集群的云平台配置了帐户。
-
您已配置了 Cloud Credential Operator 实用程序 (
ccoctl)。 -
已使用
ccoctl工具创建了集群所需的云供应商资源。
流程
在安装程序使用的 GCP 帐户中添加以下粒度权限:
例 8.3. 所需的 GCP 权限
- compute.machineTypes.list
- compute.regions.list
- compute.zones.list
- dns.changes.create
- dns.changes.get
- dns.managedZones.create
- dns.managedZones.delete
- dns.managedZones.get
- dns.managedZones.list
- dns.networks.bindPrivateDNSZone
- dns.resourceRecordSets.create
- dns.resourceRecordSets.delete
- dns.resourceRecordSets.list
如果您没有将
install-config.yaml配置文件中的credentialsMode参数设置为Manual,请修改值,如下所示:配置文件片段示例
apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...
apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...Copy to Clipboard Copied! Toggle word wrap Toggle overflow 如果您之前还没有创建安装清单文件,请运行以下命令:
openshift-install create manifests --dir <installation_directory>
$ openshift-install create manifests --dir <installation_directory>Copy to Clipboard Copied! Toggle word wrap Toggle overflow 其中
<installation_directory>是安装程序在其中创建文件的目录。运行以下命令,将
ccoctl工具生成的清单复制到安装程序创建的manifests目录中:cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/
$ cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/Copy to Clipboard Copied! Toggle word wrap Toggle overflow 将包含私钥的
tls目录复制到安装目录中:cp -a /<path_to_ccoctl_output_dir>/tls .
$ cp -a /<path_to_ccoctl_output_dir>/tls .Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}