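7.13. Verifying the Trustee configuration
You can verify the Trustee configuration by checking the Trustee pods and logs.
Procedure
Set the default project by running the following command: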
$ oc project trustee-operator-system
Check the Trustee pods by running the following command:
$ oc get pods -n trustee-operator-system
Example output
NAME                                                   READY   STATUS    RESTARTS   AGE
trustee-deployment-8585f98449-9bbgl                    1/1     Running   0          22m
trustee-operator-controller-manager-5fbd44cd97-55dlh   2/2     Running   0          59m
Set the POD_NAME environment variable by running the following command:
$ POD_NAME=$(oc get pods -l app=kbs -o jsonpath='{.items[0].metadata.name}' -n trustee-operator-system)
Check the pod logs by running the following command:
$ oc logs -n trustee-operator-system $POD_NAME
Example output
[2024-05-30T13:44:24Z INFO kbs] Using config file /etc/kbs-config/kbs-config.json
[2024-05-30T13:44:24Z WARN attestation_service::rvps] No RVPS address provided and will launch a built-in rvps
[2024-05-30T13:44:24Z INFO attestation_service::token::simple] No Token Signer key in config file, create an ephemeral key and without CA pubkey cert
[2024-05-30T13:44:24Z INFO api_server] Starting HTTPS server at [0.0.0.0:8080]
[2024-05-30T13:44:24Z INFO actix_server::builder] starting 12 workers
[2024-05-30T13:44:24Z INFO actix_server::server] Tokio runtime found; starting in existing Tokio runtime
Verify that kbs-service is exposed on a node port by running the following command:
$ oc get svc kbs-service -n trustee-operator-system
Example output
NAME          TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
kbs-service   NodePort   198.51.100.54   <none>        8080:31862/TCP   23h
Get the Trustee deployment pod name by running the following command:
$ oc get pods -n trustee-operator-system | grep -i trustee-deployment
Example output
NAME                                 READY   STATUS    RESTARTS   AGE
trustee-deployment-d746679cd-plq82   1/1     Running   0          2m32s
Get the IP address of the worker node by running the following command:
$ oc get po trustee-deployment-d746679cd-plq82 -o custom-columns="NODE-IP:.status.hostIP"
Example output
NODE-IP
192.168.122.36
The URL for accessing Trustee is http://<worker_node_ip>:<node_port>, for example, http://192.168.122.36:31862.
Verify that the AA_KBC_PARAMS value in the peer-pods-cm config map is the same as the Trustee URL by running the following command:
$ oc get cm peer-pods-cm -n openshift-sandboxed-containers-operator -o yaml | grep AA_KBC_PARAMS
Example output
AA_KBC_PARAMS: cc_kbc::http://192.168.122.36:31862
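The final comparison and the log review from the procedure above, scripted as an added example that is not part of the original documentation. The function names are hypothetical, and the inputs are the example output shown on this page, embedded so the script runs without a cluster.

```bash
#!/usr/bin/env bash
# Added example: offline checks over output captured from the steps above.
# Function names are hypothetical; sample values are this page's example output.

# Log lines copied from the example output of `oc logs` on this page.
SAMPLE_LOG='[2024-05-30T13:44:24Z INFO kbs] Using config file /etc/kbs-config/kbs-config.json
[2024-05-30T13:44:24Z WARN attestation_service::rvps] No RVPS address provided and will launch a built-in rvps
[2024-05-30T13:44:24Z INFO attestation_service::token::simple] No Token Signer key in config file, create an ephemeral key and without CA pubkey cert
[2024-05-30T13:44:24Z INFO api_server] Starting HTTPS server at [0.0.0.0:8080]'

# Print WARN lines and the ephemeral-token-key notice from logs on stdin.
trustee_log_notices() {
  grep -E ' WARN |No Token Signer key' || true
}

# "8080:31862/TCP" (PORT(S) column of `oc get svc`) -> "31862"
node_port_from_ports() {
  local ports="${1#*:}"
  printf '%s\n' "${ports%%/*}"
}

# "AA_KBC_PARAMS: cc_kbc::http://host:port" -> "http://host:port"
kbs_url_from_cm_line() {
  local value="${1#*AA_KBC_PARAMS: }"
  printf '%s\n' "${value#cc_kbc::}"
}

# Compare the URL built from node IP + node port with the config map value.
# Args: <node_ip> <PORT(S) field> <AA_KBC_PARAMS line>
check_kbc_params() {
  local expected actual
  expected="http://$1:$(node_port_from_ports "$2")"
  actual=$(kbs_url_from_cm_line "$3")
  if [ "$expected" = "$actual" ]; then
    echo "OK $actual"
  else
    echo "MISMATCH expected=$expected actual=$actual"
    return 1
  fi
}

printf '%s\n' "$SAMPLE_LOG" | trustee_log_notices
check_kbc_params 192.168.122.36 "8080:31862/TCP" \
  "  AA_KBC_PARAMS: cc_kbc::http://192.168.122.36:31862"
```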