docker - Istio 允许在 Docker Desktop Kubernetes 上使用第三方 JWT

Question

我使用的是 docker desktop 自带的预打包 Kubernetes 集群。我在 Windows 机器上，使用 WSL 2 在 Ubuntu-18.04 VM 上运行 Kubernetes。在我的 Kubernetes 集群上，我运行:

istioctl install --set profile=demo --set values.global.jwtPolicy=third-party-jwt

但我得到消息:

Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/v1.9/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.

在那之后，它会一直卡住直到超时:

Processing resources for Istiod. Waiting for Deployment/istio-system/istiod

有没有办法在我的集群中启用第三方 JWT？

Answer 1

在您收到的错误消息中，有一个链接指向有关该特定问题的文档:

• Istio.io: Latest: Docs: Ops: Best practices: Security: Configure third party service account tokens

引用官方文档:

Configure third party service account tokens

To authenticate with the Istio control plane, the Istio proxy will use a Service Account token. Kubernetes supports two forms of these tokens:

Third party tokens, which have a scoped audience and expiration.First party tokens, which have no expiration and are mounted into all pods.Because the properties of the first party token are less secure, Istio will default to using third party tokens. However, this feature is not enabled on all Kubernetes platforms.

If you are using istioctl to install, support will be automatically detected. This can be done manually as well, and configured by passing --set values.global.jwtPolicy=third-party-jwt or --set values.global.jwtPolicy=first-party-jwt.

To determine if your cluster supports third party tokens, look for the TokenRequest API. If this returns no response, then the feature is not supported:

$ kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))'

{
    "name": "serviceaccounts/token",
    "singularName": "",
    "namespaced": true,
    "group": "authentication.k8s.io",
    "version": "v1",
    "kind": "TokenRequest",
    "verbs": [
        "create"
    ]
}

While most cloud providers support this feature now, many local development tools and custom installations may not prior to Kubernetes 1.20. To enable this feature, please refer to the Kubernetes documentation.

---

我不确定使用 Docker Desktop 创建的 Kubernetes (1.19.7) 是否支持此功能，但 Kubernetes 文档显示了如何启用它:

Service Account Token Volume Projection

FEATURE STATE: Kubernetes v1.20 [stable]

Note:

To enable and use token request projection, you must specify each of the following command line arguments to kube-apiserver:

--service-account-issuer
--service-account-key-file
--service-account-signing-key-file
--api-audiences

您可以在带有 Kubernetes 的 Docker 桌面中以一种有点笨拙的方式编辑您的 kubeapi-server list 。您可以按照以下答案(我是该答案的作者)阅读更多相关信息:

• Stackoverflow.com: Questions: Location of Kubernetes config directory with Docker Desktop on Windows

---

解决方法

当您在主机上使用 Docker 时，您还可以考虑使用 minikube 及其 --driver=docker。它支持第三方 JWT token ，如 Istio 文档中所述(它从 $ kubectl get --raw ... 命令生成响应)。

A side note!

I've tested this on a minikube version 1.19.0 and Kubernetes version 1.20.2.