Container cluster: security component installation problem #657
Comments
You can use curl -k to test whether agent_center is listening for audit logs normally. The address is in the server field of the downloaded audit webhook config file (the port is 6754).
For example: curl -k -X POST -H "Content-Type: application/json" --data '{"kind":"Event"}' https://{URL}
In the file generated by default, the server field is server: https://127.0.0.1:6754/rawdata/audit. Does 127.0.0.1:6754 here mean that I need to install the agent_center service on the k8s node host? I deployed Elkeid with docker following the "Single-machine docker quick deployment (recommended for single-machine test environments)" document, and Elkeid itself is not listening on port 6754.
You need to make sure k8s can reach port 6754 on the host where agent_center runs; that port receives the audit logs. The docker-deployed ac should also listen on that port; you can specify the port mapping when running docker run.
I added a port mapping for 6754 to the elkeid_community container (the allinone deployment has only this container), then ran curl -k -X POST -H "Content-Type: application/json" --data '{"kind":"Event"}' https://172.20.1.10:6754 and got curl: (56) OpenSSL SSL_read: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate, errno 0. Running curl inside the container gives curl: (58) NSS: client certificate not found (nickname not specified). What should the normal response be?
You can try reconfiguring k8s and see whether the audit logs are received normally.
After reconfiguring k8s it still shows as not installed. The kube-apiserver log on the master1 node is as follows: AUDIT: id="a5b2abcc-17b3-4d0e-967c-e8d8e0e23ffb" stage="ResponseComplete" ip="172.20.1.1" method="patch" user="system:node:master-1" groups=""system:nodes","system:authenticated"" as="" asgroups="" user-agent="kubelet/v1.22.10 (linux/amd64) kubernetes/eae22ba" namespace="" uri="/api/v1/nodes/master-1/status?timeout=10s" response="200"
Make sure the certificate is correct, restart kube-apiserver (you can trigger a restart by moving the apiserver YAML file away and then restoring it), and then use netstat or a similar tool to check whether there are network connections to port 6754.
Hello, is there a result for this issue? I ran into it too. I deployed with docker and forwarded port 6754 into the container with iptables; inside the container I can see network connections from the container cluster arriving at port 6754. But I can't find out why the security component never comes online.
Solved: k8s checks whether the server certificate's IP range and the certificate are consistent, and the certificate generated by docker is for 127.0.0.1.
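The root cause found above is the hostname/IP check kube-apiserver's Go TLS client performs on the webhook server certificate. The following is an added example, not code from Elkeid or this issue: it reproduces that check against a constructed self-signed certificate whose only SAN is 127.0.0.1, for the two `server:` URLs discussed in the thread (127.0.0.1 and the node IP 172.20.1.10); the helper names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"net/url"
	"time"
)

// checkWebhookServerCert reproduces the check kube-apiserver performs when it
// opens the audit webhook: the host in the kubeconfig `server:` URL must be
// covered by the certificate's SANs (an IP literal only matches an IP SAN).
func checkWebhookServerCert(serverURL string, cert *x509.Certificate) error {
	u, err := url.Parse(serverURL)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(u.Hostname())
}

// selfSignedForIPs issues a constructed test certificate whose only SANs are
// the given IPs, standing in for the 127.0.0.1-only cert the Docker deployment
// generates (hypothetical helper, not Elkeid's own cert generation).
func selfSignedForIPs(ips ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "agent_center"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	for _, ip := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(ip))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running `checkWebhookServerCert` with the node IP URL returns a hostname error for the 127.0.0.1-only certificate, which is why the apiserver never delivers audit events; reissuing agent_center's certificate with the reachable IP in its SANs makes the same call succeed.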
Problem description:
I added a k8s cluster in the Elkeid platform under System Management -> Container Cluster -> Add Cluster. After adding it, I followed the steps provided in the security component installation guide (on all three master nodes) and completed every step. After changing kube-apiserver.yaml, the cluster status is normal with no error logs, but the Elkeid platform still shows the Intrusion & Threat Detection status as Not installed, and indeed no data is received.
What I did about this:
1. Deleted the cluster, re-added it on the platform and tried the steps again.
2. Checked the contents of audit-policy.yaml and audit.kubeconfig and confirmed they match what the platform generated.
3. Restarted the three master nodes of the k8s cluster one by one.
4. Checked the apiserver logs (no anomalies).
Environment:
OS: Ubuntu 20.04.6 LTS
K8S: v1.22.10
Kernel version: 1 5.4.0-189-generic
File paths:
/etc/kubernetes/elkeid-audit/audit-policy.yaml
/etc/kubernetes/elkeid-audit/audit.kubeconfig
kube-apiserver.yaml contents:
```yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 172.20.1.1:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - image: k8s.gcr.io/kube-apiserver:v1.22.10
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 172.20.1.1
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-apiserver
    readinessProbe:
      failureThreshold: 3
      httpGet:
        host: 172.20.1.1
        path: /readyz
        port: 6443
        scheme: HTTPS
      periodSeconds: 1
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 172.20.1.1
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    - name: ca-certs
      readOnly: true
    - name: elkeid-audit
      readOnly: true
    - name: etc-ca-certificates
      readOnly: true
    - name: etc-pki
      readOnly: true
    - name: k8s-certs
      readOnly: true
    - name: localtime
      readOnly: true
    - name: usr-local-share-ca-certificates
      readOnly: true
    - name: usr-share-ca-certificates
      readOnly: true
  hostNetwork: true
  priorityClassName: system-node-critical
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/kubernetes/elkeid-audit
      type: Directory
    name: elkeid-audit
  - hostPath:
      path: /etc/ca-certificates
      type: DirectoryOrCreate
    name: etc-ca-certificates
  - hostPath:
      path: /etc/pki
      type: DirectoryOrCreate
    name: etc-pki
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /etc/localtime
      type: File
    name: localtime
  - hostPath:
      path: /usr/local/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-local-share-ca-certificates
  - hostPath:
      path: /usr/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-share-ca-certificates
status: {}
```