Kubernetes authentication using Keystone (--experimental-keystone-url)

10/3/2016

I have a Kubernetes cluster set up on CoreOS. I've added the option --experimental-keystone-url, which is set to the Keystone URL and version 2.0, to my kube-apiserver config to enable Keystone authentication. But after adding this option the kube-apiserver won't start. Are there any settings I may be missing here?

** EDIT ** Logs with v=9

I1006 09:53:55.637447   55310 round_trippers.go:299] curl -k -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.3.3 (darwin/amd64) kubernetes/c641139" http://10.240.126.13:8080/api
I1006 09:53:55.718256   55310 round_trippers.go:318] GET http://10.240.126.13:8080/api 200 OK in 80 milliseconds
I1006 09:53:55.718294   55310 round_trippers.go:324] Response Headers:
I1006 09:53:55.718303   55310 round_trippers.go:327]     Content-Type: application/json
I1006 09:53:55.718314   55310 round_trippers.go:327]     Date: Thu, 06 Oct 2016 16:53:54 GMT
I1006 09:53:55.718326   55310 round_trippers.go:327]     Content-Length: 131
I1006 09:53:55.718389   55310 request.go:891] Response Body: {"kind":"APIVersions","versions":["v1"],"serverAddressByClientCIDRs":[{"clientCIDR":"0.0.0.0/0","serverAddress":"10.0.0.4:6443"}]}
I1006 09:53:55.718713   55310 round_trippers.go:299] curl -k -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.3.3 (darwin/amd64) kubernetes/c641139" http://10.240.126.13:8080/apis
I1006 09:53:55.800450   55310 round_trippers.go:318] GET http://10.240.126.13:8080/apis 200 OK in 81 milliseconds
I1006 09:53:55.800488   55310 round_trippers.go:324] Response Headers:
I1006 09:53:55.800497   55310 round_trippers.go:327]     Date: Thu, 06 Oct 2016 16:53:55 GMT
I1006 09:53:55.800509   55310 round_trippers.go:327]     Content-Length: 1625
I1006 09:53:55.800520   55310 round_trippers.go:327]     Content-Type: application/json
I1006 09:53:55.800587   55310 request.go:891] Response Body: {"kind":"APIGroupList","groups":[{"name":"apps","versions":[{"groupVersion":"apps/v1alpha1","version":"v1alpha1"}],"preferredVersion":{"groupVersion":"apps/v1alpha1","version":"v1alpha1"},"serverAddressByClientCIDRs":[{"clientCIDR":"0.0.0.0/0","serverAddress":"10.0.0.4:6443"}]},{"name":"autoscaling","versions":[{"groupVersion":"autoscaling/v1","version":"v1"}],"preferredVersion":{"groupVersion":"autoscaling/v1","version":"v1"},"serverAddressByClientCIDRs":[{"clientCIDR":"0.0.0.0/0","serverAddress":"10.0.0.4:6443"}]},{"name":"batch","versions":[{"groupVersion":"batch/v1","version":"v1"},{"groupVersion":"batch/v2alpha1","version":"v2alpha1"}],"preferredVersion":{"groupVersion":"batch/v1","version":"v1"},"serverAddressByClientCIDRs":[{"clientCIDR":"0.0.0.0/0","serverAddress":"10.0.0.4:6443"}]},{"name":"extensions","versions":[{"groupVersion":"extensions/v1beta1","version":"v1beta1"}],"preferredVersion":{"groupVersion":"extensions/v1beta1","version":"v1beta1"},"serverAddressByClientCIDRs":[{"clientCIDR":"0.0.0.0/0","serverAddress":"10.0.0.4:6443"}]},{"name":"policy","versions":[{"groupVersion":"policy/v1alpha1","version":"v1alpha1"}],"preferredVersion":{"groupVersion":"policy/v1alpha1","version":"v1alpha1"},"serverAddressByClientCIDRs":[{"clientCIDR":"0.0.0.0/0","serverAddress":"10.0.0.4:6443"}]},{"name":"rbac.authorization.k8s.io","versions":[{"groupVersion":"rbac.authorization.k8s.io/v1alpha1","version":"v1alpha1"}],"preferredVersion":{"groupVersion":"rbac.authorization.k8s.io/v1alpha1","version":"v1alpha1"},"serverAddressByClientCIDRs":[{"clientCIDR":"0.0.0.0/0","serverAddress":"10.0.0.4:6443"}]}]}
I1006 09:53:55.801876   55310 round_trippers.go:299] curl -k -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.3.3 (darwin/amd64) kubernetes/c641139" http://10.240.126.13:8080/api/v1/nodes
I1006 09:53:55.885365   55310 round_trippers.go:318] GET http://10.240.126.13:8080/api/v1/nodes 200 OK in 83 milliseconds
I1006 09:53:55.885409   55310 round_trippers.go:324] Response Headers:
I1006 09:53:55.885425   55310 round_trippers.go:327]     Content-Type: application/json
I1006 09:53:55.885439   55310 round_trippers.go:327]     Date: Thu, 06 Oct 2016 16:53:55 GMT
I1006 09:53:55.885531   55310 request.go:891] Response Body: {"kind":"NodeList","apiVersion":"v1","metadata":{"selfLink":"/api/v1/nodes","resourceVersion":"711"},"items":[{"metadata":{"name":"10.0.0.5","selfLink":"/api/v1/nodes/10.0.0.5","uid":"1228dcb6-8be5-11e6-a1ca-fa163ebf0693","resourceVersion":"709","creationTimestamp":"2016-10-06T16:51:04Z","labels":{"beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/os":"linux","kubernetes.io/hostname":"10.0.0.5"},"annotations":{"volumes.kubernetes.io/controller-managed-attach-detach":"true"}},"spec":{"externalID":"10.0.0.5"},"status":{"capacity":{"alpha.kubernetes.io/nvidia-gpu":"0","cpu":"1","memory":"4051648Ki","pods":"110"},"allocatable":{"alpha.kubernetes.io/nvidia-gpu":"0","cpu":"1","memory":"4051648Ki","pods":"110"},"conditions":[{"type":"OutOfDisk","status":"False","lastHeartbeatTime":"2016-10-06T16:53:45Z","lastTransitionTime":"2016-10-06T16:51:04Z","reason":"KubeletHasSufficientDisk","message":"kubelet has sufficient disk space available"},{"type":"MemoryPressure","status":"False","lastHeartbeatTime":"2016-10-06T16:53:45Z","lastTransitionTime":"2016-10-06T16:51:04Z","reason":"KubeletHasSufficientMemory","message":"kubelet has sufficient memory available"},{"type":"Ready","status":"True","lastHeartbeatTime":"2016-10-06T16:53:45Z","lastTransitionTime":"2016-10-06T16:51:05Z","reason":"KubeletReady","message":"kubelet is posting ready status"}],"addresses":[{"type":"LegacyHostIP","address":"10.0.0.5"},{"type":"InternalIP","address":"10.0.0.5"}],"daemonEndpoints":{"kubeletEndpoint":{"Port":10250}},"nodeInfo":{"machineID":"748cfc5d0ac0444e85d1cccb08411403","systemUUID":"2CB10D3F-EBBF-49E1-8FE6-FF888C4427E8","bootID":"c37560e4-ea62-4640-b2ed-f6ba4368716a","kernelVersion":"4.5.0-coreos-r1","osImage":"Debian GNU/Linux 8 (jessie)","containerRuntimeVersion":"docker://1.10.3","kubeletVersion":"v1.3.4+coreos.0","kubeProxyVersion":"v1.3.4+coreos.0","operatingSystem":"linux","architecture":"amd64"},"images":[{"names":["gcr.io/google_containers/hyperkube:v1.3.4"],"sizeBytes":404164189},{"names":["gcr.io/google_containers/pause-amd64:3.0"],"sizeBytes":746888}]}}]}
I1006 09:53:55.886761   55310 meta.go:86] Calling Accessor on non-internal object: *api.NodeList
-- tkcode
keystone
kubernetes

0 Answers
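
An added example, not part of the original post: a small Python check over a kubectl `-v=9` trace like the one above that reports, per request, whether it used TLS and carried credentials. In the posted trace every call is plain HTTP to port 8080 (the default kube-apiserver `--insecure-port`) with no Authorization header, so those 200 responses do not exercise any authenticator. The last two sample lines (the HTTPS request and its 401) are constructed, and treating an `Authorization` header on the curl line as the sign of credentials is an assumption.

```python
import re
from urllib.parse import urlsplit

# Sample input: the first two lines are copied from the trace in the question;
# the last two are constructed to show a credentialed HTTPS request for contrast.
SAMPLE = '''\
I1006 09:53:55.801876   55310 round_trippers.go:299] curl -k -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.3.3 (darwin/amd64) kubernetes/c641139" http://10.240.126.13:8080/api/v1/nodes
I1006 09:53:55.885365   55310 round_trippers.go:318] GET http://10.240.126.13:8080/api/v1/nodes 200 OK in 83 milliseconds
I1006 09:54:01.000001   55310 round_trippers.go:299] curl -k -v -XGET  -H "Accept: application/json, */*" -H "Authorization: Basic <redacted>" https://10.0.0.4:6443/api/v1/nodes
I1006 09:54:01.050001   55310 round_trippers.go:318] GET https://10.0.0.4:6443/api/v1/nodes 401 Unauthorized in 50 milliseconds
'''

GLOG = re.compile(r'^[IWEF]\d{4} [\d:.]+\s+\d+ round_trippers\.go:\d+\] (.*)$')
CURL = re.compile(r'^curl .*?-X([A-Z]+)\s+(.*?)\s*(\S+)$')
HEADER = re.compile(r'-H "([^":]+):')
RESP = re.compile(r'^([A-Z]+) (\S+) (\d{3}) ')


def audit(trace):
    """Pair each curl line with its response and report how the request was sent."""
    sent_headers = {}  # URL -> lower-cased header names seen on the matching curl line
    findings = []
    for line in trace.splitlines():
        m = GLOG.match(line)
        if not m:
            continue  # response bodies and lines from other source files are skipped
        msg = m.group(1)
        if (c := CURL.match(msg)):
            sent_headers[c.group(3)] = {h.lower() for h in HEADER.findall(c.group(2))}
        elif (r := RESP.match(msg)):
            url = r.group(2)
            findings.append({
                "url": url,
                "status": int(r.group(3)),
                "tls": urlsplit(url).scheme == "https",
                # Assumption: credentials, when sent, show up as an Authorization header.
                "credentials": "authorization" in sent_headers.get(url, set()),
            })
    return findings


def exercises_authentication(trace):
    """True only if some request went over TLS and carried credentials."""
    return any(f["tls"] and f["credentials"] for f in audit(trace))
```
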