
Container cluster: security component installation problem

Open AceCoronnet9034 opened this issue 7 months ago • 10 comments

Problem description: On the Elkeid platform I added a k8s cluster via System Management -> Container Clusters -> Add Cluster. After adding it, I followed the steps in the security component installation guide (performed on all three master nodes) and completed all of them. After modifying kube-apiserver.yaml, the cluster status is normal and there are no error logs. However, the Elkeid platform still shows the intrusion & threat detection status as "Not installed", and it is indeed receiving no data.

What I have tried so far: 1. Deleted the cluster, re-added it on the platform and went through the steps again. 2. Checked the contents of audit-policy.yaml and audit.kubeconfig and confirmed they match what the platform generated. 3. Restarted the three master nodes of the k8s cluster one by one. 4. Checked the apiserver logs (nothing abnormal).

Environment: OS: Ubuntu 20.04.6 LTS; K8S: v1.22.10; kernel version: 5.4.0-189-generic

File paths: /etc/kubernetes/elkeid-audit/audit-policy.yaml, /etc/kubernetes/elkeid-audit/audit.kubeconfig

Contents of kube-apiserver.yaml:

```yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 172.20.1.1:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=172.20.1.1
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --audit-policy-file=/etc/kubernetes/audit/audit-policy.yaml
    - --audit-webhook-config-file=/etc/kubernetes/audit/audit.kubeconfig
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --feature-gates=TTLAfterFinished=true
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: k8s.gcr.io/kube-apiserver:v1.22.10
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 172.20.1.1
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-apiserver
    readinessProbe:
      failureThreshold: 3
      httpGet:
        host: 172.20.1.1
        path: /readyz
        port: 6443
        scheme: HTTPS
      periodSeconds: 1
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 172.20.1.1
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/kubernetes/audit/
      name: elkeid-audit
      readOnly: true
    - mountPath: /etc/ca-certificates
      name: etc-ca-certificates
      readOnly: true
    - mountPath: /etc/pki
      name: etc-pki
      readOnly: true
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /etc/localtime
      name: localtime
      readOnly: true
    - mountPath: /usr/local/share/ca-certificates
      name: usr-local-share-ca-certificates
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-share-ca-certificates
      readOnly: true
  hostNetwork: true
  priorityClassName: system-node-critical
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/kubernetes/elkeid-audit
      type: Directory
    name: elkeid-audit
  - hostPath:
      path: /etc/ca-certificates
      type: DirectoryOrCreate
    name: etc-ca-certificates
  - hostPath:
      path: /etc/pki
      type: DirectoryOrCreate
    name: etc-pki
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /etc/localtime
      type: File
    name: localtime
  - hostPath:
      path: /usr/local/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-local-share-ca-certificates
  - hostPath:
      path: /usr/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-share-ca-certificates
status: {}
```

AceCoronnet9034, Jul 16 '24 07:07
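The post above wires the audit webhook through two indirections: the `--audit-policy-file` / `--audit-webhook-config-file` flags name paths inside the container (`/etc/kubernetes/audit/...`), a `volumeMount` maps that directory to the `elkeid-audit` volume, and the volume's `hostPath` points at `/etc/kubernetes/elkeid-audit` on the master. A mismatch anywhere along that chain (flag pointing at the host path, mount name not matching a volume, file missing on one master) leaves the apiserver with no working webhook. The script below is an added example, not code from the issue author or from the Elkeid project; it walks that chain with `sed`/`awk` and reports each flag as OK, UNMOUNTED or NOFILE. The manifest and audit files it checks are a constructed fixture that mirrors the posted layout, the webhook URL in the fixture is a placeholder, and the optional `HOST_ROOT` argument only exists so the check can run against that fixture tree; on a real master call it with the real manifest and no second argument.

```shell
#!/usr/bin/env bash
# Added example: verify that the audit flags in a kubeadm kube-apiserver static-pod
# manifest resolve, via volumeMounts -> volumes -> hostPath, to files on the host.
set -eu

# flag_value MANIFEST FLAG: print the value of "- --FLAG=VALUE" (empty if absent).
flag_value() {
  sed -n "s#^[[:space:]]*- --$2=\(.*\)#\1#p" "$1" | head -n 1
}

# mount_to_host MANIFEST CONTAINER_PATH: print the host path CONTAINER_PATH maps to,
# or nothing if no volumeMount covers it. Each "- mountPath:" is paired with the
# "name:" that follows it; the name is then looked up under a "- hostPath:" volume.
mount_to_host() {
  manifest=$1; cpath=$2
  awk '
    /^[[:space:]]*- mountPath:/ { mp = $NF }
    mp != "" && /^[[:space:]]*name:/ { print mp, $NF; mp = "" }
  ' "$manifest" | while read -r mp name; do
    mp=${mp%/}                       # "/etc/kubernetes/audit/" -> "/etc/kubernetes/audit"
    case "$cpath" in
      "$mp"/*)
        hp=$(awk -v n="$name" '
          /^[[:space:]]*- hostPath:/ { inv = 1; p = "" }
          inv && /^[[:space:]]*path:/ { p = $NF }
          inv && /^[[:space:]]*name:/ { if ($NF == n && p != "") print p; inv = 0 }
        ' "$manifest")
        [ -n "$hp" ] && printf '%s/%s\n' "${hp%/}" "${cpath#"$mp"/}"
        ;;
    esac
  done | head -n 1
}

# check_audit_flags MANIFEST [HOST_ROOT]: both audit flags must be set, covered by a
# mount, and point at files that exist on the host. Returns non-zero on any problem.
check_audit_flags() {
  m=$1; root=${2-}; rc=0
  for f in audit-policy-file audit-webhook-config-file; do
    c=$(flag_value "$m" "$f")
    if [ -z "$c" ]; then echo "MISSING   --$f is not set"; rc=1; continue; fi
    h=$(mount_to_host "$m" "$c")
    if [ -z "$h" ]; then
      echo "UNMOUNTED --$f=$c is not under any volumeMount"; rc=1
    elif [ ! -f "$root$h" ]; then
      echo "NOFILE    --$f=$c -> host $h does not exist"; rc=1
    else
      echo "OK        --$f=$c -> host $h"
    fi
  done
  return $rc
}

# webhook_server KUBECONFIG: the URL the apiserver will POST audit events to.
webhook_server() {
  sed -n 's#^[[:space:]]*server:[[:space:]]*##p' "$1" | head -n 1
}

# --- constructed fixture: a trimmed copy of the posted manifest plus the host files ---
FIX=$(mktemp -d)
HOST_AUDIT=$FIX/etc/kubernetes/elkeid-audit
mkdir -p "$HOST_AUDIT"
cat > "$FIX/kube-apiserver.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/audit/audit-policy.yaml
    - --audit-webhook-config-file=/etc/kubernetes/audit/audit.kubeconfig
    - --secure-port=6443
    livenessProbe:
      httpGet:
        path: /livez
        port: 6443
    name: kube-apiserver
    volumeMounts:
    - mountPath: /etc/kubernetes/audit/
      name: elkeid-audit
      readOnly: true
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/elkeid-audit
      type: Directory
    name: elkeid-audit
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
EOF
# The probe's "path: /livez" and the metadata "name:" are kept on purpose: the awk
# pairing above must not mistake them for volume entries.
printf 'apiVersion: audit.k8s.io/v1\nkind: Policy\nrules:\n- level: Metadata\n' > "$HOST_AUDIT/audit-policy.yaml"
cat > "$HOST_AUDIT/audit.kubeconfig" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: audit-webhook
  cluster:
    # placeholder URL for the example, not a real Elkeid endpoint
    server: https://audit-webhook.example.invalid:8443/
EOF

echo "== manifest as posted =="
check_audit_flags "$FIX/kube-apiserver.yaml" "$FIX"
echo "webhook server: $(webhook_server "$HOST_AUDIT/audit.kubeconfig")"

# Common mistake: the flag names the HOST directory instead of the container mountPath.
sed 's#/etc/kubernetes/audit/audit-policy#/etc/kubernetes/elkeid-audit/audit-policy#' \
  "$FIX/kube-apiserver.yaml" > "$FIX/broken.yaml"
echo "== flag uses host path =="
check_audit_flags "$FIX/broken.yaml" "$FIX" || echo "(that file is not visible inside the container)"
```

On a master, `check_audit_flags /etc/kubernetes/manifests/kube-apiserver.yaml` run on each of the three nodes catches the per-node slips (a file copied to only two masters, a stray path) that a visual diff of the two audit files will not. If every flag reports OK, the remaining places to look are outside the manifest: whether the policy actually matches any requests (a policy with no matching rule produces no events), whether the `server:` URL printed above is reachable from the master with the CA and client credentials in `audit.kubeconfig`, and whether the apiserver log shows failed webhook POSTs.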