
Quickstart for Kubernetes fails with no identity issued

Open nick-lehmann opened this issue 3 years ago • 3 comments

  • Version: 0.12.0
  • Platform: Darwin Saturn.local 20.4.0 Darwin Kernel Version 20.4.0: Fri Mar 5 01:14:14 PST 2021; root:xnu-7195.101.1~3/RELEASE_X86_64 x86_64
  • Subsystem: server (I guess 🤷🏼‍♂️)

The Quickstart for Kubernetes tutorial seems to be broken currently. I followed the tutorial on my MacBook with minikube version 1.20 and checked out this version of the quickstart.

Everything works perfectly fine until the section "Configure a Workload Container to Access SPIRE". The command that should fetch the SVID for the sample client unfortunately fails with the following error:

```console
> kubectl exec -it $(kubectl get pods -o=jsonpath='{.items[0].metadata.name}' -l app=client) -- /bin/sh
/opt/spire # /opt/spire/bin/spire-agent api fetch -socketPath /run/spire/sockets/agent.sock
rpc error: code = PermissionDenied desc = no identity issued
```

Unfortunately, I am a total beginner when it comes to SPIRE, so I have no clue what could possibly cause the error. I tried the tutorial both by following the instructions given on the webpage and by executing the parts of the test.sh script before the teardown, but both ways fail. I also considered the steps described under "Considerations When Using Minikube".

nick-lehmann avatar Jun 08 '21 07:06 nick-lehmann

@tanjunchen unfortunately, no. I also did not investigate it further...

nick-lehmann avatar Feb 07 '22 10:02 nick-lehmann

Hello, you need to update the agent-daemonset YAML like this:

```yaml
initContainers:
  - name: init
    # This is a small image with wait-for-it, choose whatever image
    # you prefer that waits for a service to be up. This image is built
    # from https://github.com/lqhl/wait-for-it
    image: tanjunchen/wait-for-it
    args: ["-t", "30", "spire-server:8081"]
    env:
      - name: MY_NODE_NAME
        valueFrom:
          fieldRef:
            fieldPath: status.podIP
containers:
  - name: spire-agent
    image: tanjunchen/spire-agent:1.0.0
    args: ["-config", "/run/spire/config/agent.conf"]
    env:
      # With hostNetwork: true the pod IP is the node's own IP, so the agent
      # reads the node address from this variable via node_name_env.
      - name: MY_NODE_NAME
        valueFrom:
          fieldRef:
            fieldPath: status.podIP
    volumeMounts:
      - name: spire-config
        mountPath: /run/spire/config
```

and we also need to update the agent-configmap YAML like this:

```hcl
WorkloadAttestor "k8s" {
  plugin_data {
    # Defaults to the secure kubelet port.
    # Minikube does not have a cert in the cluster CA bundle that
    # can authenticate the kubelet cert, so skip validation.
    skip_kubelet_verification = true
    node_name_env = "MY_NODE_NAME"
  }
}
```

because the agent pod uses hostNetwork mode.

tanjunchen avatar Feb 08 '22 06:02 tanjunchen
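To make the mechanism behind this fix and the error concrete, here is an added example that is not part of this issue or of SPIRE's own code. It models, in plain Go with only the standard library, what the k8s WorkloadAttestor does: it queries the kubelet's `/pods` endpoint over TLS, derives `k8s:ns`, `k8s:sa` and `k8s:pod-label` selectors for the pod that owns the calling container, and matches those selectors against registration entries; an empty match is what the agent surfaces as `no identity issued`. The kubelet is a local `httptest` server with a self-signed certificate, the pod list, container ID and registration entries are constructed, and the SPIFFE IDs are assumed. The `skipVerify` parameter plays the role of `skip_kubelet_verification`: it is what makes minikube work, but it also means anything listening on the kubelet port can feed the attestor fabricated pod data (and therefore fabricated selectors), so `trustedPool` shows the alternative of trusting the kubelet's issuing CA instead. The real attestor emits more selectors (node name, container name, image and so on) and reads the container ID from the workload's cgroup; both are left out here.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Subset of the kubelet /pods response (a v1.PodList) that the attestor needs;
// encoding/json matches field names case-insensitively, so no tags are needed.
type PodList struct{ Items []Pod }
type Pod struct {
	Metadata struct{ Namespace string; Labels map[string]string }
	Spec     struct{ ServiceAccountName string }
	Status   struct{ ContainerStatuses []struct{ ContainerID string } }
}

// Entry stands in for a registration entry: a SPIFFE ID plus selectors that must all match.
type Entry struct {
	SpiffeID  string
	Selectors []string
}

// Constructed kubelet response for one pod shaped like the quickstart's client pod.
const fakePodsJSON = `{"items":[{"metadata":{"namespace":"default","labels":{"app":"client"}},
"spec":{"serviceAccountName":"default"},"status":{"containerStatuses":[{"containerID":"docker://abc123"}]}}]}`

// Constructed registration entries (assumed SPIFFE IDs); only the first covers that pod.
var sampleEntries = []Entry{
	{"spiffe://example.org/ns/default/sa/default", []string{"k8s:ns:default", "k8s:sa:default"}},
	{"spiffe://example.org/ns/spire/sa/spire-agent", []string{"k8s:ns:spire", "k8s:sa:spire-agent"}},
}

// newFakeKubelet serves fakePodsJSON over TLS with a self-signed certificate, standing in
// for a minikube kubelet whose certificate the cluster CA bundle cannot verify.
func newFakeKubelet() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte(fakePodsJSON))
	}))
}

// trustedPool is the secure alternative to skipping verification: trust the kubelet's issuer.
func trustedPool(srv *httptest.Server) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return pool
}

// fetchPods queries the kubelet /pods endpoint. skipVerify plays the role of
// skip_kubelet_verification: true accepts whatever certificate the listener presents.
func fetchPods(kubeletURL string, skipVerify bool, roots *x509.CertPool) (*PodList, error) {
	cfg := &tls.Config{InsecureSkipVerify: skipVerify, RootCAs: roots}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(kubeletURL + "/pods")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var list PodList
	if err := json.NewDecoder(resp.Body).Decode(&list); err != nil {
		return nil, err
	}
	return &list, nil
}

// selectorsFor derives the k8s workload selectors for the pod owning containerID
// (the ID the agent reads from the caller's cgroup, runtime scheme such as docker:// stripped).
func selectorsFor(list *PodList, containerID string) []string {
	for _, p := range list.Items {
		for _, cs := range p.Status.ContainerStatuses {
			parts := strings.SplitN(cs.ContainerID, "://", 2)
			if parts[len(parts)-1] != containerID {
				continue
			}
			sel := []string{"k8s:ns:" + p.Metadata.Namespace, "k8s:sa:" + p.Spec.ServiceAccountName}
			for k, v := range p.Metadata.Labels {
				sel = append(sel, "k8s:pod-label:"+k+":"+v)
			}
			return sel
		}
	}
	return nil // container not in any pod: attestation yields no selectors
}

// matchEntries returns the SPIFFE IDs of entries whose selectors are all present in the
// workload's selectors. An empty result is what the agent reports as "no identity issued".
func matchEntries(entries []Entry, workloadSel []string) (ids []string) {
	have := map[string]bool{}
	for _, s := range workloadSel {
		have[s] = true
	}
	for _, e := range entries {
		ok := len(e.Selectors) > 0
		for _, s := range e.Selectors {
			ok = ok && have[s]
		}
		if ok {
			ids = append(ids, e.SpiffeID)
		}
	}
	return ids
}
```

Exercising these functions against the fake kubelet gives three outcomes worth keeping apart when debugging this error: with verification on and an untrusted kubelet certificate, `fetchPods` fails outright (the agent would log a kubelet TLS error rather than `no identity issued`); with verification on and the kubelet's CA in the pool it succeeds, which is the setting to aim for outside minikube; and, with or without verification, a container that no entry's selectors cover returns an empty match, which is the condition behind the error in this issue.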

@tanjunchen thank you very much 👍🏻 I have finished my work regarding SPIRE, but hopefully this will help someone else in the future. If you think your solution is sufficient and works, please feel free to close this issue...

nick-lehmann avatar Feb 08 '22 08:02 nick-lehmann

Opened a new issue (#4147) that will cover this when implemented. Thanks for opening!

azdagron avatar May 08 '23 18:05 azdagron