我已经使用Kubernetes.net客户端库版本一段时间了,现在可以从容器中访问Kubernetes api。今天,我从客户端库版本1.6.11更新到了4.0.21,但这破坏了客户端的部分身份验证。
这是我得到的例外:
HttpRequestException. The SSL connection could not be established, see inner exception.
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
(rest of the stack trace ommited)
内部例外:
AuthenticationException. The remote certificate is invalid because of errors in the certificate chain: PartialChain.
at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
我使用默认的inClusterConfiguration来创建Kubernetes客户端的实例:
KubernetesClientConfiguration config = KubernetesClientConfiguration.InClusterConfig();
Kubernetes client = new Kubernetes(config);
在验证了我仍然可以使用存储在/var/run/secrets/kubernetes.io/serviceaccount/中的与pod的服务帐户相关联的令牌通过curl与API交谈之后。
我对SSL不太熟悉,但经过一番努力,我找到了一个解决办法,将ca.cert文件从serviceaccount目录复制到/usr/local/share/ca-certificates/并运行update-ca-certificates,但我确实想知道现在需要执行此操作有什么变化。
有没有什么方法可以配置客户端,使其自动完成或以其他方式解决?
从客户端的Github中,我发现了这个问题,这表明我的解决方案比我发现的更好。
KubernetesClientConfiguration config = KubernetesClientConfiguration.InClusterConfig();
config.TcpKeepAlive = false;
Kubernetes client = new Kubernetes(config);