通过host无法访问被纳管集群，被纳管集群ks-apiserver报错token not found in cache

qd19zzx

我们有一个hosti集群和一个被纳管集群m，之前通过host都是可以直接访问集群m的。
今天突然发现通过host无法选择集群m的项目，点击集群m后会返回401，并且跳的login界面。

查看被纳管集群m上的ks-apiserver的log，有如下错误

E1218 20:40:10.012922       1 jwt_token.go:45] token not found in cache
E1218 20:40:10.012939       1 authentication.go:60] Unable to authenticate the request due to error: token not found in cache
E1218 20:40:35.047541       1 token.go:65] token not found in cache
E1218 20:40:35.047570       1 jwt_token.go:45] token not found in cache
E1218 20:40:35.047589       1 authentication.go:60] Unable to authenticate the request due to error: token not found in cache
E1218 20:40:45.012798       1 token.go:65] token not found in cache
E1218 20:40:45.012827       1 jwt_token.go:45] token not found in cache
E1218 20:40:45.012844       1 authentication.go:60] Unable to authenticate the request due to error: token not found in cache
E1218 20:40:46.044399       1 token.go:65] token not found in cache
E1218 20:40:46.044425       1 jwt_token.go:45] token not found in cache
E1218 20:40:46.044442       1 authentication.go:60] Unable to authenticate the request due to error: token not found in cache
E1218 20:40:55.019939       1 token.go:65] token not found in cache
E1218 20:40:55.019969       1 jwt_token.go:45] token not found in cache
E1218 20:40:55.019987       1 authentication.go:60] Unable to authenticate the request due to error: token not found in cache
E1218 20:41:05.013632       1 token.go:65] token not found in cache
E1218 20:41:05.013661       1 jwt_token.go:45] token not found in cache
E1218 20:41:05.013678       1 authentication.go:60] Unable to authenticate the request due to error: token not found in cache
E1218 20:41:10.045320       1 token.go:65] token not found in cache
E1218 20:41:10.045350       1 jwt_token.go:45] token not found in cache
E1218 20:41:10.045367       1 authentication.go:60] Unable to authenticate the request due to error: token not found in cache

qd19zzx

host集群ks-apiserver上有token超时的错误

2020/12/18 19:50:02 http: proxy error: context canceled
2020/12/18 20:02:21 http: proxy error: context canceled
2020/12/18 20:12:29 http: proxy error: context canceled
2020/12/18 20:12:30 http: proxy error: context canceled
2020/12/18 20:12:30 http: proxy error: context canceled
2020/12/18 20:12:37 http: proxy error: context canceled
E1218 20:25:08.219883       1 ldap_provider.go:101] LDAP Result Code 49 "Invalid Credentials":
E1218 20:25:08.219999       1 authenticator.go:108] LDAP Result Code 49 "Invalid Credentials":
E1218 20:25:08.220015       1 handler.go:275] incorrect password
E1218 20:25:08.222138       1 login_recoder.go:75] LoginRecord.iam.kubesphere.io "A0041454-7tjl7" is invalid: [metadata.generateName: Invalid value: "A0041454-": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'), metadata.name: Invalid value: "A0041454-7tjl7": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')]
E1218 20:25:08.222163       1 handler.go:279] LoginRecord.iam.kubesphere.io "A0041454-7tjl7" is invalid: [metadata.generateName: Invalid value: "A0041454-": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'), metadata.name: Invalid value: "A0041454-7tjl7": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')]
I1218 20:25:08.222186       1 apiserver.go:539] 100.77.248.93 - "POST /oauth/token HTTP/1.1" 500 697 6ms
E1218 20:44:16.565604       1 ldap_provider.go:101] LDAP Result Code 49 "Invalid Credentials":
E1218 20:44:16.565727       1 authenticator.go:108] LDAP Result Code 49 "Invalid Credentials":
E1218 20:44:16.565743       1 handler.go:275] incorrect password
I1218 20:44:16.569795       1 apiserver.go:539] 100.77.248.93 - "POST /oauth/token HTTP/1.1" 401 32 31ms
2020/12/18 20:45:17 http: proxy error: context canceled
E1218 20:48:05.008286       1 jwt.go:51] token is expired by 5s
E1218 20:48:05.008315       1 token.go:57] token is expired by 5s
E1218 20:48:05.008326       1 jwt_token.go:45] token is expired by 5s
E1218 20:48:05.008338       1 authentication.go:60] Unable to authenticate the request due to error: token is expired by 5s
E1218 20:48:05.062430       1 jwt.go:51] token is expired by 5s
E1218 20:48:05.062457       1 token.go:57] token is expired by 5s
E1218 20:48:05.062472       1 jwt_token.go:45] token is expired by 5s
E1218 20:48:05.062484       1 authentication.go:60] Unable to authenticate the request due to error: token is expired by 5s

yuswift

分别在host集群和member集群执行
kubectl -n kubesphere-system get cm kubesphere-config -o yaml | grep -v “apiVersion” | grep jwtSecret
看看两个secret是否一致

qd19zzx

yuswift 检查过是一致的

Connor

yuswift

都是一致的

Connor

yuswift

Connor

kubectl get loginrecords.iam.kubesphere.io
发现M集群是空的，没有同步过来，其他整M集群都是有数据的

qd19zzx

问题原因找到了更新一下
m集群的kubesphere-config accessTokenMaxAge这里需要设置成0，查看源码0意味着永不超期。kubesphere-config可能有人误改成了10h，所以通过host无法登录m。
问题虽然解决了但是逻辑还是不太清楚，10h的超期时间还不够吗？为什么m
集群设置成10h超期，ks-apiserver会一直报token not found in cache的错误

apiVersion: v1
data:
  kubesphere.yaml: |
    authentication:
      authenticateRateLimiterMaxTries: 10
      authenticateRateLimiterDuration: 10m0s
      loginHistoryRetentionPeriod: 24h
      maximumClockSkew: 10s
      multipleLogin: true
      kubectlImage: kubespheredev/kubectl:v1.0.0
      jwtSecret: "XC14lrpYMKbWC30ut1UYdd2KYV0kQpqs"
      oauthOptions:
        accessTokenMaxAge: 0

hongming

qd19zzx

token 由 host cluster 签发，host cluster需要对签发的token进行缓存，以便对token进行管理（吊销）。
member cluster 只需要校验 token 的签名是否正确
设置 cluster role 后ks-installer会修改member cluster 中accessTokenMaxAge这个字段