I am trying to add --admission-control=ServiceAccount to my kube-apiserver invocation so that I can host https connections from kubernetes-ui and the apiserver. I get this on the controller manager.

Mar 25 18:39:51 master kube-controller-manager[1388]: I0325 18:39:51.425556 1388 event.go:211] Event(api.ObjectReference{Kind:"ReplicaSet", Namespace:"default", Name:"nginx4-3088538572", UID:"aefae1a6-f2b8-11e5-8269-0401bd450a01", APIVersion:"extensions", ResourceVersion:"252", FieldPath:""}): type: 'Warning' reason: 'FailedCreate' Error creating: pods "nginx4-3088538572-" is forbidden: no API token found for service account default/default, retry after the token is automatically created and added to the service account

Now my default service account looks like this

cesco@desktop: ~/code/go/src/bitbucket.org/cescoferraro/cluster/terraform on master [+!?]
$ kubectl get serviceaccount default -o wide
NAME      SECRETS   AGE
default   0         2m
cesco@desktop: ~/code/go/src/bitbucket.org/cescoferraro/cluster/terraform on master [+!?]
$ kubectl get serviceaccount default -o json
{
    "kind": "ServiceAccount",
    "apiVersion": "v1",
    "metadata": {
        "name": "default",
        "namespace": "default",
        "selfLink": "/api/v1/namespaces/default/serviceaccounts/default",
        "uid": "eaa3c6e1-f2cd-11e5-973f-0401bd52ec01",
        "resourceVersion": "30",
        "creationTimestamp": "2016-03-25T21:09:52Z"
    }
}

I am authenticating to kubernetes with tokens, and the whole cluster runs on https.

Controller manager

ExecStart=/opt/bin/kube-controller-manager \
                              --address=0.0.0.0 \
                              --root-ca-file=/home/core/ssl/ca.pem \
                              --service-account-private-key-file=/home/core/ssl/kube-key.pem  \
                              --master=https://${COREOS_PRIVATE_IPV4}:6443 \
                              --logtostderr=true \
                              --kubeconfig=/home/core/.kube/config  \
                              --cluster-cidr=10.132.0.0/16 \
                              --register-retry-count 100

API server

ExecStart=/opt/bin/kube-apiserver \
                          --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota \
                          --logtostderr=true  \
                          --insecure-bind-address=${MASTER_PRIVATE} \
                          --insecure-port=8080  \
                          --bind-address=0.0.0.0  \
                          --secure-port=6443  \
                          --runtime-config=api/v1 \
                          --allow-privileged=true \
                          --service-cluster-ip-range=10.100.0.0/16 \
                          --advertise-address=${MASTER_PUBLIC} \
                          --token-auth-file=/data/kubernetes/token.csv \
                          --etcd-cafile=/home/core/ssl/ca.pem   \
                          --etcd-certfile=/home/core/ssl/etcd1.pem  \
                          --etcd-keyfile=/home/core/ssl/etcd1-key.pem \
                          --etcd-servers=https://${MASTER_PRIVATE}:2379,https://${DATABASE_PRIVATE}:2379 \
                          --cert-dir=/home/core/ssl \
                          --client-ca-file=/home/core/ssl/ca.pem \
                          --tls-cert-file=/home/core/ssl/kubelet.pem \
                          --tls-private-key-file=/home/core/ssl/kubelet-key.pem \
                          --kubelet-certificate-authority=/home/core/ssl/ca.pem \
                          --kubelet-client-certificate=/home/core/ssl/kubelet.pem \
                          --kubelet-client-key=/home/core/ssl/kubelet-key.pem \
                          --kubelet-https=true

.kube/config

ExecStart=/opt/bin/kubectl config set-cluster CLUSTER  \
                                        --server=https://${MASTER_PRIVATE}:6443 \
                                        --certificate-authority=/home/core/ssl/ca.pem
ExecStart=/opt/bin/kubectl config set-credentials admin  \
                                        --token=elezxaMiqXVcXXU7lRYZ4akrlAtxY5Za \
                                        --certificate-authority=/home/core/ssl/ca.pem \
                                        --client-key=/home/core/ssl/kubelet-key.pem \
                                        --client-certificate=/home/core/ssl/kubelet.pem
ExecStart=/opt/bin/kubectl config set-context default-system \
                                        --cluster=CLUSTER \
                                        --user=admin
ExecStart=/opt/bin/kubectl config use-context default-system

Update 1

Following @Jordan Liggitt's answer, I added --service-account-key-file=/home/core/ssl/kubelet-key.pem to the apiserver invocation, but now I get

Mar 26 11:19:30 master kube-apiserver[1874]: F0326 11:19:30.556591    1874 server.go:410] Invalid Authentication Config: asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:1 isCompound:false}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 set:false omitEmpty:false} tbsCertificate @2

2 Answers

3

With version 1.6, you can have the token mounted automatically if you say so when creating the service account, like this:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: sysdig
automountServiceAccountToken: true

Answered on 2017-05-18T23:15:57.570
2

Make sure the controller manager is started with the service account key (used to sign the generated service account tokens) and the API server with the corresponding public key (used to verify the tokens during authentication).

Answered on 2016-03-25T23:55:52.937
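As an added example (not from the question or either answer), a small Go check of the pairing Jordan Liggitt's answer describes: it derives the public key the apiserver needs from the controller manager's private key and rejects the Update 1 mistake of handing the apiserver a private key file. The key pair is generated in-process as a constructed stand-in for the kube-key.pem file in the question; the function names are mine.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// publicPEMFromPrivate derives the PEM public key for the apiserver's
// --service-account-key-file from the controller-manager's private key.
func publicPEMFromPrivate(privPEM []byte) ([]byte, error) {
	block, _ := pem.Decode(privPEM)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return nil, fmt.Errorf("expected a PEM RSA PRIVATE KEY block")
	}
	priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an RSA key
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// checkServiceAccountKeys validates the two files before the daemons start: the
// apiserver file must be a PEM public key belonging to the controller-manager's
// private key, or tokens signed by one will never verify with the other.
func checkServiceAccountKeys(privPEM, pubPEM []byte) error {
	derived, err := publicPEMFromPrivate(privPEM)
	if err != nil {
		return fmt.Errorf("controller-manager key: %v", err)
	}
	pb, _ := pem.Decode(pubPEM)
	if pb == nil || pb.Type != "PUBLIC KEY" {
		return fmt.Errorf("apiserver key file must hold a PEM PUBLIC KEY, not a private key")
	}
	if db, _ := pem.Decode(derived); string(db.Bytes) != string(pb.Bytes) {
		return fmt.Errorf("apiserver public key does not belong to the controller-manager private key")
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for kube-key.pem
	privPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	pubPEM, _ := publicPEMFromPrivate(privPEM)
	// Correct pairing prints <nil>; the Update 1 mistake (private key on both sides) prints an error.
	fmt.Println(checkServiceAccountKeys(privPEM, pubPEM), "|", checkServiceAccountKeys(privPEM, privPEM))
}
```

The derived PUBLIC KEY block is the same thing `openssl rsa -in kube-key.pem -pubout` writes, so it can be saved to a file and passed to the apiserver flag.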