
I have successfully deployed Kubernetes via Kubespray and everything seems to be running fine. I can access the cluster via kubectl and list nodes, pods, services, secrets, etc. I can also apply new resources, and the dashboard endpoint gives me the dashboard login page.

I have logged in using the tokens of different service accounts (default, kubernetes-dashboard, kubernetes-admin, ...). Every time I log in, I get the same popup described in Kubespray dashboard warning forbidden popup.

So I applied the cluster role binding for the default service account as described. When I now log in with the default account token, I only get a

Unknown Server Error (404)
the server could not find the requested resource
Redirecting to previous state in 3 seconds...

box, after which I am redirected to the login page. Same thing if I go through kubectl proxy. Access is HTTPS based on the public cluster IP and HTTP based on the proxy.

I am using Kubernetes 1.16.2 and the latest Kubespray master commit 18d19d9e

Edit: I destroyed and re-provisioned the cluster to get a fresh Kubespray-configured instance, so that all steps are deterministic, and added more information...

kubectl -n kube-system logs --follow kubernetes-dashboard-556b9ff8f8-jbmgg -- during the login attempt gave me

2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/login request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 POST /api/v1/login request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/token request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 POST /api/v1/token/refresh request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/token request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 POST /api/v1/token/refresh request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/overview/default?filterBy=&itemsPerPage=10&name=&page=1&sortBy=d,creationTimestamp request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 Getting config category
2019/12/16 12:35:03 Getting discovery and load balancing category
2019/12/16 12:35:03 Getting lists of all workloads
2019/12/16 12:35:03 the server could not find the requested resource
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 404 status code
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 Getting pod metrics
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/systembanner request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/rbac/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:12 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
2019/12/16 12:35:42 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.

I found a strange workaround to get the dashboard working, but it is not usable for us in production; maybe someone can explain it:

  1. I take the service account kube-system:default as an example (note: at this point cluster-admin is not assigned to this account)
  2. I get its token and log in with it
  3. The dashboard obviously shows me the "forbidden popup"
  4. While still logged in, I run kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=kube-system:default
  5. I refresh the browser tab containing my dashboard session... and voilà, everything is displayed correctly.

So I cannot log out and log in again; I always have to delete the cluster role binding, then log in, then apply the cluster role binding again.

This seems to be closely tied to a Kubespray-configured cluster, so is anyone able to reproduce this with Kubespray?


2 Answers


If you connect using a certificate, your certificate should be in the system:masters group, so include "Subject: O=system:masters, CN="

You can also create a token and then use the token instead of the certificate:

Your cluster role may be bound to a "service account" rather than to your group; you should check your group in the yaml file. Your service account has an access token; use it to authenticate instead of your certificate.

Use this to get the token and use it.

kubectl describe secret $(kubectl get secret | grep cluster-admin | awk '{print $1}')

Token:

Update your kubeconfig to authenticate with that token instead of the certificate you are currently using, and you should successfully authenticate as that cluster-admin service account.

Kubernetes RBAC - forbidden attempt to grant extra privileges

answered 2019-12-12T08:33:23.113
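The answer above hinges on knowing which subject a token actually authenticates as, and the question's workaround binds kube-system:default to cluster-admin. The script below is an added example, not code from the question, the answer, or Kubespray: it decodes the payload of a service-account JWT to show its "sub" claim before the token is pasted into the dashboard or a kubeconfig, renders the kubeconfig user entry that uses the token instead of a certificate, and renders the YAML equivalent of the clusterrolebinding command. It assumes POSIX sh with base64, cut, sed and tr, and that the token is a Kubernetes service-account JWT; the sample token is constructed here and is unsigned, so substitute the value from kubectl describe secret.

```shell
#!/bin/sh
# Added example (not from the original post or answer): inspect a Kubernetes
# service-account JWT before using it for dashboard or kubeconfig login, so
# you know which subject the API server will see, then render the matching
# kubeconfig user entry and ClusterRoleBinding manifest.
# Assumptions: POSIX sh with base64(1), cut(1), sed(1) and tr(1); the token is
# a service-account JWT whose JSON payload carries a "sub" claim of the form
# system:serviceaccount:<namespace>:<name>.

b64url_encode() {
    # Standard base64, unwrapped, padding stripped, alphabet switched to base64url.
    printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

b64url_decode() {
    # Reverse of the above: restore the alphabet and the padding base64(1) expects.
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

jwt_payload() {
    # The claims are the second dot-separated segment. The signature is NOT
    # verified here, so only trust the output for tokens you obtained yourself.
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

jwt_claim() {
    # jwt_claim TOKEN CLAIM -> value of a string-valued claim, no jq needed.
    # '|' delimits the sed expression so claim names containing '/' work.
    jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

sa_subject_matches() {
    # sa_subject_matches TOKEN NAMESPACE NAME -> exit 0 only if the token's
    # "sub" is exactly the service account you think you are logging in as.
    [ "$(jwt_claim "$1" sub)" = "system:serviceaccount:$2:$3" ]
}

kubeconfig_token_user() {
    # kubeconfig_token_user NAME TOKEN -> a users[] entry that authenticates
    # with the bearer token instead of a client certificate.
    printf 'users:\n- name: %s\n  user:\n    token: %s\n' "$1" "$2"
}

clusterrolebinding_manifest() {
    # clusterrolebinding_manifest NAME CLUSTERROLE NAMESPACE SA -> the YAML
    # equivalent of: kubectl create clusterrolebinding NAME --clusterrole CLUSTERROLE --serviceaccount=NAMESPACE:SA
    printf 'apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: %s\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: %s\nsubjects:\n- kind: ServiceAccount\n  name: %s\n  namespace: %s\n' "$1" "$2" "$4" "$3"
}

# Constructed sample token: an unsigned JWT with the claim layout of a
# Kubernetes service-account token. A real token is signed by the API server's
# service-account key; paste the value from `kubectl describe secret` instead.
SAMPLE_HEADER='{"alg":"RS256","typ":"JWT"}'
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/service-account.name":"default","sub":"system:serviceaccount:kube-system:default"}'
SAMPLE_TOKEN="$(b64url_encode "$SAMPLE_HEADER").$(b64url_encode "$SAMPLE_PAYLOAD").c2lnbmF0dXJl"

# Usage: sh sa-token-check.sh demo   (file name is a placeholder)
if [ "${1:-}" = "demo" ]; then
    echo "subject: $(jwt_claim "$SAMPLE_TOKEN" sub)"
    if sa_subject_matches "$SAMPLE_TOKEN" kube-system default; then
        echo "this is the kube-system default SA: binding it to cluster-admin also"
        echo "grants cluster-admin to every pod in kube-system that runs as that SA"
    fi
    kubeconfig_token_user default-admin "$SAMPLE_TOKEN"
    clusterrolebinding_manifest default-admin cluster-admin kube-system default
fi
```

Running the decode step against each token the question tried (default, kubernetes-dashboard, kubernetes-admin) shows the exact subject the dashboard presents to the API server, which is what a ClusterRoleBinding's subjects list has to name. Note that the question's workaround binds the namespace's default service account, which every pod in kube-system without an explicit serviceAccountName also uses; a dedicated service account for dashboard login keeps that binding from leaking to unrelated workloads.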

Well, this seems to be a bug reported in Kubespray GitHub repo issue #5347

answered 2019-12-17T10:25:37.297