测试 kubernetes api-server 时得到 'Unauthorized'
getting 'Unauthorized' when testing kubernetes api-server
我有 CoreOS alpha (1284.2.0) 的 Container Linux,我尝试安装 kubernetes 1.5.2。
我注意到 kube-proxy pod 出现故障,我进行了搜索,发现 api-server 清单可能配置不正确。
我使用 https://coreos.com/kubernetes/docs/latest/configure-kubectl.html
上的文档在我的 mac pro 桌面上配置了 kubectl
当我执行 kubectl get nodes 我得到 error: You must be logged in to the server (the server has asked for the client to provide credentials).
所以我尝试使用 curl 进行测试。服务器的主机名是 coreos-2.tux-in.com.
ufk-osx-music:~ ufk$ curl http://coreos-2.tux-in.com:8080
curl: (7) Failed to connect to coreos-2.tux-in.com port 8080: Connection refused
ufk-osx-music:~ ufk$ curl https://coreos-2.tux-in.com
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ufk-osx-music:~ ufk$ curl --insecure https://coreos-2.tux-in.com
Unauthorized
这是我的 kube-apiserver.yaml:
apiVersion: v1
kind: Pod
metadata:
name: kube-apiserver
namespace: kube-system
spec:
hostNetwork: true
containers:
- name: kube-apiserver
image: quay.io/coreos/hyperkube:v1.5.2_coreos.0
command:
- /hyperkube
- apiserver
- --bind-address=0.0.0.0
- --etcd-servers=http://127.0.0.1:4001
- --allow-privileged=true
- --service-cluster-ip-range=10.3.0.0/24
- --secure-port=443
- --advertise-address=10.79.218.2
- --admission-
control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
- --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
- --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
- --client-ca-file=/etc/kubernetes/ssl/ca.pem
- --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
- --runtime-config=extensions/v1beta1/networkpolicies=true
- --anonymous-auth=false
livenessProbe:
httpGet:
host: 127.0.0.1
port: 8080
path: /healthz
initialDelaySeconds: 15
timeoutSeconds: 15
ports:
- containerPort: 443
hostPort: 443
name: https
- containerPort: 8080
hostPort: 8080
name: local
volumeMounts:
- mountPath: /etc/kubernetes/ssl
name: ssl-certs-kubernetes
readOnly: true
- mountPath: /etc/ssl/certs
name: ssl-certs-host
readOnly: true
volumes:
- hostPath:
path: /etc/kubernetes/ssl
name: ssl-certs-kubernetes
- hostPath:
path: /usr/share/ca-certificates
name: ssl-certs-host
这是我的 kube-proxy.yaml:
apiVersion: v1
kind: Pod
metadata:
name: kube-proxy
namespace: kube-system
spec:
hostNetwork: true
containers:
- name: kube-proxy
image: quay.io/coreos/hyperkube:v1.5.2_coreos.0
command:
- /hyperkube
- proxy
- --master=http://127.0.0.1:8080
securityContext:
privileged: true
volumeMounts:
- mountPath: /etc/ssl/certs
name: ssl-certs-host
readOnly: true
volumes:
- hostPath:
path: /usr/share/ca-certificates
name: ssl-certs-host
这是控制器的 kubeconfig 文件 controler-kubeconfig.yaml:
current-context: tuxin-coreos-context
apiVersion: v1
clusters:
- cluster:
server: http://127.0.0.1:8080
name: tuxin-coreos-cluster
contexts:
- context:
cluster: tuxin-coreos-cluster
name: tuxin-coreos-context
kind: Config
preferences:
colors: true
users:
- name: kubelet
user:
client-certificate: /etc/kubernetes/ssl/apiserver.pem
client-key: /etc/kubernetes/ssl/apiserver-key.pem
如能提供有关此问题的任何信息,我们将不胜感激!
welp 总的来说,我没有在 .kube/config 文件中使用正确的凭据。而且我也没有使用我在控制器的 kubeconfig 中输入的相同名称的集群和上下文。
这是工作 .kube/config 文件:
apiVersion: v1
clusters:
- cluster:
certificate-authority: /Users/ufk/Projects/tuxin-coreos/kubernetes/certs/ca.pem
server: https://coreos-2.tux-in.com
name: tuxin-coreos-cluster
contexts:
- context:
cluster: tuxin-coreos-cluster
user: default-admin
name: tuxin-coreos-context
current-context: tuxin-coreos-context
kind: Config
preferences: {}
users:
- name: default-admin
user:
username: kubelet
client-certificate: /Users/ufk/Projects/tuxin-coreos/kubernetes/certs/client.pem
client-key: /Users/ufk/Projects/tuxin-coreos/kubernetes/certs/client-key.pem
我的控制器的 kubeconfig:
current-context: tuxin-coreos-context
apiVersion: v1
clusters:
- cluster:
server: http://127.0.0.1:8080
name: tuxin-coreos-cluster
contexts:
- context:
cluster: tuxin-coreos-cluster
name: tuxin-coreos-context
kind: Config
preferences:
colors: true
users:
- name: kubelet
user:
client-certificate: /etc/kubernetes/ssl/apiserver.pem
client-key: /etc/kubernetes/ssl/apiserver-key.pem
我有 CoreOS alpha (1284.2.0) 的 Container Linux,我尝试安装 kubernetes 1.5.2。
我注意到 kube-proxy pod 出现故障,我进行了搜索,发现 api-server 清单可能配置不正确。
我使用 https://coreos.com/kubernetes/docs/latest/configure-kubectl.html
上的文档在我的 mac pro 桌面上配置了kubectl
当我执行 kubectl get nodes 我得到 error: You must be logged in to the server (the server has asked for the client to provide credentials).
所以我尝试使用 curl 进行测试。服务器的主机名是 coreos-2.tux-in.com.
ufk-osx-music:~ ufk$ curl http://coreos-2.tux-in.com:8080
curl: (7) Failed to connect to coreos-2.tux-in.com port 8080: Connection refused
ufk-osx-music:~ ufk$ curl https://coreos-2.tux-in.com
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ufk-osx-music:~ ufk$ curl --insecure https://coreos-2.tux-in.com
Unauthorized
这是我的 kube-apiserver.yaml:
apiVersion: v1
kind: Pod
metadata:
name: kube-apiserver
namespace: kube-system
spec:
hostNetwork: true
containers:
- name: kube-apiserver
image: quay.io/coreos/hyperkube:v1.5.2_coreos.0
command:
- /hyperkube
- apiserver
- --bind-address=0.0.0.0
- --etcd-servers=http://127.0.0.1:4001
- --allow-privileged=true
- --service-cluster-ip-range=10.3.0.0/24
- --secure-port=443
- --advertise-address=10.79.218.2
- --admission-
control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
- --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
- --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
- --client-ca-file=/etc/kubernetes/ssl/ca.pem
- --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
- --runtime-config=extensions/v1beta1/networkpolicies=true
- --anonymous-auth=false
livenessProbe:
httpGet:
host: 127.0.0.1
port: 8080
path: /healthz
initialDelaySeconds: 15
timeoutSeconds: 15
ports:
- containerPort: 443
hostPort: 443
name: https
- containerPort: 8080
hostPort: 8080
name: local
volumeMounts:
- mountPath: /etc/kubernetes/ssl
name: ssl-certs-kubernetes
readOnly: true
- mountPath: /etc/ssl/certs
name: ssl-certs-host
readOnly: true
volumes:
- hostPath:
path: /etc/kubernetes/ssl
name: ssl-certs-kubernetes
- hostPath:
path: /usr/share/ca-certificates
name: ssl-certs-host
这是我的 kube-proxy.yaml:
apiVersion: v1
kind: Pod
metadata:
name: kube-proxy
namespace: kube-system
spec:
hostNetwork: true
containers:
- name: kube-proxy
image: quay.io/coreos/hyperkube:v1.5.2_coreos.0
command:
- /hyperkube
- proxy
- --master=http://127.0.0.1:8080
securityContext:
privileged: true
volumeMounts:
- mountPath: /etc/ssl/certs
name: ssl-certs-host
readOnly: true
volumes:
- hostPath:
path: /usr/share/ca-certificates
name: ssl-certs-host
这是控制器的 kubeconfig 文件 controler-kubeconfig.yaml:
current-context: tuxin-coreos-context
apiVersion: v1
clusters:
- cluster:
server: http://127.0.0.1:8080
name: tuxin-coreos-cluster
contexts:
- context:
cluster: tuxin-coreos-cluster
name: tuxin-coreos-context
kind: Config
preferences:
colors: true
users:
- name: kubelet
user:
client-certificate: /etc/kubernetes/ssl/apiserver.pem
client-key: /etc/kubernetes/ssl/apiserver-key.pem
如能提供有关此问题的任何信息,我们将不胜感激!
welp 总的来说,我没有在 .kube/config 文件中使用正确的凭据。而且我也没有使用我在控制器的 kubeconfig 中输入的相同名称的集群和上下文。
这是工作 .kube/config 文件:
apiVersion: v1
clusters:
- cluster:
certificate-authority: /Users/ufk/Projects/tuxin-coreos/kubernetes/certs/ca.pem
server: https://coreos-2.tux-in.com
name: tuxin-coreos-cluster
contexts:
- context:
cluster: tuxin-coreos-cluster
user: default-admin
name: tuxin-coreos-context
current-context: tuxin-coreos-context
kind: Config
preferences: {}
users:
- name: default-admin
user:
username: kubelet
client-certificate: /Users/ufk/Projects/tuxin-coreos/kubernetes/certs/client.pem
client-key: /Users/ufk/Projects/tuxin-coreos/kubernetes/certs/client-key.pem
我的控制器的 kubeconfig:
current-context: tuxin-coreos-context
apiVersion: v1
clusters:
- cluster:
server: http://127.0.0.1:8080
name: tuxin-coreos-cluster
contexts:
- context:
cluster: tuxin-coreos-cluster
name: tuxin-coreos-context
kind: Config
preferences:
colors: true
users:
- name: kubelet
user:
client-certificate: /etc/kubernetes/ssl/apiserver.pem
client-key: /etc/kubernetes/ssl/apiserver-key.pem