kubectl container not able to connect with Kubernetes

I am using RancherOS as the host and trying to set up a kubectl container. I have modified the image and just changed the kubectl version to the latest (1.8.0) and added proxy settings to the Dockerfile because without it, docker build was failing to run the apk command. Also, Kubernetes is managed by the Rancher server. I downloaded the kubectl CLI config from the Rancher UI. It looks like this:

apiVersion: v1
kind: Config
clusters:
- cluster:
    api-version: v1
    server: "https://rancher.dev.abc.net/r/projects/1a6842/kubernetes:6443"
  name: "test"
contexts:
- context:
    cluster: "test"
    user: "test"
  name: "test"
current-context: "test"
users:
- name: "test"
  user:
    token: "QmFzaWMgTnpV9UZ3hPVVV4TXpaRFJrSTFSRFpDTkNOa2hSUTNscGNsSXpjMXAxVUdacVZUWk9NWFZaYVVGd1NqUk5UazVDUkZSM1lWZFhUZz09"

Dockerfile:

FROM docker.artifactory.abc.net/alpine:3.6

# Required for apk to install openssl
ENV http_proxy='http://proxy.abc.net:8080'  \
    https_proxy='http://proxy.abc.net:8080' \
    no_proxy='localhost,abc.net'

ADD https://storage.googleapis.com/kubernetes-release/release/v1.8.0/bin/linux/amd64/kubectl /usr/local/bin/kubectl

ENV HOME=/config

RUN set -x && \
    apk add --no-cache curl ca-certificates && \
    chmod +x /usr/local/bin/kubectl && \
    \
    # Create non-root user (with a randomly chosen UID/GID).
    adduser kubectl -Du 2342 -h /config && \
    \
    # Basic check it works.
    kubectl version --client

USER kubectl

ENTRYPOINT ["/usr/local/bin/kubectl"]

I also tried adding the following to the Dockerfile, but to no avail.

COPY .kube/chain.pem /config/.kube/ca.crt
RUN cat /config/.kube/ca.crt

Now when I run the command,

$ docker run --rm --user $UID -v ~rancher/kubectl/.kube:/config/.kube kubectl:v1.8.0 version
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.0", GitCommit:"6e937839ac04a38cac63e6a7a306c5d035fe7b0a", GitTreeState:"clean", BuildDate:"2017-09-28T22:57:57Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Unable to connect to the server: x509: certificate signed by unknown authority

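As shown above, the client version is displayed fine, but it fails when connecting to the server. I copied the ca.crt file into the ~rancher/kubectl/.kube directory. I also tried renaming the file to ca.pem, but it did not work. I am not sure what parameter has to be provided so that kubectl can pick up the crt file.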

So I finally got it working. There is no change to the Dockerfile. In the .kube/config file shown above, I just had to add the following entry:

certificate-authority: /config/.kube/ca.crt

So the .kube/config file now looks like this:

apiVersion: v1
kind: Config
clusters:
- cluster:
    api-version: v1
    certificate-authority: /config/.kube/ca.crt
    server: "https://rancher.dev.abc.net/r/projects/1a6842/kubernetes:6443"
  name: "test"
contexts:
- context:
    cluster: "test"
    user: "test"
  name: "test"
current-context: "test"
users:
- name: "test"
  user:
    token: "QmFzaWMgTnpV9UZ3hPVVV4TXpaRFJrSTFSRFpDTkNOa2hSUTNscGNsSXpjMXAxVUdacVZUWk9NWFZaYVVGd1NqUk5UazVDUkZSM1lWZFhUZz09"

Finally I can see the server version. Phew...

$ docker run --rm --user $UID -v ~rancher/kubectl/.kube:/config/.kube kubectl:v1.8.0 version
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.0", GitCommit:"6e937839ac04a38cac63e6a7a306c5d035fe7b0a", GitTreeState:"clean", BuildDate:"2017-09-28T22:57:57Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"7+", GitVersion:"v1.7.2-rancher1", GitCommit:"eda266858c448156b6d6fee372ff43ffb458a70c", GitTreeState:"clean", BuildDate:"2017-08-03T17:22:27Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
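
An added example, not part of the original post: a small audit that reports, for each cluster entry in a kubeconfig, which CA kubectl would verify the API server certificate against. The sample input is constructed in the layout of the config above; the `test-pinned` and `test-insecure` entries, the function names, and the line-based parser (which only handles this flat layout, not general YAML) are assumptions of the example.

```python
import os
import re

# Constructed sample in the page's layout; "test-pinned" and "test-insecure" are made up.
SAMPLE = """\
clusters:
- cluster:
    server: "https://rancher.dev.abc.net/r/projects/1a6842/kubernetes:6443"
  name: "test"
- cluster:
    certificate-authority: /config/.kube/ca.crt
    server: "https://rancher.dev.abc.net/r/projects/1a6842/kubernetes:6443"
  name: "test-pinned"
- cluster:
    insecure-skip-tls-verify: true
    server: "https://example.invalid:6443"
  name: "test-insecure"
contexts: []
"""

def parse_clusters(text):
    """Read the flat `clusters:` list as laid out on the page (not a general YAML parser)."""
    clusters, in_clusters = [], False
    for line in text.splitlines():
        if line[:1].isalpha():                      # a top-level key starts or ends the section
            in_clusters = line.strip() == "clusters:"
        elif in_clusters and line.strip():
            if line.startswith("- "):               # each list item is one cluster entry
                clusters.append({})
            m = re.match(r"^[\s-]*([\w-]+):\s*(\S.*)$", line)
            if m and clusters:
                clusters[-1][m.group(1)] = m.group(2).strip().strip("\"'")
    return clusters

def trust_mode(cluster, exists=os.path.isfile):
    """Say which CA kubectl would verify this cluster's server certificate against."""
    if cluster.get("insecure-skip-tls-verify", "").lower() == "true":
        return "verification disabled"
    if cluster.get("certificate-authority-data"):
        return "pinned inline CA"
    ca = cluster.get("certificate-authority")
    if ca:  # the path must exist where kubectl runs, here inside the container
        return "pinned CA file" if exists(ca) else "CA file missing"
    return "system trust store only"  # the state that failed with x509 on the page

def audit(text, exists=os.path.isfile):
    return [(c.get("name", "?"), trust_mode(c, exists)) for c in parse_clusters(text)]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run inside the container (or with the same volume mount) so that the `certificate-authority` path is checked against the filesystem kubectl actually sees.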