forbidden returned when mounting the default tokens in HA kubernetes cluster
I am having a problem mounting the default token in kubernetes; it no longer works for me, and I wanted to ask here before opening an issue on Github. My setup basically consists of an HA bare-metal cluster using a manually deployed etcd (including the CA certificate and keys). The deployment runs and the nodes register, but I cannot deploy pods; it always gives this error:
MountVolume.SetUp failed for volume "default-token-ddj5s" : secrets "default-token-ddj5s" is forbidden: User "system:node:tweak-node-1" cannot get secrets in the namespace "default": no path found to object
where tweak-node-1 is one of my node names and hostnames. I found some similar issues:
- https://github.com/kubernetes/kubernetes/issues/18239
- https://github.com/kubernetes/kubernetes/issues/25828
but none of them come close to solving my problem, because the problem is not the same. When trying to run pods I only use the default namespace, and I tried setting up both RBAC and ABAC; both gave the same result. This is the template I used to deploy, showing the etcd configuration and versions:
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
api:
  advertiseAddress: IP1
  bindPort: 6443
authorizationMode: ABAC
kubernetesVersion: 1.8.5
etcd:
  endpoints:
  - https://IP1:2379
  - https://IP2:2379
  - https://IP3:2379
  caFile: /opt/cfg/etcd/pki/etcd-ca.crt
  certFile: /opt/cfg/etcd/pki/etcd.crt
  keyFile: /opt/cfg/etcd/pki/etcd.key
  dataDir: /var/lib/etcd
  etcdVersion: v3.2.9
networking:
  podSubnet: 10.244.0.0/16
apiServerCertSANs:
- IP1
- IP2
- IP3
- DNS-NAME1
- DNS-NAME2
- DNS-NAME3
Your nodes must use credentials that match the name of their Node API object, as described in https://kubernetes.io/docs/admin/authorization/node/#overview:
In order to be authorized by the Node authorizer, kubelets must use a credential that identifies them as being in the system:nodes group, with a username of system:node:. This group and user name format match the identity created for each kubelet as part of kubelet TLS bootstrapping.
Update
So, the concrete solution: the problem was that I was using version 1.8.x and was manually copying the certificates and keys, so each kubelet did not have its own system:node binding or its own specific key, as specified in https://kubernetes.io/docs/admin/authorization/node/#overview:
RBAC Node Permissions: In 1.8, the binding will not be created at all. When using RBAC, the system:node cluster role will continue to be created, for compatibility with deployment methods that bind other users or groups to that role.
I fixed it in two ways:
1 - using kubeadm join instead of copying the /etc/kubernetes files from master1
2 - patching the cluster role binding for system:node after deployment:
kubectl patch clusterrolebinding system:node -p '{"apiVersion": "rbac.authorization.k8s.io/v1beta1","kind": "ClusterRoleBinding","metadata": {"name": "system:node"},"subjects": [{"kind": "Group","name": "system:nodes"}]}'
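To see why the patch above resolves the forbidden error, here is an added example (not from the question or from Kubernetes itself) that models the RBAC subject matching involved: it derives the kubelet identity from a client-certificate subject line (CN becomes the user, O the group) and checks whether the system:node ClusterRoleBinding covers it. The subject lines and binding JSON are constructed inputs; the function names are mine.

```python
"""Does the system:node ClusterRoleBinding cover this kubelet's identity?

The API server maps a kubelet client certificate to User "system:node:<node>"
(from CN) and group "system:nodes" (from O). A ClusterRoleBinding grants its
role only when one subject matches that user or one of those groups.
"""
import json
import re

# Matches fields in the line printed by
# `openssl x509 -noout -subject -in <kubelet client cert>` (either separator style).
SUBJECT_RE = re.compile(r"(CN|O)\s*=\s*([^,/]+)")


def identity_from_subject(subject_line):
    """Return (user, groups) parsed from an openssl-style subject line."""
    fields = SUBJECT_RE.findall(subject_line)
    user = next((v.strip() for k, v in fields if k == "CN"), None)
    groups = [v.strip() for k, v in fields if k == "O"]
    return user, groups


def binding_matches(binding, user, groups):
    """True if any subject of the ClusterRoleBinding covers this identity."""
    for subject in binding.get("subjects") or []:
        if subject["kind"] == "User" and subject["name"] == user:
            return True
        if subject["kind"] == "Group" and subject["name"] in groups:
            return True
    return False


def node_is_bound(binding_json, subject_line, expected_node):
    """Classify one node the way the question's failure plays out.

    "name-mismatch": cert CN/O do not name this node (e.g. copied from master1)
    "unbound":       identity is right but no binding subject covers it
    "ok":            identity matches and the binding grants system:node
    """
    user, groups = identity_from_subject(subject_line)
    if user != f"system:node:{expected_node}" or "system:nodes" not in groups:
        return "name-mismatch"
    if not binding_matches(json.loads(binding_json), user, groups):
        return "unbound"
    return "ok"


# Constructed bindings: one with no subjects, one after the question's kubectl patch.
UNPATCHED = '{"kind":"ClusterRoleBinding","metadata":{"name":"system:node"},"subjects":null}'
PATCHED = ('{"kind":"ClusterRoleBinding","metadata":{"name":"system:node"},'
           '"subjects":[{"kind":"Group","name":"system:nodes"}]}')
```

On a live cluster the same question is answered by `kubectl auth can-i get secrets -n default --as=system:node:tweak-node-1 --as-group=system:nodes`, which exercises the real authorizers instead of this model.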