Kubernetes : Service Accounts Permissions issue with Spring Cloud Data Flow Server

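I have been trying to set up Spring Cloud Data Flow Server for Kubernetes locally using minikube. I followed the installation instructions at this link: SCDF Installation Reference

I am getting the following SCDF server error: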


11:32:52.095 [main] DEBUG io.fabric8.kubernetes.client.Config - Trying to configure client namespace from Kubernetes service account namespace path...
11:32:52.096 [main] DEBUG io.fabric8.kubernetes.client.Config - Found service account namespace at: [/var/run/secrets/kubernetes.io/serviceaccount/namespace].
2018-04-24 11:33:14.348  WARN 1 --- [           main] o.s.cloud.kubernetes.StandardPodUtils    : Failed to get pod with name:[scdf-server-869d56967c-97lsd]. You should look into this if things aren't working as you expect. Are you missing serviceaccount permissions?

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/api/v1/namespaces/default/pods/scdf-server-869d56967c-97lsd. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods "scdf-server-869d56967c-97lsd" is forbidden: User "system:serviceaccount:default:default" cannot get pods in the namespace "default".

Version details are as follows:

From the installation guide, step 7: https://docs.spring.io/spring-cloud-dataflow-server-kubernetes/docs/1.4.0.RELEASE/reference/htmlsingle/#_deploying_using_kubectl

The latest releases of kubernetes have enabled RBAC on the api-server. If your target platform has RBAC enabled you must ask a cluster-admin to create the roles and role-bindings for you before deploying the dataflow server. They associate the dataflow service account with the roles it needs to be run with.

$ kubectl create -f src/kubernetes/server/server-roles.yaml
$ kubectl create -f src/kubernetes/server/server-rolebinding.yaml

Did you perform these steps?

Recent versions of minikube have RBAC enabled by default.

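For clusters with RBAC enabled, we have added a note about this in the installation section.

"The latest releases of kubernetes have enabled RBAC on the api-server. If your target platform has RBAC enabled you must ask a cluster-admin to create the roles and role-bindings for you before deploying the dataflow server. They associate the dataflow service account with the roles it needs to be run with."

However, for minikube, you can run the following command and retry the installation.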

kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default

Alternatively, if you are using the helm chart, you can disable RBAC and install the chart on minikube with the following commands.

helm init

helm repo add incubator https://kubernetes-charts-incubator.storage.googleapis.com

helm repo update

helm install --name my-release --set server.service.type=NodePort --set rbac.create=false incubator/spring-cloud-data-flow
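
Added example, not part of the original answers or the Spring Cloud Data Flow project: the denial in the question's log names the exact service account, verb, resource and namespace, so a namespaced Role and RoleBinding granting only that access can be generated from it instead of binding cluster-admin. The function name, the generated object names, and the restriction to the message wording shown in the question and to core-group resources are assumptions of this example.

```shell
#!/bin/sh
# Added example: turn an RBAC denial into a namespaced least-privilege
# Role + RoleBinding rather than binding cluster-admin.

# Constructed sample: the denial text from the log in the question.
SAMPLE_DENIAL='pods "scdf-server-869d56967c-97lsd" is forbidden: User "system:serviceaccount:default:default" cannot get pods in the namespace "default".'

# Assumption: only the message wording shown above and core-group resources
# (no "resource.group" form) are handled; anything else is rejected.
rbac_from_denial() (
  fields=$(printf '%s\n' "$1" | sed -n 's/.*User "system:serviceaccount:\([a-z0-9-]*\):\([a-z0-9.-]*\)" cannot \([a-z]*\) \([a-z]*\) in the namespace "\([a-z0-9-]*\)".*/\1 \2 \3 \4 \5/p')
  set -- $fields
  if [ $# -ne 5 ]; then
    echo "unrecognised denial message" >&2
    exit 1
  fi
  sa_ns=$1 sa_name=$2 verb=$3 resource=$4 target_ns=$5
  name="$sa_name-$verb-$resource"   # hypothetical naming scheme
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $name
  namespace: $target_ns
rules:
- apiGroups: [""]
  resources: ["$resource"]
  verbs: ["$verb"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $name
  namespace: $target_ns
subjects:
- kind: ServiceAccount
  name: $sa_name
  namespace: $sa_ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $name
EOF
)

# Print the manifest for the sample; review it before piping to kubectl apply -f -
rbac_from_denial "$SAMPLE_DENIAL"
```

The generated manifest covers only the one denied request; the server-roles.yaml referenced in the installation guide remains the project's own list of what the server needs.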