Permission errors when installing Rancher on existing Kubernetes cluster

I am trying to install Rancher on a Kubernetes cluster that a third party provides to me. Can someone help me with these errors I am seeing? I am not sure whether I am being stupid or whether the Kubernetes cluster is set up in some odd way.

In the rancher pods I see the following log lines:

2020/12/13 11:06:11 [INFO] Rancher version v2.5.3 (028c6dd04) is starting
2020/12/13 11:06:11 [INFO] Rancher arguments {ACMEDomains:[] AddLocal:true Embedded:false BindHost: HTTPListenPort:80 HTTPSListenPort:443 K8sMode:auto Debug:false Trace:false NoCACerts:true AuditLogPath:/var/log/auditlog/rancher-api-audit.log AuditLogMaxage:10 AuditLogMaxsize:100 AuditLogMaxbackup:10 AuditLevel:0 Agent:false Features:}
2020/12/13 11:06:11 [INFO] Listening on /tmp/log.sock
2020/12/13 11:06:11 [INFO] No access to list CRDs, assuming CRDs are pre-created.
2020/12/13 11:06:11 [ERROR] unable to retrieve feature multi-cluster-management in initialize features: features.management.cattle.io "multi-cluster-management" is forbidden: User "system:serviceaccount:default:rancher" cannot get resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to retrieve feature fleet in initialize features: features.management.cattle.io "fleet" is forbidden: User "system:serviceaccount:default:rancher" cannot get resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to create feature fleet in initialize features: features.management.cattle.io is forbidden: User "system:serviceaccount:default:rancher" cannot create resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to retrieve feature unsupported-storage-drivers in initialize features: features.management.cattle.io "unsupported-storage-drivers" is forbidden: User "system:serviceaccount:default:rancher" cannot get resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to create feature unsupported-storage-drivers in initialize features: features.management.cattle.io is forbidden: User "system:serviceaccount:default:rancher" cannot create resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to retrieve feature istio-virtual-service-ui in initialize features: features.management.cattle.io "istio-virtual-service-ui" is forbidden: User "system:serviceaccount:default:rancher" cannot get resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to create feature istio-virtual-service-ui in initialize features: features.management.cattle.io is forbidden: User "system:serviceaccount:default:rancher" cannot create resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to retrieve feature proxy in initialize features: features.management.cattle.io "proxy" is forbidden: User "system:serviceaccount:default:rancher" cannot get resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [FATAL] creating CRD store customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:default:rancher" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

I am installing rancher by templating it with helm:

helm template rancher rancher-latest/rancher --namespace cattle-system --set hostname=rancher.my.org --set tls=external

This gives me the yaml below, which I install with kubectl apply -f ...

Thanks,

Andrew

---
# Source: rancher/templates/serviceAccount.yaml
kind: ServiceAccount
apiVersion: v1
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.5.3
    heritage: Helm
    release: rancher
---
# Source: rancher/templates/clusterRoleBinding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.5.3
    heritage: Helm
    release: rancher
subjects:
- kind: ServiceAccount
  name: rancher
  namespace: cattle-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# Source: rancher/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.5.3
    heritage: Helm
    release: rancher
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
    name: http
  - port: 443
    targetPort: 444
    protocol: TCP
    name: https-internal
  selector:
    app: rancher
---
# Source: rancher/templates/deployment.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.5.3
    heritage: Helm
    release: rancher
spec:
  replicas: 3
  selector:
    matchLabels:
      app: rancher
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: rancher
        release: rancher
    spec:
      serviceAccountName: rancher
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - rancher
              topologyKey: kubernetes.io/hostname
      containers:
      - image: rancher/rancher:v2.5.3
        imagePullPolicy: IfNotPresent
        name: rancher
        ports:
        - containerPort: 80
          protocol: TCP
        args:
        # Public trusted CA - clear ca certs
        - "--no-cacerts"
        - "--http-listen-port=80"
        - "--https-listen-port=443"
        - "--add-local=true"
        env:
        - name: CATTLE_NAMESPACE
          value: cattle-system
        - name: CATTLE_PEER_SERVICE
          value: rancher
        livenessProbe:
          httpGet:
            path: /healthz
            port: 80
          initialDelaySeconds: 60
          periodSeconds: 30
        readinessProbe:
          httpGet:
            path: /healthz
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 30
        resources:
          {}
        volumeMounts:
      volumes:
---
# Source: rancher/templates/ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.5.3
    heritage: Helm
    release: rancher
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false" # turn off ssl redirect for external.
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
spec:
  rules:
  - host: rancher.my.org  # hostname to access rancher server
    http:
      paths:
      - backend:
          serviceName: rancher
          servicePort: 80

I have reproduced your issue; in order to install rancher you must install cert-manager or choose any other SSL configuration.

You can follow the steps in the linked documentation; if you choose to install cert-manager you just need to run:

$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.crds.yaml

$ kubectl create namespace cert-manager

$ helm repo add jetstack https://charts.jetstack.io

$ helm repo update

$ helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.0.4

After that you can deploy the yamls shown in the question and Rancher will start correctly.

$ kubectl get pods -n cattle-system
rancher-65db98499b-hvnmc           1/1     Running     1          3m52s
rancher-65db98499b-pccdt           1/1     Running     0          3m52s
rancher-65db98499b-wbm28           1/1     Running     1          3m52s
rancher-webhook-7bc7ffdf7c-hrd8q   1/1     Running     0          101s

I got it working by installing rancher in the cattle-system namespace, where all the CRDs are. I suppose it makes sense that the ClusterRoleBinding provided requires the caller to be in the same namespace.

helm template rancher rancher-latest/rancher --namespace cattle-system --set hostname=rancher.my.org --set tls=external > rancher.yaml

kubectl apply -f rancher.yaml -n cattle-system

The documentation is not very clear about this.
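The log lines in the question already contain the diagnosis: the API server denied `system:serviceaccount:default:rancher`, while the rendered ClusterRoleBinding grants cluster-admin to the `rancher` ServiceAccount in `cattle-system`. Applying the manifests without `-n cattle-system` created the ServiceAccount in `default`, so the pods ran under an identity no binding covers. The script below is an added example (not part of the original question or answers, and not Rancher's code): it parses the `User "system:serviceaccount:<ns>:<name>" cannot <verb> resource ...` text the API server emits, summarises which verbs and resources were refused, and compares the denied identity with the binding subject. The sample log is a constructed subset of the lines above; the `BINDING_SUBJECT` dict is hand-copied from the rendered ClusterRoleBinding, and the regex also accepts the `in the namespace "..."` form the API server uses for namespace-scoped denials, which the question's log does not contain.

```python
"""Diagnose Kubernetes RBAC denials from Rancher pod logs (added example)."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Authorization failure text as the API server formats it; the Rancher log
# lines embed it verbatim after "is forbidden: ".
FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<target_ns>[^"]+)")'
)

# Constructed sample: a subset of the lines from the question.
SAMPLE_LOG = """\
2020/12/13 11:06:11 [INFO] No access to list CRDs, assuming CRDs are pre-created.
2020/12/13 11:06:11 [ERROR] unable to retrieve feature fleet in initialize features: features.management.cattle.io "fleet" is forbidden: User "system:serviceaccount:default:rancher" cannot get resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to create feature fleet in initialize features: features.management.cattle.io is forbidden: User "system:serviceaccount:default:rancher" cannot create resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [FATAL] creating CRD store customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:default:rancher" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
"""

# Subject copied from the ClusterRoleBinding rendered with --namespace cattle-system.
BINDING_SUBJECT = {"kind": "ServiceAccount", "name": "rancher", "namespace": "cattle-system"}


def parse_forbidden(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per RBAC denial: ns, sa, verb, resource, group, target_ns."""
    return [m.groupdict() for m in FORBIDDEN_RE.finditer(log_text)]


def denied_permissions(denials: List[Dict[str, Optional[str]]]) -> Counter:
    """Count the (verb, API group, resource) tuples that were refused."""
    return Counter((d["verb"], d["group"], d["resource"]) for d in denials)


def diagnose(denials: List[Dict[str, Optional[str]]], binding_subject: Dict[str, str]) -> str:
    """Explain the denials by comparing the caller with the binding's subject."""
    if not denials:
        return "no RBAC denials found"
    identities = {(d["ns"], d["sa"]) for d in denials}
    if len(identities) != 1:
        return f"multiple denied identities: {sorted(identities)}"
    (ns, sa), = identities
    want_ns, want_sa = binding_subject["namespace"], binding_subject["name"]
    if sa == want_sa and ns != want_ns:
        # Same ServiceAccount name, wrong namespace: the manifests were applied
        # into a namespace other than the one the binding subject names.
        return (
            f"namespace mismatch: pod runs as system:serviceaccount:{ns}:{sa} "
            f"but the ClusterRoleBinding grants its role to {want_ns}/{want_sa}; "
            f"apply the manifests with -n {want_ns} (or set metadata.namespace) "
            f"so the ServiceAccount is created where the binding expects it"
        )
    if (ns, sa) == (want_ns, want_sa):
        return ("subject matches the binding: check that the binding was applied "
                "and that its ClusterRole grants these verbs")
    return f"unexpected identity system:serviceaccount:{ns}:{sa} (binding names {want_ns}/{want_sa})"


if __name__ == "__main__":
    found = parse_forbidden(SAMPLE_LOG)
    for (verb, group, resource), n in sorted(denied_permissions(found).items()):
        print(f"{n}x denied: {verb} {resource}.{group or 'core'}")
    print(diagnose(found, BINDING_SUBJECT))
```

Run it against `kubectl logs` output piped into `SAMPLE_LOG` (or read from stdin) and it reports the `default` versus `cattle-system` mismatch directly, which is quicker than reading each forbidden line by hand; the same check catches the reverse mistake of rendering the chart with one `--namespace` and applying it with another.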