kubectl not picking up the correct kubeconfig
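Below is the sequence of steps I am performing to authenticate and authorize kubectl so that I can run deployments on an EKS cluster:
- SAML login
- Downloading the correct kubeconfig from Artifactory
- Using the downloaded kubeconfig # the problem occurs at this stage!
The Jenkins execution log is as follows: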
Logged in as: arn:aws:sts::XXXXXXXXXXXX:assumed-role/dev-role/testusername
Your new access key pair has been stored in the AWS configuration
Note that it will expire at 2021-02-08 15:18:59 +0000 UTC
To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile saml ec2 describe-instances).
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Compose Source Structure)
[Pipeline] sh
+ set -x
+ cat
+ kubectl config view
apiVersion: v1
clusters: []
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
+ rm -vf config
+ wget -nv --no-check-certificate https://testcompanyname.com.au/testrepo/jenkins/eks-nonprod-black-config
2021-02-08 14:19:35 URL:https://testcompanyname.com.au/testrepo/jenkins/eks-nonprod-black-config [2383/2383] -> "eks-nonprod-black-config" [1]
+ mv eks-nonprod-black-config config
+ pwd
/home/jenkins/agent/workspace/k8s-sync-from-cluster
+ ls -lrt
total 11640
-rwxrwxr-x 1 jenkins jenkins 11801948 Feb 28 2017 saml2aws
-rw-r--r-- 1 jenkins jenkins 2383 Jan 22 03:03 config
drwxr-xr-x 2 jenkins jenkins 4096 Feb 8 14:19 vars
drwxr-xr-x 3 jenkins jenkins 4096 Feb 8 14:19 test
drwxr-xr-x 3 jenkins jenkins 4096 Feb 8 14:19 src
-rw-r--r-- 1 jenkins jenkins 153 Feb 8 14:19 settings.gradle
drwxr-xr-x 9 jenkins jenkins 4096 Feb 8 14:19 resources
drwxr-xr-x 5 jenkins jenkins 4096 Feb 8 14:19 pipelines
-rw-r--r-- 1 jenkins jenkins 2841 Feb 8 14:19 gradlew.bat
-rwxr-xr-x 1 jenkins jenkins 5916 Feb 8 14:19 gradlew
drwxr-xr-x 3 jenkins jenkins 4096 Feb 8 14:19 gradle
drwxr-xr-x 3 jenkins jenkins 4096 Feb 8 14:19 csa-kubernetes-env
-rw-r--r-- 1 jenkins jenkins 1532 Feb 8 14:19 build.gradle
-rw-r--r-- 1 jenkins jenkins 208 Feb 8 14:19 README.md
+ cat config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
server: https://xxxxxxxxxxxxxxxxxxxxxxxxxx.gr7.ap-southeast-2.eks.amazonaws.com
name: arn:aws:eks:ap-southeast-2:XXXXXXXXXXXX:cluster/test-eks
contexts:
- context:
cluster: arn:aws:eks:ap-southeast-2:XXXXXXXXXXXX:cluster/test-eks
user: arn:aws:eks:ap-southeast-2:XXXXXXXXXXXX:cluster/test-eks
name: arn:aws:eks:ap-southeast-2:XXXXXXXXXXXX:cluster/test-eks
current-context: arn:aws:eks:ap-southeast-2:XXXXXXXXXXXX:cluster/test-eks
kind: Config
preferences: {}
users:
- name: arn:aws:eks:ap-southeast-2:XXXXXXXXXXXX:cluster/test-eks
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- --region
- ap-southeast-2
- eks
- get-token
- --cluster-name
- test-eks
command: aws
env:
- name: AWS_PROFILE
value: saml
+ kubectl config view --kubeconfig ./config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://7FE00E432DC6BEB1EB17DEF18DB1B926.gr7.ap-southeast-2.eks.amazonaws.com
name: arn:aws:eks:ap-southeast-2:XXXXXXXXXXXX:cluster/test-eks
contexts:
- context:
cluster: arn:aws:eks:ap-southeast-2:XXXXXXXXXXXX:cluster/test-eks
user: arn:aws:eks:ap-southeast-2:XXXXXXXXXXXX:cluster/test-eks
name: arn:aws:eks:ap-southeast-2:XXXXXXXXXXXX:cluster/test-eks
current-context: arn:aws:eks:ap-southeast-2:XXXXXXXXXXXX:cluster/test-eks
kind: Config
preferences: {}
users:
- name: arn:aws:eks:ap-southeast-2:XXXXXXXXXXXX:cluster/test-eks
user: {}
+ kubectl get namespaces --kubeconfig ./config
Please enter Username: Please enter Username: Please enter Username: error: EOF
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
ERROR: script returned exit code 1
Finished: FAILURE
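So, as you can see, the problem is that the user information is there when I cat the file, but when I run kubectl it prompts for credentials when it shouldn't.
This may sound silly, but the problem was the kubectl client version.
The issue occurred because I was using kubectl 1.9; upgrading to the latest version resolved it.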
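@learner I see that you have already resolved your issue by upgrading kubectl to a newer version.
In addition, I would like to provide more information about Kubernetes component versions and the relationships between them.
The Kubernetes version skew support policy describes the maximum version skew supported between the various Kubernetes components. You can find more information in the version-skew-policy documentation.
I will describe the general rules to illustrate how it works.
Suppose kube-apiserver is at version 1.n. In that case:
- kubelet and kube-proxy are supported at 1.n, 1.(n-1), and 1.(n-2).
- kube-controller-manager, kube-scheduler and cloud-controller-manager are supported at 1.n and 1.(n-1).
- kubectl is supported at 1.(n+1), 1.n, and 1.(n-1).
Note: CoreDNS and etcd are separate projects with their own versions.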
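As an added example (not part of the original answers), the kubectl rule above written as a POSIX shell pre-flight check that a pipeline could run before its first kubectl call. The function names and the sample version strings are assumptions constructed for illustration; the page does not state the cluster's server version.

```sh
#!/bin/sh
# Added example: kubectl vs. kube-apiserver version-skew pre-flight check.
# Function names and sample versions are assumptions, not from the page.

# Print the major / minor number of strings such as "v1.9.3", "1.18" or
# "v1.18.9-eks-d1db3c"; print nothing if the string does not parse.
major_of() {
    printf '%s\n' "$1" | sed -n 's/^v\{0,1\}\([0-9][0-9]*\)\.[0-9].*$/\1/p'
}
minor_of() {
    printf '%s\n' "$1" | sed -n 's/^v\{0,1\}[0-9][0-9]*\.\([0-9][0-9]*\).*$/\1/p'
}

# kubectl_skew_ok CLIENT SERVER
#   0: kubectl is at 1.(n+1), 1.n or 1.(n-1) for a 1.n kube-apiserver
#   1: kubectl is outside the supported skew
#   2: a version string could not be parsed (treated as a failure)
kubectl_skew_ok() {
    c_major=$(major_of "$1"); c_minor=$(minor_of "$1")
    s_major=$(major_of "$2"); s_minor=$(minor_of "$2")
    if [ -z "$c_major" ] || [ -z "$c_minor" ] ||
       [ -z "$s_major" ] || [ -z "$s_minor" ]; then
        return 2
    fi
    [ "$c_major" -eq "$s_major" ] || return 1
    skew=$((c_minor - s_minor))
    [ "$skew" -ge -1 ] && [ "$skew" -le 1 ]
}

# Constructed sample pairs "client server" (the server version is made up).
for pair in "v1.9.3 v1.18.9-eks-d1db3c" "v1.19.0 v1.18.9-eks-d1db3c"; do
    set -- $pair
    if kubectl_skew_ok "$1" "$2"; then
        echo "kubectl $1 / apiserver $2: within supported skew"
    else
        echo "kubectl $1 / apiserver $2: outside supported skew, stop here"
    fi
done
```

How the two version strings are obtained is left to the pipeline; the check only compares them.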