Kubernetes v1.12与kubectl exec的问题
我一直在使用凯尔西·海托尔(Kelsey Hightower)的优秀《库伯内特斯艰难之路指南》(Kubernetes the hard way guide)学习库伯内特斯(Kubernetes) 使用本指南,我在GCE上安装了v1.12。除了kubectl exec之外,一切都运转良好:Kubernetes v1.12与kubectl exec的问题,kubernetes,exec,kubectl,Kubernetes,Exec,Kubectl,我一直在使用凯尔西·海托尔(Kelsey Hightower)的优秀《库伯内特斯艰难之路指南》(Kubernetes the hard way guide)学习库伯内特斯(Kubernetes) 使用本指南,我在GCE上安装了v1.12。除了kubectl exec之外,一切都运转良好: $ kubectl exec -it shell-demo – /bin/bash --kubeconfig=/root/certsconfigs/admin.kubeconfig error: unable
$ kubectl exec -it shell-demo – /bin/bash --kubeconfig=/root/certsconfigs/admin.kubeconfig
error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)
KUBECONFIG=/root/certsconfigs/admin.KUBECONFIGadmin.kubeconfig.kube/configroot@controller-1:/root/deployment/kubernetes# kubectl get pods
NAME READY STATUS
shell-demo 1/1 Running 0 23m
root@controller-1:/root/deployment/kubernetes# kubectl -v8 exec -it shell-demo – /bin/bash
I1118 15:18:16.898428 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig
I1118 15:18:16.899531 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig
I1118 15:18:16.900611 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig
I1118 15:18:16.902851 11117 round_trippers.go:383] GET ://127.0.0.1:6443/api/v1/namespaces/default/pods/shell-demo
I1118 15:18:16.902946 11117 round_trippers.go:390] Request Headers:
I1118 15:18:16.903016 11117 round_trippers.go:393] Accept: application/json, /
I1118 15:18:16.903091 11117 round_trippers.go:393] User-Agent: kubectl/v1.12.0 (linux/amd64) kubernetes/0ed3388
I1118 15:18:16.918699 11117 round_trippers.go:408] Response Status: 200 OK in 15 milliseconds
I1118 15:18:16.918833 11117 round_trippers.go:411] Response Headers:
I1118 15:18:16.918905 11117 round_trippers.go:414] Content-Type: application/json
I1118 15:18:16.918974 11117 round_trippers.go:414] Content-Length: 2176
I1118 15:18:16.919053 11117 round_trippers.go:414] Date: Sun, 18 Nov 2018 15:18:16 GMT
I1118 15:18:16.919218 11117 request.go:942] Response Body: {“kind”:“Pod”,“apiVersion”:“v1”,“metadata”:{“name”:“shell-demo”,“namespace”:“default”,“selfLink”:"/api/v1/namespaces/default/pods/shell-demo",“uid”:“99f320f8-eb42-11e8-a053-42010af0000b”,“resourceVersion”:“13213”,“creationTimestamp”:“2018-11-18T14:59:51Z”},“spec”:{“volumes”:[{“name”:“shared-data”,“emptyDir”:{}},{“name”:“default-token-djprb”,“secret”:{“secretName”:“default-token-djprb”,“defaultMode”:420}}],“containers”:[{“name”:“nginx”,“image”:“nginx”,“resources”:{},“volumeMounts”:[{“name”:“shared-data”,“mountPath”:"/usr/share/nginx/html"},{“name”:“default-token-djprb”,“readOnly”:true,“mountPath”:"/var/run/secrets/kubernetes.io/serviceaccount"}],“terminationMessagePath”:"/dev/termination-log",“terminationMessagePolicy”:“File”,“imagePullPolicy”:“Always”}],“restartPolicy”:“Always”,“terminationGracePeriodSeconds”:30,“dnsPolicy”:“ClusterFirst”,“serviceAccountName”:“default”,“serviceAccount”:“default”,“nodeName”:“worker-1”,“securityContext”:{},“schedulerName”:“default-scheduler”,“tolerations”:[{“key”:"node.kubernet [truncated 1152 chars]
I1118 15:18:16.925240 11117 round_trippers.go:383] POST …
error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)
根据您的日志,kubectl和apiserver之间的连接正常,并且正在正确地进行身份验证 为了满足exec请求,apiserver会联系运行pod的kubelet,而这种连接是被禁止的 您的kubelet配置为对请求进行身份验证/授权,而apiserver凭据未被授权针对kubelet的API发出exec请求 根据禁止的消息,您的apiserver正在验证为kubelet的“kubernetes”用户 您可以使用以下命令授予该用户对kubelet API的完全权限:
kubectl create clusterrolebinding-apiserver-kubelet-admin--user=kubernetes--clusterrole=system:kubelet-api-admin根据您的日志,kubectl和apiserver之间的连接正常,并且正在正确地进行身份验证 为了满足exec请求,apiserver会联系运行pod的kubelet,而这种连接是被禁止的 您的kubelet配置为对请求进行身份验证/授权,而apiserver凭据未被授权针对kubelet的API发出exec请求 根据禁止的消息,您的apiserver正在验证为kubelet的“kubernetes”用户 您可以使用以下命令授予该用户对kubelet API的完全权限:
kubectl create clusterrolebinding-apiserver-kubelet-admin--user=kubernetes--clusterrole=system:kubelet-api-admin--kubelet客户端证书--kubelet客户端密钥kube apiserver--kubelet客户端证书--kubelet客户端密钥kube apiserver