"pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Service: Unautho



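I have set up a private cluster on GKE with k8s version 1.18.12-gke.1206, with access to the cluster endpoint set to public endpoint access enabled, authorized networks disabled. I am running an ingress controller of the type https://kubernetes.github.io/ingress-nginx on this cluster. It uses a ConfigMap to store its configuration. But somehow, any request to this controller gives an Unauthorized error, with logs such as: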

2021-02-23 11:24:59.435 IST     "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Endpoints: Unauthorized"
2021-02-23 11:24:45.072 IST     "error retrieving resource lock sb-system/ingress-controller-leader-nginx: Unauthorized"
2021-02-23 11:24:40.727 IST     "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.ConfigMap: Unauthorized"
2021-02-23 11:24:40.132 IST     "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1beta1.Ingress: Unauthorized"
2021-02-23 11:24:37.318 IST     "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Pod: Unauthorized"
2021-02-23 11:24:37.038 IST     "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Service: Unauthorized"
2021-02-23 11:24:29.891 IST     "error retrieving resource lock sb-system/ingress-controller-leader-nginx: Unauthorized"
2021-02-23 11:24:26.263 IST     "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Secret: Unauthorized"
2021-02-23 11:24:18.259 IST     "error retrieving resource lock sb-system/ingress-controller-leader-nginx: Unauthorized"
2021-02-23 11:24:09.907 IST     "error retrieving resource lock sb-system/ingress-controller-leader-nginx: Unauthorized"
2021-02-23 11:24:06.612 IST     "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Endpoints: Unauthorized"
2021-02-23 11:24:02.078 IST     "error retrieving resource lock sb-system/ingress-controller-leader-nginx: Unauthorized"

We tried following the steps mentioned here. We get

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Dload  Upload   Total   Spent    Left  Speed
100   233  100   233    0     0  17282      0 {-:--:-- --:--:-- --:--:--     0
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User "system:anonymous" cannot get path "/"",
"reason": "Forbidden",
"details": {
},
"code": 403
}--:--:-- --:--:-- --:--:-- 17923

at the last step, that is: kubectl exec test -- curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $TOKEN_VALUE" https://10.0.0.1

I am new to GCP and K8s and don't know what I am doing wrong.

Have you checked whether automountServiceAccountToken is set to false on your ServiceAccount? If so, setting it to true may help.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
automountServiceAccountToken: false # set to true

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/use-the-default-service-account-to-access-the-api-server
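An added triage sketch, not part of the original question or answer: it separates authentication failures (client-go's bare "Unauthorized", HTTP 401) from authorization failures ("... is forbidden", HTTP 403), reads the identity out of an API server Status body, and applies the automountServiceAccountToken precedence between pod and ServiceAccount. The function names are hypothetical and the sample inputs are constructed to mirror the output quoted above.

```python
import json
import re

# Constructed samples modelled on the output quoted in the question.
CONTROLLER_LOG = """\
"pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Endpoints: Unauthorized"
"error retrieving resource lock sb-system/ingress-controller-leader-nginx: Unauthorized"
"pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.ConfigMap: Unauthorized"
"""
CURL_BODY = json.dumps({"code": 403, "reason": "Forbidden",
    "message": 'forbidden: User "system:anonymous" cannot get path "/"'})

LIST_FAIL = re.compile(r'Failed to list \*([\w.]+): (.+?)"?$')

def triage_log(text):
    """Split reflector list failures into authentication (401) and authorization (403)."""
    result = {"unauthenticated": set(), "forbidden": set()}
    for line in text.splitlines():
        m = LIST_FAIL.search(line)
        if not m:
            continue
        kind, reason = m.groups()
        if reason == "Unauthorized":
            result["unauthenticated"].add(kind)
        elif "is forbidden" in reason:
            result["forbidden"].add(kind)
    return result

def triage_status(body):
    """Name the stage at which the API server refused a request, from its Status object."""
    status = json.loads(body)
    m = re.search(r'User "([^"]+)"', status.get("message", ""))
    user = m.group(1) if m else None
    if status.get("code") == 401:
        return "token sent but rejected by authentication"
    if status.get("code") == 403 and user == "system:anonymous":
        return "no usable bearer token reached the API server"
    if status.get("code") == 403:
        return "authenticated as %s, denied by authorization" % user
    return "unclassified"

def token_is_mounted(service_account, pod_spec):
    """The pod spec's setting overrides the ServiceAccount's; unset on both means mounted."""
    for obj in (pod_spec, service_account):
        if obj.get("automountServiceAccountToken") is not None:
            return obj["automountServiceAccountToken"]
    return True
```

When every watched kind lands in `unauthenticated`, the controller's own credential is the problem, so adding RBAC rules will not change the result.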
