I installed a brand new 1.16.0 worker node with kubeadm and I get the following:
Kubernetes version: Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.6", GitCommit:"96fac5cd13a5dc064f7d9f4f23030a6aeface6cc", GitTreeState:"clean", BuildDate:"2019-08-19T11:13:49Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.0", GitCommit:"e8462b5b5dc2584fdcd18e6bcfe9f1e4d970a529", GitTreeState:"clean", BuildDate:"2019-06-19T16:32:14Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
OS: 18.04.3 LTS (Bionic Beaver)
Kernel: Linux kube-node-5 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Name: kube-proxy
Selector: k8s-app=kube-proxy
Node-Selector: beta.kubernetes.io/os=linux
Labels: k8s-app=kube-proxy
Annotations: deprecated.daemonset.template.generation: 2
Desired Number of Nodes Scheduled: 8
Current Number of Nodes Scheduled: 8
Number of Nodes Scheduled with Up-to-date Pods: 8
Number of Nodes Scheduled with Available Pods: 8
Number of Nodes Misscheduled: 0
Pods Status: 8 Running / 0 Waiting / 0 Succeeded / 0 Failed
Pod Template:
Labels: k8s-app=kube-proxy
Service Account: kube-proxy
Containers:
kube-proxy:
Image: k8s.gcr.io/kube-proxy:v1.15.0
Port: <none>
Host Port: <none>
Command:
/usr/local/bin/kube-proxy
--config=/var/lib/kube-proxy/config.conf
--hostname-override=$(NODE_NAME)
Environment:
NODE_NAME: (v1:spec.nodeName)
Mounts:
/lib/modules from lib-modules (ro)
/run/xtables.lock from xtables-lock (rw)
/var/lib/kube-proxy from kube-proxy (rw)
Volumes:
kube-proxy:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: kube-proxy
Optional: false
xtables-lock:
Type: HostPath (bare host directory volume)
Path: /run/xtables.lock
HostPathType: FileOrCreate
lib-modules:
Type: HostPath (bare host directory volume)
Path: /lib/modules
HostPathType:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedCreate 3h55m daemonset-controller Error creating: Pod "kube-proxy-nz5bk" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 3h38m daemonset-controller Error creating: Pod "kube-proxy-l26kw" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 3h21m daemonset-controller Error creating: Pod "kube-proxy-fjcpd" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 3h7m daemonset-controller Error creating: Pod "kube-proxy-msqnx" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 3h7m daemonset-controller Error creating: Pod "kube-proxy-pssv5" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 3h7m daemonset-controller Error creating: Pod "kube-proxy-59cx8" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 3h7m daemonset-controller Error creating: Pod "kube-proxy-t9nh2" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 3h7m daemonset-controller Error creating: Pod "kube-proxy-5hp6c" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 3h7m daemonset-controller Error creating: Pod "kube-proxy-hbbl4" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 3h7m daemonset-controller Error creating: Pod "kube-proxy-zph4z" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 3h7m daemonset-controller Error creating: Pod "kube-proxy-prj9w" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 3h7m daemonset-controller Error creating: Pod "kube-proxy-rhnjq" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 177m (x9 over 3h7m) daemonset-controller (combined from similar events): Error creating: Pod "kube-proxy-whdnm" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 166m daemonset-controller Error creating: Pod "kube-proxy-2xhgt" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 149m daemonset-controller Error creating: Pod "kube-proxy-zd429" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 132m daemonset-controller Error creating: Pod "kube-proxy-wzn8x" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 124m daemonset-controller Error creating: Pod "kube-proxy-l8csx" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 124m daemonset-controller Error creating: Pod "kube-proxy-6jxpl" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 124m daemonset-controller Error creating: Pod "kube-proxy-jk29x" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 124m daemonset-controller Error creating: Pod "kube-proxy-p7db2" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 124m daemonset-controller Error creating: Pod "kube-proxy-kf8qz" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 124m daemonset-controller Error creating: Pod "kube-proxy-l5wjh" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 124m daemonset-controller Error creating: Pod "kube-proxy-d8brg" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 124m daemonset-controller Error creating: Pod "kube-proxy-6w2ql" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 124m daemonset-controller Error creating: Pod "kube-proxy-d4n47" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning FailedCreate 122m (x7 over 124m) daemonset-controller (combined from similar events): Error creating: Pod "kube-proxy-2lnpb" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
The not so fun part is that all the other nodes have absolutely no problem creating the kube-proxy pod. Only this one node fails with the error above.
I have tried various ways to fix this but have not found a solution yet. Previous installs with kubeadm were flawless.
I have a feeling I am missing a PodSecurityPolicy and a binding to the kube-proxy role. I am definitely missing something, but I don't know what.
Trying to add a new node from a different release to an existing cluster is very strange. Take 1.1.15 for example: the kubelet security control AllowPrivileged was deprecated there; please refer to the release notes in CHANGELOG-1.15.md:
The deprecated kubelet security controls AllowPrivileged, HostNetworkSources, HostPIDSources and HostIPCSources have been removed. Enforcement of these restrictions should be done through admission control (such as PodSecurityPolicy) instead.
In my opinion you should remove this node (see these docs first):
- Safely Drain a Node while Respecting the PodDisruptionBudget
- Nodes
- Cluster Administration
- Upgrading kubeadm clusters
After that you should upgrade the cluster according to best practices.
Please note that before you start upgrading the cluster to v1.16.0 you should read the following, as well as the other notable changes in the previous release:
- Urgent Upgrade Notes
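The questioner suspects a missing PodSecurityPolicy plus a binding for kube-proxy, and the changelog quoted in the answer says privileged containers are now governed by that admission controller. As an added example (not part of the question, the answer, or kubeadm's own manifests), this is what a policy scoped to the kube-proxy DaemonSet shown above would look like in the policy/v1beta1 API of that era, granted only to the kube-proxy ServiceAccount in kube-system; the names kube-proxy-psp and psp:kube-proxy are assumptions chosen here, and hostNetwork is allowed because kubeadm's kube-proxy runs on the host network.

```yaml
# Added example: PSP limited to what the kube-proxy pod template above needs
# (privileged, hostNetwork, configMap + the two hostPath mounts, SA token).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: kube-proxy-psp            # assumed name
spec:
  privileged: true                # the field the admission controller rejected
  hostNetwork: true
  volumes:
    - configMap                   # /var/lib/kube-proxy
    - hostPath                    # /lib/modules, /run/xtables.lock
    - secret                      # service account token
  allowedHostPaths:               # only the paths the pod template mounts
    - pathPrefix: /lib/modules
      readOnly: true
    - pathPrefix: /run/xtables.lock
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:kube-proxy            # assumed name
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["kube-proxy-psp"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:kube-proxy
  namespace: kube-system          # binding is namespaced, so only this SA
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:kube-proxy
subjects:
  - kind: ServiceAccount
    name: kube-proxy
    namespace: kube-system
```

Because the DaemonSet controller, not a human user, creates the pods, the binding must cover the pod's own ServiceAccount (kube-proxy), which is what the RoleBinding does; after applying it, `kubectl describe daemonset kube-proxy -n kube-system` should stop logging the FailedCreate events.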