I try to run, on any kube slave node:
$ kubectl top nodes
and get the error:
Error from server (Forbidden): User "system:node:ip-10-43-0-13" cannot get services/proxy in the namespace "kube-system". (get services http:heapster:)
On the master node it works:
$ kubectl top nodes
NAME CPU(cores) CPU% MEMORY(bytes) MEMORY%
ip-10-43-0-10 95m 4% 2144Mi 58%
ip-10-43-0-11 656m 32% 1736Mi 47%
ip-10-43-0-12 362m 18% 2030Mi 55%
ip-10-43-0-13 256m 12% 2412Mi 65%
ip-10-43-0-14 254m 12% 2512Mi 68%
OK, what should I do? I thought I would grant permissions to the system:node group:
kubectl create clusterrolebinding bu-node-admin-binding --clusterrole=cluster-admin --group=system:node
It does not help.
OK, check the cluster role:
$ kubectl describe clusterrole system:node
Name: system:node
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
configmaps [] [] [get]
endpoints [] [] [get]
events [] [] [create patch update]
localsubjectaccessreviews.authorization.k8s.io [] [] [create]
nodes [] [] [create get list watch delete patch update]
nodes/status [] [] [patch update]
persistentvolumeclaims [] [] [get]
persistentvolumes [] [] [get]
pods [] [] [get list watch create delete]
pods/eviction [] [] [create]
pods/status [] [] [update]
secrets [] [] [get]
services [] [] [get list watch]
subjectaccessreviews.authorization.k8s.io [] [] [create]
tokenreviews.authentication.k8s.io [] [] [create]
Trying to patch the rules:
kubectl patch clusterrole system:node --type='json' -p='[{"op": "add", "path": "/rules/0", "value":{"apiGroups": [""], "resources": ["services/proxy"], "verbs": ["get", "list", "watch"]}}]'
Now:
$ kubectl describe clusterrole system:node
Name: system:node
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
...
services/proxy [] [] [get list watch]
...
top nodes still does not work.
The only way it works is:
kubectl create clusterrolebinding bu-node-admin-binding --clusterrole=cluster-admin --user=system:node:ip-10-43-0-13
This also works, but it is node-specific as well:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: top-nodes-watcher
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  verbs: ["get", "watch", "list"]
---
# This cluster role binding allows the node user system:node:ip-10-43-0-13 to use the top-nodes-watcher role.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: top-nodes-watcher-binding
subjects:
- kind: User
  name: system:node:ip-10-43-0-13
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: top-nodes-watcher
  apiGroup: rbac.authorization.k8s.io
I would have to apply this for every slave node. Can I do it for a group or a role only? What am I doing wrong?
More details:
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.4", GitCommit:"793658f2d7ca7f064d2bdf606519f9fe1229c381", GitTreeState:"clean", BuildDate:"2017-08-17T08:48:23Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.2", GitCommit:"922a86cfcd65915a9b2f69f3f193b8907d741d9c", GitTreeState:"clean", BuildDate:"2017-07-21T08:08:00Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
What I really need is the physical node memory and CPU usage %.
Note:
To simply fix this (running kubectl top nodes on all slave nodes), you can copy the kubeconfig that kubectl uses on the master to the slave nodes and use it there.
To explain why you are hitting this problem: I think you are using the kubelet's kubeconfig for kubectl on the slave nodes (correct me if not).
In k8s v1.7, Kubernetes deprecated the system:node role and uses the Node authorizer and the NodeRestriction admission plugin by default instead. You can read the documentation about system:node here. So when you patch system:node, it does not take effect. The kubelet uses the identity system:node:[node_name], which constrains its actions to the specified node.
I ended up with the following:
- removed NodeRestriction from the kube-apiserver --admission-control option
- removed Node from the --authorization-mode option, leaving only RBAC
- patched the system:node role with
kubectl patch clusterrole system:node --type='json' -p='[{"op": "add", "path": "/rules/0", "value":{"apiGroups": [""], "resources": ["services/proxy"], "verbs": ["get", "list", "watch"]}}]'
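An added example, not from the question or the answers above, of the group-scoped variant the question asks for: kubelets authenticate as user system:node:&lt;nodeName&gt; and as members of the group system:nodes, so one binding to that group covers every node, and the Node authorizer and NodeRestriction can stay enabled because a request is allowed as soon as any configured authorizer (here RBAC) allows it. The role is narrowed with resourceNames to the heapster proxy target named in the error message ("http:heapster:") and bound with a RoleBinding in kube-system only; the names heapster-proxy-reader and heapster-proxy-reader-nodes are assumed, and apiVersion v1beta1 matches the v1.7 cluster on the page (v1 needs 1.8+).

```yaml
# Added example: least-privilege grant for "kubectl top nodes" via the heapster
# service proxy, bound to the kubelet group rather than one node user.
# The object names are assumed, not taken from the original question.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: heapster-proxy-reader
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  # The forbidden request in the error message is "get services http:heapster:".
  # Without resourceNames this rule would let a node proxy to any service.
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]
---
# A RoleBinding (not a ClusterRoleBinding) referencing the ClusterRole scopes
# the grant to the kube-system namespace, where heapster runs.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: heapster-proxy-reader-nodes
  namespace: kube-system
subjects:
# Every kubelet identity system:node:<nodeName> is a member of this group,
# so no per-node binding is needed.
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: heapster-proxy-reader
  apiGroup: rbac.authorization.k8s.io
```

From the master, the grant can be checked before touching a node with kubectl auth can-i get services/http:heapster: --subresource=proxy -n kube-system --as=system:node:ip-10-43-0-13 --as-group=system:nodes, which should answer "yes" after applying the manifest and "no" for any other service name.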