在 centos 7 上运行kubectl get cs时,我收到以下错误消息。
No resources found.
Error from server (Forbidden): componentstatuses is forbidden:
User "system:node:<server-name>" cannot list componentstatuses at the cluster scope
我可以确认 api 服务器正在运行kubectl cluster-info
Kubernetes master is running at https://<server-IP>:6443
KubeDNS is running at https://<server-IP>:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
我也在下面有~/.bash_profile
export http_proxy=http://<proxy-server-IP>:3128
export https_proxy=http://<proxy-server-IP>:3128
export no_proxy=$no_proxy,127.0.0.1,localhost,<server-IP>,<server-name>
export KUBECONFIG=/etc/kubernetes/kubelet.conf
不仅kubectl get cs产生错误消息,kubectl apply -f kubernetes-dashboard.yaml生成类似的错误消息
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=secrets", GroupVersionKind: "/v1, Kind=Secret"
Name: "kubernetes-dashboard-certs", Namespace: "kube-system"
Object: &{map["kind":"Secret" "metadata":map["labels":map["k8s-app":"kubernetes-dashboard"] "name":"kubernetes-dashboard-certs" "namespace":"kube-system" "annotations":map["kubectl.kubernetes.io/last-applied-configuration":""]] "type":"Opaque" "apiVersion":"v1"]}
from server for: "https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml":
secrets "kubernetes-dashboard-certs" is forbidden:
User "system:node:<server-name>" cannot get secrets in the namespace "kube-system":
no path found to object
export KUBECONFIG=/etc/kubernetes/kubelet.conf
是完全不正确的;由于错误消息正在愉快地尝试通知您,您正在尝试以Node而不是用户或ServiceAccount之一的身份执行群集操作。 RBAC 几乎是明确设计的,旨在阻止您执行当前正在执行的操作。您绝不希望Node能够读取敏感凭据或在群集范围内创建任意Pod。
如果您想对此更加谨慎,请 ssh 进入主节点并使用通常在/etc/kubernetes/admin.conf中找到的cluster-admin凭证(或类似文件 - 取决于您的集群的配置方式(。如果您还没有cluster-admin凭据,请创建一个 X.509 证书,该证书由 apiserver 信任的 CA 签名,组织(在 X.509 用语中O=(cluster-admin,然后为自己创建一个ClusterRoleBinding为cluster-admin的ServiceAccount(或其他任何东西(,然后从那里开始。
尝试以下代码片段
1(sudo su
2(kubectl get cs
重新安装 CentOS 7 并按照以下步骤操作后,我能够正确调出大师
- 安装 docker-ce 并添加代理
- 安装 kubeadm,kubectl,kubelet
- 禁用防火墙并关闭交换
-
.bash_profile的出口no_proxy
export no_proxy=$no_proxy,127.0.0.1,localhost,<master-server-name>,<master-server-ip>,10.96.0.0/12,10.244.0.0/16 -
kubeadm init
kubeadm init --apiserver-advertise-address=<master-server-ip> --pod-network-cidr=10.244.0.0/16 mkdir -p $HOME/.kube cp -f /etc/kubernetes/admin.conf $HOME/.kube/config chown $(id -u):$(id -g) $HOME/.kube/config -
使用
kubectl get cs进行测试NAME STATUS MESSAGE ERROR scheduler Healthy ok controller-manager Healthy ok etcd-0 Healthy {"health": "true"}
无需手动安装 etcd 或导出 KUBECONFIG。