Pods not starting on cluster (cluster down)



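My cluster is currently down, and I can't start new pods on it. I tried to upgrade from 1.9.1 to 1.9.3 using kops and add the PVC resize admission control. As the rolling upgrade happened, I noticed that the new nodes weren't coming online properly (even though the rolling upgrade thought they were). I aborted the rolling upgrade. I found pods complaining: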

open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory

The kube API server shows:

I0524 14:27:43.871432       1 rbac.go:116] RBAC DENY: user "system:kube-proxy" groups ["system:authenticated"] cannot "get" resource "nodes" named "ip-10-23-2-5.ec2.internal" cluster-wide
I0524 14:27:43.873562       1 rbac.go:116] RBAC DENY: user "kubelet" groups ["system:nodes" "system:authenticated"] cannot "list" resource "nodes" cluster-wide
I0524 14:27:43.873783       1 rbac.go:116] RBAC DENY: user "kubelet" groups ["system:nodes" "system:authenticated"] cannot "list" resource "services" cluster-wide
I0524 14:27:43.887303       1 rbac.go:116] RBAC DENY: user "system:kube-scheduler" groups ["system:authenticated"] cannot "list" resource "replicasets.extensions" cluster-wide
I0524 14:27:43.887569       1 rbac.go:116] RBAC DENY: user "system:kube-scheduler" groups ["system:authenticated"] cannot "list" resource "persistentvolumeclaims" cluster-wide
I0524 14:27:43.949818       1 rbac.go:116] RBAC DENY: user "kubelet" groups ["system:nodes" "system:authenticated"] cannot "list" resource "pods" cluster-wide
I0524 14:27:43.956233       1 rbac.go:116] RBAC DENY: user "system:kube-scheduler" groups ["system:authenticated"] cannot "list" resource "statefulsets.apps" cluster-wide
I0524 14:27:43.958076       1 rbac.go:116] RBAC DENY: user "system:kube-scheduler" groups ["system:authenticated"] cannot "list" resource "services" cluster-wide
I0524 14:27:43.958564       1 rbac.go:116] RBAC DENY: user "system:kube-scheduler" groups ["system:authenticated"] cannot "list" resource "nodes" cluster-wide
I0524 14:27:43.972226       1 rbac.go:116] RBAC DENY: user "kubelet" groups ["system:nodes" "system:authenticated"] cannot "create" resource "nodes" cluster-wide

Please help

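Finally resolved this issue. The errors in the API logs were misleading, and had been persisting due to not having service accounts with the appropriate permissions associated with some pods.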

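The root issue was that the rolling upgrade made one master node "ready", but the apiserver was running without service account admission control. So new pods were getting routed there and not coming up. This was resolved by correcting the admission control for all master nodes.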
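
One way to check every master for the condition the answer describes, as an added example that is not part of the original post. It assumes the 1.9-series `--admission-control` flag (an explicit plugin list) and uses constructed command lines with made-up master names; `PersistentVolumeClaimResize` is the plugin name for the PVC resize control the question mentions.

```python
import shlex

REQUIRED = "ServiceAccount"  # the admission plugin the answer found missing

# Constructed kube-apiserver command lines, one per master (hostnames are made up).
MASTERS = {
    "master-a": "kube-apiserver --admission-control=NamespaceLifecycle,LimitRanger,"
                "ServiceAccount,PersistentVolumeClaimResize,ResourceQuota "
                "--authorization-mode=RBAC",
    "master-b": "kube-apiserver --authorization-mode=RBAC --admission-control "
                "NamespaceLifecycle,LimitRanger,PersistentVolumeClaimResize,ResourceQuota",
    "master-c": "kube-apiserver --authorization-mode=RBAC",
}

def admission_plugins(cmdline):
    """Return the plugins listed in --admission-control, or None if the flag is absent.

    Accepts both '--flag=value' and '--flag value'. Repeated flags are merged,
    which is an assumption made for this example.
    """
    args = shlex.split(cmdline)
    plugins = None
    for i, arg in enumerate(args):
        name, sep, value = arg.partition("=")
        if name != "--admission-control":
            continue
        if not sep:  # value is the next argument
            value = args[i + 1] if i + 1 < len(args) else ""
        plugins = (plugins or []) + [p.strip() for p in value.split(",") if p.strip()]
    return plugins

def check_master(cmdline):
    """'ok' if ServiceAccount is listed, 'missing' if not, 'unknown' if no flag is set."""
    plugins = admission_plugins(cmdline)
    if plugins is None:
        return "unknown"
    return "ok" if REQUIRED in plugins else "missing"

def audit(masters):
    """Map each master name to its ServiceAccount admission status."""
    return {name: check_master(cmd) for name, cmd in masters.items()}

if __name__ == "__main__":
    for name, status in sorted(audit(MASTERS).items()):
        print(f"{name}: ServiceAccount admission {status}")
```

A master reported as `missing` admits pods without mounting a service account token, which matches the `serviceaccount/token: no such file or directory` error in the question.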
