rootsongjc
/
kubernetes-handbook
mirror of https://github.com/rootsongjc/kubernetes-handbook.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #235 from lcybo/master 

Add case: node user forbidden in v1.8+.
pull/238/head
Jimmy Song 2018-06-19 21:27:28 +08:00 committed by GitHub
parent 00b4ec647a 3985a5a18f
commit 02c0a75c3b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 27 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
practice/dashboard-addon-installation.md
View File

@ -207,6 +207,7 @@ Dashboard 的访问地址不变,重新访问 <http://172.20.0.113:8080/api/v1/
1. 按照教程安装后发现dashboard pod 无法启动
场景一:
```
kubectl -n kube-system describe pod dashboard-xxxxxxx
```
@ -216,6 +217,31 @@ Dashboard 的访问地址不变,重新访问 <http://172.20.0.113:8080/api/v1/
可以尝试删除所有相关“资源”再重试一次secret、serviceaccount、service、pod、deployment
场景二:
```bash
kubectl describe pod -n kube-system kubernetes-dashboard-7b7bf9bcbd-xxxxx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 49s default-scheduler Successfully assigned kubernetes-dashboard-7b7bf9bcbd-625cb to 192.168.1.101
Normal SuccessfulMountVolume 49s kubelet, 192.168.1.101 MountVolume.SetUp succeeded for volume "tmp-volume"
Warning FailedMount 17s (x7 over 49s) kubelet, 192.168.1.101 MountVolume.SetUp failed for volume "kubernetes-dashboard-certs" : secrets "kubernetes-dashboard-certs" is forbidden: User "system:node:192.168.1.233" cannot get secrets in the namespace "kube-system": no path found to object
Warning FailedMount 17s (x7 over 49s) kubelet, 192.168.1.101 MountVolume.SetUp failed for volume "kubernetes-dashboard-token-27kdp" : secrets "kubernetes-dashboard-token-27kdp" is forbidden: User "system:node:192.168.1.233" cannot get secrets in the namespace "kube-system": no path found to object
```
通过官方文档:[RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions)。可以了解到对于k8s1.8+版本system:node不会进行默认绑定。因此对于分配到其他node的pod会出现forbidden。
需要手动bind各个node
```bash
kubectl create clusterrolebinding node233 --clusterrole=system:node --user=system:node:192.168.1.233
kubectl describe pod -n kube-system kubernetes-dashboard-7b7bf9bcbd-xxxxx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 15s default-scheduler Successfully assigned kubernetes-dashboard-7b7bf9bcbd-pq6pk to 192.168.1.101
Normal SuccessfulMountVolume 15s kubelet, 192.168.1.101 MountVolume.SetUp succeeded for volume "tmp-volume"
Normal SuccessfulMountVolume 15s kubelet, 192.168.1.101 MountVolume.SetUp succeeded for volume "kubernetes-dashboard-certs"
Normal SuccessfulMountVolume 15s kubelet, 192.168.1.101 MountVolume.SetUp succeeded for volume "kubernetes-dashboard-token-8rj79"
Normal Pulling 15s kubelet, 192.168.1.101 pulling image "registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.8.3"
```
## 参考