Add case: node user forbidden in v1.8+.
parent 00b4ec647a
commit 3985a5a18f
|
@ -207,6 +207,7 @@ Dashboard 的访问地址不变,重新访问 <http://172.20.0.113:8080/api/v1/
|
|||
|
||||
1. 按照教程安装后,发现dashboard pod 无法启动
|
||||
|
||||
场景一:
|
||||
```
|
||||
kubectl -n kube-system describe pod dashboard-xxxxxxx
|
||||
```
|
||||
|
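Review bot: The "场景一:" label gives readers no symptom to match against, so they cannot tell which scenario applies before running the command. Suggest putting the distinguishing event or error on the label line, as scenario two does with its FailedMount output. For consistency with the blocks added further down, the `kubectl -n kube-system describe pod dashboard-xxxxxxx` fence could also carry the `bash` tag and use the same `kubernetes-dashboard-...` pod name placeholder.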
@ -215,7 +216,32 @@ Dashboard 的访问地址不变,重新访问 <http://172.20.0.113:8080/api/v1/
|
|||
|
||||
可以尝试删除所有相关“资源”再重试一次,如:secret、serviceaccount、service、pod、deployment
|
||||
|
||||
|
||||
|
||||
场景二:
|
||||
```bash
|
||||
kubectl describe pod -n kube-system kubernetes-dashboard-7b7bf9bcbd-xxxxx
|
||||
Events:
|
||||
Type Reason Age From Message
|
||||
---- ------ ---- ---- -------
|
||||
Normal Scheduled 49s default-scheduler Successfully assigned kubernetes-dashboard-7b7bf9bcbd-625cb to 192.168.1.101
|
||||
Normal SuccessfulMountVolume 49s kubelet, 192.168.1.101 MountVolume.SetUp succeeded for volume "tmp-volume"
|
||||
Warning FailedMount 17s (x7 over 49s) kubelet, 192.168.1.101 MountVolume.SetUp failed for volume "kubernetes-dashboard-certs" : secrets "kubernetes-dashboard-certs" is forbidden: User "system:node:192.168.1.233" cannot get secrets in the namespace "kube-system": no path found to object
|
||||
Warning FailedMount 17s (x7 over 49s) kubelet, 192.168.1.101 MountVolume.SetUp failed for volume "kubernetes-dashboard-token-27kdp" : secrets "kubernetes-dashboard-token-27kdp" is forbidden: User "system:node:192.168.1.233" cannot get secrets in the namespace "kube-system": no path found to object
|
||||
```
|
||||
通过官方文档:[RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions)。可以了解到,对于k8s1.8+版本,system:node不会进行默认绑定。因此对于分配到其他node的pod,会出现forbidden。
|
||||
需要手动bind各个node:
|
||||
```bash
|
||||
kubectl create clusterrolebinding node233 --clusterrole=system:node --user=system:node:192.168.1.233
|
||||
kubectl describe pod -n kube-system kubernetes-dashboard-7b7bf9bcbd-xxxxx
|
||||
Events:
|
||||
Type Reason Age From Message
|
||||
---- ------ ---- ---- -------
|
||||
Normal Scheduled 15s default-scheduler Successfully assigned kubernetes-dashboard-7b7bf9bcbd-pq6pk to 192.168.1.101
|
||||
Normal SuccessfulMountVolume 15s kubelet, 192.168.1.101 MountVolume.SetUp succeeded for volume "tmp-volume"
|
||||
Normal SuccessfulMountVolume 15s kubelet, 192.168.1.101 MountVolume.SetUp succeeded for volume "kubernetes-dashboard-certs"
|
||||
Normal SuccessfulMountVolume 15s kubelet, 192.168.1.101 MountVolume.SetUp succeeded for volume "kubernetes-dashboard-token-8rj79"
|
||||
Normal Pulling 15s kubelet, 192.168.1.101 pulling image "registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.8.3"
|
||||
```
|
||||
|
||||
## 参考
|
||||
|
||||
|
|
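Review bot: The `kubectl create clusterrolebinding node233 --clusterrole=system:node --user=system:node:192.168.1.233` step is presented as the fix with no security caveat, and the quoted events point at a different root cause. The pod is scheduled to 192.168.1.101 and the kubelet reporting the failure is 192.168.1.101, yet the denied user is `system:node:192.168.1.233`, so the kubelet on .101 appears to be authenticating with another node's identity. The "no path found to object" message comes from the Node authorizer, which only lets a node read secrets referenced by pods bound to that same node name. Suggest telling readers to first check that each kubelet's client credential names its own node, and describing the ClusterRoleBinding as a workaround: binding `system:node` through RBAC gives that user the role's permissions, including reading secrets, in every namespace rather than only for its own pods. If the workaround stays, note that it must be repeated per node and removed once the credentials are corrected. The RBAC link also targets `#service-account-permissions`, while the sentence is about the `system:node` binding, so the anchor should point at the section that covers that role.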