Getting "Unauthorized" when testing the Kubernetes api-server

Time: 2017-01-14 11:00:15

Tags: kubernetes coreos kubectl kubelet

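I have Container Linux by CoreOS alpha (1284.2.0) and I'm trying to install kubernetes 1.5.2.

I noticed that the kube-proxy pod fails. I searched around and noticed that the api-server manifest is probably not configured properly.

I configured kubectl on my Mac Pro desktop using the documentation at https://coreos.com/kubernetes/docs/latest/configure-kubectl.html

When I execute kubectl get nodes, I get error: You must be logged in to the server (the server has asked for the client to provide credentials)

So I tried testing with curl. The server's hostname is coreos-2.tux-in.com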

ufk-osx-music:~ ufk$ curl http://coreos-2.tux-in.com:8080
curl: (7) Failed to connect to coreos-2.tux-in.com port 8080: Connection refused
ufk-osx-music:~ ufk$ curl https://coreos-2.tux-in.com
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
ufk-osx-music:~ ufk$ curl --insecure https://coreos-2.tux-in.com
Unauthorized

This is my kube-apiserver.yaml

apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-apiserver
    image: quay.io/coreos/hyperkube:v1.5.2_coreos.0
    command:
    - /hyperkube
    - apiserver
    - --bind-address=0.0.0.0
    - --etcd-servers=http://127.0.0.1:4001
    - --allow-privileged=true
    - --service-cluster-ip-range=10.3.0.0/24
    - --secure-port=443
    - --advertise-address=10.79.218.2
    - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
    - --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
    - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    - --client-ca-file=/etc/kubernetes/ssl/ca.pem
    - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    - --runtime-config=extensions/v1beta1/networkpolicies=true
    - --anonymous-auth=false
    livenessProbe:
      httpGet:
        host: 127.0.0.1
        port: 8080
        path: /healthz
      initialDelaySeconds: 15
      timeoutSeconds: 15
    ports:
    - containerPort: 443
      hostPort: 443
      name: https
    - containerPort: 8080
      hostPort: 8080
      name: local
    volumeMounts:
    - mountPath: /etc/kubernetes/ssl
      name: ssl-certs-kubernetes
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/ssl
    name: ssl-certs-kubernetes
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host

This is my kube-proxy.yaml

apiVersion: v1
kind: Pod
metadata:
  name: kube-proxy
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-proxy
    image: quay.io/coreos/hyperkube:v1.5.2_coreos.0
    command:
    - /hyperkube
    - proxy
    - --master=http://127.0.0.1:8080
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host

This is the controller's kubeconfig file, controler-kubeconfig.yaml

current-context: tuxin-coreos-context
apiVersion: v1
clusters:
- cluster:
    server: http://127.0.0.1:8080
  name: tuxin-coreos-cluster
contexts:
- context:
    cluster: tuxin-coreos-cluster
  name: tuxin-coreos-context
kind: Config
preferences:
  colors: true
users:
- name: kubelet
  user:
    client-certificate: /etc/kubernetes/ssl/apiserver.pem
    client-key: /etc/kubernetes/ssl/apiserver-key.pem

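Any information regarding this issue would be greatly appreciated!

1 answer:

Answer 0: (score: 0)

In general, I wasn't using the proper credentials in my .kube/config file. I also didn't use the same names for the cluster and context that I entered in the controller's kubeconfig.

This is the working .kube/config file: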

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /Users/ufk/Projects/tuxin-coreos/kubernetes/certs/ca.pem
    server: https://coreos-2.tux-in.com
  name: tuxin-coreos-cluster
contexts:
- context:
    cluster: tuxin-coreos-cluster
    user: default-admin
  name: tuxin-coreos-context
current-context: tuxin-coreos-context
kind: Config
preferences: {}
users:
- name: default-admin
  user:
    username: kubelet
    client-certificate: /Users/ufk/Projects/tuxin-coreos/kubernetes/certs/client.pem
    client-key: /Users/ufk/Projects/tuxin-coreos/kubernetes/certs/client-key.pem

My controller's kubeconfig:

current-context: tuxin-coreos-context
apiVersion: v1
clusters:
- cluster:
    server: http://127.0.0.1:8080
  name: tuxin-coreos-cluster
contexts:
- context:
    cluster: tuxin-coreos-cluster
  name: tuxin-coreos-context
kind: Config
preferences:
  colors: true
users:
- name: kubelet
  user:
    client-certificate: /etc/kubernetes/ssl/apiserver.pem
    client-key: /etc/kubernetes/ssl/apiserver-key.pem
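
An added example, not part of the original question or answer: a small check that resolves a kubeconfig's current-context to its cluster and user entries and lists what is missing, which is the class of mistake the answer describes. The function name, the dict form of the file (what `yaml.safe_load` or `kubectl config view -o json` would return), the shortened paths and the BROKEN variant are assumptions constructed for illustration.

```python
def check_kubeconfig(cfg):
    """Resolve current-context to its cluster and user; return what is missing."""
    def index(section, key):
        return {e["name"]: e.get(key) or {} for e in cfg.get(section) or []}
    clusters, users = index("clusters", "cluster"), index("users", "user")
    contexts = index("contexts", "context")
    current = cfg.get("current-context")
    if current not in contexts:
        return [f"current-context {current!r} is not defined"]
    ctx, problems = contexts[current], []
    cluster = clusters.get(ctx.get("cluster"))
    if cluster is None:
        problems.append(f"context refers to unknown cluster {ctx.get('cluster')!r}")
        cluster = {}
    if cluster.get("server", "").startswith("https://"):
        if cluster.get("insecure-skip-tls-verify"):
            problems.append("server certificate is not verified")
        elif not (cluster.get("certificate-authority")
                  or cluster.get("certificate-authority-data")):
            problems.append("no certificate-authority set; a private CA will not verify")

    user_name = ctx.get("user")
    if not user_name:
        problems.append("context names no user, so no credentials are sent")
    elif user_name not in users:
        problems.append(f"context refers to unknown user {user_name!r}")
    else:
        u = users[user_name]
        cert = u.get("client-certificate") or u.get("client-certificate-data")
        key = u.get("client-key") or u.get("client-key-data")
        if not ((cert and key) or u.get("token")
                or (u.get("username") and u.get("password"))):
            problems.append(f"user {user_name!r} has no usable credentials")
    return problems

# The answer's working .kube/config as a dict (paths shortened for the example).
WORKING = {
    "current-context": "tuxin-coreos-context",
    "clusters": [{"name": "tuxin-coreos-cluster", "cluster": {
        "server": "https://coreos-2.tux-in.com", "certificate-authority": "certs/ca.pem"}}],
    "contexts": [{"name": "tuxin-coreos-context", "context": {
        "cluster": "tuxin-coreos-cluster", "user": "default-admin"}}],
    "users": [{"name": "default-admin", "user": {
        "client-certificate": "certs/client.pem", "client-key": "certs/client-key.pem"}}],
}
# Constructed failing variant: the context names a user that is not defined.
BROKEN = dict(WORKING, contexts=[{"name": "tuxin-coreos-context", "context": {
    "cluster": "tuxin-coreos-cluster", "user": "admin"}}])
print(check_kubeconfig(WORKING), check_kubeconfig(BROKEN))
```

Run against the controller's kubeconfig shown above, the same check reports that the context names no user, so the `kubelet` entry under `users` is never applied.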