Creating a custom scheduler doesn't work

Time: 2016-06-02 08:10:53

Tags: kubernetes

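When I create a custom scheduler following these instructions, the pods assigned to my-scheduler (pod annotation-second-scheduler in the example) stay in the Pending state and are never scheduled.

I think this is because kube-scheduler cannot reach the master from within the pod. I don't know how to get this working. How do I access the master from within a pod? I tried running kubectl proxy -p 8001 in the pod, but that didn't work.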

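2 answers:

Answer 0: (score: 1)

I ran into a few issues with the instructions at https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ on my local cluster, which was created using the instructions at https://blog.tekspace.io/setup-kubernetes-cluster-with-ubuntu-16-04/

These errors were reported by the custom scheduler container (kubectl logs command):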

E0628 21:05:29.128618       1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:87: Failed to list *v1.PersistentVolumeClaim: persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list persistentvolumeclaims at the cluster scope: clusterrole.rbac.authorization.k8s.io "kube-scheduler" not found
E0628 21:05:29.129945       1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:87: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list services at the cluster scope: clusterrole.rbac.authorization.k8s.io "kube-scheduler" not found
E0628 21:05:29.132968       1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:87: Failed to list *v1.StorageClass: storageclasses.storage.k8s.io is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list storageclasses.storage.k8s.io at the cluster scope: clusterrole.rbac.authorization.k8s.io "kube-scheduler" not found
E0628 21:05:29.151367       1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:87: Failed to list *v1.PersistentVolume: persistentvolumes is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list persistentvolumes at the cluster scope: clusterrole.rbac.authorization.k8s.io "kube-scheduler" not found
E0628 21:05:29.152097       1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:87: Failed to list *v1beta1.ReplicaSet: replicasets.extensions is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list replicasets.extensions at the cluster scope: clusterrole.rbac.authorization.k8s.io "kube-scheduler" not found
E0628 21:05:29.153187       1 reflector.go:205] k8s.io/kubernetes/cmd/kube-scheduler/app/server.go:594: Failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list pods at the cluster scope: clusterrole.rbac.authorization.k8s.io "kube-scheduler" not found
E0628 21:05:29.153201       1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:87: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list nodes at the cluster scope: clusterrole.rbac.authorization.k8s.io "kube-scheduler" not found
E0628 21:05:29.153300       1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:87: Failed to list *v1.ReplicationController: replicationcontrollers is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list replicationcontrollers at the cluster scope: clusterrole.rbac.authorization.k8s.io "kube-scheduler" not found
E0628 21:05:29.153338       1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:87: Failed to list *v1beta1.PodDisruptionBudget: poddisruptionbudgets.policy is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list poddisruptionbudgets.policy at the cluster scope: clusterrole.rbac.authorization.k8s.io "kube-scheduler" not found
E0628 21:05:29.153757       1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:87: Failed to list *v1beta1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list statefulsets.apps at the cluster scope: clusterrole.rbac.authorization.k8s.io "kube-scheduler" not found
E0628 21:05:30.147954       1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:87: Failed to list *v1.StorageClass: storageclasses.storage.k8s.io is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list storageclasses.storage.k8s.io at the cluster scope: clusterrole.rbac.authorization.k8s.io "kube-scheduler" not found
E0628 21:05:30.149547       1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:87: Failed to list *v1.PersistentVolumeClaim: persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list persistentvolumeclaims at the cluster scope: clusterrole.rbac.authorization.k8s.io "kube-scheduler" not found
E0628 21:05:30.149562       1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:87: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list services at the cluster scope: clusterrole.rbac.authorization.k8s.io "kube-scheduler" not found

The problem is in the my-scheduler.yaml file: in roleRef, change the name field from kube-scheduler to system:kube-scheduler. Before changing the yaml file, verify with the following command:

 kubectl get clusterrole  --all-namespaces | grep -i kube

It should list system:kube-scheduler rather than just kube-scheduler.

After that, it may print these errors in the custom scheduler container:

E0628 21:22:39.937271       1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:87: Failed to list *v1.StorageClass: storageclasses.storage.k8s.io is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list storageclasses.storage.k8s.io at the cluster scope
E0628 21:22:40.940461       1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:87: Failed to list *v1.StorageClass: storageclasses.storage.k8s.io is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list storageclasses.storage.k8s.io at the cluster scope
E0628 21:22:41.943323       1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:87: Failed to list *v1.StorageClass: storageclasses.storage.k8s.io is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list storageclasses.storage.k8s.io at the cluster scope
E0628 21:22:42.946263       1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:87: Failed to list *v1.StorageClass: storageclasses.storage.k8s.io is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list storageclasses.storage.k8s.io at the cluster scope

In that case, add the following lines:

- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - watch
  - list
  - get

at the end of the output of this command (this opens a file for you to edit):

kubectl edit clusterrole system:kube-scheduler
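
The two failure modes in the logs above can be told apart mechanically. The following is an added example, not part of the answer: it parses scheduler log lines of the shape quoted above, reports ClusterRole names that a binding references but that do not exist, and renders the remaining denials as ClusterRole rule entries. The sample lines are constructed, the function names are hypothetical, and adding `watch` alongside `list` assumes the denial comes from an informer, which lists and then watches.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the scheduler errors quoted above.
SAMPLE_LOG = """\
E0628 21:05:29.128618       1 reflector.go:205] factory.go:87: Failed to list *v1.PersistentVolumeClaim: persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list persistentvolumeclaims at the cluster scope: clusterrole.rbac.authorization.k8s.io "kube-scheduler" not found
E0628 21:22:39.937271       1 reflector.go:205] factory.go:87: Failed to list *v1.StorageClass: storageclasses.storage.k8s.io is forbidden: User "system:serviceaccount:kube-system:my-scheduler" cannot list storageclasses.storage.k8s.io at the cluster scope
"""

FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<res>[\w.\-]+) at the cluster scope'
    r'(?:: clusterrole\.rbac\.authorization\.k8s\.io "(?P<missing>[^"]+)" not found)?'
)

def analyze(log_text):
    """Return (dangling_roles, needed); needed maps (user, apiGroup, resource) -> verbs."""
    dangling = set()
    needed = defaultdict(set)
    for line in log_text.splitlines():
        m = FORBIDDEN.search(line)
        if not m:
            continue
        if m.group("missing"):
            # The binding's roleRef names a ClusterRole that does not exist, so
            # every request is denied; fix the roleRef before adding any rule.
            dangling.add(m.group("missing"))
            continue
        resource, _, group = m.group("res").partition(".")  # "pods" -> core group ""
        verbs = needed[(m.group("user"), group, resource)]
        verbs.add(m.group("verb"))
        if m.group("verb") == "list":  # assumption: informer, needs watch as well
            verbs.add("watch")
    return dangling, dict(needed)

def render_rules(needed):
    """Render the missing permissions as ClusterRole rule entries (YAML text)."""
    out = []
    for (_user, group, resource), verbs in sorted(needed.items()):
        out.append("- apiGroups:\n  - %s" % (group if group else '""'))
        out.append("  resources:\n  - %s" % resource)
        out.append("  verbs:\n" + "\n".join("  - %s" % v for v in sorted(verbs)))
    return "\n".join(out)
```

A non-empty first result means the roleRef has to be corrected first; only the denials without a "not found" suffix describe rules that are actually missing from the role.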

Answer 1: (score: 0)

From the user guide section on accessing the cluster API from a pod at kubernetes.io

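When accessing the API from a pod, locating and authenticating to the api server are somewhat different.

The recommended way to locate the apiserver within the pod is with the kubernetes DNS name, which resolves to a Service IP which in turn will be routed to an apiserver.

The recommended way to authenticate to the apiserver is with a service account credential. By kube-system, a pod is associated with a service account, and a credential (token) for that service account is placed into the filesystem tree of each container in that pod, at /var/run/secrets/kubernetes.io/serviceaccount/token

If available, a certificate bundle is placed into the filesystem tree of each container at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, and should be used to verify the serving certificate of the apiserver.

Finally, the default namespace to be used for namespaced API operations is placed in a file at /var/run/secrets/kubernetes.io/serviceaccount/namespace in each container

From within a pod the recommended ways to connect to API are:

  • run a kubectl proxy as one of the containers in the pod, or as a background process within a container. This proxies the Kubernetes API to the localhost interface of the pod, so that other processes in any container of the pod can access it. See this example of using kubectl proxy in a pod.
  • use the Go client library, and create a client using the client.NewInCluster() factory. This handles locating and authenticating to the apiserver.

In each case, the credentials of the pod are used to communicate securely with the apiserver.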
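
How the three mounted files fit together, as an added example that is not part of the answer or of the quoted guide: it reads the token, namespace and CA bundle from the paths given above and makes a TLS-verified, token-authenticated request with the Python standard library rather than kubectl proxy or the Go client. The host name `kubernetes.default.svc`, the pods endpoint and the function names are assumptions chosen for illustration.

```python
import json
import os
import ssl
import urllib.request

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

def load_credentials(sa_dir=SA_DIR):
    """Read the token and namespace; return the CA bundle path, or None if absent."""
    with open(os.path.join(sa_dir, "token")) as f:
        token = f.read().strip()
    with open(os.path.join(sa_dir, "namespace")) as f:
        namespace = f.read().strip()
    ca_path = os.path.join(sa_dir, "ca.crt")
    return token, namespace, (ca_path if os.path.exists(ca_path) else None)

def build_request(token, namespace, host="kubernetes.default.svc"):
    """Build an authenticated GET for the pods in the pod's own namespace."""
    # Assumption: the apiserver is reached through its in-cluster DNS name.
    url = "https://%s/api/v1/namespaces/%s/pods" % (host, namespace)
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + token})

def list_pod_names(sa_dir=SA_DIR):
    """Return pod names in the pod's namespace; only works inside a cluster."""
    token, namespace, ca_path = load_credentials(sa_dir)
    if ca_path is None:
        # Without ca.crt the apiserver certificate cannot be verified, and
        # sending the bearer token over an unverified connection would expose it.
        raise RuntimeError("no CA bundle mounted; refusing to skip TLS verification")
    ctx = ssl.create_default_context(cafile=ca_path)  # trust only the cluster CA
    req = build_request(token, namespace)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return [item["metadata"]["name"] for item in json.load(resp)["items"]]
```

A 403 response from this request means the connection and authentication succeeded and the service account lacks the RBAC permission, which is a different failure from being unable to reach the apiserver.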