Default service account can't use the Kubernetes plugin on Jenkins

Date: 2017-05-17 07:57:48

Tags: jenkins kubernetes kubernetes-helm

I have configured the Kubernetes plugin to launch slaves, but I am running into an access-control problem. When the master tries to launch a new pod (slave) I get this error:

Unexpected exception encountered while provisioning agent Kubernetes Pod Template
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://kubernetes.default/api/v1/namespaces/npd-test/pods. Message: Forbidden! Configured service account doesn't have access. Service account may have been revoked..
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:315)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:266)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:237)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:230)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:208)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleCreate(BaseOperation.java:643)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:300)
	at org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud$ProvisioningCallback.call(KubernetesCloud.java:636)
	at org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud$ProvisioningCallback.call(KubernetesCloud.java:581)
	at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

I checked the permissions of the default service account whose token is mounted at /var/run/secrets/kubernetes.io/serviceaccount/token, and tried using that token to create a pod at https://kubernetes.default/api/v1/namespaces/npd-test/pods, and it works.

Not sure why the plugin complains that the service account has no access.

I tried configuring the Kubernetes plugin both with None credentials and with Kubernetes service account credentials (no way to specify an account), but neither works.
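A check that narrows this down, added here as an example and not part of the question or of the Kubernetes plugin: read the claims of the mounted token to see which namespace and service account it actually names, then ask the API server through a SelfSubjectAccessReview whether that identity may create pods in npd-test. Unlike the manual test above, the review creates nothing. The token in the block is constructed and unsigned; the legacy kubernetes.io/serviceaccount/* claim names, the mount path and the authorization.k8s.io/v1 API are the assumptions.

```python
"""Show which identity the mounted service-account token carries and ask the
API server, without creating anything, whether it may create pods.

Added example for this thread, not the question's or the plugin's code.
Assumptions: legacy controller-manager tokens with kubernetes.io/serviceaccount/*
claims, and the authorization.k8s.io/v1 SelfSubjectAccessReview API.
"""
import base64
import json

TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _b64url_decode(segment: str) -> bytes:
    """JWT segments drop base64url padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def token_identity(token: str) -> dict:
    """Namespace, service account and subject named by a legacy SA token.

    The signature is deliberately NOT verified: this tells you which identity
    a client is presenting, it does not authenticate anyone."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    return {
        "namespace": claims["kubernetes.io/serviceaccount/namespace"],
        "service_account": claims["kubernetes.io/serviceaccount/service-account.name"],
        "subject": claims["sub"],
    }


def access_review(namespace: str, verb: str, resource: str, subresource: str = "") -> dict:
    """Body for POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews.

    Sent with the token as Bearer auth, the server evaluates RBAC for that
    identity: the same decision that refused the plugin's POST .../pods,
    but without creating a pod."""
    attrs = {"namespace": namespace, "verb": verb, "resource": resource}
    if subresource:
        attrs["subresource"] = subresource
    return {"apiVersion": "authorization.k8s.io/v1",
            "kind": "SelfSubjectAccessReview",
            "spec": {"resourceAttributes": attrs}}


def review_allowed(response: dict) -> bool:
    """True only for an explicit status.allowed that is not also denied."""
    status = response.get("status", {})
    return bool(status.get("allowed")) and not status.get("denied", False)


def constructed_token(namespace: str, name: str) -> str:
    """Constructed, unsigned sample standing in for the mounted token file."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": "kubernetes/serviceaccount",
              "kubernetes.io/serviceaccount/namespace": namespace,
              "kubernetes.io/serviceaccount/service-account.name": name,
              "sub": "system:serviceaccount:%s:%s" % (namespace, name)}
    return "%s.%s.%s" % (_b64url_encode(header), _b64url_encode(claims), "constructed-signature")


if __name__ == "__main__":
    try:
        with open(TOKEN_PATH) as fh:           # inside a pod: the real token
            token = fh.read().strip()
    except FileNotFoundError:                  # elsewhere: the constructed sample
        token = constructed_token("npd-test", "default")
    ident = token_identity(token)
    print("token identity:", ident["subject"])
    print(json.dumps(access_review(ident["namespace"], "create", "pods")))
```

Run it inside the Jenkins master pod and pipe the printed body to `curl -sS --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H 'Content-Type: application/json' -X POST https://kubernetes.default/apis/authorization.k8s.io/v1/selfsubjectaccessreviews -d @-`; from a workstation, `kubectl auth can-i create pods -n npd-test --as=system:serviceaccount:npd-test:default` asks the same question by impersonation. If the review comes back allowed but the plugin still gets 403, the plugin is not presenting this token (a different credential selected in the cloud configuration, or a different namespace than the one the token was tested against).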

2 Answers:

Answer 0 (score: 1)

Strange that the service account normally works for you but not in Jenkins. In my setup I had to add a RoleBinding that gives the service account the edit role (my namespace is actually jenkins, but I changed it here to match yours).

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: jenkins
  namespace: npd-test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- kind: ServiceAccount
  name: default
  namespace: npd-test

After doing that, I configured the Kubernetes Cloud plugin like this and it worked for me.

Kubernetes URL: https://kubernetes.default.svc.cluster.local
Kubernetes server certificate key:
Disable https certificate check: off
Kubernetes Namespace: npd-test
Credentials: - none -

Answer 1 (score: 0)

The following creates a service account that builds from namespace jenkins into namespace build. I left out the rules, but I can add them too if you need them.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: jenkins

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: jenkins
  namespace: build

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: jenkins
  namespace: build
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins
  namespace: jenkins
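Both answers bind a role to the Jenkins service account: Answer 0 reuses the built-in edit ClusterRole, which also lets the agent read and write secrets and workload controllers in the namespace, and Answer 1 leaves the Role's rules out. The block below, an added example that is not code from either answer or from the plugin, fills in a least-privilege rule set for the plugin (create/delete/get/list/watch on pods, create on pods/exec, get on pods/log; assumed from what the plugin needs to run a pod agent, so confirm against your plugin version), reimplements the RBAC matching rule the API server applies (apiGroup, resource and verb, with the `*` wildcard and the `*/subresource` form; resourceNames and nonResourceURLs are left out), and reports which probe requests edit allows that the minimal Role refuses. The edit rules are a constructed excerpt of the upstream ClusterRole, not the whole of it.

```python
"""Evaluate RBAC rules the way the API server does and compare a least-privilege
Role for the Jenkins kubernetes plugin with the built-in 'edit' ClusterRole.

Added example for this thread, not code from the answers or the plugin.
Assumed plugin needs: create/delete/get/list/watch pods, create pods/exec,
get pods/log in the build namespace (check your plugin version).
"""
import json
import sys
from typing import Dict, List, Tuple

Rule = Dict[str, List[str]]
Request = Tuple[str, str, str]  # (apiGroup, resource[/subresource], verb); "" is the core group

# Least-privilege rules for the Role that Answer 1 left empty.
JENKINS_AGENT_RULES: List[Rule] = [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["create", "delete", "get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
]

# Constructed excerpt of the built-in 'edit' ClusterRole that Answer 0 binds
# (upstream grants more than this; enough to show what a build agent also gets).
_RW = ["create", "delete", "deletecollection", "patch", "update", "get", "list", "watch"]
EDIT_EXCERPT: List[Rule] = [
    {"apiGroups": [""], "verbs": _RW,
     "resources": ["pods", "pods/attach", "pods/exec", "secrets", "configmaps", "services"]},
    {"apiGroups": [""], "verbs": ["get", "list", "watch"], "resources": ["pods/log", "pods/status"]},
    {"apiGroups": ["apps", "extensions"], "verbs": _RW,
     "resources": ["deployments", "replicasets", "daemonsets"]},
]


def _resource_matches(rule_resources: List[str], resource: str) -> bool:
    """'*' matches everything; 'pods/exec' must match exactly; '*/exec' matches
    the exec subresource of any resource (the only prefix form RBAC accepts)."""
    subresource = resource.split("/", 1)[1] if "/" in resource else ""
    for r in rule_resources:
        if r == "*" or r == resource:
            return True
        if subresource and r == "*/" + subresource:
            return True
    return False


def rule_matches(rule: Rule, api_group: str, resource: str, verb: str) -> bool:
    """A rule matches when apiGroup, resource and verb all match; '*' is a
    wildcard for groups and verbs. resourceNames/nonResourceURLs are ignored."""
    groups = rule.get("apiGroups", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or api_group in groups)
            and ("*" in verbs or verb in verbs)
            and _resource_matches(rule.get("resources", []), resource))


def allowed(rules: List[Rule], api_group: str, resource: str, verb: str) -> bool:
    """RBAC is purely additive: one matching rule anywhere grants the request."""
    return any(rule_matches(r, api_group, resource, verb) for r in rules)


def excess_grants(broad: List[Rule], minimal: List[Rule], probes: List[Request]) -> List[Request]:
    """Probe requests the broad role allows that the minimal role refuses."""
    return [p for p in probes if allowed(broad, *p) and not allowed(minimal, *p)]


def role_manifest(name: str, namespace: str) -> Dict:
    """Role carrying JENKINS_AGENT_RULES, ready for `kubectl apply -f -` as JSON."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": name, "namespace": namespace},
            "rules": JENKINS_AGENT_RULES}


# Requests worth asking about: what the agent needs, and what it should not have.
PROBES: List[Request] = [
    ("", "pods", "create"), ("", "pods/exec", "create"), ("", "pods/log", "get"),
    ("", "secrets", "list"), ("", "configmaps", "delete"), ("apps", "deployments", "delete"),
]

if __name__ == "__main__":
    for probe in excess_grants(EDIT_EXCERPT, JENKINS_AGENT_RULES, PROBES):
        print("edit grants, minimal Role does not:", probe, file=sys.stderr)
    print(json.dumps(role_manifest("jenkins", "build"), indent=2))
```

`python3 rbac_check.py | kubectl apply -f -` installs the Role in namespace build (the excess report goes to stderr, so it does not pollute the manifest); the RoleBinding from Answer 1 then points at it unchanged. The same `allowed` function can be pointed at any Role you pull with `kubectl get role -o json` to see what a binding really hands to the Jenkins service account before you create it.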