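"kubectl exec" results in "error: unable to upgrade connection: Unauthorized"

Time: 2017-06-14 10:10:20

Tags: docker kubernetes coreos

I tried kubectl exec on a k8s 1.6.4 RBAC-enabled cluster, and the error returned was: error: unable to upgrade connection: Unauthorized. docker exec on the same container succeeds. Otherwise, kubectl is working. kubectl tunnels through an SSH connection, but I don't think this is the issue.

kubelet authn is enabled but authz is not. According to the docs, authz is AlwaysAllow by default, so I left it that way.

I have a feeling that it is similar to this issue. But the error message is a bit different.

Thanks in advance!

Verbose log of the kubectl exec command: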

I0614 16:50:11.003677   64104 round_trippers.go:398] curl -k -v -XPOST  -H "X-Stream-Protocol-Version: v4.channel.k8s.io" -H "X-Stream-Protocol-Version: v3.channel.k8s.io" -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true
I0614 16:50:11.003705   64104 round_trippers.go:398] curl -k -v -XPOST  -H "X-Stream-Protocol-Version: v4.channel.k8s.io" -H "X-Stream-Protocol-Version: v3.channel.k8s.io" -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" -H "User-Agent: kubectl/v1.6.4 (darwin/amd64) kubernetes/d6f4332" https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true
I0614 16:50:11.169474   64104 round_trippers.go:417] POST https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true 401 Unauthorized in 165 milliseconds
I0614 16:50:11.169493   64104 round_trippers.go:423] Response Headers:
I0614 16:50:11.169497   64104 round_trippers.go:426]     Date: Wed, 14 Jun 2017 08:50:11 GMT
I0614 16:50:11.169500   64104 round_trippers.go:426]     Content-Length: 12
I0614 16:50:11.169502   64104 round_trippers.go:426]     Content-Type: text/plain; charset=utf-8
I0614 16:50:11.169506   64104 round_trippers.go:417] POST https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true 401 Unauthorized in 165 milliseconds
I0614 16:50:11.169509   64104 round_trippers.go:423] Response Headers:
I0614 16:50:11.169512   64104 round_trippers.go:426]     Date: Wed, 14 Jun 2017 08:50:11 GMT
I0614 16:50:11.169545   64104 round_trippers.go:426]     Content-Length: 12
I0614 16:50:11.169548   64104 round_trippers.go:426]     Content-Type: text/plain; charset=utf-8
F0614 16:50:11.169635   64104 helpers.go:119] error: unable to upgrade connection: Unauthorized

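3 answers:

Answer 0 (score: 3)

This is an RTFM moment... The solution was basically to follow all the steps on this page for authn, authz, or both.

I had omitted --kubelet-client-certificate and --kubelet-client-key, which caused the error. Without these flags, when you run kube-apiserver, kubectl exec will not be able to authenticate with the kubelet.

My initial attempt at configuring authn was by reading the documentation for the kubelet daemon (i.e. not the one above). Hence the gross omission.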
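One way to check for the omission this answer describes, as an added example (not the answerer's code or anything from the Kubernetes project): it reads a kube-apiserver and a kubelet command line and reports which side of the x509 handshake is missing. It goes slightly beyond the answer by also looking at the kubelet's own flags; it assumes both components are configured through command-line flags, and the sample command lines and certificate paths are constructed.

```shell
#!/bin/sh
# Added example. Assumes kube-apiserver and the kubelet are configured with
# command-line flags (not a kubelet config file). Only flags are inspected;
# whether the certificate chains to the CA is not verified here.

# flag_value ARGS NAME: print the value of --NAME=value or "--NAME value".
flag_value() {
    printf '%s\n' "$1" | tr -s '[:space:]' '\n' | awk -v f="--$2" '
        index($0, f "=") == 1 { print substr($0, length(f) + 2); exit }
        $0 == f { if ((getline v) > 0 && v !~ /^--/) print v; exit }'
}

# kubelet_auth_verdict APISERVER_ARGS KUBELET_ARGS: print a one-word verdict.
kubelet_auth_verdict() {
    cert=$(flag_value "$1" kubelet-client-certificate)
    key=$(flag_value "$1" kubelet-client-key)
    ca=$(flag_value "$2" client-ca-file)
    anon=$(flag_value "$2" anonymous-auth)        # kubelet default: true
    mode=$(flag_value "$2" authorization-mode)    # kubelet flag default: AlwaysAllow

    if [ -n "$cert" ] && [ -n "$key" ] && [ -n "$ca" ]; then
        # x509 authn is wired up on both sides; authz decides the rest.
        if [ "${mode:-AlwaysAllow}" = "Webhook" ]; then
            echo "authn-ok-check-rbac"    # a denial here would be 403, not 401
        else
            echo "ok"
        fi
    elif [ "$anon" = "false" ]; then
        # No usable client certificate and anonymous requests are rejected.
        if [ -z "$cert" ] || [ -z "$key" ]; then
            echo "401-apiserver-missing-client-cert"
        else
            echo "401-kubelet-missing-client-ca"
        fi
    else
        echo "anonymous"    # request reaches the kubelet as system:anonymous
    fi
}

# Constructed sample command lines (paths are placeholders).
KUBELET='kubelet --client-ca-file=/etc/kubernetes/ssl/ca.pem --anonymous-auth=false'
API_BAD='kube-apiserver --secure-port=6443 --authorization-mode=RBAC'
API_GOOD="$API_BAD --kubelet-client-certificate=/etc/kubernetes/ssl/apiserver.pem --kubelet-client-key /etc/kubernetes/ssl/apiserver-key.pem"

kubelet_auth_verdict "$API_BAD" "$KUBELET"     # the question's situation
kubelet_auth_verdict "$API_GOOD" "$KUBELET"
```
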

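Answer 1 (score: 1)

In my case (while learning Kubernetes the Hard Way), I had to configure RBAC permissions to allow the Kubernetes API server to access the Kubelet API on each worker node. I created a ClusterRole and ClusterRoleBinding to access the Kubelet API.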

Answer 2 (score: 0)

I ran into this on my minikube cluster, version 1.12.3.
If you are running a minikube cluster, upgrade minikube and it will be fixed.

Check your minikube version:

$ minikube update-check
CurrentVersion: v1.12.3
LatestVersion: v1.13.0

Minikube docs
Upgrade (Mac OS):

brew upgrade minikube