我在启用了k8s 1.6.4 RBAC的群集上尝试了kubectl exec,并且返回的错误是:error: unable to upgrade connection: Unauthorized。同一个容器上的docker exec成功。否则,kubectl正在运行。 kubectl隧道通过SSH连接,但我不认为这是问题。
已启用kubelet authn但未启用authz。 docs默认情况下authz是AlwaysAllow,所以我就这样离开了。
我觉得它与this issue类似。但错误信息有点不同。
提前致谢!
kubectl exec命令的详细日志:
I0614 16:50:11.003677 64104 round_trippers.go:398] curl -k -v -XPOST -H "X-Stream-Protocol-Version: v4.channel.k8s.io" -H "X-Stream-Protocol-Version: v3.channel.k8s.io" -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true
I0614 16:50:11.003705 64104 round_trippers.go:398] curl -k -v -XPOST -H "X-Stream-Protocol-Version: v4.channel.k8s.io" -H "X-Stream-Protocol-Version: v3.channel.k8s.io" -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" -H "User-Agent: kubectl/v1.6.4 (darwin/amd64) kubernetes/d6f4332" https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true
I0614 16:50:11.169474 64104 round_trippers.go:417] POST https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true 401 Unauthorized in 165 milliseconds
I0614 16:50:11.169493 64104 round_trippers.go:423] Response Headers:
I0614 16:50:11.169497 64104 round_trippers.go:426] Date: Wed, 14 Jun 2017 08:50:11 GMT
I0614 16:50:11.169500 64104 round_trippers.go:426] Content-Length: 12
I0614 16:50:11.169502 64104 round_trippers.go:426] Content-Type: text/plain; charset=utf-8
I0614 16:50:11.169506 64104 round_trippers.go:417] POST https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true 401 Unauthorized in 165 milliseconds
I0614 16:50:11.169509 64104 round_trippers.go:423] Response Headers:
I0614 16:50:11.169512 64104 round_trippers.go:426] Date: Wed, 14 Jun 2017 08:50:11 GMT
I0614 16:50:11.169545 64104 round_trippers.go:426] Content-Length: 12
I0614 16:50:11.169548 64104 round_trippers.go:426] Content-Type: text/plain; charset=utf-8
F0614 16:50:11.169635 64104 helpers.go:119] error: unable to upgrade connection: Unauthorized
答案 0 :(得分:3)
这是一个RTFM时刻......解决方案基本上是遵循this page上针对authn,authz或两者的所有步骤。
我遗漏了导致错误的--kubelet-client-certificate和--kubelet-client-key。如果没有这些标记,当您执行kube-apiserver时,kubectl exec将无法使用kubelet进行身份验证。
我最初尝试配置authn是通过阅读kubelet守护程序的文档(即不是上面的那个)。因此严重疏忽。
答案 1 :(得分:1)
在我的情况下(在学习Kubernetes 困难之路时,我必须配置RBAC权限以允许Kubernetes API服务器访问每个工作节点上的Kubelet API。我创建了{{1 }}和ClusterRole来访问Kubelet API
ClusterRoleBinding参考文献:
答案 2 :(得分:0)
在我的minikube群集版本1.12.3上运行此操作
如果您正在运行minikube集群,请升级minikube,它将得到修复。
检查您的minikube版本:
$ minikube update-check
CurrentVersion: v1.12.3
LatestVersion: v1.13.0
Minikube docs
升级(Mac OS):
brew upgrade minikube