Kubernetes plugin for Jenkins is failing

Time: 2017-09-19 14:52:26

Tags: jenkins kubernetes

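I am trying to add Kubernetes as a cloud to a Jenkins server, using the appropriate Kubernetes URL and other details. When I add the details and test the connection, I get the following error:

Error connecting to https://192.168.X.XX:6443: Failure executing: GET at: https://192.168.X.XX:6443/api/v1/namespaces/default/pods. Message: User "system:anonymous" cannot list pods in the namespace "default"..

I tried executing curl with the --insecure option, but it logs the same error, as follows.

Message: User "system:anonymous" cannot list pods in the namespace "default"..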

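I tried adding jenkins and the user credentials to log in to jenkins as clusteradminrole using the following kubectl command:

kubectl create rolebinding jenkins-admin-binding --clusterrole=admin --user=jenkins --namespace=default

But it is still the same error.

Is anything missing?

Edit 1: Tried doing the following as suggested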

  

openssl genrsa -out jenkins.key 2048

openssl req -new -key jenkins.key -out jenkins.csr -subj "/CN=jenkins/O=admin_jenkins"

openssl x509 -req -in jenkins.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out jenkins.crt -days 500

kubectl config set-credentials jenkins --client-certificate=/root/pods/admin_jenkins/.certs/jenkins.crt --client-key=/root/pods/admin_jenkins/.certs/jenkins.key

kubectl config set-context jenkins-context --cluster=kubernetes --namespace=default --user=jenkins

kubectl create -f role.yaml (the role file as described)

kubectl create -f role-binding.yaml

Even after this

kubectl --context=jenkins-context get deployments 
gives the following error
"Error from server (Forbidden): User "jenkins" cannot list deployments.extensions in the namespace "default". (get deployments.extensions)"

Update 2:

After following the above steps,
"kubectl --context=jenkins-context get deployments" was successful.

I did the whole exercise after doing a kubeadm reset and it worked.

But the problem of integrating K8 with Jenkins still persists when I try to add it as a cloud using its plugin.

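1 answer:

Answer 0: (score: 2)

Have you defined the role admin? If not, define the admin role. You can refer to the document below.

https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/

Update: 1. You can create a file role.yaml like this and create the role. Then run kubectl apply -f role.yaml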

kind: Role
# On current clusters use rbac.authorization.k8s.io/v1; v1beta1 was removed in Kubernetes 1.22
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: admin
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]

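You need to pass the client certificate that has this role in order to authenticate.

From your second question, try authenticating the jenkin application user using this account. I am not sure this approach will work for you.

Updated on 9/25/17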

Username: admin
Group: jenkins


 openssl genrsa -out admin.key 2048
 openssl req -new -key admin.key -out admin.csr -subj "/CN=admin/O=jenkins"

 #Run this as root user in master node
 openssl x509 -req -in admin.csr -CA /etc/kubernetes/pki/ca.crt  -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out admin.crt -days 500

 mkdir .certs/
 mv admin.* .certs/
 kubectl config set-credentials admin --client-certificate=/home/jenkin/.certs/admin.crt  --client-key=/home/jenkin/.certs/admin.key
 kubectl config set-context admin-context --cluster=kubernetes --namespace=jenkins --user=admin 

Save this in a file and create the role

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: jenkins
  name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployment-manager-binding
  namespace: jenkins
subjects:
- kind: User
  name: admin
  apiGroup: ""
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: ""

Run the get pods command

kubectl --context=admin-context get pods
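
The Forbidden errors in this thread all reduce to two questions: which identity the API server derives for the caller, and whether a RoleBinding in the requested namespace names that identity. The following is an added example, not code from the question, the answer, Kubernetes or the Jenkins plugin: a simplified model of namespaced Role/RoleBinding evaluation, loaded only with the objects from the 9/25/17 update. `identity_from_subject` and `is_allowed` are hypothetical helper names.

```python
# Simplified model of how RBAC evaluates a namespaced Role + RoleBinding.
# Constructed data mirroring the Role and RoleBinding in the answer above.
ROLE = {
    "namespace": "jenkins", "name": "deployment-manager",
    "rules": [{
        "apiGroups": ["", "extensions", "apps"],
        "resources": ["deployments", "replicasets", "pods"],
        "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
    }],
}
BINDING = {
    "namespace": "jenkins", "roleRef": "deployment-manager",
    "subjects": [{"kind": "User", "name": "admin"}],
}

def identity_from_subject(subject):
    """Map an X.509 subject like '/CN=admin/O=jenkins' to (user, groups)."""
    if not subject:  # no client certificate or token presented
        return "system:anonymous", ["system:unauthenticated"]
    parts = [p.split("=", 1) for p in subject.strip("/").split("/")]
    user = next(v for k, v in parts if k == "CN")   # CN -> username
    return user, [v for k, v in parts if k == "O"]  # each O -> a group

def _covers(granted, value):
    return "*" in granted or value in granted

def is_allowed(subject, verb, api_group, resource, namespace,
               roles=(ROLE,), bindings=(BINDING,)):
    user, groups = identity_from_subject(subject)
    for b in bindings:
        if b["namespace"] != namespace:  # a RoleBinding grants nothing outside its namespace
            continue
        if not any((s["kind"] == "User" and s["name"] == user) or
                   (s["kind"] == "Group" and s["name"] in groups)
                   for s in b["subjects"]):
            continue
        for r in roles:
            if (r["namespace"], r["name"]) != (namespace, b["roleRef"]):
                continue
            for rule in r["rules"]:
                if (_covers(rule["apiGroups"], api_group)
                        and _covers(rule["resources"], resource)
                        and _covers(rule["verbs"], verb)):
                    return True
    return False  # nothing matched: RBAC denies by default

if __name__ == "__main__":
    cases = [(None, "default"), ("/CN=jenkins/O=admin_jenkins", "default"), ("/CN=admin/O=jenkins", "jenkins")]
    for subj, ns in cases:
        print(identity_from_subject(subj)[0], ns, is_allowed(subj, "list", "", "pods", ns))
```

A request that presents no credential is evaluated as system:anonymous, so no binding written for jenkins or admin can match it; the same admin certificate is also denied in the default namespace because the binding exists only in jenkins.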