I have a brand-new Kubernetes v1.8 cluster with two nodes (RBAC enabled). Jenkins is deployed as a StatefulSet, together with the suggested ServiceAccount / Role and RoleBindings (from here). Cluster info:
$ kubectl cluster-info
Kubernetes master is running at https://10.182.255.35:6443
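When I try to set up the Kubernetes cloud in the Jenkins settings, I get a 403 (Forbidden) error. I followed the plugin guide, created a "Kubernetes Service Account" credential in Jenkins, and tried to configure a new cloud. Jenkins configuration screenshot. Here is the plugin's debug log: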
Nov 02, 2017 7:40:57 PM FINE org.csanchez.jenkins.plugins.kubernetes.KubernetesFactoryAdapter
Creating Kubernetes client: KubernetesFactoryAdapter [serviceAddress=https://10.182.255.35:6443, namespace=default, caCertData=null, credentials=org.csanchez.jenkins.plugins.kubernetes.ServiceAccountCredential@99ee54b6, skipTlsVerify=true, connectTimeout=0, readTimeout=0]
Nov 02, 2017 7:40:57 PM FINE org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud
Error connecting to https://10.182.255.35:6443
java.io.IOException: Unexpected response code for CONNECT: 403
at okhttp3.internal.connection.RealConnection.createTunnel(RealConnection.java:371)
...(skipped)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:605)
Caused: io.fabric8.kubernetes.client.KubernetesClientException: Operation: [list] for kind: [Pod] with name: [null] in namespace: [default] failed.
at io.fabric8.kubernetes.client.KubernetesClientException.launderThrowable(KubernetesClientException.java:62)
...(skipped)
Meanwhile, if I make an API call from inside this pod using the serviceAccount, it works:
$ kubectl exec -ti jenkins-0 bash (ssh into the pod)
bash-4.3$ KUBE_TOKEN=$(</var/run/secrets/kubernetes.io/serviceaccount/token)
bash-4.3$ curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" https://10.182.255.35:6443/api/v1/namespaces/default/pods
{
"kind": "PodList",
"apiVersion": "v1",
"metadata": {
"selfLink": "/api/v1/namespaces/default/pods",
"resourceVersion": "90645"
},
"items": [
{
...(skipped)
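Answer 0 (score: 1)
Answering my own question: the problem was my proxy settings. You need to specify the instance IPs in the no_proxy environment variable during cluster setup.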
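Answer 1 (score: 0)
I don't have enough reputation to upvote, but I just want to confirm that this is related to the proxy settings @Symydo mentioned. So either add the instance IP to the pod's NO_PROXY environment variable, or remove the proxy settings if they are not needed.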
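The stack trace in the question fails in `createTunnel` with "Unexpected response code for CONNECT: 403", meaning the 403 came from an HTTP proxy refusing the tunnel, not from the API server's RBAC. The script below is an added example, not code from the thread: run inside the Jenkins pod, it reports whether the API server host is exempted by the no_proxy list. The function names are hypothetical, and the matching rules (exact match, domain suffix for hostnames, `*`) are an assumption, since no_proxy handling differs between clients.

```shell
#!/bin/sh
# Added example. Assumes IPv4 literals or hostnames; CIDR entries are not
# interpreted because many clients do not support them in no_proxy.

# api_host URL: print the host part of a URL (scheme, port and path removed).
api_host() {
  h=${1#*://}; h=${h%%/*}; h=${h%%:*}
  printf '%s\n' "$h"
}

# no_proxy_covers HOST LIST: succeed if HOST is exempted by the comma-separated LIST.
# The body runs in a subshell so the IFS and globbing changes do not leak out.
no_proxy_covers() (
  host=$1
  IFS=','
  set -f
  for entry in $2; do
    entry=$(printf '%s' "$entry" | tr -d '[:space:]')
    entry=${entry#.}                 # ".example.com" and "example.com" behave alike
    [ -n "$entry" ] || continue
    if [ "$entry" = "*" ] || [ "$host" = "$entry" ]; then exit 0; fi
    case $host in
      *[!0-9.]*)                     # hostname, not an IP literal: allow suffix match
        case $host in *".$entry") exit 0 ;; esac ;;
    esac
  done
  exit 1
)

# proxy_verdict URL PROXY NO_PROXY: print direct, exempt or proxied.
proxy_verdict() {
  host=$(api_host "$1")
  if [ -z "$2" ]; then echo direct
  elif no_proxy_covers "$host" "$3"; then echo exempt
  else echo proxied
  fi
}

# Evaluate the current shell's proxy environment against the API server URL
# taken from the question's debug log.
proxy_verdict "https://10.182.255.35:6443" \
  "${https_proxy:-${HTTPS_PROXY:-}}" "${no_proxy:-${NO_PROXY:-}}"
```

A result of `proxied` means requests to the API server go through the proxy, which is the condition both answers resolve by listing the IP in no_proxy or removing the proxy settings.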