我的群集目前已关闭,我无法在其上启动新的广告连播。我尝试使用kops从1.9.1升级到1.9.3并添加pvc resize admissionControl。随着滚动升级的发生,我注意到新节点没有正常上线(即使滚动升级认为它们是)。我放弃了滚动升级。我发现豆荚抱怨:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
kube api服务器显示:
I0524 14:27:43.871432 1 rbac.go:116] RBAC DENY: user "system:kube-proxy" groups ["system:authenticated"] cannot "get" resource "nodes" named "ip-10-23-2-5.ec2.internal" cluster-wide
I0524 14:27:43.873562 1 rbac.go:116] RBAC DENY: user "kubelet" groups ["system:nodes" "system:authenticated"] cannot "list" resource "nodes" cluster-wide
I0524 14:27:43.873783 1 rbac.go:116] RBAC DENY: user "kubelet" groups ["system:nodes" "system:authenticated"] cannot "list" resource "services" cluster-wide
I0524 14:27:43.887303 1 rbac.go:116] RBAC DENY: user "system:kube-scheduler" groups ["system:authenticated"] cannot "list" resource "replicasets.extensions" cluster-wide
I0524 14:27:43.887569 1 rbac.go:116] RBAC DENY: user "system:kube-scheduler" groups ["system:authenticated"] cannot "list" resource "persistentvolumeclaims" cluster-wide
I0524 14:27:43.949818 1 rbac.go:116] RBAC DENY: user "kubelet" groups ["system:nodes" "system:authenticated"] cannot "list" resource "pods" cluster-wide
I0524 14:27:43.956233 1 rbac.go:116] RBAC DENY: user "system:kube-scheduler" groups ["system:authenticated"] cannot "list" resource "statefulsets.apps" cluster-wide
I0524 14:27:43.958076 1 rbac.go:116] RBAC DENY: user "system:kube-scheduler" groups ["system:authenticated"] cannot "list" resource "services" cluster-wide
I0524 14:27:43.958564 1 rbac.go:116] RBAC DENY: user "system:kube-scheduler" groups ["system:authenticated"] cannot "list" resource "nodes" cluster-wide
I0524 14:27:43.972226 1 rbac.go:116] RBAC DENY: user "kubelet" groups ["system:nodes" "system:authenticated"] cannot "create" resource "nodes" cluster-wide
请帮忙
答案 0 :(得分:0)
最后解决了这个问题。由于没有与某些pod相关联的适当权限的服务帐户,api日志中的错误会产生误导并持续存在。
根本问题在于滚动升级会让一个主人“准备就绪”,但是没有ServiceAccount admissionControl的apiserver正在运行。所以新的豆荚正在那里路由而不会出现。通过纠正所有主人的admissionControl解决了这个问题。