kubectl代理无法与API服务器通信

时间:2019-03-27 20:05:05

标签: networking kubernetes marathon dcos

我在全新安装时遇到kubectl proxy的问题。

当我浏览到http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/时,我收到503响应。即使其他命令可以,代理似乎也无法访问kubernetes API。

Kubernetes在DC / OS中运行,软件包为1.3.1-1.10.8。 kubectl和Kubernetes均为1.10.8版本。在dc / os中配置了一个负载均衡器来公开API。

LB定义来自kubernetes on dcos help page。我在标签上添加了"HAPROXY_0_VHOST": "k8s-proxy.dcos.<domain>.com"

$ kubectl cluster-info
Kubernetes master is running at https://k8s-proxy.dcos.<domain>.com
KubeDNS is running at https://k8s-proxy.dcos.<domain>.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

我在详细的输出模式下运行kubectl proxy来查看它试图发出的呼叫。得到了503响应。

$ kubectl proxy --insecure-skip-tls-verify=true --alsologtostderr=true -v=99
I0327 12:26:45.461259   19980 loader.go:357] Config loaded from file U:\/.kube/config
Starting to serve on 127.0.0.1:8001
I0327 12:26:56.200819   19980 proxy_server.go:98] /api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ matched ^.*
I0327 12:26:56.200819   19980 proxy_server.go:98] localhost matched ^localhost$
I0327 12:26:56.200819   19980 proxy_server.go:138] Filter accepting GET /api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ localhost
I0327 12:26:56.200819   19980 upgradeaware.go:237] Request was not an upgrade
I0327 12:26:56.200819   19980 round_trippers.go:387] curl -k -v -XGET  -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" -H "Cache-Control: max-age=0" -H "User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" -H "Authorization: Bearer <my_token>" -H "X-Forwarded-For: 127.0.0.1" -H "Accept-Language: en-US,en;q=0.9" -H "Dnt: 1" -H "Accept-Encoding: gzip, deflate, br" -H "Upgrade-Insecure-Requests: 1" https://k8s-proxy.dcos.<domain>.com/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
I0327 12:26:56.313141   19980 round_trippers.go:406] GET https://k8s-proxy.dcos.<domain>.com/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ 503 Service Unavailable in 112 milliseconds
I0327 12:26:56.313141   19980 round_trippers.go:412] Response Headers:
I0327 12:26:56.313141   19980 round_trippers.go:415]     Cache-Control: no-cache
I0327 12:26:56.313141   19980 round_trippers.go:415]     Content-Type: text/html

在同一外壳中,我尝试运行代理运行的curl。它得到了200,而不是503。

$ curl -k -v -XGET  -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" -H "Cache-Control: max-age=0" -H "User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" -H "Authorization: Bearer <my_token>" -H "X-Forwarded-For: 127.0.0.1" -H "Accept-Language: en-US,en;q=0.9" -H "Dnt: 1" -H "Accept-Encoding: gzip, deflate, br" -H "Upgrade-Insecure-Requests: 1" https://k8s-proxy.dcos.<domain>.com/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

[...]
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: no-store
< Content-Encoding: gzip
< Content-Type: text/html; charset=utf-8
< Date: Wed, 27 Mar 2019 19:30:24 GMT
< Last-Modified: Fri, 24 Aug 2018 05:39:29 GMT
< Content-Length: 529
[...]

我希望能够访问我的集群,但是有效的请求返回503。其他kubectl命令也可以正常工作。这不是特定于仪表板的问题。

1 个答案:

答案 0 :(得分:0)

缺少最常见的问题,即在部署仪表板时,无法向服务帐户授予特权来管理kube系统名称空间中的机密。更多详细信息here

这导致仪表板容器落入 if ($res === TRUE) { $zip->addFromString('FILENAME_WITH_EXTENSION', 'file content goes here'); //Add your file name $zip->setEncryptionName('FILENAME_WITH_EXTENSION', ZipArchive::EM_AES_256, 'PASSWORD'); //Add file name and password dynamically $zip->close(); echo 'ok'; } else { echo 'failed'; } 中,因此缺少仪表板服务的端点。

因此要对其进行故障排除的第一步是检查端点

crashloopbackoff