虽然我在不带tls引导程序的独立k8s集群(具有apiserver,controller-manager,schedule,kubelet,kube-proxy的一个集群中)上安装coredns,但无法创建pod并捕获到X509异常如下:
reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190620085101-78d2af792bab/tools/cache/reflector.go:98:无法列出* v1。命名空间:获取{{ 3}}:x509:证书由未知授权机构签名
api-server配置如下:
# 集群中etcd地址
KUBE_ETCD_SERVERS="--etcd-servers=http://127.0.0.1:2379"
# apiserver绑定主机的非安全ip地址,0.0.0.0表示绑定所有地址
KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0"
# apiserver绑定主机的非安全端口号
KUBE_API_PORT="--insecure-port=8080"
# 集群中service的虚拟ip地址范围,该ip范围不能与物理机的真实ip有重合
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"
# 集群中service可以映射的物理机端口号范围,默认为30000-32767
KUBE_SERVICE_PORT="--service-node-port-range=30000-32767"
# 集群的准入控制设置,各控制模块以插件的形式生效
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
# false表示将日志写入文件,不写入stderr
KUBE_LOGTOSTDERR="--logtostderr=false"
# 日志目录
KUBE_LOG_DIR="--log-dir=/var/log/kubernetes"
# 日志级别
KUBE_LOG_LEVEL="--v=2"
# 启用ServiceAccount
KUBE_API_ARGS="--service-account-key-file=/run/kubernetes/apiserver.key"
kubectl获得秘密-n kube-system像这样:
coredns-token-64xwq kubernetes.io/service-account-token 2 91m
default-token-grcxg kubernetes.io/service-account-token 2 31h
coredns配置yaml是从k8s github复制的。
当我使用base64解码coredns令牌并使用它卷曲我的集群时,它可以正常工作并像这样正确响应:
卷曲-k -H '授权:承载eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJjb3JlZG5zLXRva2VuLWhuODR3Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImNvcmVkbnMiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJjNzlkZjQwNy0yMjYwLTExZWEtODQ3ZS1mYTE2M2VkNTQ1NzgiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06Y29yZWRucyJ9.1wMhbXtb4iV9aGlqur3hGEe4Jlm0PiL-hsngKquIeVeBKPLXwMy5mRYlcBeLUhwGghq-05fIyWsBGvehaLsQxqBHNtTjG77yKk2PVnjVD9VuDcNiX_mMoe7edNhYt8rOHTNs7qSNIsuPjIr7cSOGPXsOuMCIgCi_QfuS72Ef0NIY0igEvv9FljoVqAFIzXEA1SM1SHcHvzP-AXIbYDnABuHEFUuagEVMjdUm9E94FWtTHmAE3BcHG6uY-oWeoyx9B0Z4ryRHuyoZ5sWzDoPERnTkh0wl82Ky-IKHe-zCsPjbjlY6MmevI0_f4RsMeuu_r-Y6OcZfxFmVkibl1pVjdQ'https://10.254.0.1:443/api/v1/namespaces?limit=500&resourceVersion=0