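I have successfully deployed Kubernetes via Kubespray and everything seems to work fine. I am able to access the cluster via kubectl and list nodes, pods, services, secrets and so on. It is also possible to apply new resources, and the dashboard endpoint gets me to the dashboard login page.
I have already logged in with the tokens of different service accounts (default, kubernetes-dashboard, kubernetes-admin, ...)... with every login I get the same popups, as described in "kubespray dashboard warning forbidden popups" (https://stackoverflow.com/questions/52954810/kubespray-dashboard-warning-forbidden-popups), for example.
So I applied the clusterrolebinding for the default service account as described there. When I now log in with the default account token, I only get an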
Unknown Server Error (404)
the server could not find the requested resource
Redirecting to previous state in 3 seconds...
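box that afterwards redirects me to the login page. The behaviour is the same if I connect to the dashboard via kubectl proxy. Access is via HTTPS over the public cluster IP and also via HTTP over the proxy.
I am using Kubernetes 1.16.2 and the latest Kubespray master commit 18d19d9e.
EDIT: I destroyed and re-provisioned the cluster to get a fresh Kubespray-provisioned instance, to make all steps deterministic, and to add more info...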
kubectl -n kube-system logs --follow kubernetes-dashboard-556b9ff8f8-jbmgg --
gave me this during the login attempt:
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/login request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 POST /api/v1/login request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/token request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 POST /api/v1/token/refresh request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/token request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 POST /api/v1/token/refresh request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/overview/default?filterBy=&itemsPerPage=10&name=&page=1&sortBy=d,creationTimestamp request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 Getting config category
2019/12/16 12:35:03 Getting discovery and load balancing category
2019/12/16 12:35:03 Getting lists of all workloads
2019/12/16 12:35:03 the server could not find the requested resource
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 404 status code
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 Getting pod metrics
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/systembanner request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/rbac/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:12 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
2019/12/16 12:35:42 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
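I found an odd workaround to get the dashboard working, but it is not usable for us in production; maybe someone can explain it:
- I take, for example, the service account kube-system:default (note: this one is NOT assigned cluster-admin at this point)
- I get its token and log in with it
- The dashboard obviously shows me the "forbidden popups"
- While still logged in, I run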
kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=kube-system:default
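- I refresh the browser tab that holds my dashboard session... and voilà, everything shows up correctly.
As a result, I am not able to log out and log in again; I always have to delete the clusterrolebinding, then log in, and then apply the clusterrolebinding again.
This seems to be strongly related to Kubespray-provisioned clusters, so is anyone able to reproduce this with Kubespray?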
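Added example, not part of the original post: a small Python script that reads a dashboard log in the format shown above and reports which request received an error status, together with the plain messages logged just before the response. The FIFO pairing of responses to requests per client address is an assumption of this example (the log carries no request id), the name failed_requests is hypothetical, and the sample lines are constructed from the format in the post.

```python
import re
from collections import defaultdict, deque

# Constructed sample in the format of the dashboard log quoted in the post.
SAMPLE_LOG = """\
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 POST /api/v1/login request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/overview/default?filterBy=&itemsPerPage=10 request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 Getting lists of all workloads
2019/12/16 12:35:03 the server could not find the requested resource
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 404 status code
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/systembanner request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/rbac/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
"""

PREFIX = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d (?:\[[^\]]+\] )?")
INCOMING = re.compile(r"Incoming \S+ (\S+) (\S+) request from (\S+): ")
OUTGOING = re.compile(r"Outcoming response to (\S+) with (\d{3}) status code")

def failed_requests(log_text):
    """Return requests answered with a status >= 400.

    Assumption: each response answers the oldest unanswered request from
    the same client address (FIFO), and plain messages logged since the
    previous response belong to the request being answered.
    """
    pending = defaultdict(deque)  # client address -> queued (method, path)
    messages = []                 # plain messages since the last response
    failures = []
    for line in log_text.splitlines():
        body = PREFIX.sub("", line).strip()
        if m := INCOMING.search(body):
            method, path, client = m.groups()
            pending[client].append((method, path.split("?")[0]))
        elif m := OUTGOING.search(body):
            client, status = m.group(1), int(m.group(2))
            queue = pending[client]
            method, path = queue.popleft() if queue else ("?", "?")
            if status >= 400:
                failures.append({"method": method, "path": path,
                                 "status": status, "messages": list(messages)})
            messages.clear()
        elif body:
            messages.append(body)
    return failures

if __name__ == "__main__":
    for failure in failed_requests(SAMPLE_LOG):
        print(failure)
```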