程序员经验分享-hwhale

Kubernetes 仪表板 - 登录后出现未知服务器错误

2024-03-19

我已经通过 Kubespray 成功部署了 Kubernetes,一切似乎都工作正常。我可以通过 kubectl 访问集群并列出节点、pod、服务、秘密等。还可以应用新资源,仪表板端点可以让我进入仪表板登录页面。

我已经使用不同服务帐户的令牌(默认,kubernetes-dashboard,kubernetes-admin,...)登录...每次登录时我都会收到相同的弹出窗口,如中所述kubespray 仪表板警告禁止弹出窗口 https://stackoverflow.com/questions/52954810/kubespray-dashboard-warning-forbidden-popups例如。

因此,我按照所述对默认服务帐户应用了 clusterrolebinding。当我现在使用默认帐户令牌登录时,我只得到一个

Unknown Server Error (404)
the server could not find the requested resource
Redirecting to previous state in 3 seconds...

之后将我重定向到登录页面的框。如果我通过连接到仪表板,其行为相同kubectl proxy。访问是通过公共集群 IP 的 HTTPS 以及通过代理的 HTTP

我正在使用 Kubernetes 1.16.2 和最新的 Kubespray master commit 18d19d9e

EDIT:我销毁并重新配置了集群,以获得一个新的 Kubespray 配置实例,使所有步骤具有确定性,并添加更多信息...

kubectl -n kube-system logs --follow kubernetes-dashboard-556b9ff8f8-jbmgg --在登录尝试期间给了我

2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/login request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 POST /api/v1/login request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/token request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 POST /api/v1/token/refresh request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/token request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 POST /api/v1/token/refresh request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/overview/default?filterBy=&itemsPerPage=10&name=&page=1&sortBy=d,creationTimestamp request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 Getting config category
2019/12/16 12:35:03 Getting discovery and load balancing category
2019/12/16 12:35:03 Getting lists of all workloads
2019/12/16 12:35:03 the server could not find the requested resource
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 404 status code
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 Getting pod metrics
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/systembanner request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/rbac/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:12 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
2019/12/16 12:35:42 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.

我发现了一个奇怪的解决方法来让仪表板正常工作,但这对我们在生产中不可用,也许有人可以解释一下:

  1. 我以服务帐户为例kube-system:default(注:此一项未分配cluster-admin在此刻
  2. 我得到它的令牌并用它登录
  3. 仪表板明显向我显示了“禁止的弹出窗口”
  4. 仍然登录时,我运行kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=kube-system:default
  5. 我刷新了保存仪表板会话的浏览器选项卡...瞧,一切都正确显示。

因此,我无法注销并再次登录,我总是必须删除集群角色绑定,然后登录,然后再次应用集群角色绑定。

这似乎与 kubespray 配置的集群密切相关,所以有人能够用 kubespray 重现这个问题吗?


如果您使用证书进行连接,则证书应位于 system:masters 组中,因此请包含“主题:O=system:masters, CN=”

您还可以创建一个 Token,然后使用该令牌代替证书:

您的集群角色可能绑定到“服务帐户”而不是您的组,您应该在 yaml 文件中检查您的组。您的服务帐户有一个访问令牌,请使用它而不是您的证书进行身份验证。

用它来创建一个令牌并使用它。

kubectl describe secret $(kubectl get secret | grep cluster-admin | awk '{print $1}')

token:

更新 kubeconfig 以使用该令牌(而不是您当前使用的证书)对您自己进行身份验证,并且您应该成功通过该集群管理服务帐户的身份验证。

Kubernetes RBAC - 禁止尝试授予额外权限 https://stackoverflow.com/questions/51598467/kubernetes-rbac-forbidden-attempt-to-grant-extra-privileges

本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)

Kubernetes

kubespray

Kubernetes 仪表板 - 登录后出现未知服务器错误 的相关文章

随机推荐

热门标签