Kubernetes Dashboard - Unknown Server Error after login


9

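I have successfully deployed Kubernetes via Kubespray, and everything seems to work fine. I can access the cluster via kubectl and list nodes, pods, services, secrets and so on. I can also apply new resources, and the dashboard endpoint serves me the dashboard login page.

I have logged in with the tokens of different service accounts (default, kubernetes-dashboard, kubernetes-admin, ...). With each login I get the same pop-ups as described in, for example, "kubespray dashboard warning forbidden popups".

So, as described there, I applied a clusterrolebinding for the default service account. Now, when I log in with the default account token, I only get an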

Unknown Server Error (404)
the server could not find the requested resource
Redirecting to previous state in 3 seconds...

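box, after which I am redirected to the login page. It behaves the same if I connect to the dashboard via kubectl proxy. Access is HTTPS via the public cluster IP and also HTTP over the proxy.

I am using Kubernetes 1.16.2 and the latest Kubespray master commit 18d19d9e

Edit: I destroyed and re-provisioned the cluster to get a fresh Kubespray-provisioned instance, so that all steps are deterministic, and I am adding more info...

kubectl -n kube-system logs --follow kubernetes-dashboard-556b9ff8f8-jbmgg

gives me the following when I try to log in: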

2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/login request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 POST /api/v1/login request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/token request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 POST /api/v1/token/refresh request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/token request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 POST /api/v1/token/refresh request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/overview/default?filterBy=&itemsPerPage=10&name=&page=1&sortBy=d,creationTimestamp request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 Getting config category
2019/12/16 12:35:03 Getting discovery and load balancing category
2019/12/16 12:35:03 Getting lists of all workloads
2019/12/16 12:35:03 the server could not find the requested resource
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 404 status code
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 Getting pod metrics
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/systembanner request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/rbac/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:12 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
2019/12/16 12:35:42 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.

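I found a strange workaround to get the dashboard working, but it is not usable for us in production. Maybe someone can explain it:

  1. I take, for example, the serviceaccount kube-system:default (note: this one is NOT assigned cluster-admin at this point)
  2. I get its token and log in with it
  3. The dashboard obviously shows me the "forbidden" pop-ups
  4. While still logged in, I run kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=kube-system:default
  5. I refresh the browser tab holding my dashboard session... and voilà, everything is displayed correctly.

So I cannot log out and log in again; I always have to delete the clusterrolebinding, then log in, and then apply the clusterrolebinding again.

This seems to be strongly related to clusters provisioned by kubespray, so can anyone reproduce it with kubespray?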


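Could you share the logs of the Kubernetes dashboard pod and the service account token you are using to log in?
Umesh Kumhar

Share the deployment yaml and the steps you tried
P Ekambaram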

Answers:


7

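If you are connecting with a certificate, the certificate should be in the system:masters group, so include "Subject: O=system:masters, CN="

You can also create a token and then use the token instead of the certificate:

Your cluster role may be bound to a "Service Account" rather than to your group; you should check your group in the yaml file. Your service account has an access token; use that token to authenticate instead of the certificate.

Use this to create the token and use it.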

kubectl describe secret $(kubectl get secret | grep cluster-admin | awk '{print $1}')

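Token:

Update the kubeconfig to authenticate yourself with that token (instead of the certificate you are currently using), and you should be successfully authenticated as that cluster-admin service account.

Kubernetes RBAC - forbidden attempt to grant extra privileges


This returns the token of the "default" service account in the "default" namespace, because "cluster-admin" is not defined. Even when I add "--all-namespaces", Kubespray does not seem to provide a cluster-admin service account. In general: I know about using a token to authenticate as the specific service account bound to that token. Unfortunately I do not get my service account working, even though I defined a clusterrolebinding
Jürgen Zornig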

Licensed under cc by-sa 3.0 with attribution required.