[Pitfall] Registering a kubelet node with the master kubectl


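After configuring the service, I found that it failed to start. On startup, kubelet first registers itself with kubectl, and registration relies on a role granted through a clusterrolebinding. The first thing checked is the user defined in the kubelet-bootstrap.kubeconfig file: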

# apiVersion: v1
# clusters:
# - cluster:
#     certificate-authority-data: <certificate data omitted>
#     server: https://192.168.0.253:8443
#   name: kubernetes
# contexts:
# - context:
#     cluster: kubernetes
#     user: kubelet-bootstrap
#   name: default
# current-context: default
# kind: Config
# preferences: {}
# users:
# - name: kubelet-bootstrap  # specifies a user name, used to authenticate to kubectl
#   user:
#     token: c3645405ff7dc6dd9db8be3c13d229eb

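Here the user is kubelet-bootstrap, which uses the token c3645405ff7dc6dd9db8be3c13d229eb to send kubectl a request containing the user and the token for authentication. When kubectl in the Kubernetes cluster receives the request, it performs these checks:

1) Token check: the kube-api-server.service unit is configured with the option --token-auth-file=${k8s_work_dir}/ssl/token.csv. The token in that file is compared with the token in the kubelet's request (they must match).

2) User check: kubectl has no user matching the one in the kubelet's request, so verification fails. Debug output from journalctl -xe -u kubelet shows the following error: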

failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:bootstrap:lemy40" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope
3) Use the command kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname] to manually create a binding that registers a role for the user in the kubelet's request.

4) Start kubelet again.
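The checks in steps 1 to 3, as an added shell example (not code from the original post): it compares the kubeconfig token with the token.csv entry, extracts the denied user from the kubelet error, and prints the binding command without running it. The file contents and token are constructed samples, the binding name kubelet-bootstrap is a hypothetical choice, and system:node-bootstrapper is Kubernetes' built-in ClusterRole for creating CSRs, which the post does not name.

```shell
#!/bin/sh
# Added example: offline pre-flight checks for the kubelet bootstrap steps.
# Sample file contents are constructed; nothing here contacts a cluster.

# Print the value of the first "token:" field in a kubeconfig file ($1).
kubeconfig_token() {
  sed -n 's/^[[:space:]]*token:[[:space:]]*//p' "$1" | head -n 1
}

# Step 1: look up token $2 in the --token-auth-file CSV $1
# (format: token,user,uid,"groups"). Prints the mapped user name;
# returns 1 when the token is absent, i.e. authentication would fail.
token_user() {
  awk -F, -v t="$2" '$1 == t { print $2; found = 1 } END { exit !found }' "$1"
}

# Step 2: read kubelet log lines on stdin and print the identity that
# RBAC refused when it tried to create a CertificateSigningRequest.
denied_user() {
  sed -n 's/.*is forbidden: User "\([^"]*\)" cannot create certificatesigningrequests.*/\1/p'
}

# Step 3: print the binding command for identity $1.
# Assumptions: binding name "kubelet-bootstrap" (hypothetical) and the
# built-in ClusterRole system:node-bootstrapper.
binding_command() {
  printf 'kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=%s\n' "$1"
}

# Demo on constructed inputs.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '0123456789abcdef0123456789abcdef,kubelet-bootstrap,10001,"system:kubelet-bootstrap"' > "$d/token.csv"
  printf '%s\n' 'users:' '- name: kubelet-bootstrap' '  user:' \
    '    token: 0123456789abcdef0123456789abcdef' > "$d/bootstrap.kubeconfig"
  tok=$(kubeconfig_token "$d/bootstrap.kubeconfig")
  if user=$(token_user "$d/token.csv" "$tok"); then
    echo "token matches token.csv entry for user: $user"
  else
    echo "token not found in token.csv: authentication will fail"
  fi
  line='certificatesigningrequests.certificates.k8s.io is forbidden: User "system:bootstrap:lemy40" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope'
  binding_command "$(printf '%s\n' "$line" | denied_user)"
  rm -rf "$d"
}
demo
```

system:node-bootstrapper only grants create, get, list and watch on certificate signing requests, so the bootstrap identity gains nothing beyond what registration needs.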

