[踩坑]kubelet node 節點向 master kubectl 注冊

本文轉載自查看原文 2020-03-24 09:32 693 K8S

配置好服務后，發現啟動失敗，因為 kubelet 啟動時會先向 kubectl注冊自己，注冊時用到一個 clusterrolebinding 概念下的一個角色。首先進行校驗定義在 kubelet-bootstrap.kubeconfig 文件中的urser:

# apiVersion: v1
# clusters:
# - cluster:
# certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lVZFhaTlBVTGpScm5BSE4yUnIwSVphVW1LY1hjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbAphVXBwYm1jeEREQUtCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByCmRXSmxjbTVsZEdWek1CNFhEVEl3TURJeU9URXdOREV3TUZvWERUSTFNREl5TnpFd05ERXdNRm93WlRFTE1Ba0cKQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbGFVcHBibWN4RERBSwpCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByZFdKbGNtNWxkR1Z6Ck1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBcXRneWxUbUJ4MFFKSVIvc1dYYTMKUDhaQ1dwelNFZGt3SllLTXYvdGF2OC9VdjQ3YU91dHJzUDlrTktWdnNIYTdnWU9BN1VOS0N2N3F2N0s0eW95YwpMaUREMlQ5WlFVbFVmTitqREZVM3RQY1h4QUtNQjROU291amhpZlBHOWYvNnhYVWpyWnlRVTN4MGtJSnZ2ckVnCkVRS3ZHVjk4NUVRRGJ5R1p6TzVINFUvMURIT3c5NFhBM3pEUGgvU25CWlV5enEwdFRpQytqd0NBUEV0WDZQUUQKYUh3YUY2Y1ZIejBoWlFMckMzWmgyT2hPNHdzRzZmOUtpY25XY0FubWVjUE5DUjBkd1dybTNqUUQveUI3cUMrVwpVeFEvdEkvT2dTMFBRV3Y3Rml0eGdKVkcxYnozRXRtZE1LeFd4U1FIUHhBSjNwR3k2ZFA2YjMycUM4Yzh2MC9TClJ3SURBUUFCbzJZd1pEQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFqQWQKQmdOVkhRNEVGZ1FVandhMytXeUJkdFdqSmdwOXpzZVFLZHlqcjljd0h3WURWUjBqQkJnd0ZvQVVqd2EzK1d5QgpkdFdqSmdwOXpzZVFLZHlqcjljd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDWm4xUjRBUi9xYTRRb2p1Zk1ZClpPYW1LamZoSVRqak9hQkw5M2xKM1M1OElPbFdwVkswb2ZSYkFMTWxOMWF2UzNxbHNHTyt6UzJZRW9MSzdKTDAKZUFCanVmT3VZM28vYnBqMFQ5QjZiNFNvVVcvcHNldG5iazkrM1NqRkErOEhIVkJmVWtaZHQ5bVFuRGo5V2dLRQp5RkszMnJWeDI4SVZFdHJaZHVaMHJhb2NyM0o0KzBseHh6R3JFRWswYk5jMXFzSFVVUFhTTEExcEpVTlJDTjdWCm9hNi9hbUhGQ3B5RkJxalZNMkdpa3FnUnJ6Y1RtK2tBSFJ5ODJ5UkdieXIydUpRUGkrL1d4SnFxcDd5Ums2SG4KM3dzZ1BGZy80aHVzYjBUTEZlVzRwNkhxK2h3R0tER2tjTGE4M1YzenhDQXVKSnBsNEdRdGtsY0U4bVVBWVBoTgpheEk9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
# server: https://192.168.0.253:8443
# name: kubernetes
# contexts:
# - context:
# cluster: kubernetes
# user: kubelet-bootstrap
# name: default
# current-context: default
# kind: Config
# preferences: {}
# users:
# - name: kubelet-bootstrap # 指定以個用戶名稱, 用來向kubectl認證身份
# user:
# token: c3645405ff7dc6dd9db8be3c13d229eb

這里user 用戶為: kubelet-bootstrap 並使用一個token: c3645405ff7dc6dd9db8be3c13d229eb 向kubectl 發送包含用戶和token 請求進行認證，kubernetes 集群 kubectl 收到請求, 進行校驗：

1) token值的校驗:由於 kube-api-server.service 服務配置項中的選項參數--token-auth-file=${k8s_work_dir}/ssl/token.csv 該文件中的token和kubelet請求的校驗(要一致)

2) 用戶校驗: kubectl當中並沒有 kubelet請求的用戶, 因此,驗證失敗: 調試信息 journal -xe -u kubelet 錯誤信息如下:

failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:bootstrap:lemy40" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope
3) 使用命令: kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname] 手動創建注冊一個 kubelet請求的角色用戶

4) 再次啟動： kubelet

免責聲明！

本站轉載的文章為個人學習借鑒使用，本站對版權不負任何法律責任。如果侵犯了您的隱私權益，請聯系本站郵箱yoyou2525@163.com刪除。

猜您在找 K8S踩坑篇-master節點作為node節點加入集群 k8s集群node節點一直NotReady, 且node節點(並非master)的kubelet報錯：Unable to update cni config: No networks found in /etc/cni/net.d node節點加入master報錯 kubernetes集群-node節點上執行kubectl k8s之node節點使用kubectl kubelet kubeadm kubectl install k8s master節點添加kubectl的使用 009.Kubernetes二進制master節點部署kubectl k8s-(node節點kubelet、kube-proxy) Gerrit push到master分支踩過的坑