
kubelet doesn't seem to be using the correct user when registering node

When kubelet tries to start on my Kubernetes worker nodes, I'm getting messages like this in the system log:

May 25 19:43:57 ip-10-240-0-223 kubelet[4882]: I0525 19:43:57.627389    4882 kubelet_node_status.go:82] Attempting to register node worker-1
May 25 19:43:57 ip-10-240-0-223 kubelet[4882]: E0525 19:43:57.628967    4882 kubelet_node_status.go:106] Unable to register node "worker-1" with API server: nodes is forbidden: User "system:node:" cannot create nodes at the cluster scope: unknown node for user "system:node:"
May 25 19:43:58 ip-10-240-0-223 kubelet[4882]: E0525 19:43:58.256557    4882 reflector.go:205] k8s.io/kubernetes/pkg/kubelet/kubelet.go:451: Failed to list *v1.Service: services is forbidden: User "system:node:" cannot list services at the cluster scope: unknown node for user "system:node:"
May 25 19:43:58 ip-10-240-0-223 kubelet[4882]: E0525 19:43:58.257381    4882 reflector.go:205] k8s.io/kubernetes/pkg/kubelet/config/apiserver.go:47: Failed to list *v1.Pod: pods is forbidden: User "system:node:" cannot list pods at the cluster scope: unknown node for user "system:node:"

If I'm reading these correctly, the problem is that the node is using the username system:node: when connecting to the API server rather than system:node:worker-1. But as far as I can tell, it should be using a worker-specific one. Here's my kubeconfig (with private stuff elided):

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: [elided]
    server: https://[elided]:6443
  name: kubernetes-the-hard-way
contexts:
- context:
    cluster: kubernetes-the-hard-way
    user: system:node:worker-1
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: system:node:worker-1
  user:
    client-certificate-data:  [elided]
    client-key-data:  [elided]

I was under the impression that the users specified there were the ones used when contacting the API, but clearly I'm wrong. Is there somewhere else I've missed out a reference to worker-1?

I'm following the Kubernetes the Hard Way tutorial, but adjusting it for AWS as I go, so this problem is almost certainly a mistake I made when adjusting the config files. If there are any other config files that I should provide to make this easier/possible to debug, please do let me know.

The server determines the user from the CN of the certificate. Check the script that generated the certificate; it likely had an unset var when it created the CN in the form CN=system:node:$NODE.

The current "Kubernetes-The-Hard-Way" is using Node Authorization, so ensure your kubelet x509 certificate contains

Subject: CN=system:node:worker-1, O=system:nodes 

Also double check that your API server has these options

--authorization-mode=Node,RBAC
--enable-admission-plugins=...,NodeRestriction,...

otherwise the node won't be able to auto-register in the API.

You can check your x509 certificate with

openssl x509 -in /var/lib/kubelet/${HOSTNAME}.pem -text
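A provisioning-side check covering both answers above, added here as an example and not part of the original thread: it issues a kubelet client certificate with the expected CN and O, reads them back with openssl, and shows how an empty node name reproduces the bare system:node: identity seen in the question. Node names, paths and the self-signed issuance are constructed; a real cluster signs kubelet certificates with its CA.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread: issue a kubelet client certificate
# with the identity the Node authorizer expects and verify it before the kubelet
# loads it. Assumes openssl is installed; node names and paths are constructed.
set -eu   # -u makes an unset $NODE a hard error instead of producing "CN=system:node:"

# Compare the two subject fields the Node authorizer looks at with the node name.
# Prints the reason and returns 1 on mismatch so a provisioning script stops early.
check_identity() {
  local node="$1" cn="$2" org="$3"
  if [ -z "$node" ]; then echo "node name is empty"; return 1; fi
  if [ "$cn" != "system:node:$node" ]; then
    echo "CN is '$cn', expected 'system:node:$node'"; return 1
  fi
  if [ "$org" != "system:nodes" ]; then
    echo "O is '$org', expected 'system:nodes'"; return 1
  fi
  echo "ok: CN=$cn, O=$org"
}

# Read one subject field (CN or O) from a PEM certificate; sep_multiline prints one field per line.
cert_field() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline |
    awk -v f="$2" '{ sub(/^[ \t]+/, "") } index($0, f "=") == 1 { print substr($0, length(f) + 2) }'
}

# Verify an on-disk kubelet certificate against the node it is meant for.
verify_kubelet_cert() {
  local cert="$1" node="$2"
  check_identity "$node" "$(cert_field "$cert" CN)" "$(cert_field "$cert" O)"
}

# Issue a throwaway self-signed cert; a real cluster signs with the cluster CA.
make_kubelet_cert() {
  local node="$1" out="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$out-key.pem" \
    -out "$out.pem" -subj "/CN=system:node:${node}/O=system:nodes" 2>/dev/null
}

demo() {
  local dir node; dir="$(mktemp -d)"
  make_kubelet_cert worker-1 "$dir/worker-1"
  verify_kubelet_cert "$dir/worker-1.pem" worker-1       # ok: CN=system:node:worker-1, O=system:nodes
  node=""                                                 # reproduces the unset-variable bug
  make_kubelet_cert "$node" "$dir/broken"
  verify_kubelet_cert "$dir/broken.pem" worker-1 || true  # CN is 'system:node:', expected ...
  rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```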
