
kubectl exec "error: unable to upgrade connection: Unauthorized"

I was using our Kubernetes cluster. I don't think I have changed anything recently after deployment, but I am encountering this error.

kubectl error log with verbose output:

I0514 01:49:42.691510   30028 round_trippers.go:444] Response Headers:
I0514 01:49:42.691526   30028 round_trippers.go:447]     Content-Length: 12
I0514 01:49:42.691537   30028 round_trippers.go:447]     Content-Type: text/plain; charset=utf-8
I0514 01:49:42.691545   30028 round_trippers.go:447]     Date: Tue, 14 May 2019 08:49:42 GMT
F0514 01:49:42.691976   30028 helpers.go:119] error: unable to upgrade connection: Unauthorized


Kubelet is running with the options below:

/usr/local/bin/kubelet --logtostderr=true --v=2 --address=0.0.0.0 --node-ip=1******
--hostname-override=***** --allow-privileged=true --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --authentication-token-webhook --enforce-node-allocatable= --client-ca-file=/etc/kubernetes/ssl/ca.crt --pod-manifest-path=/etc/kubernetes/manifests --pod-infra-container-image=gcr.io/google_containers/pause-amd64:3.1 --node-status-update-frequency=10s --cgroup-driver=cgroupfs --max-pods=110 --anonymous-auth=false --read-only-port=0 --fail-swap-on=True --runtime-cgroups=/systemd/system.slice --kubelet-cgroups=/systemd/system.slice --cluster-dns=10.233.0.3 --cluster-domain=cluster.local --resolv-conf=/etc/resolv.conf --kube-reserved cpu=200m,memory=512M --node-labels=node-role.kubernetes.io/master=,node-role.kubernetes.io/node= --network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin

The API server is running with the options below:

kube-apiserver --allow-privileged=true --apiserver-count=2 --authorization-mode=Node,RBAC --bind-address=0.0.0.0 --endpoint-reconciler-type=lease --insecure-port=0 --kubelet-preferred-address-types=InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP --runtime-config=admissionregistration.k8s.io/v1alpha1 --service-node-port-range=30000-32767 --storage-backend=etcd3 --advertise-address=******* --client-ca-file=/etc/kubernetes/ssl/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/ssl/etcd/ca.pem --etcd-certfile=/etc/kubernetes/ssl/etcd/node-bg-kub-dev-1.pem --etcd-keyfile=/etc/kubernetes/ssl/etcd/node-bg-kub-dev-1-key.pem --etcd-servers=https://*******:2379,https://********:2379,https://*****:2379 --kubelet-client-certificate=/etc/kubernetes/ssl/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/ssl/apiserver-kubelet-client.key --proxy-client-cert-file=/etc/kubernetes/ssl/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/ssl/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/ssl/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-key-file=/etc/kubernetes/ssl/sa.pub --service-cluster-ip-range=10.233.0.0/18 --tls-cert-file=/etc/kubernetes/ssl/apiserver.crt --tls-private-key-file=/etc/kubernetes/ssl/apiserver.key

I think you messed up your cert files or you played with RBAC profiles.

You can have a look at the great guide by Kelsey Hightower called kubernetes-the-hard-way.

It shows how to set up a whole cluster from the beginning without any automation tools like kubeadm.

In part 04-certificate-authority - Provisioning a CA and Generating TLS Certificates you have examples of the certs being used in Kubernetes.

The Kubelet Client Certificates

Kubernetes uses a special-purpose authorization mode called Node Authorizer, that specifically authorizes API requests made by Kubelets. In order to be authorized by the Node Authorizer, Kubelets must use a credential that identifies them as being in the system:nodes group, with a username of system:node:<nodeName>. In this section you will create a certificate for each Kubernetes worker node that meets the Node Authorizer requirements.

Once the certs are generated for the workers and uploaded, you need to generate a kubeconfig for each worker.

The kubelet Kubernetes Configuration File

When generating kubeconfig files for Kubelets the client certificate matching the Kubelet's node name must be used. This will ensure Kubelets are properly authorized by the Kubernetes Node Authorizer.

Also this case might be helpful: "kubectl exec" results in "error: unable to upgrade connection: Unauthorized"

I got this issue fixed.

Actually, "/etc/kubernetes/ssl/ca.crt" on both my masters is the same, but on the worker nodes "/etc/kubernetes/ssl/ca.crt" is totally different. So I just copied "/etc/kubernetes/ssl/ca.crt" from a master to my worker nodes and restarted kubelet on the worker nodes, which fixed my issue. But I am not sure I made the right changes for the fix.

I hope --client-ca-file=/etc/kubernetes/ssl/ca.crt should be the same for all kubelets running on masters and workers.
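The two answers describe one trust relationship from its two sides. For kubectl exec, the apiserver connects to the kubelet and presents its --kubelet-client-certificate; the kubelet accepts it only if it chains to the CA in its own --client-ca-file, so a worker holding a different ca.crt answers Unauthorized. In the other direction, the Node authorizer only recognises a kubelet whose certificate carries the subject system:node:<nodeName> in group system:nodes. The Go program below is an added example, not code from the question, the answers or Kubernetes itself: it mints a throwaway CA with crypto/x509, issues both kinds of certificate, and runs the two checks once against the right CA and once against a second CA that stands for the mismatched worker file. The names kubernetes-ca, stale-worker-ca and worker-1 are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// sign gives tmpl a fresh P-256 key and 24h validity, then signs it with parent/parentKey (self-signed if parent == nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA returns a self-signed CA standing in for a node's /etc/kubernetes/ssl/ca.crt (demo names, not a real cluster).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1), // fixed serials are fine for a throwaway demo
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// issueClientCert signs a TLS client certificate with the given subject under ca.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject pkix.Name) (*x509.Certificate, error) {
	cert, _, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      subject,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert, err
}

// verifyClientCert is the check a kubelet applies with --client-ca-file: the client certificate
// the apiserver presents must chain to that CA, otherwise exec/logs/port-forward get Unauthorized.
func verifyClientCert(clientCA, cert *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// nodeIdentity returns the node name a kubelet certificate identifies, or an error if its subject fails the Node authorizer rules.
func nodeIdentity(cert *x509.Certificate) (string, error) {
	cn := cert.Subject.CommonName
	name := strings.TrimPrefix(cn, "system:node:")
	if name == cn || name == "" {
		return "", fmt.Errorf("CN %q is not of the form system:node:<nodeName>", cn)
	}
	for _, o := range cert.Subject.Organization {
		if o == "system:nodes" {
			return name, nil
		}
	}
	return "", fmt.Errorf("%q is not in group system:nodes", cn)
}

func main() {
	clusterCA, clusterKey, err := newCA("kubernetes-ca")
	check(err)
	staleCA, _, err := newCA("stale-worker-ca") // a worker holding a different ca.crt, as in the question
	check(err)
	// What kube-apiserver presents to kubelets: its --kubelet-client-certificate.
	apiClient, err := issueClientCert(clusterCA, clusterKey, pkix.Name{CommonName: "kube-apiserver-kubelet-client", Organization: []string{"system:masters"}})
	check(err)
	fmt.Println("kubelet with cluster CA:", verifyClientCert(clusterCA, apiClient)) // <nil>: exec works
	fmt.Println("kubelet with stale CA:", verifyClientCert(staleCA, apiClient))     // unknown authority: Unauthorized
	// Kubelet credential as the Node authorizer requires it: system:node:<nodeName> in group system:nodes.
	kubeletCert, err := issueClientCert(clusterCA, clusterKey, pkix.Name{CommonName: "system:node:worker-1", Organization: []string{"system:nodes"}})
	check(err)
	fmt.Println(nodeIdentity(kubeletCert)) // worker-1 <nil>
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
```

On a real worker the same check is `openssl verify -CAfile /etc/kubernetes/ssl/ca.crt` run against a copy of the master's apiserver-kubelet-client.crt: if that fails on a worker but succeeds on a master, the worker's ca.crt is not the CA the master certificates were issued from, which is the mismatch the second answer fixed by copying the file. Comparing `openssl x509 -noout -fingerprint -sha256 -in /etc/kubernetes/ssl/ca.crt` across all nodes catches the same drift before anyone runs kubectl exec.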
