Kube.netes 儀表板服務器上的錯誤（“未知”）阻止了請求成功

Question

在啟動並運行我的 k8s 集群后，我忠實地使用以下命令部署了以下 WebUI 儀表板：

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.4/aio/deploy/recommended.yaml

當我嘗試訪問它時，出現以下錯誤：

Metric client health check failed: an error on the server ("unknown") has prevented the request from succeeding (get services dashboard-metrics-scraper)

如果我得到我得到的所有服務：

k get services --all-namespaces
NAMESPACE              NAME                        TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
default                kubernetes                  ClusterIP   10.96.0.1     <none>        443/TCP         8d
kube-system            kube-dns                    ClusterIP   10.96.0.10    <none>        53/UDP,53/TCP   8d
kubernetes-dashboard   dashboard-metrics-scraper   ClusterIP   10.96.0.65    <none>        8000/TCP        6m10s
kubernetes-dashboard   kubernetes-dashboard        ClusterIP   10.96.0.173   <none>        443/TCP         6m10s

有人可以闡明一下嗎？ 我錯過了什么？

更多信息：在儀表板 yaml 中，我找到了這些角色：

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
   
 map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

    ---
    
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
    rules:
      
      - apiGroups: ["metrics.k8s.io"]
        resources: ["pods", "nodes"]
        verbs: ["get", "list", "watch"]
    
    ---
    
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kubernetes-dashboard
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: kubernetes-dashboard
    subjects:
      - kind: ServiceAccount
        name: kubernetes-dashboard
        namespace: kubernetes-dashboard
    
    ---
    
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: kubernetes-dashboard
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: kubernetes-dashboard
    subjects:
      - kind: ServiceAccount
        name: kubernetes-dashboard
        namespace: kubernetes-dashboard

看起來 kube.netes-dashboard 用戶可以訪問指標服務我可能錯了

Answer 1

看起來 kube.netes-dashboard 的 serviceaccount 沒有訪問所有 kube.netes 資源的權限（特別是，它無法訪問度量服務器服務）。

要解決此問題，您應該為儀表板創建一個新的 ServiceAccount 並為其授予更多權限。

這是我在另一篇類似的帖子中找到的（請小心，因為它會授予儀表板管理員權限，並且使用它的任何人都能夠在您的 kube.netes 集群上銷毀/創建新的或現有的資源）：

   apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
   name: kubernetes-dashboard
   labels:
       k8s-app: kubernetes-dashboard
roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

如果您沒有 cluster-admin ServiceAccount，請按照此模板創建一個：

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile

管理員集群角色：

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admin
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
    nonResourceURLs: ["*"]