我已经在 GKE 上使用 k8s 版本 1.18.12-gke.1206 设置了私有(private)集群,并且对集群端点的访问设置为启用公共(public)端点访问,禁用授权网络。 我在这个 https://kubernetes.github.io/ingress-nginx 类型的集群上运行入口 Controller .它使用 configMap 来存储配置。但是不知何故,任何到达这个 Controller 的请求都会给出一个未经授权的错误,日志如下:
2021-02-23 11:24:59.435 IST "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Endpoints: Unauthorized"
2021-02-23 11:24:45.072 IST "error retrieving resource lock sb-system/ingress-controller-leader-nginx: Unauthorized"
2021-02-23 11:24:40.727 IST "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.ConfigMap: Unauthorized"
2021-02-23 11:24:40.132 IST "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1beta1.Ingress: Unauthorized"
2021-02-23 11:24:37.318 IST "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Pod: Unauthorized"
2021-02-23 11:24:37.038 IST "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Service: Unauthorized"
2021-02-23 11:24:29.891 IST "error retrieving resource lock sb-system/ingress-controller-leader-nginx: Unauthorized"
2021-02-23 11:24:26.263 IST "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Secret: Unauthorized"
2021-02-23 11:24:18.259 IST "error retrieving resource lock sb-system/ingress-controller-leader-nginx: Unauthorized"
2021-02-23 11:24:09.907 IST "error retrieving resource lock sb-system/ingress-controller-leader-nginx: Unauthorized"
2021-02-23 11:24:06.612 IST "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Endpoints: Unauthorized"
2021-02-23 11:24:02.078 IST "error retrieving resource lock sb-system/ingress-controller-leader-nginx: Unauthorized"
我们尝试按照提到的步骤进行操作 here .我们得到
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 233 100 233 0 0 17282 0 {-:--:-- --:--:-- --:--:-- 0
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
"reason": "Forbidden",
"details": {
},
"code": 403
}--:--:-- --:--:-- --:--:-- 17923
最后一步是:kubectl exec test -- curl --cacert/var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $TOKEN_VALUE"https://10.0.0.1
我是 GCP 和 K8s 的新手,不知道我做错了什么。
最佳答案
您是否检查过您的 ServiceAccount 上的 automountServiceAccountToken 是否已设置为 false?如果是这样,将其设置为 true 可能会有所帮助。
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-service-account
automountServiceAccountToken: false # set to true
关于kubernetes - "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Service: Unauthorized",我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/66329284/