Why, when I set --token-auth-file on the api-server and --bootstrap-kubeconfig on the worker node, and specify the username "kubelet-bootstrap" on both the apiserver and the worker node, do I get an error about the user "system:anonymous"?
error: failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:anonymous" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope
kubernetes version v1.8.3
Below is my configuration.
API server:
/usr/local/bin/kube-apiserver --etcd-servers=http://127.0.0.1:2379 \
  --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota \
  --service-account-key-file=/srv/kubernetes/pubkey.pem \
  --service-cluster-ip-range=10.96.0.0/16 \
  --allow-privileged=true \
  --authorization-mode=RBAC \
  --enable-bootstrap-token-auth=true \
  --token-auth-file=/var/lib/kubernetes/bootstrap.csv \
  --client-ca-file=/var/lib/kubernetes/cacert.pem \
  --tls-cert-file=/var/lib/kubernetes/servercert.pem \
  --tls-private-key-file=/var/lib/kubernetes/serverkey.pem \
  --address=172.18.11.249 \
  --insecure-bind-address=127.0.0.1 \
  --advertise-address=172.18.11.249 \
  --audit-log-maxage=30 \
  --audit-log-maxsize=100 \
  --audit-log-path=/var/log/kube-apiserver.log \
  --v=4 \
  1>>/var/log/kube-apiserver.log 2>&1
/var/lib/kubernetes/bootstrap.csv:
0d681e2438667d2b5236ad7385d80ddc,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
Worker node:
/usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubelet/bootstrap.kubeconfig.yaml \
  --pod-manifest-path=/etc/kubernetes/manifests \
  --node-labels=node-role.kubernetes.io/worker= \
  --node-ip=172.18.10.16 \
  --allow-privileged \
  --v=4
/etc/kubelet/bootstrap.kubeconfig.yaml:
apiVersion: v1
clusters:
- cluster:
    server: https://172.18.11.249:6443/
  name: myk8s
contexts:
- context:
    cluster: myk8s
  name: myk8s
current-context: myk8s
kind: Config
preferences: {}
users:
- name: kubelet-bootstrap
  user:
    as-user-extra: {}
    token: 0d681e2438667d2b5236ad7385d80ddc
Log from the worker node:
I0821 08:49:50.916993 6232 bootstrap.go:57] Using bootstrap kubeconfig to generate TLS client cert, key and kubeconfig file
error: failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:anonymous" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope
Log from the apiserver:
I0821 08:05:05.726968 5 rbac.go:116] RBAC DENY: user "system:anonymous" groups ["system:unauthenticated"] cannot "create" resource "certificatesigningrequests.certificates.k8s.io" cluster-wide
I0821 08:05:05.727015 5 authorization.go:59] Forbidden: "/apis/certificates.k8s.io/v1beta1/certificatesigningrequests", Reason: ""
Thanks for your help.
1 Answer
The token format in bootstrap.kubeconfig.yaml differs from the usual token generated by kubeadm. According to the article Authenticating with Bootstrap Tokens:
Please read the previous article and this one to learn how the Bootstrap Token idea is implemented.
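An added example (not code from the question or the answer) showing the token format the bootstrap token authenticator enabled by --enable-bootstrap-token-auth expects, the kube-system Secret that backs such a token, and the ClusterRoleBinding that lets the resulting system:bootstrappers group create CSRs; the token value, expiration date and binding name are constructed for illustration.

```shell
# Added example, not code from the question or the answer. A bootstrap token is
# <id>.<secret> (6 + 16 chars of [a-z0-9]). With --enable-bootstrap-token-auth the
# apiserver looks it up in a kube-system Secret and authenticates the caller as
# user system:bootstrap:<id> in group system:bootstrappers.
# Exit 0 if $1 is a well-formed bootstrap token, 1 otherwise.
valid_bootstrap_token() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# Generate a fresh token from /dev/urandom (assumes the device exists).
make_bootstrap_token() {
  raw=$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 22)
  printf '%s.%s' "${raw%????????????????}" "${raw#??????}"
}

# Secret manifest for token $1 expiring at RFC 3339 time $2.
bootstrap_token_secret() {
  id=${1%%.*}
  secret=${1#*.}
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-${id}
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  token-id: ${id}
  token-secret: ${secret}
  usage-bootstrap-authentication: "true"
  expiration: "${2}"
EOF
}
# ClusterRoleBinding letting the bootstrappers group create CSRs (the kubelet's first step).
node_bootstrapper_binding() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubelet-bootstrap
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:node-bootstrapper
  apiGroup: rbac.authorization.k8s.io
EOF
}
```

With such a token, the kubelet's bootstrap kubeconfig keeps the same shape as the one in the question; only the `token:` field carries the `<id>.<secret>` value, and the Secret and binding are applied to the cluster with kubectl.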