Kubernetes kubespray dashboard "forbidden" warning popups


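I'm trying to use kubespray (commit 7e84de2ae116f624b570eadc28022e924bd273bc) to set up a new Kubernetes cluster on a single machine.

After running the playbook (on a fresh Ubuntu 16.04), I open the dashboard and see these warning popups: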

- configmaps is forbidden: User "system:serviceaccount:default:default" cannot list configmaps in the namespace "default"
- persistentvolumeclaims is forbidden: User "system:serviceaccount:default:default" cannot list persistentvolumeclaims in the namespace "default"
- secrets is forbidden: User "system:serviceaccount:default:default" cannot list secrets in the namespace "default"
- services is forbidden: User "system:serviceaccount:default:default" cannot list services in the namespace "default"
- ingresses.extensions is forbidden: User "system:serviceaccount:default:default" cannot list ingresses.extensions in the namespace "default"
- daemonsets.apps is forbidden: User "system:serviceaccount:default:default" cannot list daemonsets.apps in the namespace "default"
- pods is forbidden: User "system:serviceaccount:default:default" cannot list pods in the namespace "default"
- events is forbidden: User "system:serviceaccount:default:default" cannot list events in the namespace "default"
- deployments.apps is forbidden: User "system:serviceaccount:default:default" cannot list deployments.apps in the namespace "default"
- replicasets.apps is forbidden: User "system:serviceaccount:default:default" cannot list replicasets.apps in the namespace "default"
- jobs.batch is forbidden: User "system:serviceaccount:default:default" cannot list jobs.batch in the namespace "default"
- cronjobs.batch is forbidden: User "system:serviceaccount:default:default" cannot list cronjobs.batch in the namespace "default"
- replicationcontrollers is forbidden: User "system:serviceaccount:default:default" cannot list replicationcontrollers in the namespace "default"
- statefulsets.apps is forbidden: User "system:serviceaccount:default:default" cannot list statefulsets.apps in the namespace "default"
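
kubectl commands seem fine (proxy works, listing pods etc. returns no errors, /api is reachable), but the dashboard seems unable to fetch any useful information. How should I go about debugging it?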

kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default

This seems to work, though I would still welcome an explanation.
(Is this an oversight in kubespray? Do I need to set a variable there? Is it related to RBAC?)

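The dashboard pod runs with the default service account, and by default that account has no permissions. You can see the default service account's token inside the dashboard pod: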

kubectl exec -it <dashboard-pod> bash
ls -al /var/run/secrets/kubernetes.io/serviceaccount

The command you ran in your answer sets the required permissions for the default service account used by the dashboard pod.
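
Added example, not part of the original question or answer: a Python script that parses the dashboard's "forbidden" messages shown in the question and emits a namespaced Role and RoleBinding granting only the denied verb on the denied resources, a narrower alternative to binding cluster-admin. The role name `dashboard-minimal` and the `rbac.authorization.k8s.io/v1` API version are assumptions.

```python
import json
import re
from collections import defaultdict

# Sample input: four of the denial messages quoted in the question.
SAMPLE = '''
- secrets is forbidden: User "system:serviceaccount:default:default" cannot list secrets in the namespace "default"
- pods is forbidden: User "system:serviceaccount:default:default" cannot list pods in the namespace "default"
- daemonsets.apps is forbidden: User "system:serviceaccount:default:default" cannot list daemonsets.apps in the namespace "default"
- jobs.batch is forbidden: User "system:serviceaccount:default:default" cannot list jobs.batch in the namespace "default"
'''

# Captures the service account, the denied verb, the resource and the target namespace.
DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\w+) (?P<res>[\w.\-]+) in the namespace "(?P<ns>[^"]+)"')

def parse_denials(text):
    """Map (sa_namespace, sa_name, target_namespace) -> {(api_group, verb): {resources}}."""
    grants = defaultdict(lambda: defaultdict(set))
    for m in DENIAL.finditer(text):
        # "daemonsets.apps" is resource "daemonsets" in group "apps"; a bare name is the core group "".
        resource, _, group = m["res"].partition(".")
        grants[(m["sa_ns"], m["sa"], m["ns"])][(group, m["verb"])].add(resource)
    return grants

def render(grants, role="dashboard-minimal"):  # role name is a hypothetical placeholder
    """Render one Role and one RoleBinding per service account and namespace as YAML."""
    docs = []
    for (sa_ns, sa, ns), rules in sorted(grants.items()):
        lines = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: Role",
                 "metadata:", f"  name: {role}", f"  namespace: {ns}", "rules:"]
        for (group, verb), resources in sorted(rules.items()):
            lines += [f'- apiGroups: ["{group}"]',
                      f"  resources: [{', '.join(json.dumps(r) for r in sorted(resources))}]",
                      f'  verbs: ["{verb}"]']
        docs.append("\n".join(lines))
        docs.append("\n".join([
            "apiVersion: rbac.authorization.k8s.io/v1", "kind: RoleBinding",
            "metadata:", f"  name: {role}", f"  namespace: {ns}",
            "roleRef:", "  apiGroup: rbac.authorization.k8s.io", "  kind: Role", f"  name: {role}",
            "subjects:", "- kind: ServiceAccount", f"  name: {sa}", f"  namespace: {sa_ns}"]))
    return "\n---\n".join(docs) + "\n"

if __name__ == "__main__":
    print(render(parse_denials(SAMPLE)))
```

Review the generated rules before applying them with `kubectl apply -f`; entries such as `secrets` can be dropped if the dashboard is not meant to read them.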