Kubernetes pod based on Calico does not come up


I am setting up a pod with Calico, but it keeps failing with an authorization error. By default, the node CIDRs of my system are as follows:

```
[root@k8master-1 ~]# kubeadm config view | grep Subnet
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
```

I have set up the IP pool with the following steps:

IP pool creation

```yaml
- apiVersion: projectcalico.org/v3
  kind: IPPool
  metadata:
    name: rack-ippool
  spec:
    blockSize: 26
    cidr: 10.244.1.0/24
    ipipMode: Never
    natOutgoing: true
    nodeSelector: all()
    vxlanMode: Never
```

IP pool list

```
[root@k8master-1 ~]# calicoctl get ippool -o wide
NAME          CIDR            NAT    IPIPMODE   VXLANMODE   DISABLED   SELECTOR
rack-ippool   10.244.1.0/24   true   Never      Never       false      all()
```

Pod YAML

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: testcalico
  labels:
    cracklerack: "1"
spec:
  serviceName: testcalico-svc
  selector:
    matchLabels:
      cracklerack: "1"
  template:
    metadata:
      labels:
        cracklerack: "1"
      annotations:
        cni.projectcalico.org/ipv4pools: "[\"rack-ippool\"]"
    spec:
      runtimeClassName: kata-containers
      containers:
        - name: testcalico
          image: cracklelinux:7
          ports:
            - containerPort: 80
          command: ["/usr/sbin/init"]
          securityContext:
            privileged: true
---
apiVersion: v1
kind: Service
metadata:
  name: testcalico-svc
spec:
  clusterIP: None
  selector:
    cracklerack: "1"
```

When creating the pod, it throws the following error:

Error

```
Warning  FailedCreatePodSandbox  112s  kubelet, k8worker-1  Failed to create pod sandbox: rpc error: code = Unknown desc = failed to set up network for pod sandbox k8s_uxxxxx-0_default_45357eab-bf40-4fe7-a470-da42c9668116_0(579E2C258154FCDC2E85DF4A1E35264EA9550B0DD1C4384331ABC471F5526D): connection is unauthorized: ipamconfigs.crd.projectcalico.org "default" is forbidden: User "system:serviceaccount:kube-system:canal" cannot get resource "ipamconfigs" in API group "crd.projectcalico.org" at the cluster scope
```

It looks like you have an RBAC problem: the pod cannot read the IPAMConfig CRD in Kubernetes.

I looked through the manifests and found that ipamconfigs is missing from several RBAC ClusterRoles. So you can go ahead and try adding it:

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
rules:
  # Nodes are watched to monitor for deletions.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - watch
      - list
      - get
  # Pods are queried to check for existence.
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
  # IPAM resources are manipulated when nodes are deleted.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
    verbs:
      - list
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
      - ipamconfigs
    verbs:
      - get
      - list
      - create
      - update
      - delete
```

I used the following conf file and it worked fine:

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-node
rules:
  # The CNI plugin needs to get pods, nodes, and namespaces.
  - apiGroups: [""]
    resources:
      - pods
      - nodes
      - namespaces
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - endpoints
      - services
    verbs:
      # Used to discover service IPs for advertisement.
      - watch
      - list
      # Used to discover Typhas.
      - get
  # Pod CIDR auto-detection on kubeadm needs access to config maps.
  - apiGroups: [""]
    resources:
      - configmaps
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - nodes/status
    verbs:
      # Needed for clearing NodeNetworkUnavailable flag.
      - patch
      # Calico stores some configuration information in node annotations.
      - update
  # Watch for changes to Kubernetes NetworkPolicies.
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - watch
      - list
  # Used by Calico for policy information.
  - apiGroups: [""]
    resources:
      - pods
      - namespaces
      - serviceaccounts
    verbs:
      - list
      - watch
  # The CNI plugin patches pods/status.
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - patch
  # Calico monitors various CRDs for config.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalfelixconfigs
      - felixconfigurations
      - bgppeers
      - globalbgpconfigs
      - bgpconfigurations
      - ippools
      - ipamblocks
      - ipamconfigs
      - globalnetworkpolicies
      - globalnetworksets
      - networkpolicies
      - networksets
      - clusterinformations
      - hostendpoints
      - blockaffinities
    verbs:
      - get
      - list
      - watch
  # Calico must create and update some CRDs on startup.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
      - ipamblocks
      - ipamconfigs
      - blockaffinities
      - felixconfigurations
      - clusterinformations
    verbs:
      - create
      - update
  # Calico stores some configuration information on the node.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  # These permissions are only required for upgrade from v2.6, and can
  # be removed after upgrade or on fresh installations.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - bgpconfigurations
      - bgppeers
    verbs:
      - create
      - update
```
Another block in the same file:

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
rules:
  # Nodes are watched to monitor for deletions.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - watch
      - list
      - get
  # Pods are queried to check for existence.
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
  # IPAM resources are manipulated when nodes are deleted.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
    verbs:
      - list
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
      - ipamconfigs
    verbs:
      - get
      - list
      - create
      - update
      - delete
  # kube-controllers manages hostendpoints.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - hostendpoints
    verbs:
      - get
      - list
      - create
      - update
      - delete
  # Needs access to update clusterinformations.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - clusterinformations
    verbs:
      - get
      - create
      - update
  # KubeControllersConfiguration is where it gets its config
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - kubecontrollersconfigurations
    verbs:
      # read its own config
      - get
      # create a default if none exists
      - create
      # update status
      - update
      # watch for changes
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-kube-controllers
subjects:
- kind: ServiceAccount
  name: calico-kube-controllers
  namespace: kube-system
---
```

Thanks, it worked. However, I had to modify it a bit more, because Calico threw errors for other resources as well.

Glad to hear it. Please upvote if the answer helped.
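The accepted answer diagnoses the error as a missing RBAC grant, and the follow-up answer shows the ClusterRoles that finally worked. The following Python script is an added example, not code from the question, the answers, or Project Calico: it reimplements the rule matching the Kubernetes RBAC authorizer applies (additive rules, the "*" wildcard for verbs, apiGroups and resources, subresources that a bare resource name never covers), checks the answer's calico-kube-controllers rules before and after ipamconfigs is added against the request the kubelet event reports, and turns the apiserver "forbidden" message into the kubectl auth can-i command that reproduces the denial on a live cluster. The required resource/verb table is transcribed from the working ClusterRole in the follow-up answer; the error string is quoted from the question; the Python dict transcription of the YAML rules is this example's own.

```python
"""Evaluate Kubernetes RBAC PolicyRules the way the authorizer does.

Added example (not code from the question, the answers, or Project Calico).
It replays the failure discussed above offline: the calico-kube-controllers
ClusterRole from the accepted answer, before and after ipamconfigs is added,
is checked against the request named in the kubelet error.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Rule = Dict[str, List[str]]
CALICO_GROUP = "crd.projectcalico.org"
IPAM_VERBS = ["get", "list", "create", "update", "delete"]

# IPAM resources calico-kube-controllers needs in crd.projectcalico.org,
# taken from the working ClusterRole in the follow-up answer.
REQUIRED_IPAM: Dict[str, List[str]] = {
    "blockaffinities": IPAM_VERBS,
    "ipamblocks": IPAM_VERBS,
    "ipamhandles": IPAM_VERBS,
    "ipamconfigs": IPAM_VERBS,
}

# Rules of the accepted answer's ClusterRole, transcribed to Python dicts,
# in the state that produced the "forbidden" error (no ipamconfigs yet).
BROKEN_RULES: List[Rule] = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["watch", "list", "get"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]},
    {"apiGroups": [CALICO_GROUP], "resources": ["ippools"], "verbs": ["list"]},
    {"apiGroups": [CALICO_GROUP],
     "resources": ["blockaffinities", "ipamblocks", "ipamhandles"],
     "verbs": IPAM_VERBS},
]

# The same role with ipamconfigs appended, as the answer recommends.
FIXED_RULES: List[Rule] = BROKEN_RULES[:-1] + [
    {"apiGroups": [CALICO_GROUP],
     "resources": ["blockaffinities", "ipamblocks", "ipamhandles", "ipamconfigs"],
     "verbs": IPAM_VERBS},
]

# Quoted from the kubelet event in the question.
SAMPLE_ERROR = (
    'connection is unauthorized: ipamconfigs.crd.projectcalico.org "default" is '
    'forbidden: User "system:serviceaccount:kube-system:canal" cannot get resource '
    '"ipamconfigs" in API group "crd.projectcalico.org" at the cluster scope'
)


def _matches(allowed: Iterable[str], wanted: str) -> bool:
    """RBAC list semantics for verbs and apiGroups: exact match or "*"."""
    return any(a == "*" or a == wanted for a in allowed)


def _resource_matches(allowed: Iterable[str], resource: str, subresource: str) -> bool:
    """A bare "pods" rule never covers "pods/status": a subresource must be
    named explicitly ("pods/status"), via "*/status", or via "*"."""
    combined = f"{resource}/{subresource}" if subresource else resource
    for a in allowed:
        if a == "*" or a == combined:
            return True
        if subresource and a.startswith("*/") and a[2:] == subresource:
            return True
    return False


def can_i(rules: List[Rule], verb: str, resource: str, api_group: str = "",
          subresource: str = "", name: Optional[str] = None) -> bool:
    """True if any rule allows the request; RBAC rules are purely additive."""
    for rule in rules:
        if not _matches(rule.get("verbs", []), verb):
            continue
        if not _matches(rule.get("apiGroups", []), api_group):
            continue
        if not _resource_matches(rule.get("resources", []), resource, subresource):
            continue
        names = rule.get("resourceNames")
        if names and name not in names:
            continue
        return True
    return False


def missing_ipam_permissions(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(verb, resource) pairs from REQUIRED_IPAM that the rules do not grant."""
    return [(verb, res) for res, verbs in REQUIRED_IPAM.items()
            for verb in verbs if not can_i(rules, verb, res, CALICO_GROUP)]


_FORBIDDEN = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource '
                        r'"(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)"')


def parse_forbidden(message: str) -> Optional[Dict[str, str]]:
    """Pull user, verb, resource and group out of an apiserver Forbidden message."""
    m = _FORBIDDEN.search(message)
    return m.groupdict() if m else None


def can_i_command(parsed: Dict[str, str]) -> str:
    """The kubectl check that reproduces the denial against a live cluster."""
    res = parsed["resource"] + ("." + parsed["group"] if parsed["group"] else "")
    return f"kubectl auth can-i {parsed['verb']} {res} --as={parsed['user']}"


if __name__ == "__main__":
    print("before fix, missing:", missing_ipam_permissions(BROKEN_RULES))
    print("after fix, missing:", missing_ipam_permissions(FIXED_RULES))
    print(can_i_command(parse_forbidden(SAMPLE_ERROR)))
```

Run it to see the five ipamconfigs verbs reported as missing for the broken role and nothing for the fixed one. The same can_i check, applied to the asker's other ClusterRoles, is a quick way to confirm a Calico component has exactly the grants its manifest asks for and no wildcard it does not need; on a live cluster the printed kubectl auth can-i line (with --as impersonating the service account) gives the authoritative answer.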