Kubernetes pod based on Calico does not come up
I am setting up a pod with Calico, but it keeps failing with an authorization error. By default, these are the node CIDRs of my system:
[root@k8master-1 ~]# kubeadm config view | grep Subnet
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
I have set up the IPPool using the following steps:
IP pool creation
- apiVersion: projectcalico.org/v3
  kind: IPPool
  metadata:
    name: rack-ippool
  spec:
    blockSize: 26
    cidr: 10.244.1.0/24
    ipipMode: Never
    natOutgoing: true
    nodeSelector: all()
    vxlanMode: Never
IP pool list
[root@k8master-1 ~]# calicoctl get ippool -o wide
NAME          CIDR            NAT    IPIPMODE   VXLANMODE   DISABLED   SELECTOR
rack-ippool   10.244.1.0/24   true   Never      Never       false      all()
Pod YAML
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: testcalico
  labels:
    cracklerack: "1"
spec:
  serviceName: testcalico-svc
  selector:
    matchLabels:
      cracklerack: "1"
  template:
    metadata:
      labels:
        cracklerack: "1"
      annotations:
        cni.projectcalico.org/ipv4pools: "[\"rack-ippool\"]"
    spec:
      runtimeClassName: kata-containers
      containers:
        - name: testcalico
          image: cracklelinux:7
          ports:
            - containerPort: 80
          command: [/usr/sbin/init]
          securityContext:
            privileged: true
---
apiVersion: v1
kind: Service
metadata:
  name: testcalico-svc
spec:
  clusterIP: None
  selector:
    cracklerack: "1"
When the pod is created, it throws the following error:
Error
Warning  FailedCreatePodSandbox  112s  kubelet, k8worker-1  Failed to create pod sandbox: rpc error: code = Unknown desc = failed to set up pod network sandbox k8s_uxxxxx-0_default_45357eab-bf40-4fe7-a470-da42c9668116_0(579E2C258154FCDC2E85DF4A1E35264EA9550B0DD1C4384331ABC471F5526D): connection is unauthorized: ipamconfigs.crd.projectcalico.org "default" is forbidden: User "system:serviceaccount:kube-system:canal" cannot get resource "ipamconfigs" in API group "crd.projectcalico.org" at the cluster scope
It looks like you have an RBAC issue: the pod cannot read the IPAMConfig CRD in Kubernetes.
I looked at the manifests and found that ipamconfigs is missing from several RBAC ClusterRoles. So you can go ahead and try adding them:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
rules:
  # Nodes are watched to monitor for deletions.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - watch
      - list
      - get
  # Pods are queried to check for existence.
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
  # IPAM resources are manipulated when nodes are deleted.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
    verbs:
      - list
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
      - ipamconfigs
    verbs:
      - get
      - list
      - create
      - update
      - delete

I used the conf file below and it works fine:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-node
rules:
  # The CNI plugin needs to get pods, nodes, and namespaces.
  - apiGroups: [""]
    resources:
      - pods
      - nodes
      - namespaces
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - endpoints
      - services
    verbs:
      # Used to discover service IPs for advertisement.
      - watch
      - list
      # Used to discover Typhas.
      - get
  # Pod CIDR auto-detection on kubeadm needs access to config maps.
  - apiGroups: [""]
    resources:
      - configmaps
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - nodes/status
    verbs:
      # Needed for clearing NodeNetworkUnavailable flag.
      - patch
      # Calico stores some configuration information in node annotations.
      - update
  # Watch for changes to Kubernetes NetworkPolicies.
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - watch
      - list
  # Used by Calico for policy information.
  - apiGroups: [""]
    resources:
      - pods
      - namespaces
      - serviceaccounts
    verbs:
      - list
      - watch
  # The CNI plugin patches pods/status.
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - patch
  # Calico monitors various CRDs for config.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalfelixconfigs
      - felixconfigurations
      - bgppeers
      - globalbgpconfigs
      - bgpconfigurations
      - ippools
      - ipamblocks
      - ipamconfigs
      - globalnetworkpolicies
      - globalnetworksets
      - networkpolicies
      - networksets
      - clusterinformations
      - hostendpoints
      - blockaffinities
    verbs:
      - get
      - list
      - watch
  # Calico must create and update some CRDs on startup.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
      - ipamblocks
      - ipamconfigs
      - blockaffinities
      - felixconfigurations
      - clusterinformations
    verbs:
      - create
      - update
  # Calico stores some configuration information on the node.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  # These permissions are only required for upgrade from v2.6, and can
  # be removed after upgrade or on fresh installations.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - bgpconfigurations
      - bgppeers
    verbs:
      - create
      - update
Another block in the same file:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
rules:
  # Nodes are watched to monitor for deletions.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - watch
      - list
      - get
  # Pods are queried to check for existence.
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
  # IPAM resources are manipulated when nodes are deleted.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
    verbs:
      - list
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
      - ipamconfigs
    verbs:
      - get
      - list
      - create
      - update
      - delete
  # kube-controllers manages hostendpoints.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - hostendpoints
    verbs:
      - get
      - list
      - create
      - update
      - delete
  # Needs access to update clusterinformations.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - clusterinformations
    verbs:
      - get
      - create
      - update
  # KubeControllersConfiguration is where it gets its config
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - kubecontrollersconfigurations
    verbs:
      # read its own config
      - get
      # create a default if none exists
      - create
      # update status
      - update
      # watch for changes
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-kube-controllers
subjects:
  - kind: ServiceAccount
    name: calico-kube-controllers
    namespace: kube-system
---
Thanks, it worked. However, I had to modify it further, because Calico threw errors for other resources as well.

Glad to hear that. Please upvote if the answer helped.
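The error in the question and the ClusterRole fixes in the answers come down to one question: does the service account named in the kubelet event hold the exact (API group, resource, verb) grant the API server denied? The following is an added example, not code from the thread or from Calico: it parses the "forbidden" message into user, verb, resource and group, then checks a role's rules for that grant (honouring the `*` wildcard, and treating rules as additive the way RBAC does), so the rule to add can be identified before touching the manifest. The trimmed message, the two rule sets and the required-grant list (derived from the calico-node ClusterRole posted above) are constructed for the example, and the function names are this example's own.

```python
import re

# Constructed sample: the RBAC part of the kubelet event quoted in the question.
FORBIDDEN_MSG = (
    'ipamconfigs.crd.projectcalico.org "default" is forbidden: '
    'User "system:serviceaccount:kube-system:canal" cannot get resource '
    '"ipamconfigs" in API group "crd.projectcalico.org" at the cluster scope'
)

# Shape of the message the API server emits when RBAC denies a request.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
)

CALICO_CRD_GROUP = "crd.projectcalico.org"

# Grants the CNI plugin needs on the IPAM CRDs, taken from the calico-node
# ClusterRole in the thread (get/list/watch plus create/update on each).
REQUIRED_IPAM_GRANTS = [
    (CALICO_CRD_GROUP, resource, verb)
    for resource in ("ippools", "ipamblocks", "ipamconfigs", "blockaffinities")
    for verb in ("get", "list", "watch", "create", "update")
]

# Constructed: the IPAM rules of a role that omits ipamconfigs, as in the
# manifests the answer describes as broken.
BROKEN_RULES = [
    {"apiGroups": [CALICO_CRD_GROUP],
     "resources": ["ippools", "ipamblocks", "blockaffinities"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [CALICO_CRD_GROUP],
     "resources": ["ippools", "ipamblocks", "blockaffinities"],
     "verbs": ["create", "update"]},
]

# Constructed: the same rules with ipamconfigs added, as in the fixed role.
FIXED_RULES = [
    {"apiGroups": [CALICO_CRD_GROUP],
     "resources": ["ippools", "ipamblocks", "ipamconfigs", "blockaffinities"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [CALICO_CRD_GROUP],
     "resources": ["ippools", "ipamblocks", "ipamconfigs", "blockaffinities"],
     "verbs": ["create", "update"]},
]


def parse_forbidden(msg):
    """Return (user, verb, resource, apiGroup) from a 'forbidden' message, or None."""
    m = FORBIDDEN_RE.search(msg)
    if m is None:
        return None
    return m.group("user"), m.group("verb"), m.group("resource"), m.group("group")


def rule_allows(rule, group, resource, verb):
    """True if one RBAC rule grants the (group, resource, verb) triple; '*' matches anything."""
    def matches(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (matches(rule.get("apiGroups", []), group)
            and matches(rule.get("resources", []), resource)
            and matches(rule.get("verbs", []), verb))


def role_allows(rules, group, resource, verb):
    """True if any rule in the role grants the triple (RBAC rules are purely additive)."""
    return any(rule_allows(r, group, resource, verb) for r in rules)


def missing_grants(rules, required):
    """Triples in `required` that no rule grants, in the order given."""
    return [t for t in required if not role_allows(rules, *t)]


def diagnose(msg, rules):
    """Map a forbidden message onto a role: the missing (group, resource, verb), or None if granted."""
    parsed = parse_forbidden(msg)
    if parsed is None:
        return None
    _user, verb, resource, group = parsed
    if role_allows(rules, group, resource, verb):
        return None
    return group, resource, verb


if __name__ == "__main__":
    print("grant denied in the event:", diagnose(FORBIDDEN_MSG, BROKEN_RULES))
    print("still denied after the fix:", diagnose(FORBIDDEN_MSG, FIXED_RULES))
    for triple in missing_grants(BROKEN_RULES, REQUIRED_IPAM_GRANTS):
        print("broken role lacks:", triple)
```

Against a live cluster the same check is `kubectl auth can-i get ipamconfigs.crd.projectcalico.org --as=system:serviceaccount:kube-system:canal`, which answers yes or no for the service account named in the event. Note that the fix in the thread grants only the verbs Calico's own manifests list for those CRDs rather than a wildcard, which keeps the node-level service account at the privilege the CNI plugin actually needs.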