Kubernetes can't find destination zone: No zone found for MYWEBSITEURLHERE.com: AccessDenied

I'm trying to deploy logstash on my kubernetes cluster. I'm using k8s v1.6.1 with Calico as the network. The issue I'm running into is that the pod is spinning up, but it doesn't seem to be able to register DNS. For safety I've stripped out my domain name:

route53-kubernetes-551223410-wf89w route53-kubernetes W0516 19:47:32.715753 1 service_listener.go:151] Couldn't find destination zone: No zone found for MYWEBSITEURLHERE.com: AccessDenied: User: arn:aws:sts::056146032236:assumed-role/nodes.k8s-uw2.MYWEBSITEURLHERE.com/i-01cac4656e7ee0c4e is not authorized to perform: route53:ListHostedZonesByName
route53-kubernetes-551223410-wf89w route53-kubernetes status code: 403, request id: 809c62fa-3a70-11e7-bccf-9daca39d7850
Now the weird thing is that I've confirmed the IAM creds have been set up correctly for that role:
{
  "RoleName": "nodes.k8s-uw2.MYWEBSITEURLHERE.com",
  "PolicyDocument": {
    "Statement": [
      {
        "Effect": "Allow",
        "Resource": [
          "*"
        ],
        "Action": [
          "ec2:Describe*"
        ]
      },
      {
        "Effect": "Allow",
        "Resource": [
          "*"
        ],
        "Action": [
          "elasticloadbalancing:DescribeLoadBalancers"
        ]
      },
      {
        "Effect": "Allow",
        "Resource": [
          "*"
        ],
        "Action": [
          "ecr:GetAuthorizationToken",
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:GetRepositoryPolicy",
          "ecr:DescribeRepositories",
          "ecr:ListImages",
          "ecr:BatchGetImage"
        ]
      },
      {
        "Effect": "Allow",
        "Resource": [
          "arn:aws:route53:::hostedzone/Z1ILWH3JAW6GTW"
        ],
        "Action": [
          "route53:ChangeResourceRecordSets",
          "route53:ListResourceRecordSets",
          "route53:GetHostedZone",
          "route53:ListHostedZonesByName"
        ]
      },
      {
        "Effect": "Allow",
        "Resource": [
          "arn:aws:route53:::change/*"
        ],
        "Action": [
          "route53:GetChange"
        ]
      },
      {
        "Effect": "Allow",
        "Resource": [
          "*"
        ],
        "Action": [
          "route53:ListHostedZones"
        ]
      },
      {
        "Effect": "Allow",
        "Resource": [
          "arn:aws:s3:::k8s-uw2-sightmachine-com-state-store/k8s-uw2.MYWEBSITEURLHERE.com",
          "arn:aws:s3:::k8s-uw2-sightmachine-com-state-store/k8s-uw2.MYWEBSITEURLHERE.com/*"
        ],
        "Action": [
          "s3:*"
        ]
      },
      {
        "Effect": "Allow",
        "Resource": [
          "arn:aws:s3:::k8s-uw2-sightmachine-com-state-store"
        ],
        "Action": [
          "s3:GetBucketLocation",
          "s3:ListBucket"
        ]
      }
    ],
    "Version": "2012-10-17"
  },
  "PolicyName": "nodes.k8s-uw2.MYWEBSITEURLHERE.com"
}
Even stranger is that I was able to create my elasticsearch service as well as kibana, and both of those work fine. It's just my logstash service that doesn't.
Here is my logstash service definition:
apiVersion: v1
kind: Service
metadata:
  name: logstash
  namespace: inf
  labels:
    app: logstash
    component: server
    role: monitoring
    dns: route53
  annotations:
    domainName: logstash.k8s-uw2.MYWEBSITEURLHERE.com
    service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
spec:
  type: LoadBalancer
  selector:
    app: logstash
    component: server
    role: monitoring
  ports:
    - name: lumberjack
      port: 5043
      protocol: TCP
    - name: beats
      port: 5044
      protocol: TCP
    - name: http
      port: 31311
      protocol: TCP
Here is my elasticsearch service definition:
apiVersion: v1
kind: Service
metadata:
  name: elasticsearch
  namespace: inf
  labels:
    app: elasticsearch
    component: client
    role: monitoring
    dns: route53
  annotations:
    domainName: elasticsearch.k8s-uw2.sightmachine.com
    service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
spec:
  type: LoadBalancer
  selector:
    app: elasticsearch
    component: client
    role: monitoring
  ports:
    - name: http
      port: 9200
      protocol: TCP
I've also confirmed that the zone ID is indeed correct.
Any help would be greatly appreciated, since all of this is abstracted away from a traditional setup and is harder for me to debug.

The solution was just to increase the amount of access allowed, rather than making the role granular, i.e. changing:
"arn:aws:route53:::hostedzone/Z1ILWH3JAW6GTW"
"arn:aws:route53:::change/*"
to:
*
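The grant that fails is the one listing route53:ListHostedZonesByName under the hosted-zone ARN: that action, like route53:ListHostedZones, has no resource type and only matches Resource "*", so the narrower fix is to move just those two actions into a "*" statement while ChangeResourceRecordSets stays scoped to Z1ILWH3JAW6GTW, instead of opening every Route 53 resource to the nodes. Added here as an example (not code from the post or from route53-kubernetes): a Python lint that finds such unmatchable grants and performs that rewrite, run against a constructed sample trimmed to the question's Route 53 statements.

```python
import copy

# Route 53 actions that have no resource type: IAM evaluates them only against
# Resource "*", so listing them under a hosted-zone ARN can never match.
WILDCARD_ONLY_ACTIONS = {"route53:ListHostedZones", "route53:ListHostedZonesByName"}

# Constructed sample: the question's Route 53 statements only (zone ID as on the
# page); the EC2/ECR/ELB/S3 statements are left out.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": ["arn:aws:route53:::hostedzone/Z1ILWH3JAW6GTW"],
     "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets",
                "route53:GetHostedZone", "route53:ListHostedZonesByName"]},
    {"Effect": "Allow", "Resource": ["arn:aws:route53:::change/*"], "Action": ["route53:GetChange"]},
    {"Effect": "Allow", "Resource": ["*"], "Action": ["route53:ListHostedZones"]},
]}

def _as_list(value):
    # IAM accepts a bare string or a list for Action/Resource; normalise to a list.
    return [value] if isinstance(value, str) else list(value)

def find_unmatchable_grants(policy):
    """Return (action, resource) pairs where a wildcard-only action is scoped to an ARN."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in WILDCARD_ONLY_ACTIONS:
                for res in _as_list(stmt.get("Resource", [])):
                    if res != "*":
                        findings.append((action, res))
    return findings

def relocate_wildcard_only(policy):
    """Copy the policy, moving wildcard-only actions out of ARN-scoped statements
    into one Resource "*" statement; zone-scoped actions keep their narrow ARN."""
    fixed = copy.deepcopy(policy)
    moved = set()
    for stmt in fixed["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" in _as_list(stmt.get("Resource", [])):
            continue
        actions = _as_list(stmt.get("Action", []))
        moved.update(a for a in actions if a in WILDCARD_ONLY_ACTIONS)
        stmt["Action"] = [a for a in actions if a not in WILDCARD_ONLY_ACTIONS]
    # Drop any statement emptied by the move, then add the single "*" grant.
    fixed["Statement"] = [s for s in fixed["Statement"] if s.get("Action")]
    if moved:
        fixed["Statement"].append({"Effect": "Allow", "Resource": ["*"], "Action": sorted(moved)})
    return fixed
```

Running find_unmatchable_grants on the full policy from the question reports only the ListHostedZonesByName grant, which is exactly the action named in the AccessDenied message.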