Problem description
I have set up a private cluster on GKE with k8s version 1.18.12-gke.1206,
with cluster endpoint access set to "Public endpoint access enabled, authorized networks disabled". I am running an ingress controller of this type https://kubernetes.github.io/ingress-nginx on the cluster. It uses a configMap to store its configuration. But somehow, any request coming to this controller gives an Unauthorized error, with logs as follows:
2021-02-23 11:24:59.435 IST "pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.Endpoints: Unauthorized"
2021-02-23 11:24:45.072 IST "error retrieving resource lock sb-system/ingress-controller-leader-Nginx: Unauthorized"
2021-02-23 11:24:40.727 IST "pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.ConfigMap: Unauthorized"
2021-02-23 11:24:40.132 IST "pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1beta1.Ingress: Unauthorized"
2021-02-23 11:24:37.318 IST "pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.Pod: Unauthorized"
2021-02-23 11:24:37.038 IST "pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.Service: Unauthorized"
2021-02-23 11:24:29.891 IST "error retrieving resource lock sb-system/ingress-controller-leader-Nginx: Unauthorized"
2021-02-23 11:24:26.263 IST "pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.Secret: Unauthorized"
2021-02-23 11:24:18.259 IST "error retrieving resource lock sb-system/ingress-controller-leader-Nginx: Unauthorized"
2021-02-23 11:24:09.907 IST "error retrieving resource lock sb-system/ingress-controller-leader-Nginx: Unauthorized"
2021-02-23 11:24:06.612 IST "pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.Endpoints: Unauthorized"
2021-02-23 11:24:02.078 IST "error retrieving resource lock sb-system/ingress-controller-leader-Nginx: Unauthorized"
We tried following the steps mentioned here. We are getting
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}
where the last step is: kubectl exec test -- curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $TOKEN_VALUE" https://10.0.0.1
I am new to GCP and K8s and don't know what I am doing wrong.
Solution
Have you checked whether automountServiceAccountToken on your ServiceAccount is set to false? If so, setting it to true might help.
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-service-account
automountServiceAccountToken: false # set to true
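As an added example (not part of the original question or answer, and not ingress-nginx's own tooling), here is a small POSIX shell helper meant to be copied into the test pod with kubectl exec. It checks whether the projected service-account token is actually mounted (which is what automountServiceAccountToken: false prevents), calls the API server with that token from inside the pod, and classifies the Status body so that "no credential was sent" (a 403 for system:anonymous, as in the question) is told apart from "a credential was sent and rejected" (a 401, which is what the controller's Unauthorized lines are) and from an RBAC denial for a real identity. SA_DIR and the function names are assumptions; the sample 403 body is constructed from the one in the question.

```shell
#!/bin/sh
# Added example: pod-side diagnostic for "Unauthorized" from an in-cluster
# client such as ingress-nginx. Copy into the pod and run, for instance:
#   kubectl exec test -- sh -c "$(cat sa_check.sh); sa_check"
# Paths and names below are assumptions, not ingress-nginx's own tooling.

SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# Constructed sample body: the 403 the question's curl test returned.
SAMPLE_ANONYMOUS_403='{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/\"","reason":"Forbidden","details":{},"code":403}'

# Exit 0 only when the projected token, CA bundle and namespace file are all
# present and non-empty. automountServiceAccountToken: false on either the
# ServiceAccount or the Pod spec leaves this directory missing.
sa_token_mounted() {
  dir="${1:-$SA_DIR}"
  [ -s "$dir/token" ] && [ -s "$dir/ca.crt" ] && [ -s "$dir/namespace" ]
}

# Classify an API-server response body:
#   anonymous       403 for User "system:anonymous": no credential was sent
#   forbidden       403 for an authenticated identity: RBAC denies the verb
#   unauthenticated 401: a token was sent but the API server rejected it
#   ok              no Status "code" field, i.e. a normal success body
status_reason() {
  body="$1"
  code=$(printf '%s\n' "$body" | grep -o '"code": *[0-9]*' | tr -dc '0-9')
  case "$code" in
    401) echo "unauthenticated" ;;
    403)
      if printf '%s\n' "$body" | grep -q 'system:anonymous'; then
        echo "anonymous"
      else
        echo "forbidden"
      fi
      ;;
    "") echo "ok" ;;
    *) echo "http-$code" ;;
  esac
}

# Call the API server with the mounted token. The cluster IP and port are
# injected into every pod as environment variables, and the token is read
# inside the pod, so nothing depends on the caller's local shell.
sa_probe() {
  dir="${1:-$SA_DIR}"
  path="${2:-/api}"
  host="${KUBERNETES_SERVICE_HOST:?not running inside a pod}"
  port="${KUBERNETES_SERVICE_PORT:-443}"
  curl -sS --cacert "$dir/ca.crt" \
    -H "Authorization: Bearer $(cat "$dir/token")" \
    "https://$host:$port$path"
}

# End-to-end check: token present, then one authenticated request to /api.
sa_check() {
  if ! sa_token_mounted "$SA_DIR"; then
    echo "no service-account token under $SA_DIR: check automountServiceAccountToken" >&2
    return 1
  fi
  body=$(sa_probe "$SA_DIR" /api)
  reason=$(status_reason "$body")
  echo "API server said: $reason"
  [ "$reason" = "ok" ]
}
```

Two caveats worth keeping in mind when reading the result. First, the Pod spec has its own automountServiceAccountToken field, and when set it overrides the ServiceAccount's value, so check both. Second, in the question's command, `$TOKEN_VALUE` is expanded by the local shell before kubectl exec runs; if it is unset locally, the pod sends `Authorization: Bearer ` with an empty token, which the API server treats as system:anonymous, which is exactly the 403 shown. The helper above reads the token inside the pod to avoid that.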