问题描述
我正在尝试使用“v1.18.14”在 kubernetes 集群中部署“灯塔”应用程序,并且 pod 已启动并正在运行,但日志显示端口 443 上的 kubernettes 服务 ip 10.233.0.1 出现连接被拒绝错误.
灯塔吊舱日志 -
[centos@master elk_stack_6.x]$ kubectl logs lighthouse-webhooks-7f58c9897c-tbvfz -n jx
{"fields.level":"info","level":"info","msg":"setting the log level","time":"2021-01-21T03:35:52Z"}
{"level":"info","msg":"updating the Lighthouse core configuration","time":"2021-01-21T03:35:52Z"}
{"level":"warning","msg":"unkNown plugin","plugin":"blunderbuss","plugin":"heart","msg":"updating the Lighthouse plugins configuration","msg":"not pushing metrics as there is no push_gateway defined in the config.yaml","msg":"Lighthouse is Now listening on path /hook and port 8080 for WebHooks","msg":"Lighthouse is serving prometheus metrics on port 2112","time":"2021-01-21T03:35:52Z"}
E0129 07:23:34.030912 1 reflector.go:309] pkg/mod/k8s.io/client-go@v0.17.6/tools/cache/reflector.go:105: Failed to watch *v1.ConfigMap: Get https://10.233.0.1:443/api/v1/namespaces/jx/configmaps?watch=true: dial tcp 10.233.0.1:443: connect: connection refused
E0129 07:23:35.031560 1 reflector.go:309] pkg/mod/k8s.io/client-go@v0.17.6/tools/cache/reflector.go:105: Failed to watch *v1.ConfigMap: Get https://10.233.0.1:443/api/v1/namespaces/jx/configmaps?watch=true: dial tcp 10.233.0.1:443: connect: connection refused
默认命名空间下的服务-
[centos@master elk_stack_6.x]$ kubectl get svc -n default
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.233.0.1 <none> 443/TCP 12d
[centos@master elk_stack_6.x]$ kubectl get endpoints -n default
NAME ENDPOINTS AGE
kubernetes 167.254.204.56:6443 12d
尝试使用 curl 连接 kubernetes 服务 -
[centos@master ~]$ curl -kv https://10.233.0.1:443
* About to connect() to 10.233.0.1 port 443 (#0)
* Trying 10.233.0.1...
* Connected to 10.233.0.1 (10.233.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=kube-apiserver
* start date: Jan 20 13:49:12 2021 GMT
* expire date: Jan 20 13:49:12 2022 GMT
* common name: kube-apiserver
* issuer: CN=kubernetes
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 10.233.0.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Cache-Control: no-cache,private
< Content-Type: application/json
< X-Content-Type-Options: nosniff
< Date: Tue,02 Feb 2021 07:57:21 GMT
< Content-Length: 233
<
{
"kind": "Status","apiVersion": "v1","Metadata": {
},"status": "Failure","message": "forbidden: User \"system:anonymous\" cannot get path \"/\"","reason": "Forbidden","details": {
},"code": 403
* Connection #0 to host 10.233.0.1 left intact
我面临 403 禁止错误可能是因为缺少某些 RBAC 策略。任何建议将不胜感激。
解决方法
请尝试错误中提到的 HTTPS 端点,而不是 HTTP。
400 错误意味着请求确实到达了服务器,但不是服务器期望的格式。
更新以反映更新的问题:-
403 表示访问集群的用户无权使用 IP 访问资源。
详细说明见protecting your kubernetes api server
,根据 pod 日志和 Curl 命令输出,这可能是由于运行 pod 的服务帐户的权限问题。检查 Pod 的 Service Account 是否有适当的权限来查看/读取默认命名空间中的 configMap。如果没有,则需要创建RBAC角色和角色绑定K8S对象。