kubectl从服务器获取cs提示错误(禁止)
当在centos7上运行kubectl get cs时,我得到了以下错误消息。
No resources found.
Error from server (Forbidden): componentstatuses is forbidden:
User "system:node:<server-name>" cannot list componentstatuses at the cluster scope我可以确认api服务器正在运行kubectl cluster-info。
Kubernetes master is running at https://<server-IP>:6443
KubeDNS is running at https://<server-IP>:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy另外,我在~/.bash_profile中有以下内容
export http_proxy=http://<proxy-server-IP>:3128
export https_proxy=http://<proxy-server-IP>:3128
export no_proxy=$no_proxy,127.0.0.1,localhost,<server-IP>,<server-name>
export KUBECONFIG=/etc/kubernetes/kubelet.conf不仅kubectl get cs会产生错误消息,kubectl apply -f kubernetes-dashboard.yaml也会产生类似的错误消息
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=secrets", GroupVersionKind: "/v1, Kind=Secret"
Name: "kubernetes-dashboard-certs", Namespace: "kube-system"
Object: &{map["kind":"Secret" "metadata":map["labels":map["k8s-app":"kubernetes-dashboard"] "name":"kubernetes-dashboard-certs" "namespace":"kube-system" "annotations":map["kubectl.kubernetes.io/last-applied-configuration":""]] "type":"Opaque" "apiVersion":"v1"]}
from server for: "https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml":
secrets "kubernetes-dashboard-certs" is forbidden:
User "system:node:<server-name>" cannot get secrets in the namespace "kube-system":
no path found to object回答 3
Stack Overflow用户
发布于 2018-07-06 12:20:31
export KUBECONFIG=/etc/kubernetes/kubelet.conf
完全不正确;错误消息很高兴地通知您,您正在尝试以Node而不是用户或ServiceAccount的身份执行集群操作。RBAC几乎明确地设计为阻止您执行当前正在执行的操作。您永远不会希望Node能够读取敏感凭据,也不希望在群集范围内创建任意Pod。
如果您希望谨慎对待它,那么ssh进入主节点并使用通常在/etc/kubernetes/admin.conf (或类似文件--取决于您的集群是如何配置的)中找到的cluster-admin凭证。如果您还没有cluster-admin凭据,那么创建一个X.509证书,该证书由应用程序使用cluster-admin的组织( X.509中的O=)信任的CA签名,然后创建一个ClusterRoleBinding为cluster-admin的ServiceAccount (或其他任何东西),然后从那里开始。
Stack Overflow用户
发布于 2018-12-11 14:17:07
试试下面的代码片段
1) sudo su
2) kubectl get cs
Stack Overflow用户
发布于 2018-07-06 07:26:05
在重新安装centos 7并遵循以下步骤后,我能够正确地启动master
- install kubeadm,kubectl,kubelet
- disable中安装docker-ce并添加
- 并关闭交换
- 导出no_proxy
export no_proxy=$no_proxy,127.0.0.1,localhost,<master-server-name>,<master-server-ip>,10.96.0.0/12,10.244.0.0/16
- kubeadm初始化
使用kubectl get cs的kubeadm init --apiserver-advertise-address=<master-server-ip> --pod-network-cidr=10.244.0.0/16 mkdir -p $HOME/.kube \cp -f /etc/kubernetes/admin.conf $HOME/.kube/config chown $(id -u):$(id -g) $HOME/.kube/config
- test
NAME STATUS MESSAGE ERROR scheduler Healthy ok controller-manager Healthy ok etcd-0 Healthy {"health": "true"}
无需手动安装etcd,也无需导出KUBECONFIG。
https://stackoverflow.com/questions/51200149
复制相似问题
腾讯云开发者
