在google计算引擎上运行的kubernetes pod无法访问元数据服务。
在google计算引擎上运行的kubernetes pod无法访问元数据服务。
提问于 2021-09-03 04:49:40
我正在尝试运行,运行在引擎上的k8荚中。有一个附加到VM的服务帐户,它允许它访问机密管理器。我可以从主机访问机密管理器,但是在k8 pod中运行python会抱怨无法访问元数据服务。
>>> secret_id = 'unskript_test'
>>> name = client.secret_path(project_id, secret_id)
>>> response = client.get_secret(request={"name": name})
Traceback (most recent call last):
File "/opt/conda/lib/python3.7/site-packages/google/api_core/grpc_helpers.py", line 67, in error_remapped_callable
return callable_(*args, **kwargs)
File "/opt/conda/lib/python3.7/site-packages/grpc/_channel.py", line 946, in __call__
return _end_unary_response_blocking(state, call, False, None)
File "/opt/conda/lib/python3.7/site-packages/grpc/_channel.py", line 849, in _end_unary_response_blocking
raise _InactiveRpcError(state)
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNAVAILABLE
details = "Getting metadata from plugin failed with error: Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true from the Google Compute Enginemetadata service. Compute Engine Metadata server unavailable"
debug_error_string = "{"created":"@1630634901.103779641","description":"Getting metadata from plugin failed with error: Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true from the Google Compute Enginemetadata service. Compute Engine Metadata server unavailable","file":"src/core/lib/security/credentials/plugin/plugin_credentials.cc","file_line":90,"grpc_status":14}"
>metadata.google.internal不能从k8吊舱中得到解析
jovyan@jovyan-25ca6c8c-157d-49e5-9366-f9d57fcb7a9f:~$ wget http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true
--2021-09-03 02:11:19-- http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true
Resolving metadata.google.internal (metadata.google.internal)... failed: Name or service not known.
wget: unable to resolve host address ‘metadata.google.internal’但是,主机能够解决这个问题。
ubuntu@gcp-test-proxy:~$ wget http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true
--2021-09-03 02:11:27-- http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true
Resolving metadata.google.internal (metadata.google.internal)... 169.254.169.254
Connecting to metadata.google.internal (metadata.google.internal)|169.254.169.254|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2021-09-03 02:11:27 ERROR 403: Forbidden.如何使吊舱解析metadata.google.internal?
回答 2
Server Fault用户
回答已采纳
发布于 2022-10-05 19:31:01
问题是microk8s没有将主机等主机条目复制到荚。一旦我们搬到k3,它就解决了
Server Fault用户
发布于 2021-09-22 12:37:26
这是由Kubernetes pod无法将metadata.google.internal DNS名称解析为正确的IP造成的。您的主机可能在/etc/hosts中有一个条目,将该域硬编码到IP: 169.254.169.254。
您应该能够通过修改Pod的/etc/hosts文件在Pod中复制它。
请记住,这将只适用于运行在GCP上的VM。在外部,IP地址169.254.169.254只是另一个没有特殊意义的IP地址。
编辑:刚刚在我的一个GCP VM上检查了/etc/host,下面是我发现的:
$ cat /etc/hosts
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
169.254.169.254 metadata.google.internal metadata所以,只需将最后一行复制到您的荚/etc/hosts中即可。
页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://serverfault.com/questions/1076492
复制相关文章
相似问题
腾讯云开发者
