【Question title】:no service with name ingress-controller/ingress-default-backend found
【Posted】:2020-05-06 13:00:36
【Question description】:

This configuration works on other clusters, but not on the last cluster I deployed. There is some kind of problem with my RBAC configuration.

kubectl get pods -n ingress-controller

NAME                                     READY   STATUS             RESTARTS   AGE
haproxy-ingress-b4d969b8b-dw65k          0/1     CrashLoopBackOff   15         52m
ingress-default-backend-f5dfbf97-6t72p   1/1     Running            0          52m

kubectl logs -n ingress-controller -l run=haproxy-ingress

I0120 11:55:17.347244       6 launch.go:151] 
Name:       HAProxy
Release:    v0.8
Build:      git-1351a73
Repository: https://github.com/jcmoraisjr/haproxy-ingress
I0120 11:55:17.347337       6 launch.go:154] Watching for ingress class: haproxy
I0120 11:55:17.347664       6 launch.go:364] Creating API client for https://10.3.0.1:443
I0120 11:55:17.391439       6 launch.go:376] Running in Kubernetes Cluster version v1.16 (v1.16.4) - git (clean) commit 224be7bdce5a9dd0c2fd0d46b83865648e2fe0ba - platform linux/amd64
F0120 11:55:17.401773       6 launch.go:177] no service with name ingress-controller/ingress-default-backend found: services "ingress-default-backend" is forbidden: User "system:serviceaccount:ingress-controller:ingress-controller" cannot get resource "services" in API group "" in the namespace "ingress-controller": RBAC: clusterrole.rbac.authorization.k8s.io "ingress-controller" not found

kubectl get svc -n ingress-controller

NAME                      TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
ingress-default-backend   ClusterIP   10.3.118.160   <none>        8080/TCP   55m

kubectl describe clusterrole ingress-controller

Name:         ingress-controller
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRole","metadata":{"annotations":{},"name":"ingress-controller"},"rules":[...
PolicyRule:
  Resources                    Non-Resource URLs  Resource Names  Verbs
  ---------                    -----------------  --------------  -----
  events                       []                 []              [create patch]
  services                     []                 []              [get list watch]
  ingresses.extensions         []                 []              [get list watch]
  nodes                        []                 []              [list watch get]
  configmaps                   []                 []              [list watch]
  endpoints                    []                 []              [list watch]
  pods                         []                 []              [list watch]
  secrets                      []                 []              [list watch]
  ingresses.extensions/status  []                 []              [update]

kubectl describe clusterrolebinding -n ingress-controller ingress-controller

Name:         ingress-controller
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"ingress-controller"},"r...
Role:
  Kind:  ClusterRole
  Name:  ingress-controller
Subjects:
  Kind            Name                Namespace
  ----            ----                ---------
  ServiceAccount  ingress-controller  ingress-controller
  User            ingress-controller  

kubectl auth can-i get services --as=ingress-controller

no - RBAC: clusterrole.rbac.authorization.k8s.io "ingress-controller" not found

Any help would be appreciated.

Update:

Adding the deployment and RBAC for ingress-controller:

https://github.com/jcmoraisjr/haproxy-ingress/blob/master/examples/deployment/haproxy-ingress.yaml

https://github.com/jcmoraisjr/haproxy-ingress/blob/master/examples/rbac/ingress-controller-rbac.yml

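【Question comments】:

  • Is your cluster on-prem or local? How did you deploy this ingress controller: any tutorial, or Helm? I tried to reproduce it, but I don't have this problem.
  • It's in an OVH Kubernetes cluster. The other two clusters I created earlier have no problem. I can't reproduce it in my dev environment. I created it following the examples here: github.com/jcmoraisjr/haproxy-ingress/tree/master/examples
  • Can you share the ingress controller deployment YAML and describe the ingress controller pod?
  • Can you post the output of kubectl auth can-i get services --as=system:serviceaccount:ingress-controller:ingress-controller?
  • I've never used OVH, but: 1. You are using K8s 1.16 and the apiVersion you use is rbac.authorization.k8s.io/v1beta1. Since 1.16 it should be apiVersion: rbac.authorization.k8s.io/v1. 2. In your ClusterRoleBinding, under the ingress-controller subject you put the - next to apiGroup; it should be next to kind. 3. According to the docs kubernetes.io/docs/reference/access-authn-authz/rbac/…, since the error comes from a system service account, shouldn't you use something like name: system:serviceaccount:ingress-controller?

Tags: kubernetes rbac haproxy-ingress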


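【Solution 1】:

The ClusterRoleBinding binds to the service account ingress-controller, which works with the DaemonSet example because it uses serviceAccountName: ingress-controller.

The deployment doesn't define serviceAccountName, so it uses the default serviceaccount (rather than ingress-controller).

So you can fix the cluster role binding by binding to default, like this: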


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-controller
subjects:
  - kind: ServiceAccount
    name: default
    namespace: ingress-controller
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: ingress-controller
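
Added example (not part of the original answer or the haproxy-ingress project): a small Python check that works out which service account a workload's pods authenticate as and whether a binding's subjects include it. The manifests are constructed dicts modelled on the objects in this thread, and the function names are hypothetical.

```python
# Added example: constructed manifests, not the project's own files.
NS = "ingress-controller"

def workload(kind, service_account=None):
    """Build a minimal constructed workload manifest for the check."""
    pod_spec = {"containers": [{"name": "haproxy-ingress"}]}
    if service_account:
        pod_spec["serviceAccountName"] = service_account
    return {"kind": kind,
            "metadata": {"name": "haproxy-ingress", "namespace": NS},
            "spec": {"template": {"spec": pod_spec}}}

def binding(sa_name):
    """Build a constructed ClusterRoleBinding with the thread's two subjects."""
    return {"kind": "ClusterRoleBinding",
            "roleRef": {"kind": "ClusterRole", "name": "ingress-controller"},
            "subjects": [
                {"kind": "ServiceAccount", "name": sa_name, "namespace": NS},
                {"kind": "User", "name": "ingress-controller"}]}

def effective_subject(manifest):
    """Return the RBAC username the workload's pods authenticate as."""
    ns = manifest["metadata"].get("namespace", "default")
    pod_spec = manifest["spec"]["template"]["spec"]
    # A pod spec without serviceAccountName runs as the namespace's "default" account.
    sa = pod_spec.get("serviceAccountName") or "default"
    return f"system:serviceaccount:{ns}:{sa}"

def binding_subjects(role_binding):
    """Expand a binding's subjects into RBAC usernames (Group subjects are ignored)."""
    names = set()
    for s in role_binding.get("subjects") or []:
        if s["kind"] == "ServiceAccount":
            names.add(f"system:serviceaccount:{s['namespace']}:{s['name']}")
        elif s["kind"] == "User":
            names.add(s["name"])
    return names

def is_bound(manifest, role_binding):
    """True when the workload's effective identity is one of the binding's subjects."""
    return effective_subject(manifest) in binding_subjects(role_binding)

DEPLOYMENT = workload("Deployment")                    # no serviceAccountName
DAEMONSET = workload("DaemonSet", "ingress-controller")
BINDING_QUESTION = binding("ingress-controller")       # subjects as in the question
BINDING_ANSWER = binding("default")                    # subjects as in the answer

if __name__ == "__main__":
    for name, b in (("question", BINDING_QUESTION), ("answer", BINDING_ANSWER)):
        print(name, effective_subject(DEPLOYMENT), "bound:", is_bound(DEPLOYMENT, b))
```

Setting serviceAccountName: ingress-controller in the Deployment's pod spec also makes this check pass against the original binding, and it keeps the ClusterRole off the namespace's default account.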
