Jenkins 的 Kubernetes 插件失败

Question

我正在尝试使用适当的 Kubernetes URL 和其他详细信息将 Kubernetes 作为云添加到 Jenkins 服务器。当我添加详细信息并测试连接时 我收到以下错误

连接到https://192.168.X.XX:6443 时出错：执行失败：GET at：https://192.168.X.XX:6443/api/v1/namespaces/default/pods。消息：用户“system:anonymous”无法列出命名空间“default”中的 pod ..”

我尝试使用 --insecure 选项执行 curl，但记录了相同的以下错误。

消息：用户“system:anonymous”无法列出命名空间“default”中的 pods..”

我尝试使用以下 kubectl 命令添加 jenkins 和用户凭据以作为 clusteradminrole 登录 jenkins

kubectl 创建角色绑定 jenkins-admin-binding --clusterrole=admin --user=jenkins--namespace=default

但还是同样的错误。

有什么遗漏吗？

编辑 1：已尝试按照建议执行以下操作

openssl genrsa -out jenkins.key 2048

openssl req -new -key jenkins.key -out jenkins.csr -subj "/CN=jenkins/O=admin_jenkins"

openssl x509 -req -in jenkins.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out jenkins.crt -days 500

kubectl config set-credentials jenkins --client-certificate=/root/pods/admin_jenkins/.certs/jenkins.crt --client-key=/root/pods/admin_jenkins/.certs/jenkins.key

kubectl config set-context jenkins-context --cluster=kubernetes --namespace=default --user=jenkins

kubectl create -f role.yaml（描述的角色文件）

kubectl create -f role-binding.yaml

即使在这之后

kubectl --context=jenkins-context get deployments 
gives the following error
"Error from server (Forbidden): User "jenkins" cannot list deployments.extensions in the namespace "default". (get deployments.extensions)"

更新 2：

after following above steps 
"kubectl --context=jenkins-context get deployments" was successful.

 i did the whole exercise after doing a kubeadm reset and it worked

但是当我尝试使用它的插件将它添加为云时，将 K8 与 Jenkins 集成的问题仍然存在。

Answer 1

您是否定义了角色admin？如果没有定义管理员角色。下面记录你的参考。

https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/

更新： 1.您可以像这样创建文件role.yaml并创建角色。然后运行kubectl apply -f role.yaml

 kind: Role
  apiVersion: rbac.authorization.k8s.io/v1beta1
  metadata:
    namespace: default
    name: admin
  rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["deployments", "replicasets", "pods"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]

您需要通过具有此角色的客户端证书进行身份验证。

从您的第二个问题中，您尝试使用此帐户对 jenkin 应用程序用户进行身份验证。我不确定这种方法是否适合您。

2017 年 9 月 25 日更新

Username: admin
Group: jenkins


 openssl genrsa -out admin.key 2048
 openssl req -new -key admin.key -out admin.csr -subj "/CN=admin/O=jenkins"

 #Run this as root user in master node
 openssl x509 -req -in admin.csr -CA /etc/kubernetes/pki/ca.crt  -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out admin.crt -days 500

 mkdir .certs/
 mv admin.* .certs/
 kubectl config set-credentials admin --client-certificate=/home/jenkin/.certs/admin.crt  --client-key=/home/jenkin/.certs/admin.key
 kubectl config set-context admin-context --cluster=kubernetes --namespace=jenkins --user=admin 

将其保存在文件中并创建角色

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: jenkins
  name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployment-manager-binding
  namespace: jenkins
subjects:
- kind: User
  name: admin
  apiGroup: ""
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: ""

运行 get pods 命令

kubectl --context=admin-context get pods