error: You must be logged in to the server (Unauthorized)
Check /var/log/kubernetes/kube-apiserver.ERROR:
E1202 14:35:29.123615 4945 authentication.go:64] Unable to authenticate the request due to an error: [invalid bearer token, [invalid bearer token, crypto/rsa: verification error]]
Cause:
Each of the three masters generated its own server.key (the apiserver.key under /var/run/kubernetes). The apiserver takes that key at start-up and uses it as its service-account key as well (--service-account-key-file defaults to the TLS private key), and it checks the RSA signature of every service-account bearer token against that key. A token signed on one master therefore fails signature verification on the other two, which is the "crypto/rsa: verification error" in the log, and kubectl sees it as Unauthorized.
Fix:
- Use one and the same server.key on all three masters: take apiserver.crt and apiserver.key from /var/run/kubernetes on any one master and scp them to every other master. Keep the key mode 0600, and restart the apiserver (and controller-manager) on each master afterwards, since the key is only read at start-up.
- Recreate the service account and its rolebinding.
- Reconfigure the kubeconfig with the newly generated ca.crt and token.
- Regenerate all other service accounts as well: tokens that were signed with the replaced keys no longer verify anywhere.
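The verification error in the log can be reproduced end to end. The following is an added example, not code from the original page or from Kubernetes: it implements a minimal RSA key pair and RS256 JWT signing in pure Python (1024-bit keys to keep it fast; constructed stand-ins for each master's apiserver.key), signs a token whose claim names are modelled on the legacy service-account token, and verifies it once with the signing master's public key and once with a second master's independently generated key. The first check passes and the second fails, which is exactly what the apiserver reports as "invalid bearer token, crypto/rsa: verification error" when the controller-manager signed the token with a key that the apiserver answering the request does not hold.

```python
import base64
import hashlib
import json
import secrets

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test, sufficient for generating demo keys."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full bit length
        if _is_probable_prime(cand):
            return cand


def generate_rsa_key(bits: int = 1024) -> tuple:
    """Return (n, e, d). 1024-bit keys keep the demo fast; real clusters use 2048+."""
    e = 65537
    while True:
        p = _random_prime(bits // 2)
        q = _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes (RFC 8017, 9.2)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_sa_token(claims: dict, key: tuple) -> str:
    """Build an RS256 JWT the way a controller-manager signs a service-account token."""
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    em = int.from_bytes(_emsa_pkcs1_v15(f"{header}.{payload}".encode(), k), "big")
    signature = pow(em, d, n).to_bytes(k, "big")
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_sa_token(token: str, public_key: tuple) -> bool:
    """Check the signature as an apiserver does against its --service-account-key-file.
    False is what the apiserver logs as 'crypto/rsa: verification error'."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    try:
        header, payload, sig_b64 = token.split(".")
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return False
    if len(signature) != k:
        return False
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    expected = _emsa_pkcs1_v15(f"{header}.{payload}".encode(), k)
    return secrets.compare_digest(recovered, expected)


def demo() -> dict:
    """Two masters with independently generated keys; one token signed on master1."""
    master1_key = generate_rsa_key()  # constructed stand-in for master1's apiserver.key
    master2_key = generate_rsa_key()  # constructed stand-in for master2's apiserver.key
    claims = {  # claim names modelled on the legacy service-account token format
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/service-account.name": "default",
        "sub": "system:serviceaccount:default:default",
    }
    token = sign_sa_token(claims, master1_key)
    return {
        "master1": verify_sa_token(token, master1_key[:2]),  # same key: accepted
        "master2": verify_sa_token(token, master2_key[:2]),  # other key: Unauthorized
    }


if __name__ == "__main__":
    for master, ok in demo().items():
        print(f"{master}: {'ok' if ok else 'invalid bearer token (crypto/rsa: verification error)'}")
```

Run it directly to see both outcomes. The same comparison is the check to make after copying the key: a token minted from a secret on one master must verify on every apiserver behind the load balancer, otherwise requests fail intermittently depending on which master the load balancer picks.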
Node NotReady
On a node, 127.0.0.1:8080 is the apiserver's unauthenticated insecure port, and it only listens on the master itself, so a kubelet or kube-proxy pointed there never reaches the API and the node stays NotReady. Point both at a kubeconfig for the nginx front end instead.
When the kubelet on a node talks to the master:
- remove --api-servers=http://127.0.0.1:8080
- add --kubeconfig=/root/.kube/config --require-kubeconfig=true
- make sure the user in that kubeconfig has the required permissions (see kubelet permissions below)
When kube-proxy on a node talks to the master:
- remove --api-servers=http://127.0.0.1:8080
- add --kubeconfig=/root/.kube/config
- make sure the user in that kubeconfig has the required permissions
(--api-servers and --require-kubeconfig have since been removed from the kubelet; on current releases --kubeconfig alone is enough.)
nginx configuration
nginx terminates TLS with the apiserver's own certificate and opens a new TLS connection to the upstream apiservers, so client certificates presented by kubectl or the kubelet never reach the API server; authentication through this front end has to use bearer tokens, as in the kubeconfig below.
upstream k8s-masters {
    server k8s-master1:6443;
    server k8s-master2:6443;
    server k8s-master3:6443;
}
server {
    listen 443 ssl;                     # 'ssl on;' is deprecated; enable TLS on the listen line
    ssl_certificate     /var/run/kubernetes/apiserver.crt;  # cert generated by k8s; nginx terminates TLS with it
    ssl_certificate_key /var/run/kubernetes/apiserver.key;  # matching key generated by k8s, mode 0600
    location / {
        proxy_pass https://k8s-masters;
        # watch, exec, attach and port-forward need HTTP/1.1 with the Upgrade header passed through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_read_timeout 3600s;       # long-running watches; the 60s default would cut them off
        # nginx does not verify the upstream certificate by default; enable it if the hop
        # to the masters is not a trusted network:
        # proxy_ssl_verify on;
        # proxy_ssl_trusted_certificate /path/to/ca.crt;   # the CA that signed apiserver.crt
    }
}
kubeconfig
apiVersion: v1
clusters:
- cluster:
    # certificate-authority: ca.crt   # the CA that signed the certificate nginx serves (the ca.crt from the
    #                                 # service-account secret); set this and drop insecure-skip-tls-verify
    server: https://k8s-master1:443   # the nginx front end
    insecure-skip-tls-verify: true    # disables server verification: any host on the path can impersonate
                                      # the API server and collect the bearer token; acceptable only for testing
  name: test-cluster
contexts:
- context:
    cluster: test-cluster
    user: default
  name: default-system
current-context: default-system
kind: Config
preferences: {}
users:
- name: default
  user:
    token: tokenvalue······
kubelet permissions
The kubelet needs the system:node ClusterRole. The binding below grants it to the default ServiceAccount of the default namespace; that account's token is also mounted into every pod in the namespace that does not set its own serviceAccountName, so those pods inherit node-level access. Prefer a dedicated ServiceAccount (and its token) for the kubelet's kubeconfig.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1   # removed in Kubernetes 1.22; rbac.authorization.k8s.io/v1 has the same schema
metadata:
  name: default-node
subjects:
- kind: ServiceAccount
  name: default          # shared by every pod in the namespace without its own serviceAccountName
  namespace: default
roleRef:
  kind: ClusterRole
  name: system:node
  apiGroup: rbac.authorization.k8s.io