“kubectl exec”导致“错误:无法升级连接:未经授权”
我在k8s 1.6.4启用了RBAC的群集上尝试了kubectl exec
,返回的错误是: error: unable to upgrade connection: Unauthorized
。 docker exec
在同一容器成功。 否则, kubectl
正在工作。 kubectl
隧道通过SSH连接,但我不认为这是问题。
kubelet authn已启用,但不是authz。 文档默认说authz是AlwaysAllow,所以我已经这样离开了。
我有一个感觉, 这个问题是类似的。 但是,错误信息是有点不同。
提前致谢!
详细loggingkubectl exec
命令:
I0614 16:50:11.003677 64104 round_trippers.go:398] curl -k -v -XPOST -H "X-Stream-Protocol-Version: v4.channel.k8s.io" -H "X-Stream-Protocol-Version: v3.channel.k8s.io" -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true I0614 16:50:11.003705 64104 round_trippers.go:398] curl -k -v -XPOST -H "X-Stream-Protocol-Version: v4.channel.k8s.io" -H "X-Stream-Protocol-Version: v3.channel.k8s.io" -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" -H "User-Agent: kubectl/v1.6.4 (darwin/amd64) kubernetes/d6f4332" https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true I0614 16:50:11.169474 64104 round_trippers.go:417] POST https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true 401 Unauthorized in 165 milliseconds I0614 16:50:11.169493 64104 round_trippers.go:423] Response Headers: I0614 16:50:11.169497 64104 round_trippers.go:426] Date: Wed, 14 Jun 2017 08:50:11 GMT I0614 16:50:11.169500 64104 round_trippers.go:426] Content-Length: 12 I0614 16:50:11.169502 64104 round_trippers.go:426] Content-Type: text/plain; charset=utf-8 I0614 16:50:11.169506 64104 round_trippers.go:417] POST https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true 401 Unauthorized in 165 milliseconds I0614 16:50:11.169509 64104 round_trippers.go:423] Response Headers: I0614 16:50:11.169512 64104 round_trippers.go:426] Date: Wed, 14 Jun 2017 08:50:11 GMT I0614 16:50:11.169545 64104 round_trippers.go:426] Content-Length: 12 I0614 16:50:11.169548 64104 round_trippers.go:426] Content-Type: text/plain; charset=utf-8 F0614 16:50:11.169635 64104 helpers.go:119] error: unable to upgrade connection: Unauthorized
这是一个RTFM的时刻…解决scheme基本上是按照authn,authz或这两个页面上的所有步骤。
我省略了--kubelet-client-certificate
和--kubelet-client-key
导致了错误。 如果没有这些标志,当你执行kubectl exec
时, kube-apiserver
将无法validationkubectl exec
。
我最初尝试configurationauthn是通过阅读kubelet守护进程的文档(即不是上面的文档)。 因此,严重的遗漏。