Praqma / LearnKubernetes

Notes and resources collected together to help learn Kubernetes. This will eventually become a tutorial and later a blog post for praqma website (hopefully!)

Error creating: pods "kube-dns-v11-" is forbidden: no API token found for service account kube-system/default, retry after the token is automatically created and added to the service account #4

Closed KamranAzeem closed 8 years ago

KamranAzeem commented 8 years ago
```
[fedora@kube-master ~]$ kubectl get serviceaccounts
NAME      SECRETS   AGE
default   0         12d

[fedora@kube-master ~]$ kubectl get serviceaccounts --namespace=kube-system
NAME      SECRETS   AGE
default   0         9d
[fedora@kube-master ~]$
```
KamranAzeem commented 8 years ago

According to http://stackoverflow.com/questions/31891734/not-able-to-create-pod-in-kubernetes , the controller-manager should automatically populate namespaces with a default service account and auto-create the API token for that service account.

Also look here http://stackoverflow.com/questions/34464779/pod-mysql-is-forbidden-no-api-token-found-for-service-account-default-default and here https://groups.google.com/forum/#!topic/google-containers/pEdBVrY3VL0 and here https://github.com/kubernetes/kubernetes/issues/11222

Removing the ServiceAccount from the apiserver file on master is what is suggested by the Fedora Atomic guide (with no explanation). Though the cluster works (creating pods, RC, deployments, svcs, etc.), I cannot get DNS to work. So I thought maybe we should enable ServiceAccount in the apiserver config file on master and see if that would be helpful.

We can manually create the secret and start the kubernetes services with special parameters.

```
[fedora@kube-master ~]$ sudo -i
-bash-4.3# ls /opt
-bash-4.3# openssl genrsa -out /opt/kubernetes-serviceaccont.key 2048
Generating RSA private key, 2048 bit long modulus
...............................+++
.......................................................................................+++
e is 65537 (0x10001)
-bash-4.3#
-bash-4.3# cat /etc/kubernetes/apiserver
KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0"
# KUBE_ETCD_SERVERS="--etcd-servers=http://127.0.0.1:2379"
KUBE_ETCD_SERVERS="--etcd-servers=http://192.168.124.10:2379"
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,SecurityContextDeny,ResourceQuota"
# KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ResourceQuota"
KUBE_API_ARGS="--service_account_key_file=/opt/kubernetes-serviceaccont.key"
-bash-4.3#
-bash-4.3# vi /etc/kubernetes/controller-manager
. . .
KUBE_CONTROLLER_MANAGER_ARGS="--service_account_private_key_file=/opt/kubernetes-serviceaccont.key"
-bash-4.3# systemctl restart kube-controller-manager.service
-bash-4.3# systemctl restart kube-apiserver.service
```

After that I have one secret for my service account :

```
-bash-4.3# kubectl get serviceaccounts
NAME      SECRETS   AGE
default   1         12d
-bash-4.3#
-bash-4.3# kubectl get serviceaccounts --namespace=kube-system
NAME      SECRETS   AGE
default   1         9d
-bash-4.3#
-bash-4.3# kubectl get rc --namespace=kube-system
NAME           DESIRED   CURRENT   AGE
kube-dns-v11   1         1         27m
-bash-4.3#
```

This has not helped getting DNS to work, but that is a separate problem.
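What the two flags in the comment above actually wire up, shown as an added example (not code from the issue or from the LearnKubernetes repo): the controller-manager signs each service-account token, an RS256 JWT, with the key given to `--service_account_private_key_file`, and the apiserver checks that signature using `--service_account_key_file`. The key path, claim values and helper names (`sign_sa_token`, `verify_sa_token`) are constructed for the demo; only `openssl` and standard POSIX tools are needed.

```shell
#!/bin/sh
# Added example: mimic the controller-manager/apiserver split for service-account
# tokens. A fresh key stands in for /opt/kubernetes-serviceaccont.key (constructed path).
set -e
WORK=$(mktemp -d)
KEY="$WORK/kubernetes-serviceaccount.key"
openssl genrsa -out "$KEY" 2048 2>/dev/null
# The apiserver only needs the public half to verify; derive it like it would.
openssl rsa -in "$KEY" -pubout -out "$WORK/sa.pub" 2>/dev/null

# base64url without padding, as JWT segments require
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
# inverse: restore the padding, then decode
unb64url() {
  s=$(tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | openssl base64 -d -A
}

# sign_sa_token KEYFILE NAMESPACE SERVICEACCOUNT SECRETNAME -> prints a JWT
# carrying the legacy service-account claims Kubernetes puts in these tokens.
sign_sa_token() {
  hdr=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  claims=$(printf '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"%s","kubernetes.io/serviceaccount/secret.name":"%s","kubernetes.io/serviceaccount/service-account.name":"%s","sub":"system:serviceaccount:%s:%s"}' \
            "$2" "$4" "$3" "$2" "$3" | b64url)
  sig=$(printf '%s.%s' "$hdr" "$claims" | openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s.%s' "$hdr" "$claims" "$sig"
}

# verify_sa_token PUBKEYFILE TOKEN -> exit 0 only if the RS256 signature over
# header.claims checks out against the key the apiserver was given.
verify_sa_token() {
  signed=$(printf '%s' "$2" | cut -d. -f1,2)
  printf '%s' "$2" | cut -d. -f3 | unb64url > "$WORK/sig.bin"
  printf '%s' "$signed" | openssl dgst -sha256 -verify "$1" -signature "$WORK/sig.bin" >/dev/null 2>&1
}
```

A token whose claims are changed after signing, or signed with a key other than the one the apiserver trusts, fails `verify_sa_token`, which is exactly the "forbidden" path the apiserver takes when the two components are not configured with matching keys.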