rootsongjc / kubernetes-handbook

Kubernetes Chinese Guide / Cloud-Native Application Architecture Hands-on Handbook
https://jimmysong.io/book/kubernetes-handbook
Creative Commons Attribution 4.0 International

Using TLS bootstrapping with a user preset in --token-auth-file, but the error says User "system:anonymous" cannot create certificatesigningrequests #273

Closed jesse1993 closed 6 years ago

jesse1993 commented 6 years ago

This problem has been bothering me for a long time; I hope someone can point me in the right direction, much appreciated. Kubernetes version 1.8.3. The apiserver specifies the preset user kubelet-bootstrap, and the worker node also specifies the user kubelet-bootstrap and its token via the --bootstrap-kubeconfig flag, but after starting the worker node it reports an error saying I am accessing as an anonymous user?

```
error: failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:anonymous" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope
```

Below is the configuration. apiserver:

```shell
/usr/local/bin/kube-apiserver --etcd-servers=http://127.0.0.1:2379 \
      --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota \
      --service-account-key-file=/srv/kubernetes/pubkey.pem \
      --service-cluster-ip-range=10.96.0.0/16 \
      --allow-privileged=true \
      --authorization-mode=RBAC \
      --enable-bootstrap-token-auth=true \
      --token-auth-file=/var/lib/kubernetes/bootstrap.csv \
      --client-ca-file=/var/lib/kubernetes/cacert.pem \
      --tls-cert-file=/var/lib/kubernetes/servercert.pem \
      --tls-private-key-file=/var/lib/kubernetes/serverkey.pem \
      --address=172.18.11.249 \
      --insecure-bind-address=127.0.0.1 \
      --advertise-address=172.18.11.249 \
      --audit-log-maxage=30 \
      --audit-log-maxsize=100 \
      --audit-log-path=/var/log/kube-apiserver.log \
      --v=4 \
      1>>/var/log/kube-apiserver.log 2>&1
```

/var/lib/kubernetes/bootstrap.csv:

```
0d681e2438667d2b5236ad7385d80ddc,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
```

Worker node configuration:

```shell
/usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubelet/bootstrap.kubeconfig.yaml \
                           --pod-manifest-path=/etc/kubernetes/manifests \
                           --node-labels=node-role.kubernetes.io/worker= \
                           --node-ip=172.18.10.16 \
                           --allow-privileged \
                           --v=4
```

/etc/kubelet/bootstrap.kubeconfig.yaml:

```yaml
apiVersion: v1
clusters:
  - cluster:
      server: https://172.18.11.249:6443/
    name: myk8s
contexts:
  - context:
      cluster: myk8s
    name: myk8s
current-context: myk8s
kind: Config
preferences: {}
users:
- name: kubelet-bootstrap
  user:
    as-user-extra: {}
    token: 0d681e2438667d2b5236ad7385d80ddc
```

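
As an added example (not code from the issue, the handbook, or the referenced repository), a small Python check that shows how a bootstrap kubeconfig like the one above turns into an anonymous request: the kubelet only sends the token when the current context references a `users:` entry, and the posted context names a cluster but no user, so the apiserver sees no credentials and RBAC denies `system:anonymous`. The kubeconfig dict and token CSV are constructed copies of the posted files, and `fix_context_user` is a hypothetical helper that applies the repair.

```python
import copy
import csv
import io

# Constructed to mirror the bootstrap kubeconfig in the post (sample data only).
# Note that the context carries only "cluster" and no "user" key.
BOOTSTRAP_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config", "current-context": "myk8s",
    "clusters": [{"name": "myk8s", "cluster": {"server": "https://172.18.11.249:6443/"}}],
    "contexts": [{"name": "myk8s", "context": {"cluster": "myk8s"}}],
    "users": [{"name": "kubelet-bootstrap",
               "user": {"token": "0d681e2438667d2b5236ad7385d80ddc"}}],
}
# Same layout as the --token-auth-file CSV in the post: token,user,uid,"group1,group2"
TOKEN_AUTH_FILE = '0d681e2438667d2b5236ad7385d80ddc,kubelet-bootstrap,10001,"system:kubelet-bootstrap"\n'

def load_token_file(text):
    """Parse a static token file into {token: (user, uid, [groups])}."""
    table = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3:
            continue
        groups = row[3].split(",") if len(row) > 3 and row[3] else []
        table[row[0]] = (row[1], row[2], groups)
    return table

def presented_token(cfg):
    """Bearer token the client sends for current-context, or None if it sends nothing."""
    name = cfg.get("current-context")
    ctx = next((c["context"] for c in cfg.get("contexts", []) if c["name"] == name), None)
    if not ctx or "user" not in ctx:
        return None  # context names no user: the users: section is never consulted
    entry = next((u["user"] for u in cfg.get("users", []) if u["name"] == ctx["user"]), None)
    if entry is None:
        raise ValueError(f"user {ctx['user']!r} not found for context {name!r}")
    return entry.get("token")

def resolve_identity(cfg, token_table):
    """Identity the apiserver attributes to the request; None means the token is rejected."""
    token = presented_token(cfg)
    if token is None:
        return ("system:anonymous", ["system:unauthenticated"])  # the user RBAC denied
    if token not in token_table:
        return None  # a presented but unknown token is rejected, not downgraded to anonymous
    user, _uid, groups = token_table[token]
    return (user, groups)

def fix_context_user(cfg, user_name):
    """Return a copy whose current context references the named users: entry."""
    fixed = copy.deepcopy(cfg)
    for c in fixed["contexts"]:
        if c["name"] == fixed["current-context"]:
            c["context"]["user"] = user_name
    return fixed
```

Running `resolve_identity` on the posted files yields `system:anonymous`; after `fix_context_user(cfg, "kubelet-bootstrap")` the same token resolves to `kubelet-bootstrap` in group `system:kubelet-bootstrap`, which is the identity the CSR-creating ClusterRoleBinding has to target.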
rootsongjc commented 6 years ago

You can refer to this configuration: https://github.com/rootsongjc/kubernetes-vagrant-centos-cluster/tree/master/conf

jesse1993 commented 6 years ago

@rootsongjc Following your suggestion, my problem is solved. I had been searching for a long time without figuring out what was going on. Thank you so much.