2017-01-14

I have Container Linux by CoreOS alpha (1284.2.0) and I am trying to install Kubernetes 1.5.2. I get 'Unauthorized' from the api-server when testing Kubernetes.

I noticed that the kube-proxy pod is failing. I searched a bit and found that the api-server manifest may not be configured properly.

I configured kubectl on my Mac Pro desktop using the documentation at https://coreos.com/kubernetes/docs/latest/configure-kubectl.html

When I run kubectl get nodes I get error: You must be logged in to the server (the server has asked for the client to provide credentials)

So I tried testing with curl. The server's hostname is coreos-2.tux-in.com

ufk-osx-music:~ ufk$ curl http://coreos-2.tux-in.com:8080 
curl: (7) Failed to connect to coreos-2.tux-in.com port 8080: Connection refused 
ufk-osx-music:~ ufk$ curl https://coreos-2.tux-in.com 
curl: (60) SSL certificate problem: Invalid certificate chain 
More details here: https://curl.haxx.se/docs/sslcerts.html 

curl performs SSL certificate verification by default, using a "bundle" 
of Certificate Authority (CA) public keys (CA certs). If the default 
bundle file isn't adequate, you can specify an alternate file 
using the --cacert option. 
If this HTTPS server uses a certificate signed by a CA represented in 
the bundle, the certificate verification probably failed due to a 
problem with the certificate (it might be expired, or the name might 
not match the domain name in the URL). 
If you'd like to turn off curl's verification of the certificate, use 
the -k (or --insecure) option. 
ufk-osx-music:~ ufk$ curl --insecure https://coreos-2.tux-in.com 
Unauthorized 

This is my kube-apiserver.yaml

apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-apiserver
    image: quay.io/coreos/hyperkube:v1.5.2_coreos.0
    command:
    - /hyperkube
    - apiserver
    - --bind-address=0.0.0.0
    - --etcd-servers=http://127.0.0.1:4001
    - --allow-privileged=true
    - --service-cluster-ip-range=10.3.0.0/24
    - --secure-port=443
    - --advertise-address=10.79.218.2
    - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
    - --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
    - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    - --client-ca-file=/etc/kubernetes/ssl/ca.pem
    - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    - --runtime-config=extensions/v1beta1/networkpolicies=true
    - --anonymous-auth=false
    livenessProbe:
      httpGet:
        host: 127.0.0.1
        port: 8080
        path: /healthz
      initialDelaySeconds: 15
      timeoutSeconds: 15
    ports:
    - containerPort: 443
      hostPort: 443
      name: https
    - containerPort: 8080
      hostPort: 8080
      name: local
    volumeMounts:
    - mountPath: /etc/kubernetes/ssl
      name: ssl-certs-kubernetes
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/ssl
    name: ssl-certs-kubernetes
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host

And this is my kube-proxy.yaml

apiVersion: v1
kind: Pod
metadata:
  name: kube-proxy
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-proxy
    image: quay.io/coreos/hyperkube:v1.5.2_coreos.0
    command:
    - /hyperkube
    - proxy
    - --master=http://127.0.0.1:8080
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host

And this is the controller's kubeconfig file, controler-kubeconfig.yaml

current-context: tuxin-coreos-context
apiVersion: v1
clusters:
- cluster:
    server: http://127.0.0.1:8080
  name: tuxin-coreos-cluster
contexts:
- context:
    cluster: tuxin-coreos-cluster
  name: tuxin-coreos-context
kind: Config
preferences:
  colors: true
users:
- name: kubelet
  user:
    client-certificate: /etc/kubernetes/ssl/apiserver.pem
    client-key: /etc/kubernetes/ssl/apiserver-key.pem

Any information regarding this issue would be greatly appreciated!

Answer


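Welp, overall I wasn't using the correct credentials in the .kube/config file. And I also wasn't using the same cluster and context names as typed in the controller's kubeconfig.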

This is the working .kube/config file:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /Users/ufk/Projects/tuxin-coreos/kubernetes/certs/ca.pem
    server: https://coreos-2.tux-in.com
  name: tuxin-coreos-cluster
contexts:
- context:
    cluster: tuxin-coreos-cluster
    user: default-admin
  name: tuxin-coreos-context
current-context: tuxin-coreos-context
kind: Config
preferences: {}
users:
- name: default-admin
  user:
    username: kubelet
    client-certificate: /Users/ufk/Projects/tuxin-coreos/kubernetes/certs/client.pem
    client-key: /Users/ufk/Projects/tuxin-coreos/kubernetes/certs/client-key.pem

My controller kubeconfig:

current-context: tuxin-coreos-context
apiVersion: v1
clusters:
- cluster:
    server: http://127.0.0.1:8080
  name: tuxin-coreos-cluster
contexts:
- context:
    cluster: tuxin-coreos-cluster
  name: tuxin-coreos-context
kind: Config
preferences:
  colors: true
users:
- name: kubelet
  user:
    client-certificate: /etc/kubernetes/ssl/apiserver.pem
    client-key: /etc/kubernetes/ssl/apiserver-key.pem
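
The answer's two kubeconfigs differ in exactly the fields that decide whether a request reaches the API server with credentials, and the sketch below checks those fields for the current context (an added example, not part of the original question or answer; it goes slightly beyond the answer by also flagging non-https servers and half-configured client certificates). The function name `lint_kubeconfig` is hypothetical, and the sample data is constructed from the page's files, transcribed to Python dicts with certificate paths shortened and unrelated fields trimmed.

```python
from urllib.parse import urlparse

def lint_kubeconfig(cfg):
    """Check the current-context of a parsed kubeconfig; return a list of findings."""
    by_name = lambda key, inner: {e["name"]: e.get(inner, {}) for e in cfg.get(key, [])}
    clusters, contexts, users = (by_name(k + "s", k) for k in ("cluster", "context", "user"))
    current = cfg.get("current-context")
    if current not in contexts:
        return [f"current-context {current!r} is not defined"]
    ctx, findings = contexts[current], []
    cluster = clusters.get(ctx.get("cluster"))
    if cluster is None:
        findings.append(f"unknown cluster {ctx.get('cluster')!r}")
    else:
        scheme = urlparse(cluster.get("server", "")).scheme
        if scheme != "https":
            findings.append("server is not https: no TLS and no client authentication")
        elif not (cluster.get("certificate-authority") or cluster.get("certificate-authority-data")):
            findings.append("no certificate-authority set for the https server")
    user = ctx.get("user")
    if user is None:
        # The user entry may exist, but a context that does not name it never uses it.
        findings.append("context names no user: requests carry no credentials")
    elif user not in users:
        findings.append(f"unknown user {user!r}")
    else:
        u = users[user]
        cert = u.get("client-certificate") or u.get("client-certificate-data")
        key = u.get("client-key") or u.get("client-key-data")
        if bool(cert) != bool(key):
            findings.append("client-certificate and client-key must be set together")
        elif not (cert or u.get("token") or u.get("password")):
            findings.append("user has no client certificate, token or password")
    return findings

# Constructed from the two kubeconfigs on this page (certificate paths shortened).
CLUSTER, CONTEXT = "tuxin-coreos-cluster", "tuxin-coreos-context"
CONTROLLER = {
    "current-context": CONTEXT,
    "clusters": [{"name": CLUSTER, "cluster": {"server": "http://127.0.0.1:8080"}}],
    "contexts": [{"name": CONTEXT, "context": {"cluster": CLUSTER}}],
    "users": [{"name": "kubelet", "user": {"client-certificate": "apiserver.pem", "client-key": "apiserver-key.pem"}}],
}
WORKSTATION = {
    "current-context": CONTEXT,
    "clusters": [{"name": CLUSTER, "cluster": {"server": "https://coreos-2.tux-in.com", "certificate-authority": "ca.pem"}}],
    "contexts": [{"name": CONTEXT, "context": {"cluster": CLUSTER, "user": "default-admin"}}],
    "users": [{"name": "default-admin", "user": {"client-certificate": "client.pem", "client-key": "client-key.pem"}}],
}
```

The controller file produces two findings that are harmless only because it talks to the local port 8080; the same shape pointed at the https port of an API server running with `--anonymous-auth=false` gets the `Unauthorized` response shown in the question.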