- `kubectl get pods -A -o wide`
- The pod logs show:

  ```
  pods "kube-flannel-ds-amd64-xxxxx" is forbidden: User "system:serviceaccount:kube-system:flannel" cannot get resource "pods" in API group "" in the namespace "kube-system"
  ```

- In other words, the `flannel` ServiceAccount in the `kube-system` namespace is not allowed to read the pods resource in `kube-system`.
- The flannel pods in the `kube-flannel` namespace are all healthy, so the existing ClusterRoleBinding covers only that namespace's ServiceAccount; the `kube-system:flannel` ServiceAccount needs to be bound to the same ClusterRole as well.
- Inspect the existing bindings and roles (`-A` is harmless but unnecessary here: ClusterRoles and ClusterRoleBindings are cluster-scoped, not namespaced):

  ```
  kubectl describe clusterrolebinding -A
  kubectl get clusterrole -A | grep flannel
  flannel
  kubectl describe clusterrole flannel
  Name:         flannel
  Labels:       k8s-app=flannel
  Annotations:  <none>
  PolicyRule:
    Resources                       Non-Resource URLs  Resource Names  Verbs
    ---------                       -----------------  --------------  -----
    nodes                           []                 []              [get list watch]
    pods                            []                 []              [get]
    clustercidrs.networking.k8s.io  []                 []              [list watch]
    nodes/status                    []                 []              [patch]
  ```

- There is already a ClusterRole named `flannel`, so the ServiceAccount can be bound to it directly.
- Create the binding and check the result:

  ```
  kubectl create clusterrolebinding add-on-flannel \
    --clusterrole=flannel \
    --serviceaccount=kube-system:flannel
  kubectl describe clusterrolebinding -A
  ```
- The newly added ClusterRoleBinding grants the `flannel` ClusterRole to the `flannel` ServiceAccount in the `kube-system` namespace, which resolves the error above:

  ```
  Name:         add-on-flannel
  Labels:       <none>
  Annotations:  <none>
  Role:
    Kind:  ClusterRole
    Name:  flannel
  Subjects:
    Kind            Name     Namespace
    ServiceAccount  flannel  kube-system
  ```

- The pre-existing ClusterRoleBinding only covered the `flannel` ServiceAccount in the `kube-flannel` namespace:

  ```
  Name:         flannel
  Labels:       k8s-app=flannel
  Annotations:  <none>
  Role:
    Kind:  ClusterRole
    Name:  flannel
  Subjects:
    Kind            Name     Namespace
    ServiceAccount  flannel  kube-flannel
  ```
- After a short while the `kube-flannel-ds-amd64-xxxxx` containers on all three nodes started up automatically.