K8S二进制部署exec unable to upgrade connection: Unauthorized异常解决方案
1. 异常分析
当执行kubectl exec、logs、port-forward 等需要"升级连接"(WebSocket/SPDY)的命令时,流程如下
- kubectl → kube-apiserver,使用 ~/.kube/config中的认证,通常是 cluster-admin 权限
- kube-apiserver 代表自己连接目标 Pod 所在节点的 kubelet(通过节点的 10250 端口),执行 exec 等操作
- 这个连接本质是:apiservers使用kube-apiserver 的证书 CN对 nodes/proxy 子资源执行 create 操作
不仅需要在apiserver的启动参数中添加--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,还需要RBAC 中对 apiserver 自身证书对应的用户授予 nodes/proxy 的权限
bash
# 笔者的apiserver的启动参数如下:
/usr/local/bin/kube-apiserver --v=2 --etcd-servers=https://192.168.101.40:2379 --bind-address=192.168.101.40 --secure-port=6443 --advertise-address=192.168.101.40 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --enable-bootstrap-token-auth=true --service-node-port-range=30000-32767 --kubelet-client-certificate=/etc/kubernetes/pki/kubernetes.pem --kubelet-client-key=/etc/kubernetes/pki/kubernetes-key.pem --tls-cert-file=/etc/kubernetes/pki/kubernetes.pem --tls-private-key-file=/etc/kubernetes/pki/kubernetes-key.pem --client-ca-file=/etc/kubernetes/pki/ca.pem --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-issuer=https://192.168.101.40:6443 --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --etcd-cafile=/etc/etcd/ssl/ca.pem --etcd-certfile=/etc/etcd/ssl/etcd-server.pem --etcd-keyfile=/etc/etcd/ssl/etcd-server-key.pem --requestheader-client-ca-file=/etc/kubernetes/pki/ca.pem --proxy-client-cert-file=/etc/kubernetes/pki/kubernetes.pem --proxy-client-key-file=/etc/kubernetes/pki/kubernetes-key.pem --requestheader-allowed-names=kubernetes --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --enable-aggregator-routing=true --audit-log-maxage=30 --audit-log-maxbackup=3 --audit-log-maxsize=100 --audit-log-path=/var/log/kubernetes/k8s-audit.log2. 解决方案
bash
cat > apiserver-to-kubelet.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:kubernetes-to-kubelet
rules:
- apiGroups:
- ""
resources:
- nodes/proxy
- nodes/stats
- nodes/log
- nodes/spec
- nodes/metrics
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:kubernetes
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:kubernetes-to-kubelet
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kubernetes
EOF
# 注意需要修改name,根据自己集群中的name
kubectl apply -f apiserver-to-kubelet.yaml