Kubernetes仪表板-登录后出现未知服务器错误
我通过Kubespray成功部署了Kubernetes,一切似乎都很好。我可以通过kubectl访问集群,列出节点、POD、服务、秘密等。还可以应用新的资源,仪表板endpoint可以让我进入仪表板登录页面。
我使用不同服务帐户的令牌登录(默认、kubernetes仪表板、kubernetes admin等)。。。每次登录时,我都会看到与kubespray dashboard中描述的相同的弹出窗口,例如警告禁止弹出窗口。
因此,我对默认服务帐户应用了clusterrolebinding,如前所述。当我现在使用默认帐户令牌登录时,我只得到一个
Unknown Server Error (404)
the server could not find the requested resource
Redirecting to previous state in 3 seconds...
框,之后将我重定向到登录页面。如果我通过kubectl proxy连接到Dashboard,也会有同样的行为。访问是通过公共集群IP的HTTPS,也是通过代理的HTTP
我正在使用库伯内特斯1.16.2和最新的库伯祈祷主提交18d19d9e
编辑:我销毁并重新配置了集群,以获得一个新的Kubespray配置实例,使所有步骤都具有确定性,并添加了更多信息。。。
kubectl-n kube系统日志--在尝试登录时,请遵循kubernetes-dashboard-556b9ff8f8-jbmgg--
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/login request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 POST /api/v1/login request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/token request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 POST /api/v1/token/refresh request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/token request from 10.233.74.0:57458: {}
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 POST /api/v1/token/refresh request from 10.233.74.0:57458: { contents hidden }
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:02 [2019-12-16T12:35:02Z] Incoming HTTP/2.0 GET /api/v1/overview/default?filterBy=&itemsPerPage=10&name=&page=1&sortBy=d,creationTimestamp request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 Getting config category
2019/12/16 12:35:03 Getting discovery and load balancing category
2019/12/16 12:35:03 Getting lists of all workloads
2019/12/16 12:35:03 the server could not find the requested resource
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 404 status code
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 Getting pod metrics
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 No metric client provided. Skipping metrics.
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/systembanner request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Incoming HTTP/2.0 GET /api/v1/rbac/status request from 10.233.74.0:57458: {}
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:03 [2019-12-16T12:35:03Z] Outcoming response to 10.233.74.0:57458 with 200 status code
2019/12/16 12:35:12 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
2019/12/16 12:35:42 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
我找到了一个奇怪的解决方法来让仪表板工作,但这对我们在生产中是不可用的,也许有人可以解释一下:
- 我以serviceaccount
kube系统为例:默认值(注意:此时未分配这一个集群管理) - 我得到了它的令牌并用它登录
- 仪表板上明显显示了“禁止弹出窗口”
- 在仍然登录时,我运行
kubectl create clusterrolebinding default admin--clusterrole cluster admin--servicecount=kube system:default - 我刷新了浏览器选项卡,其中包含我的仪表板会话。。。瞧,一切都正常
因此,我不能登出和再次登录,我总是不得不删除集群绑定,然后登录,然后再次应用集群绑定。
这似乎与kubespray供应的集群密切相关,所以有人能用kubespray复制这一点吗?
共有2个答案
好吧,这似乎是Kubespray Github回购发行版#5347中发布的一个错误
如果您正在使用证书连接,您的证书应该在system:masters组中,因此包括“Subject:O=system:masters,CN=”
您还可以创建一个令牌,然后使用该令牌而不是证书:
您的群集角色可能绑定到“服务帐户”而不是您的组,您应该在yaml文件中检查您的组。您的服务帐户有一个访问令牌,请使用该令牌而不是证书进行身份验证。
使用此选项创建一个令牌并使用它。
kubectl describe secret $(kubectl get secret | grep cluster-admin | awk '{print $1}')
代币:
更新kubeconfig以使用该令牌(而不是您当前使用的证书)对自己进行身份验证,并且您应该作为该群集管理服务帐户成功进行身份验证。
Kubernetes RBAC-禁止授予额外特权的尝试
-
我有一个Kubernetes集群,各种资源运行良好。我试图让仪表板工作,但在启动仪表板并输入服务帐户令牌时出现以下错误。 persistentvolumeclaims被禁止:用户“system:serviceaccount:kube system:kubernetes dashboard”无法在命名空间“default”中的API组“”中列出资源“persistentvolumeclaims” 它
-
我想为管理员仪表板创建一个登录表单。我已经创建了相关的控制器和刀片,但当我尝试登录到管理仪表板时,EloquentUserProvider出现错误。我只想要一个管理员的登录表单,而不是用户。 错误: 雄辩的提供程序中的致命错误。php第114行:类型错误:传递给Illumb\Auth\EloquentUserProvider::validateCredentials()的参数1必须是Illumb\
-
正在尝试在kubernetes上运行Spring云数据流服务器。当我尝试打开仪表板url时(https://scdfserverurl/dashboard/#/apps)在浏览器中部分加载,并在日志中显示以下错误。其他组件skipper运行正常,可以访问url。 错误堆栈跟踪 库伯内特斯酒店 波姆。数据流服务器的XML
-
但是在我的群集上没有服务/部署: 谢谢你的帮助
-
> Kubectl apply-f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta4/aio/deploy/recomended.yaml kubectl代理--address=“192.168.56.12”-p 8001-accept-hosts='^*$' [root@k8s-master~]#kubectl
-
try1:直接使用以下命令尝试: 试图使用url http://172.20.22.101:8001/api/v1访问仪表板,但它表示未经授权。 try2:创建了包含以下内容的dashboard-admin.yaml文件: