Error creating an nginx image: it reports no permission to create?

```
[root@master01 ~]# kubectl get pods
NAME                    READY   STATUS             RESTARTS      AGE
nginx-8b4f58777-jhlpf   0/1     CrashLoopBackOff   6 (37s ago)   6m38s
[root@master01 ~]
```

Error log

```
[root@master01 ~]# kubectl logs nginx-8b4f58777-jhlpf  -c nginx-ingress-controller
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       1.1.2
  Build:         fb72fcd8
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.21.6

-------------------------------------------------------------------------------

W1016 08:39:12.756226       1 client_config.go:615] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I1016 08:39:12.756593       1 main.go:223] "Creating API client" host="https://10.80.0.1:443"
I1016 08:39:12.768017       1 main.go:267] "Running in Kubernetes cluster" major="1" minor="23" git="v1.23.0" state="clean" commit="ab69524f795c42094a6630298ff53f3c3ebab7f4" platform="linux/amd64"
I1016 08:39:13.146491       1 main.go:104] "SSL fake certificate created" file="/etc/ingress-controller/ssl/default-fake-certificate.pem"
W1016 08:39:13.150888       1 main.go:114] No permissions to list and get Ingress Classes: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:default:default" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope, IngressClass feature will be disabled
F1016 08:39:13.150928       1 main.go:123] Unexpected error obtaining ingress-nginx pod: unable to get POD information (missing POD_NAME or POD_NAMESPACE environment variable
goroutine 1 [running]:
k8s.io/klog/v2.stacks(0x1)
        k8s.io/klog/v2@v2.9.0/klog.go:1026 +0x8a
k8s.io/klog/v2.(*loggingT).output(0x28bb100, 0x3, {0x0, 0x0}, 0xc0002aa150, 0x0, {0x1f94934, 0xc00003b800}, 0x0, 0x0)
        k8s.io/klog/v2@v2.9.0/klog.go:975 +0x63d
k8s.io/klog/v2.(*loggingT).printf(0x0, 0x0, {0x0, 0x0}, {0x0, 0x0}, {0x1995ae3, 0x30}, {0xc00003b800, 0x1, ...})
        k8s.io/klog/v2@v2.9.0/klog.go:753 +0x1e5
k8s.io/klog/v2.Fatalf(...)
        k8s.io/klog/v2@v2.9.0/klog.go:1514
main.main()
        k8s.io/ingress-nginx/cmd/nginx/main.go:123 +0xb4e

goroutine 19 [chan receive]:
k8s.io/klog/v2.(*loggingT).flushDaemon(0xc000224480)
        k8s.io/klog/v2@v2.9.0/klog.go:1169 +0x6a
created by k8s.io/klog/v2.init.0
        k8s.io/klog/v2@v2.9.0/klog.go:420 +0xfb

goroutine 25 [IO wait]:
internal/poll.runtime_pollWait(0x7f17673b5f48, 0x72)
        runtime/netpoll.go:234 +0x89
internal/poll.(*pollDesc).wait(0xc00022f380, 0xc00014e900, 0x0)
        internal/poll/fd_poll_runtime.go:84 +0x32
internal/poll.(*pollDesc).waitRead(...)
        internal/poll/fd_poll_runtime.go:89
internal/poll.(*FD).Read(0xc00022f380, {0xc00014e900, 0x8e3, 0x8e3})
        internal/poll/fd_unix.go:167 +0x25a
net.(*netFD).Read(0xc00022f380, {0xc00014e900, 0xc00014e968, 0x189})
        net/fd_posix.go:56 +0x29
net.(*conn).Read(0xc0000a2008, {0xc00014e900, 0x4172e6, 0xc0005ad7f0})
        net/net.go:183 +0x45
crypto/tls.(*atLeastReader).Read(0xc0004020d8, {0xc00014e900, 0x0, 0x409f2d})
        crypto/tls/conn.go:777 +0x3d
bytes.(*Buffer).ReadFrom(0xc0004bc278, {0x1b7d500, 0xc0004020d8})
        bytes/buffer.go:204 +0x98
crypto/tls.(*Conn).readFromUntil(0xc0004bc000, {0x1b7fb20, 0xc0000a2008}, 0x880)
        crypto/tls/conn.go:799 +0xe5
crypto/tls.(*Conn).readRecordOrCCS(0xc0004bc000, 0x0)
        crypto/tls/conn.go:606 +0x112
crypto/tls.(*Conn).readRecord(...)
        crypto/tls/conn.go:574
crypto/tls.(*Conn).Read(0xc0004bc000, {0xc0004ee000, 0x1000, 0x9aaa20})
        crypto/tls/conn.go:1277 +0x16f
bufio.(*Reader).Read(0xc00040e1e0, {0xc0004e4200, 0x9, 0x9b89e2})
        bufio/bufio.go:227 +0x1b4
io.ReadAtLeast({0x1b7d360, 0xc00040e1e0}, {0xc0004e4200, 0x9, 0x9}, 0x9)
        io/io.go:328 +0x9a
io.ReadFull(...)
        io/io.go:347
golang.org/x/net/http2.readFrameHeader({0xc0004e4200, 0x9, 0xc0015a2120}, {0x1b7d360, 0xc00040e1e0})
        golang.org/x/net@v0.0.0-20211209124913-491a49abca63/http2/frame.go:237 +0x6e
golang.org/x/net/http2.(*Framer).ReadFrame(0xc0004e41c0)
        golang.org/x/net@v0.0.0-20211209124913-491a49abca63/http2/frame.go:498 +0x95
golang.org/x/net/http2.(*clientConnReadLoop).run(0xc0005adf98)
        golang.org/x/net@v0.0.0-20211209124913-491a49abca63/http2/transport.go:2101 +0x130
golang.org/x/net/http2.(*ClientConn).readLoop(0xc0004ba180)
        golang.org/x/net@v0.0.0-20211209124913-491a49abca63/http2/transport.go:1997 +0x6f
created by golang.org/x/net/http2.(*Transport).newClientConn
        golang.org/x/net@v0.0.0-20211209124913-491a49abca63/http2/transport.go:725 +0xac5
```

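Analysis based on the error log (I gave it to GPT-3.5 to analyze; I'm still learning and can't do this myself yet)

Based on the provided log, the error messages are as follows: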

```
No permissions to list and get Ingress Classes: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:default:default" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope, IngressClass feature will be disabled
Unexpected error obtaining ingress-nginx pod: unable to get POD information (missing POD_NAME or POD_NAMESPACE environment variable
```

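From these error messages, the following conclusions can be drawn:

1. The error message `No permissions to list and get Ingress Classes` indicates that the current user (`system:serviceaccount:default:default`) does not have permission to get Ingress Classes. This may cause the IngressClass feature to be disabled. Make sure the user is given appropriate permissions to get Ingress Classes.
2. The error message `Unexpected error obtaining ingress-nginx pod` indicates that information about the ingress-nginx Pod could not be obtained. The error reports that the `POD_NAME` or `POD_NAMESPACE` environment variable is missing. This may be caused by a misconfigured environment variable or by the Pod not running correctly.

To address these problems, you can take the following steps:

1. Make sure the user `system:serviceaccount:default:default` has been assigned appropriate permissions so that it can get Ingress Classes. You can use RBAC (Role-Based Access Control) to assign appropriate permissions.
2. Check the configuration of the `POD_NAME` and `POD_NAMESPACE` environment variables. You can run the following command to inspect the Pod configuration: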

```
kubectl describe pod nginx-8b4f58777-jhlpf
```

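Make sure `POD_NAME` and `POD_NAMESPACE` are correctly set in the environment variables and passed to the container.

If the problem persists, please provide more details, especially context about how the Ingress Controller was configured and deployed, so that we can better help you resolve it.

Trying to update the permissions

Permissions can be assigned to the user `system:serviceaccount:default:default` through Kubernetes' RBAC (Role-Based Access Control) mechanism. You can proceed as follows:

1. Create an RBAC configuration file named `ingress-controller-rbac.yaml` and add the following content to it: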

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-controller-rolebinding
  namespace: default
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
roleRef:
  kind: ClusterRole
  name: ingress-controller-role
  apiGroup: rbac.authorization.k8s.io
```

This configuration file assigns the `ClusterRole` named `ingress-controller-role` to the `ServiceAccount` named `default` in the `default` namespace.

2. Run the following command to create the RBAC role binding:

```
kubectl apply -f ingress-controller-rbac.yaml
```

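This uses the role binding defined in the RBAC configuration file to assign permissions to the `system:serviceaccount:default:default` user.

3. Make sure the `ingress-nginx` Pod is running in the `default` namespace. If the Pod runs in another namespace, make `metadata.namespace` in the RBAC configuration file match the namespace the Pod is in.

After completing the steps above, the user `system:serviceaccount:default:default` will have permission to get Ingress Classes, and the problems mentioned in the error messages should be resolved. Remember to make sure the role you assign to the user has appropriate permissions to meet your needs.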
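A least-privilege sketch for the two errors in the log, added here as an example (not from the original post or the ingress-nginx project): the log says the `list` was denied "at the cluster scope", and a namespaced RoleBinding grants nothing cluster-wide, so this uses a ClusterRoleBinding, and it binds a dedicated ServiceAccount so that other pods running as `default` do not inherit the access. The names `ingress-nginx` and `ingress-nginx-ingressclass-reader` are assumptions, and the controller needs further permissions that are not shown here.

```yaml
# Added example; names marked (assumed) do not come from the page.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx                       # (assumed) dedicated account, not "default"
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-ingressclass-reader   # (assumed)
rules:
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingressclasses"]           # the resource named in the warning
    verbs: ["get", "list", "watch"]         # read-only
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding                    # IngressClass is cluster-scoped
metadata:
  name: ingress-nginx-ingressclass-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-ingressclass-reader
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: default
---
# Patch fragment for the controller Deployment's pod template: save it in its
# own file and merge it into the Deployment; it is not a complete object.
spec:
  template:
    spec:
      serviceAccountName: ingress-nginx
      containers:
        - name: nginx-ingress-controller    # container name used with "kubectl logs -c"
          env:
            - name: POD_NAME                # Downward API: the pod's own name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE           # Downward API: the pod's own namespace
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
```

After applying the RBAC objects, `kubectl auth can-i list ingressclasses.networking.k8s.io --as=system:serviceaccount:default:ingress-nginx` should answer `yes`, while the same query for `system:serviceaccount:default:default` should still answer `no`.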

 
