服务帐户令牌未安装在 Pod 中

服务帐户令牌未安装在 Pod 中

我已经为 helm 创建了一个服务帐户;该帐户可以使用kubectl,但服务帐户令牌未安装在 tiller 的 pod 中。以下是 Deployment 的定义:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: 2019-04-29T08:56:59Z
  generation: 1
  labels:
    app: helm
    name: tiller
  name: tiller-deploy
  namespace: kube-system
  resourceVersion: "560527"
  selfLink: /apis/extensions/v1beta1/namespaces/kube-system/deployments/tiller-deploy
  uid: bf5f4010-6a5c-11e9-b714-52540012345d
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helm
      name: tiller
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: helm
        name: tiller
    spec:
      automountServiceAccountToken: true
      containers:
      - env:
        - name: TILLER_NAMESPACE
          value: kube-system
        - name: TILLER_HISTORY_MAX
          value: "0"
        image: kubernetes-helm/tiller:v2.13.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /liveness
            port: 44135
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: tiller
        ports:
        - containerPort: 44134
          hostPort: 44134
          name: tiller
          protocol: TCP
        - containerPort: 44135
          hostPort: 44135
          name: http
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /readiness
            port: 44135
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      hostNetwork: true
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: tiller
      serviceAccountName: tiller
      terminationGracePeriodSeconds: 30

这是服务帐户的定义:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: tiller
      namespace: kube-system
    automountServiceAccountToken: true
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: tiller
    subjects:
     - kind: ServiceAccount
       name: tiller
       namespace: kube-system
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io

Kubernetes 版本为 1.8.2,安装在裸机上。安装方式为手动。

控制平面命令:

kube-apiserver --token-auth-file /etc/kubernetes/useraccount --authorization-mode RBAC,ABAC,AlwaysDeny --authorization-policy-file /etc/kubernetes/abac.json --secure-port 5587 --bind-address 1.1.1.1 --insecure-port 0 --service-cluster-ip-range 172.16.0.0/12 --etcd-servers http://1.1.1.1:2379,http://1.1.1.2:2379,http://1.1.1.3:2379 --tls-cert-file apisrv.crt --tls-private-key-file apisrv.key --cert-dir=kubernetes --advertise-address 1.1.1.1 --service-node-port-range 1024-65535 --service-account-key-file sa.crt


kube-controller-manager --kubeconfig kubeconf_admin.yaml --cluster-cidr 192.168.0.0/16 --service-account-private-key-file sa.key --root-ca-file sa.crt --leader-elect true

相关内容