I have created a service account for helm; the account can use kubectl, but the service account token is not mounted in tiller's pod. Here is the Deployment definition:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: 2019-04-29T08:56:59Z
  generation: 1
  labels:
    app: helm
    name: tiller
  name: tiller-deploy
  namespace: kube-system
  resourceVersion: "560527"
  selfLink: /apis/extensions/v1beta1/namespaces/kube-system/deployments/tiller-deploy
  uid: bf5f4010-6a5c-11e9-b714-52540012345d
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helm
      name: tiller
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: helm
        name: tiller
    spec:
      automountServiceAccountToken: true
      containers:
      - env:
        - name: TILLER_NAMESPACE
          value: kube-system
        - name: TILLER_HISTORY_MAX
          value: "0"
        image: kubernetes-helm/tiller:v2.13.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /liveness
            port: 44135
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: tiller
        ports:
        - containerPort: 44134
          hostPort: 44134
          name: tiller
          protocol: TCP
        - containerPort: 44135
          hostPort: 44135
          name: http
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /readiness
            port: 44135
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      hostNetwork: true
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: tiller
      serviceAccountName: tiller
      terminationGracePeriodSeconds: 30
Here is the service account definition:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
automountServiceAccountToken: true
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
The Kubernetes version is 1.8.2, installed on bare metal. The installation was done manually.
Control plane commands:
kube-apiserver --token-auth-file /etc/kubernetes/useraccount --authorization-mode RBAC,ABAC,AlwaysDeny --authorization-policy-file /etc/kubernetes/abac.json --secure-port 5587 --bind-address 1.1.1.1 --insecure-port 0 --service-cluster-ip-range 172.16.0.0/12 --etcd-servers http://1.1.1.1:2379,http://1.1.1.2:2379,http://1.1.1.3:2379 --tls-cert-file apisrv.crt --tls-private-key-file apisrv.key --cert-dir=kubernetes --advertise-address 1.1.1.1 --service-node-port-range 1024-65535 --service-account-key-file sa.crt
kube-controller-manager --kubeconfig kubeconf_admin.yaml --cluster-cidr 192.168.0.0/16 --service-account-private-key-file sa.key --root-ca-file sa.crt --leader-elect true
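As an added diagnostic (not part of the question above), the script below checks the two things that decide whether a pod gets a token: the pod's automount setting and the token volume that the apiserver's ServiceAccount admission plugin injects, which must be listed in --admission-control (or --enable-admission-plugins on newer releases) and is absent from the flags quoted above. The apiserver command line and pod spec are constructed here from the question's values (shortened), and the hostNetwork finding is included because the Deployment exposes tiller's ports on the node.

```python
# Added diagnostic; assumes the apiserver flags and pod spec are passed in as below.

# Constructed from the apiserver flags quoted in the question (shortened).
APISERVER_CMD = ("kube-apiserver --token-auth-file /etc/kubernetes/useraccount "
                 "--authorization-mode RBAC,ABAC,AlwaysDeny --secure-port 5587 "
                 "--insecure-port 0 --service-account-key-file sa.crt")

# Constructed pod spec mirroring the tiller Deployment template (no token volume).
POD_SPEC = {
    "automountServiceAccountToken": True,
    "serviceAccountName": "tiller",
    "hostNetwork": True,
    "containers": [{"name": "tiller", "volumeMounts": []}],
    "volumes": [],
}

TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"

def parse_flags(cmdline):
    """Return {flag: value} for both '--flag value' and '--flag=value' forms."""
    tokens = cmdline.split()[1:]
    flags, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, val = tok[2:].split("=", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                key, val = tok[2:], tokens[i + 1]
                i += 1
            else:
                key, val = tok[2:], "true"  # bare boolean flag
            flags[key] = val
        i += 1
    return flags

def serviceaccount_admission_enabled(flags):
    """The ServiceAccount admission plugin injects the token volume into new pods."""
    for key in ("admission-control", "enable-admission-plugins"):
        if "ServiceAccount" in flags.get(key, "").split(","):
            return True
    return False

def token_mounted(pod_spec):
    """True if any container mounts something at the well-known token path."""
    return any(m.get("mountPath") == TOKEN_PATH
               for c in pod_spec.get("containers", [])
               for m in c.get("volumeMounts", []))

def diagnose(cmdline, pod_spec):
    """Return a list of findings explaining why the token may be missing."""
    findings = []
    if pod_spec.get("automountServiceAccountToken", True) and not token_mounted(pod_spec):
        findings.append("token volume missing although automount is enabled")
    if not serviceaccount_admission_enabled(parse_flags(cmdline)):
        findings.append("apiserver does not enable the ServiceAccount admission plugin")
    if pod_spec.get("hostNetwork"):
        findings.append("pod uses hostNetwork, so its ports listen on the node itself")
    return findings
```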