I am using tensile-kube to set up a lab cluster with 1 upper node linked to 2 providers.

I can create pods, secrets, PVCs... but when calling logs, it fails:

root@tensible-kube-master:~# kubectl logs nginx-deployment-66b6c48dd5-dxc2n 
Error from server (NotFound): the server could not find the requested resource ( pods/log nginx-deployment-66b6c48dd5-dxc2n)

On the upper node:

root@tensible-kube-master:~# kubectl get pod -o wide
NAME                                READY   STATUS             RESTARTS   AGE   IP             NODE              NOMINATED NODE   READINESS GATES
nginx-deployment-66b6c48dd5-dxc2n   1/1     Running            0          18m   10.244.71.14   192.168.122.212   <none>           <none>
nginx-deployment-66b6c48dd5-fwwzb   1/1     Running            0          50m   10.244.71.11   192.168.122.212   <none>           <none>

On the provider:

root@tensile-kube-master-lower1:~# kubectl get pod -o wide
NAME                                READY   STATUS             RESTARTS   AGE   IP             NODE                         NOMINATED NODE   READINESS GATES
nginx-deployment-66b6c48dd5-dxc2n   1/1     Running            0          19m   10.244.71.14   tensile-kube-worker-lower1   <none>           <none>
nginx-deployment-66b6c48dd5-fwwzb   1/1     Running            0          51m   10.244.71.11   tensile-kube-worker-lower1   <none>           <none>

So has anyone used tensile-kube and retrieved logs from a provider pod?


Update #1:

I have created another user, with a ClusterRole that has access to pods, but no logs from it:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2020-10-10T03:13:16Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: kubectl-edit
    operation: Update
    time: "2020-10-10T03:18:18Z"
  name: readonlyuser
  resourceVersion: "54949"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/readonlyuser
  uid: 237b02e7-cf30-4fe2-8234-241d49ae12c0
rules:
- apiGroups:
  - ""
  resources:
  - pods/log
  - pods
  verbs:
  - get
  - list
  - watch

I used that user's context, and the problem is still the same:

root@tensible-kube-master:~# kubectl config use-context podreader
Switched to context "podreader".

root@tensible-kube-master:~# kubectl get pod
NAME                                READY   STATUS             RESTARTS   AGE
nginx-deployment-66b6c48dd5-dxc2n   1/1     Running            1          18h
nginx-deployment-764c5ccb79-xms6q   1/2     ImagePullBackOff   1          19h

root@tensible-kube-master:~# kubectl logs nginx-deployment-66b6c48dd5-dxc2n
Error from server (NotFound): the server could not find the requested resource ( pods/log nginx-deployment-66b6c48dd5-dxc2n)
root@tensible-kube-master:~# kubectl exec -it nginx-deployment-66b6c48dd5-dxc2n /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
Error from server (Forbidden): pods "nginx-deployment-66b6c48dd5-dxc2n" is forbidden: User "system:serviceaccount:default:readonlyuser" cannot create resource "pods/exec" in API group "" in the namespace "default"
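
The two errors in the post come from different layers, which the ClusterRole itself can show. The following is an added example, not part of the original post or of tensile-kube: a simplified model of Kubernetes RBAC rule matching (no `resourceNames` or `nonResourceURLs`) evaluated against the posted `readonlyuser` rules, with the verb and subresource for each command taken from the error messages above.

```python
# Constructed input: the "rules" section of the ClusterRole posted above.
READONLYUSER_RULES = [
    {"apiGroups": [""], "resources": ["pods/log", "pods"],
     "verbs": ["get", "list", "watch"]},
]

def _resource_matches(rule_resource, resource, subresource):
    """Match one entry of rule.resources against a request."""
    requested = f"{resource}/{subresource}" if subresource else resource
    if rule_resource in ("*", requested):
        return True
    # "*/<sub>" grants a subresource on every resource type.
    return bool(subresource) and rule_resource == f"*/{subresource}"

def rbac_allows(rules, verb, api_group, resource, subresource=""):
    """Simplified RBAC check: one rule matching verb, group and resource allows.
    resourceNames and nonResourceURLs are not modelled (assumption)."""
    for rule in rules:
        if not any(v in ("*", verb) for v in rule.get("verbs", [])):
            continue
        if not any(g in ("*", api_group) for g in rule.get("apiGroups", [])):
            continue
        if any(_resource_matches(r, resource, subresource)
               for r in rule.get("resources", [])):
            return True
    return False

def expected_status(rules, verb, resource, subresource=""):
    """Outcome of the authorization step for a core-group ("") request."""
    if rbac_allows(rules, verb, "", resource, subresource):
        return "authorized (any later error is not an RBAC denial)"
    return "403 Forbidden"

# Requests behind the commands in the post: (verb, resource, subresource).
REQUESTS = {
    "kubectl get pod": ("list", "pods", ""),
    "kubectl logs": ("get", "pods", "log"),
    "kubectl exec": ("create", "pods", "exec"),
}

if __name__ == "__main__":
    for cmd, (verb, res, sub) in REQUESTS.items():
        print(f"{cmd:16} -> {expected_status(READONLYUSER_RULES, verb, res, sub)}")
```

The role authorizes `get` on `pods/log`, so the `NotFound` on `kubectl logs` is not an RBAC denial; only `kubectl exec` is rejected by authorization, matching the `Forbidden` message.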
