“ kubectl exec”导致“错误:无法升级连接:未经授权”

  • Z时代
  • 2024-01-10
  • 分类:问答

kubectl exec在启用了k8s 1.6.4 RBAC的群集上进行了尝试,返回的错误是:error: unable to upgrade

connection: Unauthorizeddocker

exec在同一容器上成功。否则,kubectl正在工作。kubectl通过SSH连接建立隧道,但我认为这不是问题。

已启用kubelet身份验证,但未启用authz。该文档说的authz是AlwaysAllow默认情况下,所以我离开了这种方式。

我感觉它类似于这个问题。但是错误消息有点不同。

提前致谢!

kubectl exec命令的详细日志:

I0614 16:50:11.003677   64104 round_trippers.go:398] curl -k -v -XPOST  -H "X-Stream-Protocol-Version: v4.channel.k8s.io" -H "X-Stream-Protocol-Version: v3.channel.k8s.io" -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true
I0614 16:50:11.003705   64104 round_trippers.go:398] curl -k -v -XPOST  -H "X-Stream-Protocol-Version: v4.channel.k8s.io" -H "X-Stream-Protocol-Version: v3.channel.k8s.io" -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" -H "User-Agent: kubectl/v1.6.4 (darwin/amd64) kubernetes/d6f4332" https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true
I0614 16:50:11.169474   64104 round_trippers.go:417] POST https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true 401 Unauthorized in 165 milliseconds
I0614 16:50:11.169493   64104 round_trippers.go:423] Response Headers:
I0614 16:50:11.169497   64104 round_trippers.go:426]     Date: Wed, 14 Jun 2017 08:50:11 GMT
I0614 16:50:11.169500   64104 round_trippers.go:426]     Content-Length: 12
I0614 16:50:11.169502   64104 round_trippers.go:426]     Content-Type: text/plain; charset=utf-8
I0614 16:50:11.169506   64104 round_trippers.go:417] POST https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true 401 Unauthorized in 165 milliseconds
I0614 16:50:11.169509   64104 round_trippers.go:423] Response Headers:
I0614 16:50:11.169512   64104 round_trippers.go:426]     Date: Wed, 14 Jun 2017 08:50:11 GMT
I0614 16:50:11.169545   64104 round_trippers.go:426]     Content-Length: 12
I0614 16:50:11.169548   64104 round_trippers.go:426]     Content-Type: text/plain; charset=utf-8
F0614 16:50:11.169635   64104 helpers.go:119] error: unable to upgrade connection: Unauthorized

回答:

这是一个RTFM时刻…解决方案基本上是针对authn,authz或同时执行此页面上的所有步骤。

我省略了--kubelet-client-certificate--kubelet-client-

key这导致了错误。如果没有这些标记,kube-apiserver则在执行时将无法通过kubelet进行身份验证kubectl exec

我最初配置authn的尝试是通过阅读kubelet守护程序的文档(即,不是上面的文档)。因此,严重的遗漏。

以上是 “ kubectl exec”导致“错误:无法升级连接:未经授权” 的全部内容, 来源链接: utcz.com/qa/419468.html

回到顶部