这个问题不是关于如何正确设置具有正确角色的服务帐户以访问 K8s 资源的一般问题。由于 Spring Boot 和 Spring Cloud 升级后访问配置映射出现问题,导致 Spring 应用程序启动失败,因此需要寻求帮助,而之前运行良好的东西。
所以问题是:升级带来了哪些我们不知道的配置或任何依赖项的变化,即破坏了 Fabric8 KubernetesClient 启动时对配置映射的访问?我仍在调查这是否与How to make configuration with discovery First Lookup work with spring cloud 2022.0.3
中报告的问题相同起点是在 Spring Boot 2.7.14 和 Spring Cloud 2021.0.8 之上开发的微型。在 K8s 1.25 中,应用程序启动时没有任何问题,并且可以在启动时读取配置映射以获取配置以设置码头参数等。
升级到 Spring Boot 3.1.5 和 Spring Cloud 2022.0.3 后,出现了一些问题,我遇到了以下问题:
2023-11-15T15:28:20.472Z WARN 1 --- [ main] o.s.c.k.c.c.ConfigUtils : Failure executing: GET at: https://kubernetes.default.svc/api/v1/namespaces/fesvc-namespace/configmaps. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. configmaps is forbidden: User "system:serviceaccount:fesvc-namespace:fesvc-sa" cannot list resource "configmaps" in API group "" in the namespace "fesvc-namespace".. Ignoring.
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/api/v1/namespaces/fesvc-namespace/configmaps. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. configmaps is forbidden: User "system:serviceaccount:fesvc-namespace:fesvc-sa" cannot list resource "configmaps" in API group "" in the namespace "fesvc-namespace".
at io.fabric8.kubernetes.client.KubernetesClientException.copyAsCause(KubernetesClientException.java:238) ~[kubernetes-client-api-6.2.0.jar:?]
at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.waitForResult(OperationSupport.java:517) ~[kubernetes-client-6.2.0.jar:?]
at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:404) ~[kubernetes-client-6.2.0.jar:?]
at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:378) ~[kubernetes-client-6.2.0.jar:?]
at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:88) ~[kubernetes-client-6.2.0.jar:?]
at org.springframework.cloud.kubernetes.fabric8.config.Fabric8ConfigMapsCache.lambda$byNamespace$0(Fabric8ConfigMapsCache.java:56) ~[spring-cloud-kubernetes-fabric8-config-3.0.3.jar:3.0.3]
at java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1708) ~[?:?]
...
接下来是
org.springframework.context.ApplicationContextException
,因为无法读取创建 WebServerFactoryCustomizer
类型的 bean 所需的属性,导致 Web 服务器启动失败。因此,问题似乎出乎意料地出现在启动期间对配置映射的访问中,而以前没有失败过。我的意思是应用程序的 K8s 规范没有任何变化:我们期望一切都像以前一样工作。
pom的相关部分:
家长pom:
<dependencyManagement>
<dependencies>
<!-- Spring Boot dependencies -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>${spring.boot.dependencies}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>${spring.cloud.dep.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
...
</dependencies>
</dependencyManagement>
中级pom:
<dependencies>
...
<!-- Spring Framework dependencies start -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
<exclusions>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-to-slf4j</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j2</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-stream</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-stream-binder-kafka</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-kubernetes-fabric8-config</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-bootstrap</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jetty</artifactId>
</dependency>
<dependency>
<groupId>org.eclipse.jetty.http2</groupId>
<artifactId>http2-server</artifactId>
</dependency>
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-jmx</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.ws</groupId>
<artifactId>spring-ws-core</artifactId>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.integration</groupId>
<artifactId>spring-integration-sftp</artifactId>
</dependency>
<!-- Spring Framework dependencies end -->
...
</dependencies>
K8s版本:
Client Version: v1.26.1
Kustomize Version: v4.5.7
Server Version: v1.25.2
尽管如此,我已经检查了 k8s 端的所有设置是否正确,我认为是:有一个角色来定义权限集,一个服务帐户用于从 API 访问资源,还有一个 rb 附加两者,以及应该存储令牌的 Pod 中的预计体积:
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
annotations:
ericsson.com/product-name: fesvc
ericsson.com/product-number:
ericsson.com/product-revision:
meta.helm.sh/release-name: fesvc-tests
meta.helm.sh/release-namespace: fesvc-namespace
creationTimestamp: "2023-11-14T14:42:50Z"
labels:
app.kubernetes.io/instance: fesvc-tests
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: fesvc
app.kubernetes.io/version:
chart: fesvc-1.17.0-3
name: fesvc-sa
namespace: fesvc-namespace
resourceVersion: "690"
uid: 010b3cb2-0ff2-4059-ba14-3b6b04fa3d70
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
ericsson.com/product-name: fesvc
ericsson.com/product-number:
ericsson.com/product-revision:
meta.helm.sh/release-name: fesvc-tests
meta.helm.sh/release-namespace: fesvc-namespace
creationTimestamp: "2023-11-14T14:42:50Z"
labels:
app.kubernetes.io/instance: fesvc-tests
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: fesvc
app.kubernetes.io/version:
chart: fesvc-1.17.0-3
name: fesvc-api-role
namespace: fesvc-namespace
resourceVersion: "714"
uid: f0b76567-b854-4bcf-a423-042059cd51c3
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- get
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
ericsson.com/product-name: fesvc
ericsson.com/product-number:
ericsson.com/product-revision:
meta.helm.sh/release-name: fesvc-tests
meta.helm.sh/release-namespace: fesvc-namespace
creationTimestamp: "2023-11-14T14:42:50Z"
labels:
app.kubernetes.io/instance: fesvc-tests
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: fesvc
app.kubernetes.io/version:
chart: fesvc-1.17.0-3
name: fesvc-api-rolebinding
namespace: fesvc-namespace
resourceVersion: "721"
uid: 0cacd75b-7d30-4e4e-a4d5-f32a312dacba
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: fesvc-api-role
subjects:
- kind: ServiceAccount
name: fesvc-sa
namespace: fesvc-namespace
我回答自己只是为了以防万一对某人有帮助。
io.fabric8 / Spring Cloud 组合中发生了一些变化,我在任何文档中都没有找到,但事实是,从 Spring Cloud 2021.0.8 升级到 2022.0.3 后,Service 的 RBAC 处理似乎发生了变化帐户,具有相同版本的 Kubernetes。
我报告的错误通过将“列表”动词添加到我们用来通过服务帐户获取 cm 的角色来修复,如下所示:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
ericsson.com/product-name: fesvc
ericsson.com/product-number:
ericsson.com/product-revision:
meta.helm.sh/release-name: fesvc-tests
meta.helm.sh/release-namespace: fesvc-namespace
creationTimestamp: "2023-11-14T14:42:50Z"
labels:
app.kubernetes.io/instance: fesvc-tests
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: fesvc
app.kubernetes.io/version:
chart: fesvc-1.17.0-3
name: fesvc-api-role
namespace: fesvc-namespace
resourceVersion: "714"
uid: f0b76567-b854-4bcf-a423-042059cd51c3
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- watch
- list
- apiGroups:
- ""
resources:
- pods
verbs:
- get
更改后(我坚持认为,以前不需要)一切都像升级前一样工作。