KubernetesClientException:取消升级到 Spring Cloud 2022.0.3 后,配置的服务帐户无权访问

问题描述 投票:0回答:1

这个问题不是关于如何正确设置具有正确角色的服务帐户以访问 K8s 资源的一般问题。由于 Spring Boot 和 Spring Cloud 升级后访问配置映射出现问题,导致 Spring 应用程序启动失败,因此需要寻求帮助,而之前运行良好的东西。

所以问题是:升级带来了哪些我们不知道的配置或任何依赖项的变化,即破坏了 Fabric8 KubernetesClient 启动时对配置映射的访问?我仍在调查这是否与How to make configuration with discovery First Lookup work with spring cloud 2022.0.3

中报告的问题相同

起点是在 Spring Boot 2.7.14 和 Spring Cloud 2021.0.8 之上开发的微型。在 K8s 1.25 中,应用程序启动时没有任何问题,并且可以在启动时读取配置映射以获取配置以设置码头参数等。

升级到 Spring Boot 3.1.5 和 Spring Cloud 2022.0.3 后,出现了一些问题,我遇到了以下问题:

2023-11-15T15:28:20.472Z  WARN 1 --- [           main] o.s.c.k.c.c.ConfigUtils                  : Failure executing: GET at: https://kubernetes.default.svc/api/v1/namespaces/fesvc-namespace/configmaps. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. configmaps is forbidden: User "system:serviceaccount:fesvc-namespace:fesvc-sa" cannot list resource "configmaps" in API group "" in the namespace "fesvc-namespace".. Ignoring.

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/api/v1/namespaces/fesvc-namespace/configmaps. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. configmaps is forbidden: User "system:serviceaccount:fesvc-namespace:fesvc-sa" cannot list resource "configmaps" in API group "" in the namespace "fesvc-namespace".
        at io.fabric8.kubernetes.client.KubernetesClientException.copyAsCause(KubernetesClientException.java:238) ~[kubernetes-client-api-6.2.0.jar:?]
        at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.waitForResult(OperationSupport.java:517) ~[kubernetes-client-6.2.0.jar:?]
        at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:404) ~[kubernetes-client-6.2.0.jar:?]
        at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:378) ~[kubernetes-client-6.2.0.jar:?]
        at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:88) ~[kubernetes-client-6.2.0.jar:?]
        at org.springframework.cloud.kubernetes.fabric8.config.Fabric8ConfigMapsCache.lambda$byNamespace$0(Fabric8ConfigMapsCache.java:56) ~[spring-cloud-kubernetes-fabric8-config-3.0.3.jar:3.0.3]
        at java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1708) ~[?:?]
...

接下来是 

org.springframework.context.ApplicationContextException
,因为无法读取创建 
WebServerFactoryCustomizer
类型的 bean 所需的属性,导致 Web 服务器启动失败。因此,问题似乎出乎意料地出现在启动期间对配置映射的访问中,而以前没有失败过。我的意思是应用程序的 K8s 规范没有任何变化:我们期望一切都像以前一样工作。

pom的相关部分:

家长pom:

<dependencyManagement>
        <dependencies>
            <!-- Spring Boot dependencies -->
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-dependencies</artifactId>
                <version>${spring.boot.dependencies}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring.cloud.dep.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
            ...
         </dependencies>
</dependencyManagement>

中级pom:

<dependencies>
...
    <!-- Spring Framework dependencies start -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
      <exclusions>
        <exclusion>
          <groupId>org.apache.logging.log4j</groupId>
          <artifactId>log4j-to-slf4j</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-logging</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-log4j2</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-stream</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-stream-binder-kafka</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-kubernetes-fabric8-config</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-bootstrap</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <exclusions>
        <exclusion>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-tomcat</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-jetty</artifactId>
    </dependency>
    <dependency>
      <groupId>org.eclipse.jetty.http2</groupId>
      <artifactId>http2-server</artifactId>
    </dependency>
    <dependency>
      <groupId>org.eclipse.jetty</groupId>
      <artifactId>jetty-jmx</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.ws</groupId>
      <artifactId>spring-ws-core</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.integration</groupId>
      <artifactId>spring-integration-sftp</artifactId>
    </dependency>
    <!-- Spring Framework dependencies end -->
...
</dependencies>

K8s版本:

Client Version: v1.26.1
Kustomize Version: v4.5.7
Server Version: v1.25.2

尽管如此,我已经检查了 k8s 端的所有设置是否正确,我认为是:有一个角色来定义权限集,一个服务帐户用于从 API 访问资源,还有一个 rb 附加两者,以及应该存储令牌的 Pod 中的预计体积:

apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  annotations:
    ericsson.com/product-name: fesvc
    ericsson.com/product-number:
    ericsson.com/product-revision:
    meta.helm.sh/release-name: fesvc-tests
    meta.helm.sh/release-namespace: fesvc-namespace
  creationTimestamp: "2023-11-14T14:42:50Z"
  labels:
    app.kubernetes.io/instance: fesvc-tests
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: fesvc
    app.kubernetes.io/version: 
    chart: fesvc-1.17.0-3
  name: fesvc-sa
  namespace: fesvc-namespace
  resourceVersion: "690"
  uid: 010b3cb2-0ff2-4059-ba14-3b6b04fa3d70

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    ericsson.com/product-name: fesvc
    ericsson.com/product-number: 
    ericsson.com/product-revision: 
    meta.helm.sh/release-name: fesvc-tests
    meta.helm.sh/release-namespace: fesvc-namespace
  creationTimestamp: "2023-11-14T14:42:50Z"
  labels:
    app.kubernetes.io/instance: fesvc-tests
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: fesvc
    app.kubernetes.io/version: 
    chart: fesvc-1.17.0-3
  name: fesvc-api-role
  namespace: fesvc-namespace
  resourceVersion: "714"
  uid: f0b76567-b854-4bcf-a423-042059cd51c3
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    ericsson.com/product-name: fesvc
    ericsson.com/product-number: 
    ericsson.com/product-revision: 
    meta.helm.sh/release-name: fesvc-tests
    meta.helm.sh/release-namespace: fesvc-namespace
  creationTimestamp: "2023-11-14T14:42:50Z"
  labels:
    app.kubernetes.io/instance: fesvc-tests
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: fesvc
    app.kubernetes.io/version:
    chart: fesvc-1.17.0-3
  name: fesvc-api-rolebinding
  namespace: fesvc-namespace
  resourceVersion: "721"
  uid: 0cacd75b-7d30-4e4e-a4d5-f32a312dacba
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: fesvc-api-role
subjects:
- kind: ServiceAccount
  name: fesvc-sa
  namespace: fesvc-namespace
spring-boot spring-cloud spring-cloud-config fabric8 fabric8-kubernetes-client
1个回答
0
投票

我回答自己只是为了以防万一对某人有帮助。

io.fabric8 / Spring Cloud 组合中发生了一些变化,我在任何文档中都没有找到,但事实是,从 Spring Cloud 2021.0.8 升级到 2022.0.3 后,Service 的 RBAC 处理似乎发生了变化帐户,具有相同版本的 Kubernetes。

我报告的错误通过将“列表”动词添加到我们用来通过服务帐户获取 cm 的角色来修复,如下所示:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    ericsson.com/product-name: fesvc
    ericsson.com/product-number: 
    ericsson.com/product-revision: 
    meta.helm.sh/release-name: fesvc-tests
    meta.helm.sh/release-namespace: fesvc-namespace
  creationTimestamp: "2023-11-14T14:42:50Z"
  labels:
    app.kubernetes.io/instance: fesvc-tests
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: fesvc
    app.kubernetes.io/version: 
    chart: fesvc-1.17.0-3
  name: fesvc-api-role
  namespace: fesvc-namespace
  resourceVersion: "714"
  uid: f0b76567-b854-4bcf-a423-042059cd51c3
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get

更改后(我坚持认为,以前不需要)一切都像升级前一样工作。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.