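All my permissions were working fine before. After upgrading to EKS 1.25, I started getting the error below when running
kubectl logs pod -n namespace
I tried to debug it. I looked at the configMap, clusterRole, and RoleBinding. I don't see any apparent issue (it has actually been two years since I created these objects; perhaps I am missing something now with the latest version of Kubernetes?)
Internal error occurred: Authorization error (user=kube-apiserver-kubelet-client, verb=get, resource=nodes, subresource=proxy)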
aws-auth configMap
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::<some-number>:role/eksctl-<xyz-abs>-nodegrou-NodeInstanceRole-DMQXBTLLXHNU
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - userarn: arn:aws:iam::043519645107:user/kube-developer
      username: kube-developer
      groups:
      - kube-developer
kind: ConfigMap
metadata:
  creationTimestamp: "2020-07-03T16:55:08Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "104191269"
  uid: 844f189d-b3d6-4204-bf85-7b789c0ee91a
ClusterRole and RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-developer-cr
rules:
- apiGroups: ["*"]
  resources:
  - configmaps
  - endpoints
  - events
  - ingresses
  - ingresses/status
  - services
  verbs:
  - create
  - get
  - list
  - update
  - watch
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-developer-crb
subjects:
- kind: Group
  name: kube-developer
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: kube-developer-cr
  apiGroup: rbac.authorization.k8s.io
---EDIT----
I tried creating a ClusterRoleBinding with the same user that the error message reports, kube-apiserver-kubelet-client, and assigned it the roleRef kubelet-api-admin, but I am still getting the same issue.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-apiserver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kubelet-api-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kube-apiserver-kubelet-client
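---EDIT---
On the second day of debugging, I launched another EKS instance. I found that it has CSRs (certificate signing requests), whereas my EKS is missing the CSRs.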
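I had the same symptoms when upgrading EKS. I upgraded EKS and added nodes running a newer kubelet version, but did not move the running workloads to the new nodes, hence the error message. Things started working for me when I ran:
kubectl drain <node>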
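
One way to find the nodes that the answer above says still need draining, as an added example that is not part of the original posts. It assumes a "stale" node is any node whose kubelet minor version differs from the upgraded control plane; the node names and version strings in the sample are constructed, and the helper names `minor_of` and `stale_nodes` are hypothetical.

```shell
#!/bin/sh
# Added example: list nodes whose kubelet minor version does not match the
# control plane, i.e. the old nodes still carrying workloads after the upgrade.

# minor_of VERSION: reduce a kubelet version string to MAJOR.MINOR.
minor_of() {
  printf '%s\n' "$1" | sed -E 's/^v?([0-9]+)\.([0-9]+).*/\1.\2/'
}

# stale_nodes TARGET_MINOR: read "NAME KUBELET_VERSION" lines on stdin and
# print the name of every node whose kubelet minor version is not TARGET_MINOR.
stale_nodes() {
  target="$1"
  while read -r name ver; do
    [ -n "$name" ] || continue            # skip blank lines
    if [ "$(minor_of "$ver")" != "$target" ]; then
      printf '%s\n' "$name"
    fi
  done
}

# Constructed sample of the output of:
#   kubectl get nodes --no-headers \
#     -o custom-columns=NAME:.metadata.name,VER:.status.nodeInfo.kubeletVersion
SAMPLE_NODES='ip-10-0-1-11.ec2.internal   v1.22.17-eks-0a21954
ip-10-0-1-12.ec2.internal   v1.22.17-eks-0a21954
ip-10-0-2-21.ec2.internal   v1.25.6-eks-48e63af'

# Against a live cluster (not run here), pipe the real listing into
# stale_nodes and drain each reported node so its pods reschedule onto the
# upgraded nodes:
#   ... | stale_nodes 1.25 | while read -r n; do
#     kubectl drain "$n" --ignore-daemonsets
#   done
printf '%s\n' "$SAMPLE_NODES" | stale_nodes 1.25
```

On the sample this prints the two v1.22 nodes and leaves out the v1.25 node.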