我在啓用k8s 1.6.4 RBAC的羣集上嘗試kubectl exec
,返回的錯誤爲:error: unable to upgrade connection: Unauthorized
。 docker exec
在同一個容器上成功。否則,kubectl
正在工作。 kubectl
通過SSH連接的隧道,但我不認爲這是問題。「kubectl exec」導致出現「錯誤:無法升級連接:未經授權」
kubelet authn已啓用,但不是authz。 docs默認認爲authz是AlwaysAllow,所以我已經這樣離開了它。
我有一種感覺,它類似於this issue。但是錯誤信息有點不同。
在此先感謝!
爲kubectl exec
命令詳細日誌:
I0614 16:50:11.003677 64104 round_trippers.go:398] curl -k -v -XPOST -H "X-Stream-Protocol-Version: v4.channel.k8s.io" -H "X-Stream-Protocol-Version: v3.channel.k8s.io" -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true
I0614 16:50:11.003705 64104 round_trippers.go:398] curl -k -v -XPOST -H "X-Stream-Protocol-Version: v4.channel.k8s.io" -H "X-Stream-Protocol-Version: v3.channel.k8s.io" -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" -H "User-Agent: kubectl/v1.6.4 (darwin/amd64) kubernetes/d6f4332" https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true
I0614 16:50:11.169474 64104 round_trippers.go:417] POST https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true 401 Unauthorized in 165 milliseconds
I0614 16:50:11.169493 64104 round_trippers.go:423] Response Headers:
I0614 16:50:11.169497 64104 round_trippers.go:426] Date: Wed, 14 Jun 2017 08:50:11 GMT
I0614 16:50:11.169500 64104 round_trippers.go:426] Content-Length: 12
I0614 16:50:11.169502 64104 round_trippers.go:426] Content-Type: text/plain; charset=utf-8
I0614 16:50:11.169506 64104 round_trippers.go:417] POST https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true 401 Unauthorized in 165 milliseconds
I0614 16:50:11.169509 64104 round_trippers.go:423] Response Headers:
I0614 16:50:11.169512 64104 round_trippers.go:426] Date: Wed, 14 Jun 2017 08:50:11 GMT
I0614 16:50:11.169545 64104 round_trippers.go:426] Content-Length: 12
I0614 16:50:11.169548 64104 round_trippers.go:426] Content-Type: text/plain; charset=utf-8
F0614 16:50:11.169635 64104 helpers.go:119] error: unable to upgrade connection: Unauthorized
你可以提供一些關於這個'kubectl隧道'的更多細節,你如何使用ssh創建隧道。 – sfgroups
我將'localhost:6443'轉發給工作節點,就像'ssh -L 6443:localhost:6443 worker1.kube'。然後我配置'kubectl'連接到'localhost:6443'。 –