kubernetes apiserver的node鉴权
起因 近日使用团队内部一直在维护的ansible role playbook初始化一个新的k8s集群(v1.19)时遇到了问题,kubectl get node命令显示各个节点一直是NotReady状态,同时各节点上的kubelet日志一直报下面的错误:
... kubelet.go:2209] node "node1" not found ... reflector.go:127] k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.Node: failed to list *v1.Node: nodes "node1" is forbidden: User "system:node:node1" cannot list resource "nodes" in API group "" at the cluster scope ... failed to ensure node lease exists, will retry in 7s, error: leases.coordination.k8s.io "node1" is forbidden: User "system:node:node1" cannot get resource "leases" in API group "coordination.k8s.io" in...mespace "kube-node-lease" ... kubelet_node_status.go:470] Error updating node status, will retry: error getting node "node1": nodes "node1" is forbidden: User "system:node:node1" cannot get resource "nodes" in API group "" at the cluster scope 从日志中初步分析是kubelet对apiserver的访问权限问题引起,由于使用这个ansible role是团队内部一直在维护的,目前管理着线上线下共4套k8s集群,一直没有这个问题出现。于是初步怀疑已有的4套集群是经历了各个历史版本逐步升级到1.19的,这个过程中可能k8s给自动做了相关的配置兼容性, 现在初始化的这个新集群因为是全新安装,可能我们的ansible playbook生成的配置已经不正确了。