
Failed to register an Autopilot GKE cluster to Anthos

How to resolve: failed to register an Autopilot GKE cluster to Anthos

I am trying to add an existing GKE cluster (an Autopilot cluster) to Anthos in the same project. The hub membership gets updated, but the gke-connect agent pod fails with an RBAC-related error.

$ for ns in $(kubectl get ns -o jsonpath={.items..metadata.name} -l hub.gke.io/project); do
>   echo "======= Logs $ns ======="
>   kubectl logs -n $ns -l app=gke-connect-agent
> done
======= Logs gke-connect =======
2021/03/26 15:57:50.604149 gkeconnect_agent.go:39: GKE Connect Agent. Log timestamps in UTC.
2021/03/26 15:57:50.604380 gkeconnect_agent.go:40:
Built on: 2021-03-19 09:40:57 +0000 UTC
Built at: 363842994
Build Status: mint
Build Label: 20210319-01-00
2021/03/26 15:57:50.715289 gkeconnect_agent.go:50: error creating kubernetes
 connect agent: unable to retrieve namespace "kube-system" to be used as
 connectionID: namespaces "kube-system" is forbidden: User
 "system:serviceaccount:gke-connect:connect-agent-sa" cannot get resource 
"namespaces" in API group "" in the namespace "kube-system"

I checked the role binding for the connect-agent-sa service account, and the role appears to have the necessary permission for get namespaces, yet it still fails.

$ k get role gke-connect-agent-20210319-01-00 -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-03-26T16:35:12Z"
  labels:
    hub.gke.io/project: xxxxxxxxxxxxxxxxxxx
    version: 20210319-01-00
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .: {}
          f:hub.gke.io/project: {}
          f:version: {}
      f:rules: {}
    manager: GoogleCloudConsole
    operation: Update
    time: "2021-03-26T16:35:12Z"
  name: gke-connect-agent-20210319-01-00
  namespace: gke-connect
  resourceVersion: "10595136"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/gke-connect/roles/gke-connect-agent-20210319-01-00
  uid: xxxxxxxx
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  - namespaces   <-- namespaces!!!
  - configmaps
  verbs:
  - get          <-- get!!!  
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create

Are there other restrictions or policies that I am not aware of? Is it because it is an Autopilot cluster?
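As an added example (not part of the question and not GKE Connect's own code), the following small Python model of Kubernetes RBAC scoping shows why a Role like the one above cannot satisfy the request in the log: a Role and its RoleBinding only cover requests scoped to their own namespace, and the forbidden message itself reports that the API server scopes the GET of the Namespace object to the namespace "kube-system". The class and function names (`Rule`, `Grant`, `can_i`, `check_agent_requests`) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:                       # one entry of a (Cluster)Role's `rules:` list
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]

@dataclass
class Grant:
    """A (Cluster)Role bound to one subject; namespace is the RoleBinding's
    namespace for a Role and None for a ClusterRoleBinding."""
    subject: str
    rules: List[Rule]
    namespace: Optional[str] = None

def _rule_matches(rule: Rule, verb: str, group: str, resource: str) -> bool:
    def hit(wanted: str, allowed: List[str]) -> bool:
        return wanted in allowed or "*" in allowed
    return hit(verb, rule.verbs) and hit(group, rule.api_groups) and hit(resource, rule.resources)

def can_i(grants: List[Grant], subject: str, verb: str, group: str,
          resource: str, request_namespace: str) -> bool:
    """Like `kubectl auth can-i --as <subject>`: a RoleBinding only covers requests
    whose namespace equals the binding's; a ClusterRoleBinding covers all of them."""
    for g in grants:
        if g.subject != subject:
            continue
        if g.namespace is not None and g.namespace != request_namespace:
            continue
        if any(_rule_matches(r, verb, group, resource) for r in g.rules):
            return True
    return False

# The agent's identity and the Role rules copied from the YAML in the question,
# bound (as the question describes) inside the gke-connect namespace.
AGENT_SA = "system:serviceaccount:gke-connect:connect-agent-sa"
CONNECT_ROLE = [Rule([""], ["secrets", "namespaces", "configmaps"], ["get", "watch", "list"]),
                Rule([""], ["events"], ["create"])]
GRANTS = [Grant(AGENT_SA, CONNECT_ROLE, namespace="gke-connect")]

def check_agent_requests(grants: List[Grant] = GRANTS) -> dict:
    # For GET /api/v1/namespaces/kube-system the API server scopes the request to
    # namespace "kube-system" itself, which is exactly what the forbidden message
    # in the log reports; the gke-connect-scoped Role therefore never matches it.
    return {
        "get namespaces/gke-connect": can_i(grants, AGENT_SA, "get", "", "namespaces", "gke-connect"),
        "get namespaces/kube-system": can_i(grants, AGENT_SA, "get", "", "namespaces", "kube-system"),
    }
```

Binding the same rules through a ClusterRoleBinding (a `Grant` with `namespace=None`) is what makes the kube-system request pass in this model; `kubectl auth can-i get namespaces/kube-system --as=system:serviceaccount:gke-connect:connect-agent-sa` gives the real cluster's answer.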
