为什么我在kubernetes上没有默认的serviceAccount? [英] Why don't I have a default serviceAccount on kubernetes?
问题描述
我正在尝试让Kubernetes在某些运行CoreOS的本地计算机上运行.我松散地遵循本指南.一切似乎都已启动并运行,并且我能够通过kubectl连接到api.但是,当我尝试创建一个Pod时,出现此错误:
I'm trying to get Kubernetes running on some local machines running CoreOS. I'm loosely following this guide. Everything seems to be up and running, and I'm able to connect to the api via kubectl. However, when I try to create a pod, I get this error:
Pod "redis-master" is forbidden: Missing service account default/default: <nil>
执行 kubectl获取serviceAccounts 确认我没有任何ServiceAccounts:
Doing kubectl get serviceAccounts confirms that I don't have any ServiceAccounts:
NAME SECRETS
According to the documentation, each namespace should have a default ServiceAccount. Running kubectl get namespace confirms that I have the default namespace:
NAME LABELS STATUS
default <none> Active
我是Kubernetes和CoreOS的新手,所以我确定有些事情我会忽略,但是我一生都无法弄清楚发生了什么.任何指针,我将不胜感激.
I'm brand new to Kubernetes and CoreOS, so I'm sure there's something I'm overlooking, but I can't for the life of me figure out what's going on. I'd appreciate any pointers.
更新
看来kube-controller-manager没有运行.当我尝试运行它时,出现以下消息:
It appears the kube-controller-manager isn't running. When I try to run it, I get this message:
I1104 21:09:49.262780 26292 plugins.go:69] No cloud provider specified.
I1104 21:09:49.262935 26292 nodecontroller.go:114] Sending events to api server.
E1104 21:09:49.263089 26292 controllermanager.go:217] Failed to start service controller: ServiceController should not be run without a cloudprovider.
W1104 21:09:49.629084 26292 request.go:302] field selector: v1 - secrets - type - kubernetes.io/service-account-token: need to check if this is versioned correctly.
W1104 21:09:49.629322 26292 request.go:302] field selector: v1 - serviceAccounts - metadata.name - default: need to check if this is versioned correctly.
W1104 21:09:49.636082 26292 request.go:302] field selector: v1 - serviceAccounts - metadata.name - default: need to check if this is versioned correctly.
W1104 21:09:49.638712 26292 request.go:302] field selector: v1 - secrets - type - kubernetes.io/service-account-token: need to check if this is versioned correctly.
由于我是在本地运行的,因此我没有云提供商.我尝试定义-cloud-provider =" ,但它仍然抱怨相同的错误.
Since I'm running this locally, I don't have a cloud provider. I tried to define --cloud-provider="" but it still complains with the same error.
推荐答案
每个名称空间的默认服务帐户由服务帐户控制器创建,该帐户是kube-controller-manager二进制文件的一部分,是一个循环.因此,请验证二进制文件是否正在运行,并检查其日志中是否有任何提示表明它无法创建服务帐户,请确保将"--service-account-private-key-file = somefile"设置为具有以下内容的文件:有效的PEM密钥.
The default service account for each namespace is created by the service account controller, which is a loop that is part of the kube-controller-manager binary. So, verify that binary is running, and check its logs for anything that suggests it can't create a service account, make sure you set the "--service-account-private-key-file=somefile" to a file that has a valid PEM key.
或者,如果您想在没有服务帐户的情况下取得一些进展,并稍后再返回,则可以通过从api服务器的-中删除"ServiceAccount"选项来禁用阻止您的Pod的准入控制器-admission-controllers 标志.但是您可能希望稍后再解决此问题.
Alternatively, if you want to make some progress without service accounts, and come back to that later, you can disable the admission controller that is blocking your pods by removing the "ServiceAccount" option from your api-server's --admission-controllers flag. But you will probably want to come back and fix that later.
这篇关于为什么我在kubernetes上没有默认的serviceAccount?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
