This article covers how to handle "kubectl exec" failing with "error: unable to upgrade connection: Unauthorized".

Problem description

I tried kubectl exec on a k8s 1.6.4 RBAC-enabled cluster and the error returned was: error: unable to upgrade connection: Unauthorized. docker exec on the same container succeeds. Otherwise, kubectl is working. kubectl tunnels through an SSH connection but I don't think this is the issue.

kubelet authn is enabled but not authz. The docs say that authz is AlwaysAllow by default, so I have left it this way.

I have a feeling that it is similar to this issue. But the error message is a tad different.

Thanks in advance!

Verbose log of the kubectl exec command:

I0614 16:50:11.003677   64104 round_trippers.go:398] curl -k -v -XPOST  -H "X-Stream-Protocol-Version: v4.channel.k8s.io" -H "X-Stream-Protocol-Version: v3.channel.k8s.io" -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true
I0614 16:50:11.003705   64104 round_trippers.go:398] curl -k -v -XPOST  -H "X-Stream-Protocol-Version: v4.channel.k8s.io" -H "X-Stream-Protocol-Version: v3.channel.k8s.io" -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" -H "User-Agent: kubectl/v1.6.4 (darwin/amd64) kubernetes/d6f4332" https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true
I0614 16:50:11.169474   64104 round_trippers.go:417] POST https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true 401 Unauthorized in 165 milliseconds
I0614 16:50:11.169493   64104 round_trippers.go:423] Response Headers:
I0614 16:50:11.169497   64104 round_trippers.go:426]     Date: Wed, 14 Jun 2017 08:50:11 GMT
I0614 16:50:11.169500   64104 round_trippers.go:426]     Content-Length: 12
I0614 16:50:11.169502   64104 round_trippers.go:426]     Content-Type: text/plain; charset=utf-8
I0614 16:50:11.169506   64104 round_trippers.go:417] POST https://localhost:6443/api/v1/namespaces/monitoring/pods/alertmanager-main-0/exec?command=%2Fbin%2Fls&container=alertmanager&container=alertmanager&stderr=true&stdout=true 401 Unauthorized in 165 milliseconds
I0614 16:50:11.169509   64104 round_trippers.go:423] Response Headers:
I0614 16:50:11.169512   64104 round_trippers.go:426]     Date: Wed, 14 Jun 2017 08:50:11 GMT
I0614 16:50:11.169545   64104 round_trippers.go:426]     Content-Length: 12
I0614 16:50:11.169548   64104 round_trippers.go:426]     Content-Type: text/plain; charset=utf-8
F0614 16:50:11.169635   64104 helpers.go:119] error: unable to upgrade connection: Unauthorized

Recommended answer

This is an RTFM moment... The solution was basically to follow all the steps on this page for authn, authz, or both.

I had omitted --kubelet-client-certificate and --kubelet-client-key which resulted in the error. Without these flags, kube-apiserver will fail to authenticate with kubelet when you do a kubectl exec.

My original attempt to configure authn was by reading the docs for the kubelet daemon (i.e. not the one above). Hence the grave omission.
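
A pre-flight check for the omission described in the answer, as an added example that is not part of the original answer: it parses a kube-apiserver argument list and reports whether `--kubelet-client-certificate` and `--kubelet-client-key` are both set. The function names and the sample arguments are constructed for illustration; `cert_signed_by` assumes the kubelet validates client certificates against the CA file given to it with `--client-ca-file`.

```shell
#!/bin/sh
# Added example: check that kube-apiserver is given credentials to
# authenticate to the kubelet (needed for exec, attach, logs, port-forward).

# flag_value NAME ARGS... : print the value of --NAME, accepting both
# "--NAME=value" and "--NAME value"; returns 1 if absent or without a value.
flag_value() {
    name="--$1"; shift
    while [ $# -gt 0 ]; do
        case "$1" in
            "$name"=*) printf '%s\n' "${1#*=}"; return 0 ;;
            "$name")   case "${2:-}" in
                           ""|--*) return 1 ;;   # next token is not a value
                           *) printf '%s\n' "$2"; return 0 ;;
                       esac ;;
        esac
        shift
    done
    return 1
}

# check_kubelet_client_auth ARGS... : prints "ok" and returns 0 when both
# flags carry a non-empty value; otherwise prints the missing flags, returns 1.
check_kubelet_client_auth() {
    missing=""
    for f in kubelet-client-certificate kubelet-client-key; do
        v=$(flag_value "$f" "$@") && [ -n "$v" ] || missing="$missing --$f"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# cert_signed_by CA_FILE CERT_FILE : returns 0 if the apiserver's kubelet
# client certificate chains to the CA the kubelet trusts for client auth.
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample: an RBAC-enabled apiserver started without the two flags,
# as in the question. Prints the flags that still need to be added.
check_kubelet_client_auth --secure-port=6443 --authorization-mode=RBAC || true
```
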
