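kubernetes - no service with name ingress-controller/ingress-default-backend found
Problem description
This configuration works on other clusters, but not on the last one I deployed. There is some kind of problem with my RBAC configuration.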
kubectl get pods -n ingress-controller
NAME                                     READY   STATUS             RESTARTS   AGE
haproxy-ingress-b4d969b8b-dw65k          0/1     CrashLoopBackOff   15         52m
ingress-default-backend-f5dfbf97-6t72p   1/1     Running            0          52m
kubectl logs -n ingress-controller -l run=haproxy-ingress
I0120 11:55:17.347244 6 launch.go:151]
Name: HAProxy
Release: v0.8
Build: git-1351a73
Repository: https://github.com/jcmoraisjr/haproxy-ingress
I0120 11:55:17.347337 6 launch.go:154] Watching for ingress class: haproxy
I0120 11:55:17.347664 6 launch.go:364] Creating API client for https://10.3.0.1:443
I0120 11:55:17.391439 6 launch.go:376] Running in Kubernetes Cluster version v1.16 (v1.16.4) - git (clean) commit 224be7bdce5a9dd0c2fd0d46b83865648e2fe0ba - platform linux/amd64
F0120 11:55:17.401773 6 launch.go:177] no service with name ingress-controller/ingress-default-backend found: services "ingress-default-backend" is forbidden: User "system:serviceaccount:ingress-controller:ingress-controller" cannot get resource "services" in API group "" in the namespace "ingress-controller": RBAC: clusterrole.rbac.authorization.k8s.io "ingress-controller" not found
kubectl get svc -n ingress-controller
NAME                      TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
ingress-default-backend   ClusterIP   10.3.118.160   <none>        8080/TCP   55m
kubectl describe clusterrole ingress-controller
Name: ingress-controller
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRole","metadata":{"annotations":{},"name":"ingress-controller"},"rules":[...
PolicyRule:
  Resources                    Non-Resource URLs  Resource Names  Verbs
  ---------                    -----------------  --------------  -----
  events                       []                 []              [create patch]
  services                     []                 []              [get list watch]
  ingresses.extensions         []                 []              [get list watch]
  nodes                        []                 []              [list watch get]
  configmaps                   []                 []              [list watch]
  endpoints                    []                 []              [list watch]
  pods                         []                 []              [list watch]
  secrets                      []                 []              [list watch]
  ingresses.extensions/status  []                 []              [update]
kubectl describe clusterrolebinding -n ingress-controller ingress-controller
Name: ingress-controller
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"ingress-controller"},"r...
Role:
  Kind:  ClusterRole
  Name:  ingress-controller
Subjects:
  Kind            Name                Namespace
  ----            ----                ---------
  ServiceAccount  ingress-controller  ingress-controller
  User            ingress-controller
kubectl auth can-i get services --as=ingress-controller
no - RBAC: clusterrole.rbac.authorization.k8s.io "ingress-controller" not found
Any help would be appreciated.
Update:
Adding the deployment and RBAC for the ingress-controller:
https://github.com/jcmoraisjr/haproxy-ingress/blob/master/examples/deployment/haproxy-ingress.yaml
https://github.com/jcmoraisjr/haproxy-ingress/blob/master/examples/rbac/ingress-controller-rbac.yml
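Solution
The ClusterRoleBinding is bound to the service account ingress-controller, which works with the daemonset example because it uses serviceAccountName: ingress-controller.
The deployment does not define serviceAccountName, so it uses the default serviceaccount (instead of ingress-controller).
So you can fix the cluster role binding by binding to default: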
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-controller
subjects:
  - kind: ServiceAccount
    name: default
    namespace: ingress-controller
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: ingress-controller
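The check the answer performs by reading the manifests can be automated: resolve the identity a workload's pods run as and compare it with the subjects of the binding. The following is an added example, not code from the original page or from the haproxy-ingress project; the manifests are constructed and trimmed, and the helper names (pod_identity, binding_usernames, is_bound, make_workload, make_binding) are hypothetical.

```python
# Added example. The manifests are constructed and trimmed to the fields
# that matter, shaped like `kubectl get <kind> -o json` output.

def pod_identity(workload):
    """RBAC username that the workload's pods authenticate as."""
    ns = workload["metadata"].get("namespace", "default")
    pod_spec = workload["spec"]["template"]["spec"]
    # With no serviceAccountName, pods run as the namespace's "default" SA.
    sa = pod_spec.get("serviceAccountName") or "default"
    return f"system:serviceaccount:{ns}:{sa}"

def binding_usernames(binding):
    """Usernames granted by a binding (Group subjects are not expanded)."""
    names = set()
    for s in binding.get("subjects") or []:
        if s["kind"] == "ServiceAccount":
            names.add(f"system:serviceaccount:{s['namespace']}:{s['name']}")
        elif s["kind"] == "User":
            names.add(s["name"])
    return names

def is_bound(workload, binding):
    """True when the binding's subjects include the workload's pod identity."""
    return pod_identity(workload) in binding_usernames(binding)

def make_workload(kind, pod_spec):
    return {"kind": kind,
            "metadata": {"name": "haproxy-ingress", "namespace": "ingress-controller"},
            "spec": {"template": {"spec": pod_spec}}}

def make_binding(sa_name):
    return {"kind": "ClusterRoleBinding", "metadata": {"name": "ingress-controller"},
            "subjects": [
                {"kind": "ServiceAccount", "name": sa_name, "namespace": "ingress-controller"},
                {"kind": "User", "name": "ingress-controller"}]}

DAEMONSET = make_workload("DaemonSet", {"serviceAccountName": "ingress-controller"})
DEPLOYMENT = make_workload("Deployment", {})   # serviceAccountName omitted
ORIGINAL = make_binding("ingress-controller")  # subjects as in the question
REBOUND = make_binding("default")              # subjects as in the answer

if __name__ == "__main__":
    for w in (DAEMONSET, DEPLOYMENT):
        for label, b in (("original", ORIGINAL), ("rebound", REBOUND)):
            print(w["kind"], pod_identity(w), label, is_bound(w, b))
```

On a live cluster, the string returned by pod_identity is the value `kubectl auth can-i get services -n ingress-controller --as=<username>` expects for a service account; a bare `--as=ingress-controller` tests the User subject instead.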