kube-dns container crashes due to "Failed to create a kubernetes client: open /var/run/secrets/kubernetes.io/serviceaccount/token: permission denied"

Problem description

In a GKE cluster at version 1.16.6-gke.12 from the rapid channel, the kubedns container of the kube-dns-... pods of the kube-dns service fails permanently due to:

kubedns     15 Mar 2020, 21:43:54   F0315 20:43:54.029575 1 server.go:61] Failed to create a kubernetes client: open /var/run/secrets/kubernetes.io/serviceaccount/token: permission denied
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029539 1 dns.go:48] version: 1.15.8
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029524 1 flags.go:52] FLAG: --vmodule=""
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029517 1 flags.go:52] FLAG: --version="false"
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029512 1 flags.go:52] FLAG: --v="2"
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029506 1 flags.go:52] FLAG: --stderrthreshold="2"
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029500 1 flags.go:52] FLAG: --profiling="false"
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029495 1 flags.go:52] FLAG: --nameservers=""
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029490 1 flags.go:52] FLAG: --logtostderr="true"
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029485 1 flags.go:52] FLAG: --log-flush-frequency="5s"
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029479 1 flags.go:52] FLAG: --log-dir=""
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029466 1 flags.go:52] FLAG: --log-backtrace-at=":0"
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029460 1 flags.go:52] FLAG: --kubecfg-file=""
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029439 1 flags.go:52] FLAG: --kube-master-url=""
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029432 1 flags.go:52] FLAG: --initial-sync-timeout="1m0s"
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029426 1 flags.go:52] FLAG: --healthz-port="8081"
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029419 1 flags.go:52] FLAG: --federations=""
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029412 1 flags.go:52] FLAG: --domain="cluster.local."
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029404 1 flags.go:52] FLAG: --dns-port="10053"
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029398 1 flags.go:52] FLAG: --dns-bind-address="0.0.0.0"
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029390 1 flags.go:52] FLAG: --config-period="10s"
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029382 1 flags.go:52] FLAG: --config-map-namespace="kube-system"
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029373 1 flags.go:52] FLAG: --config-map=""
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029363 1 flags.go:52] FLAG: --config-dir="/kube-dns-config"
kubedns     15 Mar 2020, 21:43:54   I0315 20:43:54.029288 1 flags.go:52] FLAG: --alsologtostderr="false"

Is there a workaround? Where should I report this?

Version information:

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.3", GitCommit:"06ad960bfd03b39c8310aaf92d1e7c12ce618213", GitTreeState:"clean", BuildDate:"2020-02-11T18:14:22Z", GoVersion:"go1.13.6", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"16+", GitVersion:"v1.16.6-gke.12", GitCommit:"74e2d6182ba7947983ec6d59776c38c53b086a37", GitTreeState:"clean", BuildDate:"2020-02-27T18:38:03Z", GoVersion:"go1.13.4b4", Compiler:"gc", Platform:"linux/amd64"}

Tags: kubernetes, dns, google-kubernetes-engine, kubernetes-1.16

Solution


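New GKE clusters now use Kubernetes version 1.14 by default. GKE now offers a preview of Kubernetes 1.17, which requires requesting access from Google Cloud before it can be used. Similarly, when GKE releases a version that uses Kubernetes 1.18, which fixes an issue with service accounts (kubernetes.io/docs/setup/release/notes: "Fixes service account token admission error in clusters that do not run the service account token controller"), that GKE version will also resolve your issue.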

See: kubernetes-1.18, new-kubernetes-release

