Ambassador pod crashes with error "message": "namespaces \"default\" is forbidden"

Problem description

The Ambassador link that was working before has stopped working. Ambassador is installed in the namespace platform-ns.

kubectl logs ambassador-6fb4f95889-pjr6b -n platform-ns

2020-06-19 09:14:25 kubewatch [10 TMainThread] 0.75.0 DEBUG: looking up ID for namespace default
2020-06-19 09:14:25 kubewatch [10 TMainThread] 0.75.0 ERROR: couldn't read namespace default? (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': '6a4514c1-e475-4445-9994-ccb29f0e9bc1', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Fri, 19 Jun 2020 09:14:25 GMT', 'Content-Length': '335'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"namespaces \"default\" is forbidden: User \"system:serviceaccount:platform-ns:ambassador\" cannot get resource \"namespaces\" in API group \"\" in the namespace \"default\"","reason":"Forbidden","details":{"name":"default","kind":"namespaces"},"code":403}
2020/06/19 09:14:30 ERROR(s): kubebootstrap: WORKER PANICKED: mappings.getambassador.io is forbidden: User "system:serviceaccount:platform-ns:ambassador" cannot list resource "mappings" in API group "getambassador.io" at the cluster scope
goroutine 102 [running]:
Already tried running:
kubectl create serviceaccount --namespace platform-ns tiller
kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=platform-ns:tiller
kubectl patch deploy --namespace platform-ns tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'

Tags: kubernetes, kubernetes-helm, kubernetes-pod, azure-aks, ambassador

Solution


This looks like an RBAC issue. Check the Ambassador ClusterRole, ClusterRoleBinding and ServiceAccount to make sure they are all in sync. The ServiceAccount should be in the same ns as Ambassador, and it should have a default token assigned to it. If you only have single-namespace permissions, you can actually do this in helm with the helm value scope.singleNamespace: true.
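One way to do the check the answer recommends without touching the cluster, as an added example that is not part of the original question or answer and is not Ambassador's own code: parse the two Forbidden messages from the log above into the access checks they describe, then evaluate those checks against ClusterRole and ClusterRoleBinding objects in the shape that kubectl get -o json returns. The ClusterRole rules, the "broken" binding whose subject names the wrong namespace, and the fixed binding are all constructed for this example; they are not the objects from the cluster in the question, and the evaluator deliberately ignores RoleBindings and resourceNames.

```python
import json
import re

# --- Input: the two 403 messages from the question's log, copied verbatim ---
API_403_BODY = r'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"namespaces \"default\" is forbidden: User \"system:serviceaccount:platform-ns:ambassador\" cannot get resource \"namespaces\" in API group \"\" in the namespace \"default\"","reason":"Forbidden","details":{"name":"default","kind":"namespaces"},"code":403}'
PANIC_MSG = 'mappings.getambassador.io is forbidden: User "system:serviceaccount:platform-ns:ambassador" cannot list resource "mappings" in API group "getambassador.io" at the cluster scope'

# Shape of the apiserver's Forbidden message; both log lines above match it.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)


def parse_forbidden(message):
    """Turn a Forbidden message into the access check it describes, or None."""
    m = FORBIDDEN_RE.search(message)
    if not m:
        return None
    check = m.groupdict()
    check["namespace"] = check["namespace"] or "cluster"  # "cluster" marks cluster scope
    return check


# The two requests that fail in the log, one from the JSON body, one from the panic.
CHECKS = [
    parse_forbidden(json.loads(API_403_BODY)["message"]),
    parse_forbidden(PANIC_MSG),
]

# --- Constructed RBAC objects (hypothetical, not the project's real manifests) ---
CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "ambassador"},
    "rules": [
        {"apiGroups": [""], "resources": ["namespaces", "services", "endpoints"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["getambassador.io"], "resources": ["*"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Out of sync: the subject names the service account in "default", but the pod
# runs as system:serviceaccount:platform-ns:ambassador, so nothing is granted.
BROKEN_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "ambassador"},
    "roleRef": {"kind": "ClusterRole", "name": "ambassador"},
    "subjects": [{"kind": "ServiceAccount", "name": "ambassador", "namespace": "default"}],
}

# Corrected: subject namespace matches the namespace Ambassador is installed in.
FIXED_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "ambassador"},
    "roleRef": {"kind": "ClusterRole", "name": "ambassador"},
    "subjects": [{"kind": "ServiceAccount", "name": "ambassador", "namespace": "platform-ns"}],
}


def _rule_allows(rule, group, resource, verb):
    """Does one PolicyRule cover this verb on this group/resource? ('*' is a wildcard.)"""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))


def sa_can(user, verb, group, resource, cluster_roles, bindings):
    """True if some ClusterRoleBinding lists this service account as a subject and
    its ClusterRole grants the verb. A dangling roleRef counts as no grant."""
    _, _, sa_namespace, sa_name = user.split(":", 3)  # system:serviceaccount:<ns>:<name>
    roles_by_name = {r["metadata"]["name"]: r for r in cluster_roles}
    for binding in bindings:
        if binding.get("roleRef", {}).get("kind") != "ClusterRole":
            continue
        bound = any(s.get("kind") == "ServiceAccount"
                    and s.get("name") == sa_name
                    and s.get("namespace") == sa_namespace
                    for s in binding.get("subjects", []))
        if not bound:
            continue
        role = roles_by_name.get(binding["roleRef"]["name"])
        if role is None:
            continue
        if any(_rule_allows(rule, group, resource, verb) for rule in role.get("rules", [])):
            return True
    return False


def audit(bindings):
    """Evaluate every parsed check against the constructed ClusterRole and the given bindings."""
    result = {}
    for c in CHECKS:
        key = f'{c["verb"]} {c["resource"]}' + (f'.{c["group"]}' if c["group"] else "")
        result[key] = sa_can(c["user"], c["verb"], c["group"], c["resource"],
                             [CLUSTER_ROLE], bindings)
    return result


if __name__ == "__main__":
    print("with broken binding:", json.dumps(audit([BROKEN_BINDING])))
    print("with fixed binding: ", json.dumps(audit([FIXED_BINDING])))
```

Against a live cluster the same question is answered by kubectl auth can-i list mappings.getambassador.io --as=system:serviceaccount:platform-ns:ambassador, and the objects can be dumped with kubectl get clusterrole,clusterrolebinding -o json and fed to the same evaluator; if both verbs come back denied, look first at the binding's subject namespace and roleRef name, since those are the two fields that most often drift out of sync with the ServiceAccount.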

