Failed to register an Autopilot GKE cluster to Anthos

Problem description

I am trying to add an existing GKE cluster (an Autopilot cluster) to Anthos in the same project. It updates the hub membership, however, the gke-connect agent pod fails with an RBAC-related error.

$ for ns in $(kubectl get ns -o jsonpath={.items..metadata.name} -l hub.gke.io/project); do
>   echo "======= Logs $ns ======="
>   kubectl logs -n $ns -l app=gke-connect-agent
> done
======= Logs gke-connect =======
2021/03/26 15:57:50.604149 gkeconnect_agent.go:39: GKE Connect Agent. Log timestamps in UTC.
2021/03/26 15:57:50.604380 gkeconnect_agent.go:40:
Built on: 2021-03-19 09:40:57 +0000 UTC
Built at: 363842994
Build Status: mint
Build Label: 20210319-01-00
2021/03/26 15:57:50.715289 gkeconnect_agent.go:50: error creating kubernetes
 connect agent: unable to retrieve namespace "kube-system" to be used as
 connectionID: namespaces "kube-system" is forbidden: User
 "system:serviceaccount:gke-connect:connect-agent-sa" cannot get resource 
"namespaces" in API group "" in the namespace "kube-system"

I checked the role binding for the connect-agent-sa service account, and the role appears to have the necessary get namespaces permission, but it still fails.

$ k get role gke-connect-agent-20210319-01-00 -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-03-26T16:35:12Z"
  labels:
    hub.gke.io/project: xxxxxxxxxxxxxxxxxxx
    version: 20210319-01-00
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .: {}
          f:hub.gke.io/project: {}
          f:version: {}
      f:rules: {}
    manager: GoogleCloudConsole
    operation: Update
    time: "2021-03-26T16:35:12Z"
  name: gke-connect-agent-20210319-01-00
  namespace: gke-connect
  resourceVersion: "10595136"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/gke-connect/roles/gke-connect-agent-20210319-01-00
  uid: xxxxxxxx
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  - namespaces   <-- namespaces!!!
  - configmaps
  verbs:
  - get          <-- get!!!  
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create

Are there other restrictions or policies that I'm not aware of? Is it because the auto-pilot cluster

Tags: kubernetes, google-kubernetes-engine, google-anthos
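The RBAC scoping behind that error message, as an added Python model (not code from the question, GKE or Anthos): a Role's rules only apply to requests whose namespace attribute equals the RoleBinding's namespace, so the Role shown above, bound in gke-connect, cannot match a request for the namespace "kube-system"; the same rules granted as a ClusterRole via a ClusterRoleBinding would. The subject name and the rules are copied from the page; the Binding class and can_i helper are constructed here.

```python
"""Minimal model of Kubernetes RBAC scoping (added example, not Anthos code)."""
from dataclasses import dataclass
from typing import Optional

AGENT_SA = "system:serviceaccount:gke-connect:connect-agent-sa"

# Rules copied from the gke-connect-agent Role quoted in the question.
AGENT_RULES = [
    {"apiGroups": [""], "resources": ["secrets", "namespaces", "configmaps"],
     "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create"]},
]


@dataclass
class Binding:
    """A (Cluster)RoleBinding: namespace=None models a ClusterRoleBinding."""
    subject: str
    rules: list
    namespace: Optional[str]


def rule_matches(rule, verb, group, resource):
    return (group in rule["apiGroups"] and resource in rule["resources"]
            and (verb in rule["verbs"] or "*" in rule["verbs"]))


def can_i(bindings, subject, verb, group, resource, namespace):
    """True if any binding authorises the request for this subject.

    A namespaced binding is only consulted when the request's namespace
    attribute equals the binding's namespace; cluster bindings always are.
    """
    for b in bindings:
        if b.subject != subject:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(rule_matches(r, verb, group, resource) for r in b.rules):
            return True
    return False


# Constructed bindings: the Role as bound in gke-connect, and the same rules cluster-wide.
ROLEBINDING = [Binding(AGENT_SA, AGENT_RULES, "gke-connect")]
CLUSTERROLEBINDING = [Binding(AGENT_SA, AGENT_RULES, None)]

if __name__ == "__main__":
    for label, bs in (("RoleBinding in gke-connect", ROLEBINDING),
                      ("ClusterRoleBinding", CLUSTERROLEBINDING)):
        for ns in ("gke-connect", "kube-system"):
            print(f"{label}: get namespaces {ns} ->",
                  can_i(bs, AGENT_SA, "get", "", "namespaces", ns))
```

The same question can be put to a live cluster with `kubectl auth can-i get namespaces -n kube-system --as=system:serviceaccount:gke-connect:connect-agent-sa`, which evaluates the real authorizer rather than this model.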

Solution
