Pod CrashLoopBackOff error with automountServiceAccountToken set to false

Posted 2025-01-16 21:52:05 · 3033 characters · 0 views · 0 comments

Hi Kubernetes Experts,

I was using the following ServiceAccount creation config:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-scheduler
  namespace: kube-system

and the following Deployment config:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    component: scheduler
    tier: control-plane
  name: my-scheduler
  namespace: kube-system
spec:
  ...
  template:
    metadata:
      labels:
        component: scheduler
        tier: control-plane
        version: second
        k8s-custom-scheduler: my-scheduler
    spec:
      serviceAccountName: my-scheduler

Things were working fine, and now I want to make my pod more secure by setting automountServiceAccountToken to false.

I changed my ServiceAccount creation and deployment config:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-scheduler
  namespace: kube-system
automountServiceAccountToken: false

Deployment config:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    component: scheduler
    tier: control-plane
  name: my-scheduler
  namespace: kube-system
spec:
  ...
  template:
    metadata:
      labels:
        component: scheduler
        tier: control-plane
        version: second
        k8s-custom-scheduler: my-scheduler
    spec:
      serviceAccountName: my-scheduler
      automountServiceAccountToken: false

After setting this, my scheduler pod is not coming up and it says CrashLoopBackOff.

Error:

I0325 17:37:50.304810       1 flags.go:33] FLAG: --write-config-to=""
I0325 17:37:50.891504       1 serving.go:319] Generated self-signed cert in-memory
W0325 17:37:51.168023       1 authentication.go:387] failed to read in-cluster kubeconfig for delegated authentication: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
W0325 17:37:51.168064       1 authentication.go:249] No authentication-kubeconfig provided in order to lookup client-ca-file in configmap/extension-apiserver-authentication in kube-system, so client certificate authentication won't work.
W0325 17:37:51.168072       1 authentication.go:252] No authentication-kubeconfig provided in order to lookup requestheader-client-ca-file in configmap/extension-apiserver-authentication in kube-system, so request-header client certificate authentication won't work.
W0325 17:37:51.168089       1 authorization.go:177] failed to read in-cluster kubeconfig for delegated authorization: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
W0325 17:37:51.168102       1 authorization.go:146] No authorization-kubeconfig provided, so SubjectAccessReview of authorization tokens won't work.
W0325 17:37:51.168111       1 options.go:298] Neither --kubeconfig nor --master was specified. Using default API client. This might not work.
invalid configuration: no configuration has been provided

I believe we need to configure something more along with automountServiceAccountToken: false.
Can someone point me to the additional configurations needed to use automountServiceAccountToken: false?

Comments (1)

因为看清所以看轻 2025-01-23 21:52:05

Configure Service Accounts for Pods

You can access the API from inside a pod using automatically mounted service account credentials.
In version 1.6+, you can opt out of automounting API credentials for a service account by setting automountServiceAccountToken: false on the service account or for a particular pod.

So, when you are creating a ServiceAccount and a Deployment like in your example yaml files, credentials for accessing the Kubernetes API are not automatically mounted to the Pod. But your k8s Deployment 'my-scheduler' requires them to access the API.

You can test your ServiceAccount with some dummy Deployment of nginx, for example, and it will work without mounting credentials.

Also, if you create a ServiceAccount like in your example:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-scheduler
  namespace: kube-system
automountServiceAccountToken: false

You can manually mount the API credentials like this:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-scheduler
  namespace: kube-system
...
spec:
  ...
  template:
    metadata:
      labels:
        app: my-scheduler
    spec:
      containers:
      - image: <YOUR_IMAGE>
        imagePullPolicy: Always
        name: my-scheduler
        volumeMounts:
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: kube-api-access
          readOnly: true
      serviceAccountName: my-scheduler
      volumes:
      - name: kube-api-access
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              expirationSeconds: 3607
              path: token
          - configMap:
              items:
              - key: ca.crt
                path: ca.crt
              name: kube-root-ca.crt
          - downwardAPI:
              items:
              - fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
                path: namespace

See the Managing Service Accounts link for more information.
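Added example (not part of the question or the answer above): a small Python audit that applies the precedence rule the answer relies on (the pod's automountServiceAccountToken overrides the ServiceAccount's; unset means automount) and checks for the manual projected serviceAccountToken volume, classifying the three configurations on this page. The sample specs are constructed dicts mirroring the YAML above, with a placeholder image name.

```python
TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"  # kubelet's default mount path

def token_automounted(service_account: dict, pod_spec: dict) -> bool:
    """Pod-level automountServiceAccountToken overrides the ServiceAccount's;
    when neither is set, Kubernetes defaults to automounting the token."""
    for obj in (pod_spec, service_account):
        setting = obj.get("automountServiceAccountToken")
        if setting is not None:
            return bool(setting)
    return True

def manual_token_mounts(pod_spec: dict) -> list:
    """Names of containers that mount a projected serviceAccountToken volume
    (the manual replacement shown in the answer)."""
    token_volumes = {
        vol["name"] for vol in pod_spec.get("volumes", [])
        if any("serviceAccountToken" in src
               for src in (vol.get("projected") or {}).get("sources", []))
    }
    return [c["name"] for c in pod_spec.get("containers", [])
            if any(m.get("name") in token_volumes for m in c.get("volumeMounts", []))]

def audit(service_account: dict, pod_spec: dict) -> str:
    """'automounted', 'manual-projected', or 'no-token' (the asker's crashing state)."""
    if token_automounted(service_account, pod_spec):
        return "automounted"
    if manual_token_mounts(pod_spec):
        return "manual-projected"
    return "no-token"

# Constructed samples mirroring the three configurations discussed on this page.
SA_DEFAULT = {"metadata": {"name": "my-scheduler"}}
SA_NO_AUTOMOUNT = dict(SA_DEFAULT, automountServiceAccountToken=False)
POD_ORIGINAL = {"serviceAccountName": "my-scheduler",
                "containers": [{"name": "my-scheduler", "image": "<YOUR_IMAGE>"}]}
POD_BROKEN = dict(POD_ORIGINAL, automountServiceAccountToken=False)  # asker's change
POD_FIXED = {  # answer's manual projected volume; SA still has automount false
    "serviceAccountName": "my-scheduler",
    "containers": [{"name": "my-scheduler", "image": "<YOUR_IMAGE>",
                    "volumeMounts": [{"name": "kube-api-access",
                                      "mountPath": TOKEN_DIR, "readOnly": True}]}],
    "volumes": [{"name": "kube-api-access", "projected": {"sources": [
        {"serviceAccountToken": {"path": "token", "expirationSeconds": 3607}}]}}],
}

if __name__ == "__main__":
    for label, sa, pod in [("original", SA_DEFAULT, POD_ORIGINAL),
                           ("asker's change", SA_NO_AUTOMOUNT, POD_BROKEN),
                           ("answer's fix", SA_NO_AUTOMOUNT, POD_FIXED)]:
        print(f"{label}: {audit(sa, pod)}")
```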
