kubernetes: Kubernetes 1.0.0 apiserver using http got errors
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"0", GitVersion:"v1.0.0", GitCommit:"cd821444dcf3e1e237b5f3579721440624c9c4fa", GitTreeState:"clean"}
Server Version: version.Info{Major:"1", Minor:"0", GitVersion:"v1.0.0", GitCommit:"cd821444dcf3e1e237b5f3579721440624c9c4fa", GitTreeState:"clean"}
$ kubectl create -f redis-master-controller.json
replicationcontrollers/redis-master
I got so many errors:
E0714 20:11:36.851781 32036 replication_controller.go:324] unable to create pod replica: Pod "redis-master-" is forbidden: no API token found for service account default/default, retry after the token is automatically created and added to the service account
E0714 20:11:36.857300 32036 replication_controller.go:324] unable to create pod replica: Pod "redis-master-" is forbidden: no API token found for service account default/default, retry after the token is automatically created and added to the service account
I deployed the k8s cluster following Getting Started from Scratch, accessing the apiserver using HTTP.
When I start the apiserver as follows:
./kube-apiserver --insecure-bind-address=0.0.0.0 \
--insecure-port=8888 \
--etcd-servers=http://127.0.0.1:4001 \
--kubelet-port=10250 \
--service-cluster-ip-range=10.0.0.0/16 \
--log-dir=/var/log/k8s \
--v=0 \
--logtostderr=false \
--allow-privileged=false \
--admission-control="NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota" &
I0714 20:10:38.041214 32175 master.go:289] Will report 10.10.30.171 as public IP address.
E0714 20:10:38.041763 32175 reflector.go:136] Failed to list *api.Namespace: Get http://0.0.0.0:8888/api/v1/namespaces: dial tcp 0.0.0.0:8888: connection refused
E0714 20:10:38.041847 32175 reflector.go:136] Failed to list *api.Secret: Get http://0.0.0.0:8888/api/v1/secrets?fieldSelector=type%3Dkubernetes.io%2Fservice-account-token: dial tcp 0.0.0.0:8888: connection refused
E0714 20:10:38.041880 32175 reflector.go:136] Failed to list *api.Namespace: Get http://0.0.0.0:8888/api/v1/namespaces: dial tcp 0.0.0.0:8888: connection refused
E0714 20:10:38.042003 32175 reflector.go:136] Failed to list *api.LimitRange: Get http://0.0.0.0:8888/api/v1/limitranges: dial tcp 0.0.0.0:8888: connection refused
E0714 20:10:38.042118 32175 reflector.go:136] Failed to list *api.ServiceAccount: Get http://0.0.0.0:8888/api/v1/serviceaccounts: dial tcp 0.0.0.0:8888: connection refused
E0714 20:10:38.042277 32175 reflector.go:136] Failed to list *api.ResourceQuota: Get http://0.0.0.0:8888/api/v1/resourcequotas: dial tcp 0.0.0.0:8888: connection refused
I0714 20:10:38.079198 32175 server.go:441] Serving securely on 0.0.0.0:6443
I0714 20:10:38.079213 32175 server.go:483] Serving insecurely on 0.0.0.0:8888
I0714 20:10:38.485759 32175 server.go:456] Using self-signed cert (/var/run/kubernetes/apiserver.crt, /var/run/kubernetes/apiserver.key)
If I start the apiserver without --admission-control, the k8s cluster runs OK and I can create an rc normally.
./kube-apiserver --insecure-bind-address=0.0.0.0 \
--insecure-port=8888 \
--etcd-servers=http://127.0.0.1:4001 \
--kubelet-port=10250 \
--service-cluster-ip-range=10.0.0.0/16 \
--log-dir=/var/log/k8s \
--v=0 \
--logtostderr=false \
--allow-privileged=false &
[restful] 2015/07/14 20:24:48 log.go:30: [restful/swagger] listing is available at https://10.10.30.171:6443/swaggerapi/
[restful] 2015/07/14 20:24:48 log.go:30: [restful/swagger] https://10.10.30.171:6443/swaggerui/ is mapped to folder /swagger-ui/
About this issue
- State: closed
- Created 9 years ago
- Comments: 26 (11 by maintainers)
Commits related to this issue
- test: Fix check-kubernetes due to ServiceAccount churn The default configuration of kubernetes does not run pods without a whole song and dance with creating service accounts, their keys, etc. https... — committed to stefwalter/cockpit by stefwalter 9 years ago
- test: Fix check-kubernetes due to ServiceAccount churn The default configuration of kubernetes does not run pods without a whole song and dance with creating service accounts, their keys, etc. https... — committed to cockpit-project/cockpit by stefwalter 9 years ago
- couldn't create pods https://github.com/kubernetes/kubernetes/issues/11222 — committed to rsysio/ansible-kubernetes by torz 8 years ago
- Removed flag from admission control. See https://github.com/kubernetes/kubernetes/issues/11222# — committed to sbrattla/salt by deleted user 8 years ago
I ran into the same issue. Taking ServiceAccount,SecurityContextDeny out of the api-server config and restarting the api-server solved the issue, like this in the apiserver config:
KUBE_ADMISSION_CONTROL="--admission_control=NamespaceLifecycle,NamespaceExists,LimitRanger,ResourceQuota"
@dchen1107
I ran into the same issue. Taking ServiceAccount out in the config of api-server and restarting api-server solved the issue… Thanks.
Regards, Jignesh
You can do what hack/local-up-cluster.sh (https://github.com/GoogleCloudPlatform/kubernetes/blob/master/hack/local-up-cluster.sh) does:
To generate the key:
To start the api server:
To start the controller manager:
Also note that the API server defaults to using its TLS serving key to verify service account tokens. If you are not serving over https and don’t have a TLS serving key, you can provide the API server the same key file you give the controller manager in order for the API to validate the generated service account tokens.
Service account admission control requires a service account and a token to exist before allowing pods to be created.
The service account token is created automatically by controllers in the controller manager if you provide a service account private key file argument.
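The setup the comment above describes, written out as an added example (not code from the issue or from the Kubernetes project). It assumes openssl is on PATH and uses the 1.0-era flag names --service-account-key-file (apiserver) and --service-account-private-key-file (controller manager), which the comment refers to but does not quote:

```shell
#!/bin/sh
# Added example: wire up the ServiceAccount admission plugin in a from-scratch
# 1.0 cluster that serves the API over plain HTTP.
# Assumptions: openssl on PATH; flag names --service-account-key-file and
# --service-account-private-key-file (not quoted on the issue page).
set -eu

# Generate the RSA key the token controller signs service-account tokens with.
# The controller manager gets this file; the API server gets the same file so
# it can verify the tokens instead of falling back to its TLS serving key.
gen_sa_key() {
  dir=$1
  mkdir -p "$dir"
  openssl genrsa -out "$dir/sa.key" 2048 2>/dev/null
  chmod 600 "$dir/sa.key"   # signing key: keep it readable by the daemons only
}

# API server flags: keep ServiceAccount in the admission chain (the plugin
# that rejected "redis-master-" above) and hand it the verification key
# explicitly, which is what a --insecure-port-only deployment needs.
apiserver_flags() {
  echo "--service-account-key-file=$1/sa.key" \
       "--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
}

# Controller manager flags: with the private key present, the token controller
# creates the kubernetes.io/service-account-token secret for default/default
# that the admission plugin was waiting for.
controller_manager_flags() {
  echo "--service-account-private-key-file=$1/sa.key"
}

# Run with "--generate" to create ./sa/sa.key and print both flag sets.
if [ "${1:-}" = "--generate" ]; then
  gen_sa_key ./sa
  echo "kube-apiserver $(apiserver_flags ./sa)"
  echo "kube-controller-manager $(controller_manager_flags ./sa)"
fi
```

After restarting both daemons, a secret of type kubernetes.io/service-account-token should appear for the default service account, and the "no API token found" error stops.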