当前位置: 首页 > article >正文

k8s serviceaccount在集群内指定apiserver时验证错误的问题

article 2025/3/17 6:27:16

在主机上,找到TOKEN,可以直接指定apiserver使用 

root@ubuntu-server:/home# kubectl auth can-i --list --server https://192.168.85.198:6443 --token="eyJhbGciOiJSUzI1NiIsImtpZCI6IlFlMHQ3TzhpcGw1SnRqbkYtOC1NUWlWNUpWdGo5SGRXeTBvZU9ib25iZDQifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzczNjIzNDc1LCJpYXQiOjE3NDIwODc0NzUsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0IiwicG9kIjp7Im5hbWUiOiJob25leXBvZC01ZDZiY2RiY2RiLXM3NjRoIiwidWlkIjoiOTY1ZjY2ZDEtNmNhNC00NjBiLTg0NDQtOTRmOTUwOTZkMDk4In0sInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJkZWZhdWx0IiwidWlkIjoiYzYwYTk4ODctMDlhMS00NWRlLTg2OWItNzhhNjdkMGRkNWZiIn0sIndhcm5hZnRlciI6MTc0MjA5MTA4Mn0sIm5iZiI6MTc0MjA4NzQ3NSwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6ZGVmYXVsdCJ9.ct6yPMHVLnO3k51x7soOO2iV1dboXU2G2rTTAMuxboOMBkjruX_El7tXOuWEhuSGEECpSTxU9iXbPYV5KWCsUwCSrZd1yqlXle6u6h2KAlrZAqKHOe2PCGau6SUhnGwlGNz1z_98mV58cQbHCFzlHhN-2AkLbxYCgtFnD_ggIDQlNb_3uiTneFr7DBSDEp874vGdkh_E7fWSNPFKJQTxQuPZWuOIyz-LaHWGvCmLc5zJgxc_68Zluy-3jyvGIJdgcCXp9Wz51DQRp0NOeuqmZ0bhsNDwqBxZ6DM6dOtzGWaB8k8npd1QxxTmShYdwoOgube-x0-JnUiY5Z3Mf7Sd-A" -v=9
I0316 01:39:25.883868  907134 loader.go:372] Config loaded from file:  /root/.kube/config
I0316 01:39:25.884864  907134 request.go:1181] Request Body: {"kind":"SelfSubjectRulesReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"namespace":"default"},"status":{"resourceRules":null,"nonResourceRules":null,"incomplete":false}}
I0316 01:39:25.885088  907134 round_trippers.go:466] curl -v -XPOST  -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.23.6 (linux/amd64) kubernetes/ad33385" -H "Authorization: Bearer <masked>" 'https://192.168.85.198:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews'
I0316 01:39:25.885791  907134 round_trippers.go:510] HTTP Trace: Dial to tcp:192.168.85.198:6443 succeed
I0316 01:39:25.890543  907134 round_trippers.go:570] HTTP Statistics: DNSLookup 0 ms Dial 0 ms TLSHandshake 3 ms ServerProcessing 0 ms Duration 5 ms
I0316 01:39:25.890575  907134 round_trippers.go:577] Response Headers:
I0316 01:39:25.890579  907134 round_trippers.go:580]     Content-Type: application/json
I0316 01:39:25.890590  907134 round_trippers.go:580]     X-Kubernetes-Pf-Flowschema-Uid: 30268247-c126-47b4-a157-a1758fc4219c
I0316 01:39:25.890595  907134 round_trippers.go:580]     X-Kubernetes-Pf-Prioritylevel-Uid: cfdb4739-b1dc-4192-9ab4-2ad063a0e27d
I0316 01:39:25.890600  907134 round_trippers.go:580]     Content-Length: 647
I0316 01:39:25.890604  907134 round_trippers.go:580]     Date: Sun, 16 Mar 2025 01:39:25 GMT
I0316 01:39:25.890609  907134 round_trippers.go:580]     Audit-Id: 396e9b4f-70c1-46b3-a6dd-9bceef4b6fd7
I0316 01:39:25.890613  907134 round_trippers.go:580]     Cache-Control: no-cache, private
I0316 01:39:25.890636  907134 request.go:1181] Response Body: {"kind":"SelfSubjectRulesReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{},"status":{"resourceRules":[{"verbs":["*"],"apiGroups":["*"],"resources":["*"]},{"verbs":["create"],"apiGroups":["authorization.k8s.io"],"resources":["selfsubjectaccessreviews","selfsubjectrulesreviews"]}],"nonResourceRules":[{"verbs":["get"],"nonResourceURLs":["/api","/api/*","/apis","/apis/*","/healthz","/livez","/openapi","/openapi/*","/readyz","/version","/version/"]},{"verbs":["*"],"nonResourceURLs":["*"]},{"verbs":["get"],"nonResourceURLs":["/healthz","/livez","/readyz","/version","/version/"]}],"incomplete":false}}
Resources                                       Non-Resource URLs   Resource Names   Verbs
*.*                                             []                  []               [*]
                                                [*]                 []               [*]
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/livez]            []               [get]
                                                [/livez]            []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/readyz]           []               [get]
                                                [/readyz]           []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]

在容器内如果不跟server参数指定也可以使用

但是指定后就报错了

oot@honeypod-5d6bcdbcdb-s764h:/run/secrets/kubernetes.io/serviceaccount# /home/kubectl auth can-i --list --server https://10.96.0.1:443 --token="eyJhbGciOiJSUzI1NiIsImtpZCI6IlFlMHQ3TzhpcGw1SnRqbkYtOC1NUWlWNUpWdGo5SGRXeTBvZU9ib25iZDQifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzczNjIzNDc1LCJpYXQiOjE3NDIwODc0NzUsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0IiwicG9kIjp7Im5hbWUiOiJob25leXBvZC01ZDZiY2RiY2RiLXM3NjRoIiwidWlkIjoiOTY1ZjY2ZDEtNmNhNC00NjBiLTg0NDQtOTRmOTUwOTZkMDk4In0sInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJkZWZhdWx0IiwidWlkIjoiYzYwYTk4ODctMDlhMS00NWRlLTg2OWItNzhhNjdkMGRkNWZiIn0sIndhcm5hZnRlciI6MTc0MjA5MTA4Mn0sIm5iZiI6MTc0MjA4NzQ3NSwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6ZGVmYXVsdCJ9.ct6yPMHVLnO3k51x7soOO2iV1dboXU2G2rTTAMuxboOMBkjruX_El7tXOuWEhuSGEECpSTxU9iXbPYV5KWCsUwCSrZd1yqlXle6u6h2KAlrZAqKHOe2PCGau6SUhnGwlGNz1z_98mV58cQbHCFzlHhN-2AkLbxYCgtFnD_ggIDQlNb_3uiTneFr7DBSDEp874vGdkh_E7fWSNPFKJQTxQuPZWuOIyz-LaHWGvCmLc5zJgxc_68Zluy-3jyvGIJdgcCXp9Wz51DQRp0NOeuqmZ0bhsNDwqBxZ6DM6dOtzGWaB8k8npd1QxxTmShYdwoOgube-x0-JnUiY5Z3Mf7Sd-A" -v=9
I0316 01:38:45.999930     257 merged_client_builder.go:163] Using in-cluster namespace
I0316 01:38:46.000634     257 request.go:1181] Request Body: {"kind":"SelfSubjectRulesReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"namespace":"default"},"status":{"resourceRules":null,"nonResourceRules":null,"incomplete":false}}
I0316 01:38:46.000985     257 round_trippers.go:466] curl -v -XPOST  -H "Authorization: Bearer <masked>" -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.23.6 (linux/amd64) kubernetes/ad33385" 'https://10.96.0.1:443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews'
I0316 01:38:46.001798     257 round_trippers.go:510] HTTP Trace: Dial to tcp:10.96.0.1:443 succeed
I0316 01:38:46.004178     257 round_trippers.go:570] HTTP Statistics: DNSLookup 0 ms Dial 0 ms TLSHandshake 2 ms Duration 3 ms
I0316 01:38:46.004211     257 round_trippers.go:577] Response Headers:
I0316 01:38:46.004273     257 helpers.go:237] Connection error: Post https://10.96.0.1:443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews: x509: certificate signed by unknown authority
F0316 01:38:46.004301     257 helpers.go:118] Unable to connect to the server: x509: certificate signed by unknown authority
goroutine 1 [running]:
k8s.io/kubernetes/vendor/k8s.io/klog/v2.stacks(0x1)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:1038 +0x8a
k8s.io/kubernetes/vendor/k8s.io/klog/v2.(*loggingT).output(0x3080040, 0x3, 0x0, 0xc00013e070, 0x2, {0x25f2ec7, 0x10}, 0xc00005c800, 0x0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:987 +0x5fd
k8s.io/kubernetes/vendor/k8s.io/klog/v2.(*loggingT).printDepth(0xc00051f400, 0x4e, 0x0, {0x0, 0x0}, 0x55, {0xc000049450, 0x1, 0x1})
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:735 +0x1ae
k8s.io/kubernetes/vendor/k8s.io/klog/v2.FatalDepth(...)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:1518
k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util.fatal({0xc00051f400, 0x4e}, 0xc0004f7ce0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util/helpers.go:96 +0xc5
k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util.checkErr({0x1fed760, 0xc0004f7ce0}, 0x1e797d0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util/helpers.go:191 +0x7d7
k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util.CheckErr(...)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util/helpers.go:118
k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/auth.NewCmdCanI.func1(0xc0003e8000, {0xc000104460, 0x0, 0x5})
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/auth/cani.go:133 +0xc5
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).execute(0xc0003e8000, {0xc000104410, 0x5, 0x5})
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/github.com/spf13/cobra/command.go:860 +0x5f8
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc00057a000)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/github.com/spf13/cobra/command.go:974 +0x3bc
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).Execute(...)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/github.com/spf13/cobra/command.go:902
k8s.io/kubernetes/vendor/k8s.io/component-base/cli.run(0xc00057a000)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/component-base/cli/run.go:146 +0x325
k8s.io/kubernetes/vendor/k8s.io/component-base/cli.RunNoErrOutput(...)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/component-base/cli/run.go:84
main.main()
        _output/dockerized/go/src/k8s.io/kubernetes/cmd/kubectl/kubectl.go:30 +0x1e

goroutine 6 [chan receive]:
k8s.io/kubernetes/vendor/k8s.io/klog/v2.(*loggingT).flushDaemon(0x0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:1181 +0x6a
created by k8s.io/kubernetes/vendor/k8s.io/klog/v2.init.0
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:420 +0xfb

goroutine 18 [select]:
k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0x0, {0x1febb40, 0xc000204000}, 0x1, 0xc00007e360)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:167 +0x13b
k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil(0x0, 0x12a05f200, 0x0, 0x0, 0x0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133 +0x89
k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait.Until(...)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90
k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait.Forever(0x0, 0x0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:81 +0x28
created by k8s.io/kubernetes/vendor/k8s.io/component-base/logs.InitLogs
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/component-base/logs/logs.go:179 +0x85
root@honeypod-5d6bcdbcdb-s764h:/run/secrets/kubernetes.io/serviceaccount# exit

指定TOKEN也报错

root@honeypod-5d6bcdbcdb-s764h:/# /home/kubectl auth can-i --list --server https://192.168.85.198:443 --token="eyJhbGciOiJSUzI1NiIsImtpZCI6IlFlMHQ3TzhpcGw1SnRqbkYtOC1NUWlWNUpWdGo5SGRXeTBvZU9ib25iZDQifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzczNjIzNDc1LCJpYXQiOjE3NDIwODc0NzUsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0IiwicG9kIjp7Im5hbWUiOiJob25leXBvZC01ZDZiY2RiY2RiLXM3NjRoIiwidWlkIjoiOTY1ZjY2ZDEtNmNhNC00NjBiLTg0NDQtOTRmOTUwOTZkMDk4In0sInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJkZWZhdWx0IiwidWlkIjoiYzYwYTk4ODctMDlhMS00NWRlLTg2OWItNzhhNjdkMGRkNWZiIn0sIndhcm5hZnRlciI6MTc0MjA5MTA4Mn0sIm5iZiI6MTc0MjA4NzQ3NSwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6ZGVmYXVsdCJ9.ct6yPMHVLnO3k51x7soOO2iV1dboXU2G2rTTAMuxboOMBkjruX_El7tXOuWEhuSGEECpSTxU9iXbPYV5KWCsUwCSrZd1yqlXle6u6h2KAlrZAqKHOe2PCGau6SUhnGwlGNz1z_98mV58cQbHCFzlHhN-2AkLbxYCgtFnD_ggIDQlNb_3uiTneFr7DBSDEp874vGdkh_E7fWSNPFKJQTxQuPZWuOIyz-LaHWGvCmLc5zJgxc_68Zluy-3jyvGIJdgcCXp9Wz51DQRp0NOeuqmZ0bhsNDwqBxZ6DM6dOtzGWaB8k8npd1QxxTmShYdwoOgube-x0-JnUiY5Z3Mf7Sd-A" -v=9
I0316 01:44:43.689347     299 merged_client_builder.go:163] Using in-cluster namespace
I0316 01:44:43.689883     299 request.go:1181] Request Body: {"kind":"SelfSubjectRulesReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"namespace":"default"},"status":{"resourceRules":null,"nonResourceRules":null,"incomplete":false}}
I0316 01:44:43.690104     299 round_trippers.go:466] curl -v -XPOST  -H "Accept: application/json, */*" -H "Authorization: Bearer <masked>" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.23.6 (linux/amd64) kubernetes/ad33385" 'https://192.168.85.198:443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews'
I0316 01:44:43.690883     299 round_trippers.go:510] HTTP Trace: Dial to tcp:192.168.85.198:443 succeed
I0316 01:44:43.693382     299 round_trippers.go:570] HTTP Statistics: DNSLookup 0 ms Dial 0 ms TLSHandshake 2 ms Duration 3 ms
I0316 01:44:43.693520     299 round_trippers.go:577] Response Headers:
I0316 01:44:43.693576     299 helpers.go:237] Connection error: Post https://192.168.85.198:443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews: x509: certificate signed by unknown authority
F0316 01:44:43.693620     299 helpers.go:118] Unable to connect to the server: x509: certificate signed by unknown authority
goroutine 1 [running]:
k8s.io/kubernetes/vendor/k8s.io/klog/v2.stacks(0x1)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:1038 +0x8a
k8s.io/kubernetes/vendor/k8s.io/klog/v2.(*loggingT).output(0x3080040, 0x3, 0x0, 0xc0003e6000, 0x2, {0x25f2ec7, 0x10}, 0xc00005c800, 0x0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:987 +0x5fd
k8s.io/kubernetes/vendor/k8s.io/klog/v2.(*loggingT).printDepth(0xc00039e0a0, 0x4e, 0x0, {0x0, 0x0}, 0x5a, {0xc0003efc10, 0x1, 0x1})
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:735 +0x1ae
k8s.io/kubernetes/vendor/k8s.io/klog/v2.FatalDepth(...)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:1518
k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util.fatal({0xc00039e0a0, 0x4e}, 0xc000543ce0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util/helpers.go:96 +0xc5
k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util.checkErr({0x1fed760, 0xc000543ce0}, 0x1e797d0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util/helpers.go:191 +0x7d7
k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util.CheckErr(...)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util/helpers.go:118
k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/auth.NewCmdCanI.func1(0xc00045b180, {0xc000492410, 0x0, 0x5})
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/auth/cani.go:133 +0xc5
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).execute(0xc00045b180, {0xc0004923c0, 0x5, 0x5})
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/github.com/spf13/cobra/command.go:860 +0x5f8
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc0000a6f00)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/github.com/spf13/cobra/command.go:974 +0x3bc
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).Execute(...)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/github.com/spf13/cobra/command.go:902
k8s.io/kubernetes/vendor/k8s.io/component-base/cli.run(0xc0000a6f00)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/component-base/cli/run.go:146 +0x325
k8s.io/kubernetes/vendor/k8s.io/component-base/cli.RunNoErrOutput(...)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/component-base/cli/run.go:84
main.main()
        _output/dockerized/go/src/k8s.io/kubernetes/cmd/kubectl/kubectl.go:30 +0x1e

goroutine 6 [chan receive]:
k8s.io/kubernetes/vendor/k8s.io/klog/v2.(*loggingT).flushDaemon(0x0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:1181 +0x6a
created by k8s.io/kubernetes/vendor/k8s.io/klog/v2.init.0
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:420 +0xfb

goroutine 18 [select]:
k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0x0, {0x1febb40, 0xc0005c0000}, 0x1, 0xc00007e360)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:167 +0x13b
k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil(0x0, 0x12a05f200, 0x0, 0x0, 0x0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133 +0x89
k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait.Until(...)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90
k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait.Forever(0x0, 0x0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:81 +0x28
created by k8s.io/kubernetes/vendor/k8s.io/component-base/logs.InitLogs
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/component-base/logs/logs.go:179 +0x85

又或者不用TOKEN,直接打命令,也一样报错 

root@honeypod-5d6bcdbcdb-s764h:/# /home//kubectl auth can-i --list --server https://192.168.85.198:6443 -v=9
Please enter Username: a
Please enter Password: I0316 01:42:49.432361     282 merged_client_builder.go:163] Using in-cluster namespace
I0316 01:42:49.432601     282 request.go:1181] Request Body: {"kind":"SelfSubjectRulesReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"namespace":"default"},"status":{"resourceRules":null,"nonResourceRules":null,"incomplete":false}}
I0316 01:42:49.432653     282 round_trippers.go:466] curl -v -XPOST  -H "Accept: application/json, */*" -H "Authorization: Basic <masked>" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.23.6 (linux/amd64) kubernetes/ad33385" 'https://192.168.85.198:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews'
I0316 01:42:49.433134     282 round_trippers.go:510] HTTP Trace: Dial to tcp:192.168.85.198:6443 succeed
I0316 01:42:49.435363     282 round_trippers.go:570] HTTP Statistics: DNSLookup 0 ms Dial 0 ms TLSHandshake 2 ms Duration 2 ms
I0316 01:42:49.435372     282 round_trippers.go:577] Response Headers:
I0316 01:42:49.435400     282 helpers.go:237] Connection error: Post https://192.168.85.198:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews: x509: certificate signed by unknown authority
F0316 01:42:49.435413     282 helpers.go:118] Unable to connect to the server: x509: certificate signed by unknown authority
goroutine 1 [running]:
k8s.io/kubernetes/vendor/k8s.io/klog/v2.stacks(0x1)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:1038 +0x8a
k8s.io/kubernetes/vendor/k8s.io/klog/v2.(*loggingT).output(0x3080040, 0x3, 0x0, 0xc0005d4000, 0x2, {0x25f2ec7, 0x10}, 0xc00005cc00, 0x0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:987 +0x5fd
k8s.io/kubernetes/vendor/k8s.io/klog/v2.(*loggingT).printDepth(0xc000047630, 0x4e, 0x0, {0x0, 0x0}, 0x5b, {0xc000048e50, 0x1, 0x1})
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:735 +0x1ae
k8s.io/kubernetes/vendor/k8s.io/klog/v2.FatalDepth(...)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:1518
k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util.fatal({0xc000047630, 0x4e}, 0xc0005383f0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util/helpers.go:96 +0xc5
k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util.checkErr({0x1fed760, 0xc0005383f0}, 0x1e797d0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util/helpers.go:191 +0x7d7
k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util.CheckErr(...)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/util/helpers.go:118
k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/auth.NewCmdCanI.func1(0xc000672f00, {0xc000491140, 0x0, 0x4})
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/cmd/auth/cani.go:133 +0xc5
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).execute(0xc000672f00, {0xc000491100, 0x4, 0x4})
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/github.com/spf13/cobra/command.go:860 +0x5f8
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc0005d2f00)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/github.com/spf13/cobra/command.go:974 +0x3bc
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).Execute(...)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/github.com/spf13/cobra/command.go:902
k8s.io/kubernetes/vendor/k8s.io/component-base/cli.run(0xc0005d2f00)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/component-base/cli/run.go:146 +0x325
k8s.io/kubernetes/vendor/k8s.io/component-base/cli.RunNoErrOutput(...)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/component-base/cli/run.go:84
main.main()
        _output/dockerized/go/src/k8s.io/kubernetes/cmd/kubectl/kubectl.go:30 +0x1e

goroutine 18 [chan receive]:
k8s.io/kubernetes/vendor/k8s.io/klog/v2.(*loggingT).flushDaemon(0x0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:1181 +0x6a
created by k8s.io/kubernetes/vendor/k8s.io/klog/v2.init.0
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/klog/v2/klog.go:420 +0xfb

goroutine 5 [select]:
k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0x0, {0x1febb40, 0xc000386a50}, 0x1, 0xc000090360)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:167 +0x13b
k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil(0x0, 0x12a05f200, 0x0, 0x0, 0x0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133 +0x89
k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait.Until(...)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90
k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait.Forever(0x0, 0x0)
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:81 +0x28
created by k8s.io/kubernetes/vendor/k8s.io/component-base/logs.InitLogs
        /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/component-base/logs/logs.go:179 +0x85

解决方法

kubectl增加--insecure-skip-tls-verify参数即可


http://www.kler.cn/a/587989.html

相关文章:

  • 计算机视觉中的MIP算法全解析
  • 使用VSCode开发STM32补充(Debug调试)
  • AI+视觉测试:如何提升前端测试质量?
  • 五大基础算法——模拟算法
  • MySQL -- 基本函数
  • 【Linux进程通信】————匿名管道命名管道
  • Matlab 风力发电机磁悬浮轴承模型pid控制
  • 从需求文档到智能化测试:基于 PaddleOCR 的图片信息处理与自动化提取
  • 每日Attention学习28——Strip Pooling
  • CVPR2024 | TT3D | 物理世界中可迁移目标性 3D 对抗攻击
  • day04_Java高级
  • 练习题:89
  • 考研专业课复习方法:如何高效记忆和理解?
  • 应用于电池模块的 Fluent 共轭传热耦合
  • C++学习笔记(二十)——类之运算符重载
  • 代码随想录算法训练营第32天 | 509. 斐波那契数 70. 爬楼梯 746. 使用最小花费爬楼梯
  • 【数据分析】读取文档(读取Excel)
  • Varjo:为战场各兵种综合训练提供XR技术支持
  • DeepSeek-R1大模型微调技术深度解析:架构、方法与应用全解析
  • 【论文阅读】Cross-View Fusion for Multi-View Clustering