kubectl apply Error from server (Forbidden) Authentication required - Jenkins
I installed Jenkins on Windows 10, and the minikube cluster is a VirtualBox VM.
On the minikube cluster, I created the service account with this yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins
List sa:
kubectl get sa
NAME SECRETS AGE
default 1 128m
jenkins 1 99m
kubectl describe sa jenkins
Name: jenkins
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"jenkins","namespace":"default"}}
Image pull secrets: <none>
Mountable secrets: jenkins-token-rk2mg
Tokens: jenkins-token-rk2mg
Events: <none>
I used that account's token to configure the Kubernetes plugin on Jenkins, and the connection succeeded.
In the Jenkinsfile, I added a stage to get the kubectl version:
stage('Check kubectl version') {
    steps {
        sh 'kubectl version'
    }
}
I get:
+ kubectl version
Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.0", GitCommit:"70132b0f130acc0bed193d9ba59dd186f0e634cf", GitTreeState:"clean", BuildDate:"2019-12-07T21:20:10Z", GoVersion:"go1.13.4", Compiler:"gc", Platform:"windows/amd64"}
Error from server (Forbidden): <html><head><meta http-equiv='refresh' content='1;url=/login?from=%2Fversion%3Ftimeout%3D32s'/><script>window.location.replace('/login?from=%2Fversion%3Ftimeout%3D32s');</script></head><body style='background-color:white; color:white;'>
Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:
Permission you need to have (but didn't): hudson.model.Hudson.Read
... which is implied by: hudson.security.Permission.GenericRead
... which is implied by: hudson.model.Hudson.Administer
-->
You are authenticated as: anonymous
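You have to authenticate as the service account jenkins that you created for Jenkins.
Use withCredentials in your Jenkinsfile step/stage and load the token belonging to the jenkins ServiceAccount. You have to first identify the secret that holds the token belonging to the ServiceAccount you generated.
When using the kubectl command, specify that you want to authenticate with your token, and probably also the server hostname of your ApiServer.
For example, like this:
kubectl apply -f <directory-or-file> --token $TOKEN_FROM_WITH_CREDENTIALS --server apiserver.hostname.local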
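As an added example (not part of the original posts), this is how the stage from the question could apply the advice above; the HTML login page in the error output shows kubectl was reaching Jenkins itself rather than the API server, so the stage passes --server explicitly. The credential IDs k8s-jenkins-sa-token and k8s-ca-cert and the https:// form of the server URL are assumptions.

```groovy
// Added example, not from the original post.
// Assumed names: credential IDs 'k8s-jenkins-sa-token' (Secret text) and
// 'k8s-ca-cert' (Secret file), and the API server URL below.
pipeline {
    agent any
    environment {
        // Placeholder host taken from the answer; replace with your API server address.
        K8S_SERVER = 'https://apiserver.hostname.local'
    }
    stages {
        stage('Check kubectl version') {
            steps {
                withCredentials([
                    string(credentialsId: 'k8s-jenkins-sa-token', variable: 'K8S_TOKEN'),
                    file(credentialsId: 'k8s-ca-cert', variable: 'K8S_CA')
                ]) {
                    // Single-quoted Groovy strings: the shell expands the variables,
                    // so the token is never interpolated into the command text by Groovy.
                    sh 'kubectl version --server "$K8S_SERVER" --token "$K8S_TOKEN" --certificate-authority "$K8S_CA"'

                    // Verify that the Role bound in the question applies to this identity.
                    // kubectl exits non-zero on "no", which fails the stage early.
                    sh 'kubectl auth can-i create pods --namespace default --server "$K8S_SERVER" --token "$K8S_TOKEN" --certificate-authority "$K8S_CA"'
                }
            }
        }
    }
}
```

The token stored in the Secret text credential is the base64-decoded `token` field of the secret jenkins-token-rk2mg shown in the `kubectl describe sa jenkins` output.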
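I had the same problem, and there are several k8s environments in Jenkins.
Initially the kubectl apply command was
kubectl apply -f <directory-or-file>
To solve it, add the --context parameter to specify the particular cluster:
kubectl apply -f <directory-or-file> --context <CLUSTER_NAME>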