Rancher Server 设置
- Rancher 版本:2.6.10
- 安装选项 (Docker install/Helm Chart):
- 如果是 Helm Chart 安装,需要提供 Local 集群的类型(RKE1, RKE2, k3s, EKS, 等)和版本:
- 在线或离线部署:
在线单节点安装
下游集群信息
- Kubernetes 版本: 1.24.9
- Cluster Type (Local/Downstream):
- 如果 Downstream,是什么类型的集群?(自定义/导入或为托管 等):
自定义kubeadm 1.24集群
- 如果 Downstream,是什么类型的集群?(自定义/导入或为托管 等):
用户信息
- 登录用户的角色是什么? (管理员/集群所有者/集群成员/项目所有者/项目成员/自定义):
- 如果自定义,自定义权限集:
主机操作系统:
centos7 Linux 5.4.244-1.el7.elrepo.x86_64
问题描述:
rancher 2.6.10 导入kubeadm k8s 1.24集群后,导入成功,进入集群界面后卡住
重现步骤:
curl --insecure -sfL https://rancher.cecwpc-k8s.in/v3/import/******-m-xhnfckcf.yaml | kubectl apply -f -
结果:
agent报错:
56 reflector.go:139] pkg/mod/github.com/rancher/client-go@v1.24.0-rancher1/tools/cache/reflector.go:168: Failed to watch *summary.SummarizedObject: failed to list *summary.SummarizedObject: connection is unauthorized: bgpfilters.crd.projectcalico.org is forbidden: User “system:serviceaccount:calico-apiserver:calico-apiserver” cannot list resource “bgpfilters” in API group “crd.projectcalico.org” at the cluster scope
预期结果:
进入导入的cluster界面卡住,agnet报错
看错误是calico rbac问题,但添加clusterrolebinding cluster-admin ~ calico-apiserver后,仍然报错。 rbac如下:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: “2023-06-06T06:24:20Z”
name: cluster-admin-binding-calico5
resourceVersion: “254648”
uid: bcd9b720-6dcb-458e-b272-93b9059894c8
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: calico-apiserver
截图:
其他上下文信息:
日志
56 reflector.go:139] pkg/mod/github.com/rancher/client-go@v1.24.0-rancher1/tools/cache/reflector.go:168: Failed to watch *summary.SummarizedObject: failed to list *summary.SummarizedObject: connection is unauthorized: bgpfilters.crd.projectcalico.org is forbidden: User "system:serviceaccount:calico-apiserver:calico-apiserver" cannot list resource "bgpfilters" in API group "crd.projectcalico.org" at the cluster scope
W0606 06:43:14.620117 56 reflector.go:325] pkg/mod/github.com/rancher/client-go@v1.24.0-rancher1/tools/cache/reflector.go:168: failed to list *summary.SummarizedObject: connection is unauthorized: bgpfilters.crd.projectcalico.org is forbidden: User "system:serviceaccount:calico-apiserver:calico-apiserver" cannot list resource "bgpfilters" in API group "crd.projectcalico.org" at the cluster scope
E0606 06:43:14.620153 56 reflector.go:139] pkg/mod/github.com/rancher/client-go@v1.24.0-rancher1/tools/cache/reflector.go:168: Failed to watch *summary.SummarizedObject: failed to list *summary.SummarizedObject: connection is unauthorized: bgpfilters.crd.projectcalico.org is forbidden: User "system:serviceaccount:calico-apiserver:calico-apiserver" cannot list resource "bgpfilters" in API group "crd.projectcalico.org" at the cluster scope