User "system:unauthenticated" cannot get resource "clusters" in API group "management.cattle.io" at the cluster scope

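Rancher Server setup

  • Rancher version: 2.9.2
  • Installation option (Docker install/Helm Chart): Docker
    • If Helm Chart installation, provide the Local cluster type (RKE1, RKE2, k3s, EKS, etc.) and version:
  • Online or air-gapped deployment:

Downstream cluster information

  • Kubernetes version:
  • Cluster Type (Local/Downstream): v1.30.8 rke2r1
    • If Downstream, what type of cluster? (Custom/Imported or Hosted, etc.):

User information

  • What is the role of the logged-in user? (Admin/Cluster Owner/Cluster Member/Project Owner/Project Member/Custom): Admin
    • If custom, the custom permission set:

Host operating system: linux centos7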

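*Problem description:
1. I deployed the kyuubi program to k8s; kyuubi starts spark, and spark submits jobs to k8s.
2. In the kyuubi pod, the pod account is root, and I placed the k8s config in the default directory, /root/.kube/config.
3. Then I bound the root account and the default and spark serviceaccounts to the cluster-admin clusterrole.
4. When the program accesses kyuubi, it can connect, but when spark tries to submit to k8s it reports a 403 error: no permission to access.

The error message is as follows: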
2025-02-12 02:55:15.292 ERROR kubernetes-dispatcher: Thread-78 io.fabric8.kubernetes.client.informers.impl.cache.Reflector: listSyncAndWatch failed for v1/namespaces/default/pods, will stop
java.util.concurrent.CompletionException: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.38.149.107:10443/k8s/clusters/c-m-b7wftmdh/api/v1/namespaces/default/pods?labelSelector=kyuubi-unique-tag&resourceVersion=0. Received status: Status(apiVersion=v1, code=403, details=null, kind=Status, message=null, metadata=null, reason=null, status=null, additionalProperties={Code={Code=Forbidden, Status=403}, Message=clusters.management.cattle.io “c-m-b7wftmdh” is forbidden: User “system:unauthenticated” cannot get resource “clusters” in API group “management.cattle.io” at the cluster scope, Cause=null, FieldName=}).
at java.base/java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:314)
at java.base/java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:319)
at java.base/java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:645)
at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
at java.base/java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2073)
at io.fabric8.kubernetes.client.http.StandardHttpClient.lambda$completeOrCancel$10(StandardHttpClient.java:140)
at java.base/java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:859)
at java.base/java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:837)
at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
at java.base/java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2073)
at io.fabric8.kubernetes.client.http.ByteArrayBodyHandler.onBodyDone(ByteArrayBodyHandler.java:52)
at java.base/java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:859)
at java.base/java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:837)
at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
at java.base/java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2073)
at io.fabric8.kubernetes.client.okhttp.OkHttpClientImpl$OkHttpAsyncBody.doConsume(OkHttpClientImpl.java:137)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.38.149.107:10443/k8s/clusters/c-m-b7wftmdh/api/v1/namespaces/default/pods?labelSelector=kyuubi-unique-tag&resourceVersion=0. Received status: Status(apiVersion=v1, code=403, details=null, kind=Status, message=null, metadata=null, reason=null, status=null, additionalProperties={Code={Code=Forbidden, Status=403}, Message=clusters.management.cattle.io “c-m-b7wftmdh” is forbidden: User “system:unauthenticated” cannot get resource “clusters” in API group “management.cattle.io” at the cluster scope, Cause=null, FieldName=}).
at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.requestFailure(OperationSupport.java:660)
at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.requestFailure(OperationSupport.java:640)
at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.assertResponseCode(OperationSupport.java:589)
at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.lambda$handleResponse$0(OperationSupport.java:549)
at java.base/java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:642)
… 16 more

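I have tried many ways of binding the cluster role, but none of them worked; it always reports this error. I can't find where the problem is. Please help.*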