kubectl apply Error from server (Forbidden) Authentication required - Jenkins
Question
I installed Jenkins on Windows 10; the minikube cluster is a VirtualBox VM.
On the minikube cluster I created a service account using this YAML:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins
List sa:
kubectl get sa
NAME      SECRETS   AGE
default   1         128m
jenkins   1         99m
kubectl describe sa jenkins
Name:                jenkins
Namespace:           default
Labels:              <none>
Annotations:         kubectl.kubernetes.io/last-applied-configuration:
                       {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"jenkins","namespace":"default"}}
Image pull secrets:  <none>
Mountable secrets:   jenkins-token-rk2mg
Tokens:              jenkins-token-rk2mg
Events:              <none>
I used the token from that account and configured the Kubernetes plugin on Jenkins; the connection is successful.
In the Jenkinsfile I added a stage to get the kubectl version:
stage('Check kubectl version') {
    steps {
        sh 'kubectl version'
    }
}
And I'm getting:
+ kubectl version
Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.0", GitCommit:"70132b0f130acc0bed193d9ba59dd186f0e634cf", GitTreeState:"clean", BuildDate:"2019-12-07T21:20:10Z", GoVersion:"go1.13.4", Compiler:"gc", Platform:"windows/amd64"}
Error from server (Forbidden): <html><head><meta http-equiv='refresh' content='1;url=/login?from=%2Fversion%3Ftimeout%3D32s'/><script>window.location.replace('/login?from=%2Fversion%3Ftimeout%3D32s');</script></head><body style='background-color:white; color:white;'>
Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:
Permission you need to have (but didn't): hudson.model.Hudson.Read
... which is implied by: hudson.security.Permission.GenericRead
... which is implied by: hudson.model.Hudson.Administer
-->
Answer 1
Score: 0
> You are authenticated as: anonymous
You must authenticate as the ServiceAccount jenkins that you created for Jenkins.
Use withCredentials in your Jenkinsfile step/stage and load the token that belongs to the ServiceAccount for jenkins. You must first identify the secret with the token that belongs to your generated ServiceAccount.
When using the kubectl command, specify that you want to authenticate with your token and possibly a server hostname for the ApiServer.
E.g. something like this:
kubectl apply -f <directory-or-file> --token $TOKEN_FROM_WITH_CREDENTIALS --server apiserver.hostname.local
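
An added example (not part of the original answer) of the approach described above: a Jenkinsfile that passes the ServiceAccount token to kubectl explicitly instead of relying on a kubeconfig on the agent. The credential IDs `jenkins-sa-token` and `k8s-ca-cert` and the server URL are assumptions; the HTML in the question's error is a Jenkins login page, which suggests kubectl had no cluster configured and fell back to its default localhost:8080, where Jenkins answered.

```groovy
// Added example, not the original poster's pipeline.
// Assumed Jenkins credentials (create them under Manage Credentials):
//   jenkins-sa-token : "Secret text" holding the decoded ServiceAccount token, e.g.
//       kubectl get secret jenkins-token-rk2mg -o jsonpath='{.data.token}' | base64 --decode
//   k8s-ca-cert      : "Secret file" holding the cluster CA certificate
pipeline {
    agent any
    environment {
        // Assumed value: replace with the real API server URL of the cluster
        K8S_SERVER = 'https://apiserver.hostname.local:8443'
    }
    stages {
        stage('Check kubectl version') {
            steps {
                withCredentials([
                    string(credentialsId: 'jenkins-sa-token', variable: 'K8S_TOKEN'),
                    file(credentialsId: 'k8s-ca-cert', variable: 'K8S_CA')
                ]) {
                    // Single quotes: the shell expands the variables, so the token
                    // is never interpolated into the Groovy string or the build log.
                    sh '''
                        # Explicit server, token and CA; no --insecure-skip-tls-verify
                        kubectl --server="$K8S_SERVER" --token="$K8S_TOKEN" \
                                --certificate-authority="$K8S_CA" version

                        # Confirm the request is authorized by the jenkins Role
                        kubectl --server="$K8S_SERVER" --token="$K8S_TOKEN" \
                                --certificate-authority="$K8S_CA" \
                                auth can-i create pods --namespace default

                        kubectl --server="$K8S_SERVER" --token="$K8S_TOKEN" \
                                --certificate-authority="$K8S_CA" \
                                get pods --namespace default
                    '''
                }
            }
        }
    }
}
```

The Role in the question is namespaced, so the `can-i` and `get pods` checks only succeed in the namespace where the Role and RoleBinding were created (`default` here).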
Answer 2
Score: 0
I met the same issue, and there are several k8s environments in Jenkins.
Originally the kubectl apply command was:
kubectl apply -f <directory-or-file>
To solve it, add the --context parameter to add the specific cluster:
kubectl apply -f <directory-or-file> --context <CLUSTER_NAME>