Authentication required – Jenkins

kubectl apply Error from server (Forbidden) Authentication required - Jenkins

Question

I installed Jenkins on Windows 10; the minikube cluster is a VirtualBox VM.

On the minikube cluster I created a service account using this YAML:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins

List sa:

kubectl get sa
NAME      SECRETS   AGE
default   1         128m
jenkins   1         99m

kubectl describe sa jenkins
Name:                jenkins
Namespace:           default
Labels:              <none>
Annotations:         kubectl.kubernetes.io/last-applied-configuration:
                       {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"jenkins","namespace":"default"}}
Image pull secrets:  <none>
Mountable secrets:   jenkins-token-rk2mg
Tokens:              jenkins-token-rk2mg
Events:              <none>

I used the token from that account and configured the Kubernetes plugin on Jenkins; the connection is successful.

In the Jenkinsfile I added a stage to get the kubectl version:

stage('Check kubectl version') {
    steps {
        sh 'kubectl version'
    }
}

And I'm getting:

+ kubectl version
Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.0", GitCommit:"70132b0f130acc0bed193d9ba59dd186f0e634cf", GitTreeState:"clean", BuildDate:"2019-12-07T21:20:10Z", GoVersion:"go1.13.4", Compiler:"gc", Platform:"windows/amd64"}
Error from server (Forbidden): <html><head><meta http-equiv='refresh' content='1;url=/login?from=%2Fversion%3Ftimeout%3D32s'/><script>window.location.replace('/login?from=%2Fversion%3Ftimeout%3D32s');</script></head><body style='background-color:white; color:white;'>

    Authentication required
    <!--
    You are authenticated as: anonymous
    Groups that you are in:
      
    Permission you need to have (but didn't): hudson.model.Hudson.Read
     ... which is implied by: hudson.security.Permission.GenericRead
     ... which is implied by: hudson.model.Hudson.Administer
    -->

Answer 1

Score: 0

> You are authenticated as: anonymous

You must authenticate as the ServiceAccount jenkins that you created for Jenkins.

Use withCredentials in your Jenkinsfile step/stage and load the token that belongs to the ServiceAccount for jenkins. You must first identify the secret with the token that belongs to your generated ServiceAccount.

When using the kubectl command, specify that you want to authenticate with your token and possibly a server hostname for the ApiServer.

E.g. something like this:

kubectl apply -f <directory-or-file> --token $TOKEN_FROM_WITH_CREDENTIALS --server apiserver.hostname.local
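
The approach described in this answer, written out as a complete Jenkinsfile. This is an added example, not part of the original answer; the credential IDs jenkins-sa-token and k8s-ca-cert are hypothetical Jenkins credentials, and apiserver.hostname.local is the answer's placeholder host.

```groovy
// Added example. Assumptions: 'jenkins-sa-token' (Secret text) and
// 'k8s-ca-cert' (Secret file holding the cluster CA) are hypothetical
// credential IDs; apiserver.hostname.local is the answer's placeholder.
//
// The HTML in the question's error is Jenkins' own login page
// (hudson.model.Hudson.Read), so kubectl was talking to Jenkins, not to
// the API server. Passing --server and --token explicitly fixes both.
//
// The token lives in the secret listed by `kubectl describe sa jenkins`
// (jenkins-token-rk2mg on this page). Read it once from a machine that
// already has cluster access and store it in Jenkins as Secret text:
//   kubectl get secret jenkins-token-rk2mg -o jsonpath='{.data.token}' | base64 --decode
pipeline {
    agent any
    environment {
        K8S_SERVER = 'https://apiserver.hostname.local'
    }
    stages {
        stage('Check kubectl version') {
            steps {
                withCredentials([
                    string(credentialsId: 'jenkins-sa-token', variable: 'K8S_TOKEN'),
                    file(credentialsId: 'k8s-ca-cert', variable: 'K8S_CA')
                ]) {
                    // Single-quoted Groovy strings: the shell expands the
                    // variables, so the secret is never interpolated into
                    // the pipeline script itself.
                    sh '''
                        kubectl version \
                          --server "$K8S_SERVER" \
                          --token "$K8S_TOKEN" \
                          --certificate-authority "$K8S_CA"
                    '''
                    // Check that requests now run as the ServiceAccount and
                    // that the Role from the question applies (prints "yes").
                    sh '''
                        kubectl auth can-i list pods --namespace default \
                          --server "$K8S_SERVER" \
                          --token "$K8S_TOKEN" \
                          --certificate-authority "$K8S_CA"
                    '''
                }
            }
        }
    }
}
```

Supplying the CA file keeps TLS verification on, which is preferable to disabling verification when the token is sent to the API server.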

Answer 2

Score: 0

I met the same issue, and there are several k8s environments in Jenkins.

Originally the kubectl apply command was

kubectl apply -f <directory-or-file>

To solve it, add the --context parameter to add the specific cluster

kubectl apply -f <directory-or-file> --context <CLUSTER_NAME>

huangapple
  • Posted on January 3, 2020 at 21:31:14
  • When reposting, please keep the link to this article: https://go.coder-hub.com/59579482.html