Help: permission problem after upgrading KubeSphere to 3.4.0


Operating system information
For example: EKS

Kubernetes version information
Paste the output of the kubectl version command below

Client Version: v1.32.1
Kustomize Version: v5.5.0
Server Version: v1.30.8-eks-2d5f260
WARNING: version difference between client (1.32) and server (1.30) exceeds the supported minor version skew of +/-1

Container runtime
Paste the output of docker version / crictl version / nerdctl version below

containerd

KubeSphere version information
V3.4.0

What is the problem

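Accessing the home page returns an error. It had been installed and in use for a long time; after upgrading to 3.4.0 a permission problem appeared.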

Console: http://172.22.102.59:30880
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot GET path \"/\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}

ks-console logs:

+ kubectl logs -f --namespace kubesphere-system ks-console-56db7577d5-2vdk6

> kubesphere-console@3.0.0 serve /opt/kubesphere/console
> NODE_ENV=production node server/server.js

Dashboard app running at port 8000
TypeError: Cannot read property 'match' of undefined
    at ProxyServer.<anonymous> (/opt/kubesphere/console/server/server.js:38335:41)
    at ProxyServer.emit (/opt/kubesphere/console/server/server.js:38796:35)
    at Array.stream (/opt/kubesphere/console/server/server.js:40055:26)
    at ProxyServer.<anonymous> (/opt/kubesphere/console/server/server.js:38500:21)
    at Server.<anonymous> (/opt/kubesphere/console/server/server.js:38332:13)
    at Server.emit (events.js:314:20)
    at onParserExecuteCommon (_http_server.js:641:14)
    at onParserExecute (_http_server.js:575:3)
NOT exit...

ks-apiserver

+ kubectl logs -f --namespace kubesphere-system ks-apiserver-7cdc895f47-vn2g4
W0219 14:33:59.828190       1 client_config.go:618] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
W0219 14:33:59.830945       1 client_config.go:618] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
W0219 14:33:59.846498       1 cache.go:64] In-memory cache will be used, this may cause data inconsistencies when running with multiple replicas.
I0219 14:33:59.846818       1 interface.go:50] start helm repo informer
I0219 14:34:00.070081       1 apiserver.go:428] Start cache objects
I0219 14:34:07.199496       1 apiserver.go:619] Finished caching objects
I0219 14:34:07.199535       1 apiserver.go:297] Start listening on :9090

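I compared the ks-console-config and kubesphere-config configmaps with those of other environments and found no differences.

My understanding is that the service account lacks permissions. Are there any ideas on how to troubleshoot this?

I looked through the source code; the error is in wsProxy.js, which cannot get the cookie.

_req.headers.cookie is empty. I cleared the browser cache and even used Chrome incognito mode, but the problem is still the same.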

const httpProxy = require('http-proxy');
const { getServerConfig } = require('../libs/utils');

const { server: serverConfig, agent } = getServerConfig();

module.exports = function (app) {
  const wsProxy = httpProxy.createProxyServer({
    ws: true,
    changeOrigin: true,
    agent,
  });

  app.server.on('upgrade', (req, socket, head) => {
    const target = serverConfig.apiServer.wsUrl;
    wsProxy.ws(req, socket, head, { target });

    wsProxy.on('proxyReqWs', (proxyReq, _req) => {
      const token = _req.headers.cookie.match(new RegExp('(?:^|;)\\s?token=(.*?)(?:;|$)', 'i'))[1];
      proxyReq.setHeader('Authorization', `Bearer ${token}`);
    });
  });
};

Sorry, I found the cause of the problem. It was my own silly mistake: I had set an ingress snippet. I didn't think to look there…

proxy_set_header Upgrade websocket;
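
Added example, not part of the original post and not KubeSphere's code: the TypeError in the log comes from calling `.match` on an undefined `cookie` header in the upgrade path. The sketch below validates a request before it is proxied as a WebSocket; the names `extractToken` and `checkUpgrade` and the sample headers are hypothetical and constructed for illustration.

```javascript
// Added example: defensive checks for requests arriving on the 'upgrade' event.
// Function names are hypothetical; sample headers are constructed.

const TOKEN_RE = /(?:^|;)\s*token=([^;]*)/i;

// Return the token cookie value, or null when the header or cookie is absent.
function extractToken(cookieHeader) {
  if (typeof cookieHeader !== 'string' || cookieHeader === '') return null;
  const m = cookieHeader.match(TOKEN_RE);
  return m && m[1] ? m[1] : null;
}

// Decide whether a request should be proxied as a WebSocket.
function checkUpgrade(headers) {
  const upgrade = String(headers.upgrade || '').toLowerCase();
  // An RFC 6455 handshake carries Sec-WebSocket-Key; a plain GET that only
  // had an Upgrade header added by an intermediary does not.
  if (upgrade !== 'websocket' || !headers['sec-websocket-key']) {
    return { ok: false, status: 400, reason: 'not a websocket handshake' };
  }
  const token = extractToken(headers.cookie);
  if (!token) {
    // Reject instead of throwing or forwarding an unauthenticated request.
    return { ok: false, status: 401, reason: 'missing token cookie' };
  }
  return { ok: true, authorization: `Bearer ${token}` };
}

// Constructed sample requests (header names lower-cased, as Node presents them).
const KEY = 'dGhlIHNhbXBsZSBub25jZQ==';
const samples = {
  headerAddedByProxy: { upgrade: 'websocket', host: 'console.example' },
  noCookie: { upgrade: 'websocket', 'sec-websocket-key': KEY },
  valid: {
    upgrade: 'websocket',
    'sec-websocket-key': KEY,
    cookie: 'lang=zh; token=abc.def.ghi; theme=dark',
  },
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(name, checkUpgrade(headers));
}
```

In an `upgrade` handler, a result with `ok: false` would be answered by closing the socket rather than calling `wsProxy.ws`.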