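On KubeSphere 2.1, after using the inject-ks-account script to integrate with LDAP, the console can no longer be opened or accessed.
The relevant information is as follows: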
kubectl -n kubesphere-system get pods
NAME READY STATUS RESTARTS AGE
etcd-5769d4997f-bmdvj 1/1 Running 0 4d23h
ks-account-84695f7c9d-4vdkf 1/2 CrashLoopBackOff 9 23m
ks-account-84695f7c9d-kww9j 1/2 CrashLoopBackOff 9 23m
ks-account-9ffb94b99-5gmng 1/1 Running 0 4d23h
ks-account-9ffb94b99-wtthr 1/1 Running 0 4d23h
ks-apigateway-d899b7b98-48gzs 1/1 Running 0 4d23h
ks-apigateway-d899b7b98-r2d4c 1/1 Running 0 18h
ks-apigateway-d899b7b98-vrxzc 1/1 Running 1 18h
ks-apiserver-5c5759c866-ctsrb 1/1 Running 4 18h
ks-apiserver-5c5759c866-hjkpl 1/1 Running 4 18h
ks-apiserver-5c5759c866-m6bwm 1/1 Running 0 4d23h
ks-console-97cf4db85-9jhkz 1/1 Running 0 4d23h
ks-console-97cf4db85-h7qzp 1/1 Running 0 4d23h
ks-console-97cf4db85-wgcn6 1/1 Running 0 4d23h
ks-controller-manager-9dcc6599f-99sgk 1/1 Running 0 4d23h
ks-controller-manager-9dcc6599f-bch4w 1/1 Running 1 4d23h
ks-controller-manager-9dcc6599f-hdqtc 1/1 Running 0 4d23h
ks-installer-7d9fb945c7-gpj2d 1/1 Running 0 4d23h
minio-845b7bd867-qvqmm 1/1 Running 1 4d23h
mysql-66df969d-4lxff 1/1 Running 0 4d23h
openldap-0 1/1 Running 0 4d23h
openldap-1 1/1 Running 0 4d23h
redis-ha-haproxy-ffb8d889d-9rlwv 1/1 Running 0 4d23h
redis-ha-haproxy-ffb8d889d-g5jzh 1/1 Running 0 4d23h
redis-ha-haproxy-ffb8d889d-pn6qx 1/1 Running 0 4d23h
redis-ha-server-0 2/2 Running 0 4d23h
redis-ha-server-1 2/2 Running 0 4d23h
redis-ha-server-2 2/2 Running 0 4d23h
kubectl -n kubesphere-system describe pod ks-account-84695f7c9d-4vdkf
Name: ks-account-84695f7c9d-4vdkf
Namespace: kubesphere-system
Priority: 0
Node: paas03.liuheco.com/10.10.40.103
Start Time: Sun, 15 Mar 2020 14:57:51 +0800
Labels: app=ks-account
pod-template-hash=84695f7c9d
tier=backend
version=v2.1.1
Annotations: kubectl.kubernetes.io/restartedAt: 2020-03-10T07:50:49Z
Status: Running
IP: 10.233.92.14
IPs:
IP: 10.233.92.14
Controlled By: ReplicaSet/ks-account-84695f7c9d
Init Containers:
wait-redis:
Container ID: docker://ecf6b67fa429ed37c1e56d66f19dcd051995c8e6f514cd43a0f21330472eff46
Image: alpine:3.10.4
Image ID: docker-pullable://alpine@sha256:7c3773f7bcc969f03f8f653910001d99a9d324b4b9caa008846ad2c3089f5a5f
Port: <none>
Host Port: <none>
Command:
sh
-c
until nc -z redis.kubesphere-system.svc 6379; do echo "waiting for redis"; sleep 2; done;
State: Terminated
Reason: Completed
Exit Code: 0
Started: Sun, 15 Mar 2020 14:57:52 +0800
Finished: Sun, 15 Mar 2020 14:57:52 +0800
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kubesphere-token-ftdwx (ro)
wait-ldap:
Container ID: docker://82dc44454fafe88d16d1018462b1ddccf68c1ed7a6888a0a666b536fd2b5c9b2
Image: alpine:3.10.4
Image ID: docker-pullable://alpine@sha256:7c3773f7bcc969f03f8f653910001d99a9d324b4b9caa008846ad2c3089f5a5f
Port: <none>
Host Port: <none>
Command:
sh
-c
until nc -z openldap.kubesphere-system.svc 389; do echo "waiting for ldap"; sleep 2; done;
State: Terminated
Reason: Completed
Exit Code: 0
Started: Sun, 15 Mar 2020 14:57:54 +0800
Finished: Sun, 15 Mar 2020 14:57:54 +0800
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kubesphere-token-ftdwx (ro)
Containers:
ks-account:
Container ID: docker://79ee9611213f3f2975ed68dd26acf07be55f2f0ec6366bfe988c597b7ad380c0
Image: kubesphere/ks-account:v2.1.1
Image ID: docker-pullable://kubesphere/ks-account@sha256:6fccef53ab7a269160ce7816dfe3583730ac7fe2064ea5c9e3ce5e366f3470eb
Port: 9090/TCP
Host Port: 0/TCP
Command:
ks-iam
--logtostderr=true
--jwt-secret=$(JWT_SECRET)
--admin-password=$(ADMIN_PASSWORD)
--enable-multi-login=False
--token-idle-timeout=40m
--redis-url=redis://redis.kubesphere-system.svc:6379
--generate-kubeconfig=true
State: Running
Started: Sun, 15 Mar 2020 14:57:55 +0800
Ready: True
Restart Count: 0
Limits:
cpu: 1
memory: 500Mi
Requests:
cpu: 20m
memory: 100Mi
Environment:
KUBECTL_IMAGE: kubesphere/kubectl:v1.0.0
JWT_SECRET: <set to the key 'jwt-secret' in secret 'ks-account-secret'> Optional: false
ADMIN_PASSWORD: <set to the key 'admin-password' in secret 'ks-account-secret'> Optional: false
Mounts:
/etc/ks-iam from user-init (rw)
/etc/kubesphere from kubesphere-config (rw)
/etc/kubesphere/rules from policy-rules (rw)
/var/run/secrets/kubernetes.io/serviceaccount from kubesphere-token-ftdwx (ro)
ad-sidecar:
Container ID: docker://9ada1158c20d97f2122b685e609c1a52f0233f35095edbfd5e91325124166516
Image: kubespheredev/ad-sidecar:v0.0.1
Image ID: docker-pullable://kubespheredev/ad-sidecar@sha256:0cc69753a7503176c7175e2962648de0b7e6014fc7c5910c6feacf7a8ac08fa3
Port: 19090/TCP
Host Port: 0/TCP
Command:
ad-sidecar
--logtostderr=true
--v=2
State: Waiting
Reason: CrashLoopBackOff
Last State: Terminated
Reason: Error
Exit Code: 2
Started: Sun, 15 Mar 2020 15:18:49 +0800
Finished: Sun, 15 Mar 2020 15:18:49 +0800
Ready: False
Restart Count: 9
Environment: <none>
Mounts:
/etc/kubesphere/sync.yaml from ad-sync-config (rw,path="sync.yaml")
/var/run/secrets/kubernetes.io/serviceaccount from kubesphere-token-ftdwx (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
policy-rules:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: policy-rules
Optional: false
user-init:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: user-init
Optional: false
kubesphere-config:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: kubesphere-config
Optional: false
ad-sync-config:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: ad-sync-config
Optional: false
kubesphere-token-ftdwx:
Type: Secret (a volume populated by a Secret)
SecretName: kubesphere-token-ftdwx
Optional: false
QoS Class: Burstable
Node-Selectors: <none>
Tolerations: CriticalAddonsOnly
node-role.kubernetes.io/master:NoSchedule
node.kubernetes.io/not-ready:NoExecute for 60s
node.kubernetes.io/unreachable:NoExecute for 60s
Events:
Type Reason Age From Message
Normal Scheduled <unknown> default-scheduler Successfully assigned kubesphere-system/ks-account-84695f7c9d-4vdkf to paas03.liuheco.com
Normal Pulled 24m kubelet, paas03.liuheco.com Container image "alpine:3.10.4" already present on machine
Normal Created 24m kubelet, paas03.liuheco.com Created container wait-redis
Normal Started 24m kubelet, paas03.liuheco.com Started container wait-redis
Normal Pulled 24m kubelet, paas03.liuheco.com Container image "alpine:3.10.4" already present on machine
Normal Created 24m kubelet, paas03.liuheco.com Created container wait-ldap
Normal Started 24m kubelet, paas03.liuheco.com Started container wait-ldap
Normal Pulled 24m kubelet, paas03.liuheco.com Container image "kubesphere/ks-account:v2.1.1" already present on machine
Normal Created 24m kubelet, paas03.liuheco.com Created container ks-account
Normal Started 24m kubelet, paas03.liuheco.com Started container ks-account
Normal Pulling 24m kubelet, paas03.liuheco.com Pulling image "kubespheredev/ad-sidecar:v0.0.1"
Normal Pulled 24m kubelet, paas03.liuheco.com Successfully pulled image "kubespheredev/ad-sidecar:v0.0.1"
Normal Started 24m (x3 over 24m) kubelet, paas03.liuheco.com Started container ad-sidecar
Normal Created 23m (x4 over 24m) kubelet, paas03.liuheco.com Created container ad-sidecar
Normal Pulled 23m (x3 over 24m) kubelet, paas03.liuheco.com Container image "kubespheredev/ad-sidecar:v0.0.1" already present on machine
Warning BackOff 4m17s (x93 over 24m) kubelet, paas03.liuheco.com Back-off restarting failed container
kubectl -n kubesphere-system logs ks-account-84695f7c9d-4vdkf
Error from server (BadRequest): a container name must be specified for pod ks-account-84695f7c9d-4vdkf, choose one of: [ks-account ad-sidecar] or one of the init containers: [wait-redis wait-ldap]