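After deploying a KubeSphere 2.1 cluster, I used inject-ks-account.sh to sync LDAP. Because of a problem with the initial userSearchBase rule, the full data set was synced (several hundred thousand users), so the ks-account pods have stayed in CrashLoopBackOff and ad-sidecar keeps restarting. The ad-sidecar log shows that user data is still being synced.
I would like to ask:
How can I stop this sync and reinitialize the users, so that I can adjust the sync rule and run the sync again? @hongming Thank you very much!!
LDAP user adjustment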
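hongming
naveenzhang This number of users is rather large, and syncing all of them over is also inconvenient to manage. You could wait a little for our OAuth2-based account integration.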
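calvinyu
As a management platform, would KubeSphere really have several hundred thousand users who need access? If not, could you add some filters to reduce the number of users synced?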
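hongming Yes, the userSearchBase rule was not defined rigorously at first, so all users were synced. The users already synced amount to a lot of data. What is the best way to delete them?
calvinyu There is no need for that many users to access the KubeSphere platform. I was not familiar with LDAP integration at first and the userSearchBase rule was not written rigorously, so too much data was synced. Is there a way to stop the sync? Or how can the large number of already-synced users be deleted in bulk on the backend?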
hongming
First delete the ad-sidecar from ks-account, then restore the targetPort of the ks-account service to 9090.
hongming Hello, I deleted the ad-sidecar and set ks-account to 9090. The services show no abnormalities:
# kubectl get pods -n kubesphere-system
NAME READY STATUS RESTARTS AGE
etcd-5769d4997f-bmdvj 1/1 Running 0 8d
ks-account-5c5fcf6d9d-5xktf 1/1 Running 0 2m31s
ks-account-5c5fcf6d9d-ch872 1/1 Running 0 2m35s
ks-account-5c5fcf6d9d-k6mlq 1/1 Running 0 2m26s
ks-apigateway-d899b7b98-48gzs 1/1 Running 0 8d
ks-apigateway-d899b7b98-r2d4c 1/1 Running 0 3d22h
ks-apigateway-d899b7b98-vrxzc 1/1 Running 1 3d22h
ks-apiserver-5c5759c866-ctsrb 1/1 Running 4 3d22h
ks-apiserver-5c5759c866-hjkpl 1/1 Running 4 3d22h
ks-apiserver-5c5759c866-m6bwm 1/1 Running 0 8d
ks-console-97cf4db85-9jhkz 1/1 Running 0 8d
ks-console-97cf4db85-h7qzp 1/1 Running 0 8d
ks-console-97cf4db85-wgcn6 1/1 Running 0 8d
ks-controller-manager-9dcc6599f-99sgk 1/1 Running 0 8d
ks-controller-manager-9dcc6599f-bch4w 1/1 Running 1 8d
ks-controller-manager-9dcc6599f-hdqtc 1/1 Running 0 8d
ks-installer-7d9fb945c7-gpj2d 1/1 Running 0 8d
minio-845b7bd867-qvqmm 1/1 Running 1 8d
mysql-66df969d-4lxff 1/1 Running 0 8d
openldap-0 1/1 Running 0 8d
openldap-1 1/1 Running 0 8d
redis-ha-haproxy-ffb8d889d-9rlwv 1/1 Running 0 8d
redis-ha-haproxy-ffb8d889d-g5jzh 1/1 Running 0 8d
redis-ha-haproxy-ffb8d889d-pn6qx 1/1 Running 0 8d
redis-ha-server-0 2/2 Running 0 8d
redis-ha-server-1 2/2 Running 0 8d
redis-ha-server-2 2/2 Running 0 8d
The web console cannot be opened. Checking the log:
# kubectl logs ks-account-5c5fcf6d9d-k6mlq -n kubesphere-system
W0318 12:01:07.590918 1 client_config.go:549] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
I0318 12:01:16.021698 1 server.go:113] Server listening on 0.0.0.0:9090
Was one of the steps done wrong? How do I recover?
hongming
naveenzhang Run
kubectl -n kubesphere-system get svc
kubectl -n kubesphere-system get ep
and check whether the change is correct.
hongming
# kubectl -n kubesphere-system get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
etcd ClusterIP 10.233.11.206 <none> 2379/TCP 8d
ks-account ClusterIP 10.233.52.215 <none> 80/TCP 8d
ks-apigateway ClusterIP 10.233.5.166 <none> 80/TCP 8d
ks-apiserver ClusterIP 10.233.40.187 <none> 80/TCP 8d
ks-console NodePort 10.233.38.21 <none> 80:30880/TCP 8d
minio ClusterIP 10.233.24.30 <none> 9000/TCP 8d
mysql ClusterIP 10.233.3.239 <none> 3306/TCP 8d
openldap ClusterIP None <none> 389/TCP 8d
redis ClusterIP 10.233.63.74 <none> 6379/TCP 8d
redis-ha ClusterIP None <none> 6379/TCP,26379/TCP 8d
redis-ha-announce-0 ClusterIP 10.233.27.202 <none> 6379/TCP,26379/TCP 8d
redis-ha-announce-1 ClusterIP 10.233.5.158 <none> 6379/TCP,26379/TCP 8d
redis-ha-announce-2 ClusterIP 10.233.30.54 <none> 6379/TCP,26379/TCP 8d
kubectl -n kubesphere-system get ep
NAME ENDPOINTS AGE
etcd 10.233.100.1:2379 8d
ks-account 10.233.109.21:19090,10.233.116.18:19090,10.233.91.27:19090 8d
ks-apigateway 10.233.116.12:2018,10.233.64.12:2018,10.233.92.12:2018 8d
ks-apiserver 10.233.100.5:9090,10.233.116.13:9090,10.233.92.13:9090 8d
ks-console 10.233.109.9:8000,10.233.91.19:8000,10.233.92.11:8000 8d
ks-controller-manager-leader-election <none> 8d
minio 10.233.65.1:9000 8d
mysql 10.233.120.1:3306 8d
openldap 10.233.64.5:389,10.233.92.3:389 8d
redis 10.233.116.2:6379,10.233.64.3:6379,10.233.92.2:6379 8d
redis-ha 10.233.116.3:6379,10.233.64.4:6379,10.233.92.4:6379 + 3 more... 8d
redis-ha-announce-0 10.233.64.4:6379,10.233.64.4:26379 8d
redis-ha-announce-1 10.233.116.3:6379,10.233.116.3:26379 8d
redis-ha-announce-2 10.233.92.4:6379,10.233.92.4:26379 8d
It looks like the change is wrong? Or it has not taken effect. I made the change with
kubectl -n kubesphere-system edit deploy ks-account
hongming
kubectl -n kubesphere-system edit deploy ks-account
Remove the ad-sidecar container.
kubectl -n kubesphere-system edit svc ks-account
Change targetPort to 9090.
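hongming Thanks, I can log in to the main interface normally now. The ad-sidecar has been removed, but the junk user data that was synced earlier is still there. Does this need to be cleaned up by modifying the database?
hongming
- Best reply selected by naveenzhang
naveenzhang The fastest way is definitely to delete them directly in LDAP. If that is too much trouble, you can delete the PVC mounted by LDAP, then restart LDAP and ks-account to reinitialize the accounts.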
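
The check requested earlier in the thread (look at `get ep` to see whether the ks-account change took effect), written as a script. This is an added example, not part of the original thread or of KubeSphere; the function name `check_endpoints` is hypothetical, and the AFTER sample is constructed.

```shell
#!/bin/sh
# Added example: reads `kubectl -n kubesphere-system get ep` output on stdin and
# reports every endpoint of one Service that is not on the expected port.
# Exit status: 0 = all endpoints on the expected port, 1 = mismatch, 2 = not listed.
# Live use: kubectl -n kubesphere-system get ep | check_endpoints ks-account 9090
check_endpoints() {
    awk -v svc="$1" -v want="$2" '
        $1 == svc {
            found = 1
            if ($2 == "<none>") { print svc ": no endpoints"; bad = 1; next }
            # kubectl shortens long lists to "a,b,c + N more..."; say so.
            if ($3 == "+") print svc ": list truncated, only the shown entries are checked"
            n = split($2, eps, ",")
            for (i = 1; i <= n; i++) {
                port = eps[i]
                sub(/^.*:/, "", port)          # keep what follows the last colon
                if (port != want) {
                    print svc ": " eps[i] " (expected port " want ")"
                    bad = 1
                }
            }
        }
        END {
            if (!found) { print svc ": not listed"; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# Lines taken from the output posted in the thread (Service still targets 19090).
BEFORE='NAME ENDPOINTS AGE
ks-account 10.233.109.21:19090,10.233.116.18:19090,10.233.91.27:19090 8d
ks-apiserver 10.233.100.5:9090,10.233.116.13:9090,10.233.92.13:9090 8d'

# Constructed sample: the same line once targetPort is back to 9090.
AFTER='NAME ENDPOINTS AGE
ks-account 10.233.109.21:9090,10.233.116.18:9090,10.233.91.27:9090 8d'

printf '%s\n' "$BEFORE" | check_endpoints ks-account 9090 \
    || echo "ks-account Service does not point at 9090 yet"
printf '%s\n' "$AFTER" | check_endpoints ks-account 9090 \
    && echo "ks-account endpoints are on 9090"
```

Editing only the Deployment leaves the Service's targetPort unchanged, which is why the endpoints in the thread still showed 19090 until the Service itself was edited.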