Installing cert-manager for Rancher fails with "kube-system forbidden"
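© Copyright belongs to the author. This is an original work by 51CTO blog author 无锋剑客; contact the author for permission to reprint, otherwise legal liability will be pursued.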
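1: Error when installing the certificate service for Rancher
By default, Rancher generates a CA and uses cert-manager to issue the certificate for accessing the Rancher server UI. Because rancher is the default value of the ingress.tls.source option, we do not specify ingress.tls.source when running the helm install command.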
helm install stable/cert-manager \
--name cert-manager \
--namespace kube-system \
--version v0.5.2
Installing stable/cert-manager fails with:
Error: namespaces "kube-system" is forbidden: User "system:serviceaccount:kube-system:default"
cannot get resource "namespaces" in API group "" in the namespace "kube-system"
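Solution: create a dedicated tiller service account, bind it to the cluster-admin ClusterRole, and redeploy Tiller with that service account: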
kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl delete deployment tiller-deploy --namespace kube-system
helm init --service-account tiller
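To confirm which identity and permission the forbidden error in section 1 refers to, the message can be turned into the matching kubectl auth can-i check. This is an added example, not part of the original post; the function name forbidden_to_can_i and the second sample message are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): build the `kubectl auth can-i`
# check that corresponds to an API-server RBAC "forbidden" message.
# forbidden_to_can_i is a hypothetical helper name.

forbidden_to_can_i() {
    # Join wrapped lines so a message split across two lines still parses.
    msg=$(printf '%s' "$1" | tr '\n' ' ')

    user=$(printf '%s' "$msg" | sed -n 's/.*User "\([^"]*\)" cannot .*/\1/p')
    verb=$(printf '%s' "$msg" | sed -n 's/.*" cannot \([a-z*]*\) resource ".*/\1/p')
    res=$(printf '%s' "$msg" | sed -n 's/.* resource "\([^"]*\)" in API group.*/\1/p')
    grp=$(printf '%s' "$msg" | sed -n 's/.* in API group "\([^"]*\)".*/\1/p')
    ns=$(printf '%s' "$msg" | sed -n 's/.* in the namespace "\([^"]*\)".*/\1/p')

    if [ -z "$user" ] || [ -z "$verb" ] || [ -z "$res" ]; then
        echo "not an RBAC forbidden message" >&2
        return 1
    fi

    # Resources outside the core API group are written as resource.group.
    if [ -n "$grp" ]; then
        res="$res.$grp"
    fi

    cmd="kubectl auth can-i $verb $res --as=$user"
    # Messages ending in "at the cluster scope" carry no namespace.
    if [ -n "$ns" ]; then
        cmd="$cmd --namespace $ns"
    fi
    printf '%s\n' "$cmd"
}

# The error shown in section 1, wrapped across two lines as on the page.
PAGE_MSG='Error: namespaces "kube-system" is forbidden: User "system:serviceaccount:kube-system:default"
cannot get resource "namespaces" in API group "" in the namespace "kube-system"'

# Constructed sample: a cluster-scoped denial in a non-core API group.
CRD_MSG='customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:kube-system:default" cannot create resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope'

forbidden_to_can_i "$PAGE_MSG"
forbidden_to_can_i "$CRD_MSG"
```

Running a printed command needs impersonation rights on the cluster; replacing the --as value with system:serviceaccount:kube-system:tiller shows what the new binding allows.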
2: If cert-manager was installed previously, the following error may appear:
[root@kubm-01 ~]# helm install stable/cert-manager --name cert-manager --namespace kube-system --version v0.5.2
Error: customresourcedefinitions.apiextensions.k8s.io "certificates.certmanager.k8s.io" already exists
Solution:
List the existing custom resource definitions
[root@kubm-01 ~]# kubectl get customresourcedefinitions --all-namespaces=true |grep certmanager.*
certificates.certmanager.k8s.io 2019-08-20T04:03:16Z
clusterissuers.certmanager.k8s.io 2019-08-02T06:32:05Z
issuers.certmanager.k8s.io 2019-08-02T06:32:06Z
# Delete them
kubectl delete customresourcedefinition certificates.certmanager.k8s.io
kubectl delete customresourcedefinition clusterissuers.certmanager.k8s.io
kubectl delete customresourcedefinition issuers.certmanager.k8s.io
Reference: https://github.com/jetstack/cert-manager/issues/870
Run the installation again
helm install stable/cert-manager \
--name cert-manager \
--namespace kube-system \
--version v0.5.2
Check the installation status
kubectl -n kube-system rollout status deploy/cert-manager
cert-manager has been deployed successfully!
Reference (recommended):
https://helm.sh/docs/using_helm/#tiller-and-role-based-access-control