1. Server environment preparation

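This problem occurs because the Kubernetes API Server added the --anonymous-auth option, which allows anonymous requests to reach the secure port. Requests that are not rejected by any other authentication method are anonymous requests; such a request has the username system:anonymous and belongs to the group system:unauthenticated. This option is enabled by default. As a result, when you access the dashboard UI or the apiserver from the Chrome browser, the username/password dialog may well not pop up, and the subsequent authorization fails. To make sure the username/password dialog appears, set --anonymous-auth to false.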

If the apiserver was installed manually, edit the /etc/kubernetes/apiserver file and add --anonymous-auth=false inside KUBE_API_ARGS=""

vim /etc/kubernetes/apiserver
KUBE_API_ARGS="--anonymous-auth=false"

If the apiserver was installed with kubeadm, edit the /etc/kubernetes/manifests/kube-apiserver.yaml file and add - --anonymous-auth=false under command

[root@master ~]# vim /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.168.10.102
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=http://www.ib911.com/259:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-cluster-ip-range=10.1.0.0/16
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --anonymous-auth=false
    image: k8s.gcr.io/kube-apiserver:v1.15.0
    imagePullPolicy: IfNotPresent

After making the changes above, restart the apiserver and it returns to normal.
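
To confirm the edit took effect in either file, the following added example (not part of the original post; the function names are hypothetical) reports the effective --anonymous-auth value, treating an absent flag as the enabled default described above. It assumes that when the flag is repeated the last occurrence wins, and the sample manifest fragment is constructed.

```shell
#!/bin/sh
# Added example (helper names are hypothetical, not from the original page).
# Reports the effective --anonymous-auth value in a kube-apiserver config:
# a kubeadm static-pod manifest or the KUBE_API_ARGS file of a manual install.

# Prints: false | true | default-true (flag absent) | invalid
anonymous_auth_state() {
    # Skip commented-out lines, collect every occurrence of the flag and
    # keep the last one (assumption: a repeated flag's last value wins).
    last=$(grep -v '^[[:space:]]*#' "$1" \
        | grep -oE -e '--anonymous-auth(=[A-Za-z0-9]*)?' \
        | tail -n 1)
    case $last in
        '')               echo default-true ;;
        --anonymous-auth) echo true ;;   # bare boolean flag means true
        *)
            case ${last#--anonymous-auth=} in
                false|False|FALSE|f|F|0) echo false ;;
                true|True|TRUE|t|T|1)    echo true ;;
                *)                       echo invalid ;;
            esac ;;
    esac
}

# Returns 0 only when anonymous requests are explicitly disabled.
check_anonymous_auth() {
    state=$(anonymous_auth_state "$1")
    if [ "$state" = false ]; then
        echo "OK    $1: --anonymous-auth=false"
    else
        echo "WARN  $1: anonymous-auth is '$state'; requests run as system:anonymous"
        return 1
    fi
}

# Constructed sample: a fragment shaped like the manifest above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --anonymous-auth=false
EOF
check_anonymous_auth "$sample"
rm -f "$sample"
```

On a real node, pass /etc/kubernetes/manifests/kube-apiserver.yaml or /etc/kubernetes/apiserver to check_anonymous_auth; a non-zero exit status means the flag is missing, set to true, or malformed.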