外部-DNS EKS AWS

Question

AWS EKS 1.13

我正在尝试设置外部-dns，如下所述：

https://github.com/kubernetes-incubator/external-dns/blob/master/docs/tutorials/aws.md

我想在名称空间中设置它，下面是代码：

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: qa
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: external-dns
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","watch","list"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","watch","list"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get","watch","list"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
- kind: ServiceAccount
  name: external-dns
  namespace: qa
---

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: external-dns
  namespace: qa
spec:
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
      - name: external-dns
        image: registry.opensource.zalan.do/teapot/external-dns:latest
        args:
        - --source=service
        - --source=ingress
        - --domain-filter=xxxxxx.domain.com
        - --provider=aws
        - --policy=sync
        - --aws-zone-type=public
        - --registry=txt
        - --txt-owner-id=xxxxxxx

不幸的是，这不起作用，吊舱的状态是"CrashLoopBackOff“

这是豆荚的原木：

time="2019-07-15T21:07:22Z" level=info msg="config: {Master: KubeConfig: RequestTimeout:30s IstioIngressGatewayServices:[istio-system/istio-ingressgateway] Sources:[service ingress] Namespace: AnnotationFilter: FQDNTemplate: CombineFQDNAndAnnotation:false IgnoreHostnameAnnotation:false Compatibility: PublishInternal:false PublishHostIP:false ConnectorSourceServer:localhost:8080 Provider:aws GoogleProject: DomainFilter:[xxxx] ExcludeDomains:[] ZoneIDFilter:[] AlibabaCloudConfigFile:/etc/kubernetes/alibaba-cloud.json AlibabaCloudZoneType: AWSZoneType:public AWSZoneTagFilter:[] AWSAssumeRole: AWSBatchChangeSize:1000 AWSBatchChangeInterval:1s AWSEvaluateTargetHealth:true AWSAPIRetries:3 AzureConfigFile:/etc/kubernetes/azure.json AzureResourceGroup: CloudflareProxied:false CloudflareZonesPerPage:50 RcodezeroTXTEncrypt:false InfobloxGridHost: InfobloxWapiPort:443 InfobloxWapiUsername:admin InfobloxWapiPassword: InfobloxWapiVersion:2.3.1 InfobloxSSLVerify:true InfobloxView: InfobloxMaxResults:0 DynCustomerName: DynUsername: DynPassword: DynMinTTLSeconds:0 OCIConfigFile:/etc/kubernetes/oci.yaml InMemoryZones:[] PDNSServer:http://localhost:8081 PDNSAPIKey: PDNSTLSEnabled:false TLSCA: TLSClientCert: TLSClientCertKey: Policy:sync Registry:txt TXTOwnerID:ZTZ2FLS733BGN TXTPrefix: Interval:1m0s Once:false DryRun:false LogFormat:text MetricsAddress::7979 LogLevel:info TXTCacheInterval:0s ExoscaleEndpoint:https://api.exoscale.ch/dns ExoscaleAPIKey: ExoscaleAPISecret: CRDSourceAPIVersion:externaldns.k8s.io/v1alpha1 CRDSourceKind:DNSEndpoint ServiceTypeFilter:[] CFAPIEndpoint: CFUsername: CFPassword: RFC2136Host: RFC2136Port:0 RFC2136Zone: RFC2136Insecure:false RFC2136TSIGKeyName: RFC2136TSIGSecret: RFC2136TSIGSecretAlg: RFC2136TAXFR:false NS1Endpoint: NS1IgnoreSSL:false TransIPAccountName: TransIPPrivateKeyFile:}"
time="2019-07-15T21:07:22Z" level=fatal msg="invalid configuration: no configuration has been provided"

但是，如果我在默认名称空间中部署完全相同的代码，则不会出现任何问题。

有什么帮助吗？

谢谢

Answer 1

invalid configuration: no configuration has been provided位来自试图在没有显式配置的情况下构造Kube配置。如果没有提供显式的信任，则尝试使用集群内的默认API服务器位置进行猜测。如果猜测失败，则显示此错误消息。

如果下列情况下，此默认配置可能失败：

1. 您使用的是非标准配置(不同的apiserver URL?)
2. Pod和API服务器之间存在一个网络问题
3. RBAC配置不当

假设您添加了一个ServiceAccount、ClusterRole、ClusterRoleBinding等，这看起来就像Terraform 未能挂载ServiceAccount秘密。

现在看来，您必须手动挂载秘密(请参阅链接获取更多信息)：

resource "kubernetes_service_account" "foo" {
    name = "foo"
}
resource "kubernetes_deployment" "foo" {
    ...
    spec {
        ...
        template {
            ...
            spec {
                # Normally, this is what you should do:
                #service_account_name = "${kubernetes_service_account.foo.name}"

                volume {
                    name = "${kubernetes_service_account.foo.default_secret_name}"
                    secret {
                        secret_name = "${kubernetes_service_account.foo.default_secret_name}"
                    }
                }
                ...
                container {
                    ...
                    volume_mount {
                        name       = "${kubernetes_service_account.foo.default_secret_name}"
                        mount_path = "/var/run/secrets/kubernetes.io/serviceaccount"
                        read_only  = true
                    }
                }
            }
        }
    }
}