Possible documentation fix:
In storageclass.yaml, the RBAC part of the configuration should also include the user from the kube-system namespace:
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: run-nfs-provisioner
subjects:
  - kind: ServiceAccount
    name: nfs-provisioner
    namespace: default
  - kind: ServiceAccount   # these three lines were missing before
    name: nfs-provisioner
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: nfs-provisioner-runner
  apiGroup: rbac.authorization.k8s.io
The problem: in the kubesphere-system namespace, the three pods other than ks-installer stayed in Pending state.
I then traced it to the logs of the nfs-client-provisioner pod:
[root@kubesphere01 ~]# kubectl logs nfs-client-provisioner-7f959768b5-vchmj
...
E0830 07:12:31.186152 1 leaderelection.go:234] error retrieving resource lock kube-system/fuseim.pri-ifs: endpoints "fuseim.pri-ifs" is forbidden: User "system:serviceaccount:kube-system:nfs-provisioner" cannot get resource "endpoints" in API group "" in the namespace "kube-system"
E0830 07:12:34.579320 1 leaderelection.go:234] error retrieving resource lock kube-system/fuseim.pri-ifs: endpoints "fuseim.pri-ifs" is forbidden: User "system:serviceaccount:kube-system:nfs-provisioner" cannot get resource "endpoints" in API group "" in the namespace "kube-system"
E0830 07:12:36.602935 1 leaderelection.go:234] error retrieving resource lock kube-system/fuseim.pri-ifs: endpoints "fuseim.pri-ifs" is forbidden: User "system:serviceaccount:kube-system:nfs-provisioner" cannot get resource "endpoints" in API group "" in the namespace "kube-system"
E0830 07:12:40.947084 1 leaderelection.go:234] error retrieving resource lock kube-system/fuseim.pri-ifs: endpoints "fuseim.pri-ifs" is forbidden: User "system:serviceaccount:kube-system:nfs-provisioner" cannot get resource "endpoints" in API group "" in the namespace "kube-system"
E0830 07:12:45.005643 1 leaderelection.go:234] error retrieving resource lock kube-system/fuseim.pri-ifs: endpoints "fuseim.pri-ifs" is forbidden: User "system:serviceaccount:kube-system:nfs-provisioner" cannot get resource "endpoints" in API group "" in the namespace "kube-system"
After modifying the RBAC configuration and applying it, everything was fine and the pods changed to Running.
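
The diagnosis described in this post, as an added example that is not part of the original post: it extracts the denied ServiceAccount identity from a "forbidden" log line and compares it with the subjects of the ClusterRoleBinding. The function names are hypothetical, and the subject lists are re-typed from the YAML above as Python data.

```python
import re

# Matches the RBAC denial message in the form shown in the log above.
FORBIDDEN = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\S+) resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<target_ns>[^"]+)")?'
)

def denied_requests(log_text):
    """Distinct (sa_namespace, sa_name, verb, resource, target_namespace) denials."""
    return {
        (m["ns"], m["sa"], m["verb"], m["resource"], m["target_ns"])
        for m in FORBIDDEN.finditer(log_text)
    }

def unbound_accounts(log_text, subjects):
    """ServiceAccounts that were denied and are absent from the binding's subjects."""
    bound = {
        (s.get("namespace"), s["name"])
        for s in subjects
        if s["kind"] == "ServiceAccount"
    }
    denied = {(ns, sa) for ns, sa, *_ in denied_requests(log_text)}
    return sorted(denied - bound)

# One of the log lines from the post.
SAMPLE_LOG = (
    'E0830 07:12:31.186152 1 leaderelection.go:234] error retrieving resource lock '
    'kube-system/fuseim.pri-ifs: endpoints "fuseim.pri-ifs" is forbidden: User '
    '"system:serviceaccount:kube-system:nfs-provisioner" cannot get resource '
    '"endpoints" in API group "" in the namespace "kube-system"\n'
)

# Subjects of run-nfs-provisioner before and after the change proposed above.
SUBJECTS_BEFORE = [
    {"kind": "ServiceAccount", "name": "nfs-provisioner", "namespace": "default"},
]
SUBJECTS_AFTER = SUBJECTS_BEFORE + [
    {"kind": "ServiceAccount", "name": "nfs-provisioner", "namespace": "kube-system"},
]

if __name__ == "__main__":
    for ns, sa in unbound_accounts(SAMPLE_LOG, SUBJECTS_BEFORE):
        print(f"denied and not bound: system:serviceaccount:{ns}:{sa}")
```

The check compares identities only; it does not evaluate whether the rules in the bound ClusterRole cover the denied verb and resource.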