At this point, checking the pods may show that a pod stays stuck in the creating state. The `describe` command shows that "istio-token" cannot be found:
```
MountVolume.SetUp failed for volume "istio-token":failed to fetch token: the API server does not have TokenRequest endpoints enabled
```
Check whether our k8s cluster supports third-party tokens:
```json
{
    "name": "serviceaccounts/token",
    "singularName": "",
    "namespaced": true,
    "group": "authentication.k8s.io",
    "version": "v1",
    "kind": "TokenRequest",
    "verbs": [
        "create"
    ]
}
```
Configure the apiserver by adding parameters that enable third-party tokens (third-party JWT):
```yaml
# Add to /etc/kubernetes/manifests/kube-apiserver.yaml:
- --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
- --service-account-key-file=/etc/kubernetes/pki/sa.pub
- --service-account-issuer=api
- --service-account-api-audiences=api,vault,factors
```
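As an added example (not code from the original post), the Python below runs both checks described above offline: whether an API discovery document, such as the output of `kubectl get --raw /api/v1`, lists the `serviceaccounts/token` TokenRequest resource, and which of the service-account flags are missing from a kube-apiserver manifest. The sample discovery JSON and manifest fragments are constructed, and the function names are hypothetical.

```python
import json
import re

# Flags from the page's kube-apiserver.yaml change. The audiences flag is
# treated as optional here (an assumption of this example).
REQUIRED_FLAGS = (
    "--service-account-signing-key-file",
    "--service-account-key-file",
    "--service-account-issuer",
)

# Constructed sample inputs, not captured from a real cluster.
SAMPLE_DISCOVERY = json.dumps({"resources": [
    {"name": "serviceaccounts", "kind": "ServiceAccount", "verbs": ["get", "list"]},
    {"name": "serviceaccounts/token", "group": "authentication.k8s.io",
     "version": "v1", "kind": "TokenRequest", "verbs": ["create"]},
]})
MANIFEST_BEFORE = """\
    - kube-apiserver
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
"""
MANIFEST_AFTER = MANIFEST_BEFORE + """\
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-account-issuer=api
    - --service-account-api-audiences=api,vault,factors
"""

def supports_token_request(discovery_json):
    """True if the discovery document lists serviceaccounts/token (TokenRequest, create)."""
    for res in json.loads(discovery_json).get("resources", []):
        if (res.get("name") == "serviceaccounts/token"
                and res.get("kind") == "TokenRequest"
                and "create" in res.get("verbs", [])):
            return True
    return False

def apiserver_flags(manifest_text):
    """Map each '- --flag=value' line of the manifest to its value."""
    flags = {}
    for line in manifest_text.splitlines():
        m = re.match(r"\s*-\s+(--[a-z0-9-]+)(?:=(.*))?$", line)
        if m:
            flags[m.group(1)] = (m.group(2) or "").strip()
    return flags

def missing_flags(manifest_text):
    """Required flags that are absent or have an empty value."""
    flags = apiserver_flags(manifest_text)
    return [f for f in REQUIRED_FLAGS if not flags.get(f)]
```

For the constructed "before" manifest, `missing_flags` reports the signing key and issuer flags as missing; for the "after" manifest it returns an empty list.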