  • K8S study notes == kube-controller-manager reports: configmaps "extension-apiserver-authentication" is forbidden: User "kubernetes" cannot get resource "configmaps" in API group ""

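    When I set up the certificates as the textbook described, configured the prerequisites for kube-controller, and started the kube-controller-manager component, it unexpectedly reported an error.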

    I. Basic information:

    1. The kube-controller-manager.service file is as follows

    [Unit]
    Description=kubernetes controller-manager service
    After=network.target
    After=network-online.target
    Wants=network-online.target
    # because the etcd service isn't on this machine
    # After=etcd.service
    # Wants=etcd.service

    [Service]
    EnvironmentFile=/k8s/kubernetes/cfg/kube-controller-manager-env
    ExecStart=/k8s/kubernetes/bin/kube-controller-manager \
    --port=0 \
    --secure-port=10252 \
    --bind-address=127.0.0.1 \
    --kubeconfig=${KUBECONFIG} \
    --authentication-kubeconfig=${KUBECONFIG} \
    --authorization-kubeconfig=${KUBECONFIG} \
    --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE} \
    --cluster-name=kubernetes \
    --cluster-signing-cert-file=/k8s/kubernetes/ssl/k8s-ca.pem \
    --cluster-signing-key-file=/k8s/kubernetes/ssl/k8s-ca-key.pem \
    --experimental-cluster-signing-duration=8760h \
    --root-ca-file=/k8s/kubernetes/ssl/k8s-ca.pem \
    --service-account-private-key-file=/k8s/kubernetes/ssl/k8s-ca-key.pem \
    --leader-elect=true \
    --feature-gates=RotateKubeletServerCertificate=true \
    --controllers=*,bootstrapsigner,tokencleaner \
    --horizontal-pod-autoscaler-use-rest-clients=true \
    --horizontal-pod-autoscaler-sync-period=10s \
    --tls-cert-file=/k8s/kubernetes/ssl/kube-controller-manager-server.pem \
    --tls-private-key-file=/k8s/kubernetes/ssl/kube-controller-manager-server-key.pem \
    --use-service-account-credentials=true \
    --alsologtostderr=true \
    --logtostderr=false \
    --log-dir=${LOG_DIR} \
    --v=4
    LimitNOFILE=1000000
    User=root

    [Install]
    WantedBy=multi-user.target

    2. The environment file is as follows

    KUBECONFIG="/k8s/kubernetes/cfg/kube-controller-manager.kubeconfig"
    SERVICE_CLUSTER_IP_RANGE="10.0.0.0/24"
    LOG_DIR="/var/log/k8s/kube-controller-manager"

    3. The error message is as follows:

    configmaps "extension-apiserver-authentication" is forbidden: User "kubernetes" cannot get resource "configmaps" in API group ""

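    II. Cause and fix

    I later found that this had nothing to do with missing configmap permissions or a badly generated config file. It was caused by the parameter [insecure mode, HTTP] "--port=0" being enabled in our kube-controller-manager.service file.

    After we deleted the two yellow-highlighted parameters from file 1 and ran the service start commands again, kube-controller-manager started successfully.

    Note: the parameter [secure mode, HTTPS] "--secure-port=10252" must be removed, otherwise starting the service fails with "10252 is already in use".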

    root >> systemctl daemon-reload

    root >> systemctl restart kube-controller-manager

    root >> netstat -nltp | grep kube

    root >> kubectl get cs

    root >> journalctl -u kube-controller-manager --since '2019-05-25 18:33:00'
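
The error in section 3 names a user, a verb and a resource. As an added example (not part of the original post), this shell function turns such a message into the `kubectl auth can-i` command that re-checks that permission. The function name and the handling of an optional namespace suffix are assumptions, and running the printed command needs credentials that are allowed to impersonate users.

```shell
#!/bin/sh
# Added example, not from the original post.
# Converts an API-server RBAC "forbidden" message into the matching
# `kubectl auth can-i` command, so the denied permission can be re-checked.

# The error text quoted in section 3 of the post.
SAMPLE='configmaps "extension-apiserver-authentication" is forbidden: User "kubernetes" cannot get resource "configmaps" in API group ""'

# forbidden_to_can_i MESSAGE  (hypothetical helper name)
# Prints the kubectl command; returns 1 if MESSAGE is not a "forbidden" error
# for a named resource. Runs in a subshell so its variables stay local.
forbidden_to_can_i() (
    re='^.*"([^"]+)" is forbidden: User "([^"]+)" cannot ([a-z]+) resource "([^"]+)" in API group "([^"]*)"( in the namespace "([^"]+)")?.*$'
    # Reorder the captures into user|verb|resource|group|name|namespace.
    fields=$(printf '%s\n' "$1" | sed -n -E "s/$re/\2|\3|\4|\5|\1|\7/p")
    [ -n "$fields" ] || exit 1
    IFS='|' read -r user verb resource group name ns <<EOF
$fields
EOF
    # kubectl addresses non-core API groups as resource.group.
    if [ -n "$group" ]; then resource="$resource.$group"; fi
    cmd="kubectl auth can-i $verb $resource/$name --as=$user"
    # Assumption: fuller messages end with: in the namespace "<ns>".
    if [ -n "$ns" ]; then cmd="$cmd --namespace=$ns"; fi
    printf '%s\n' "$cmd"
)

forbidden_to_can_i "$SAMPLE"
```
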

     

  • Original article: https://www.cnblogs.com/itshare/p/10923457.html