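Most online instructions apply to the full/trial version of OpenShift. I am looking for recent instructions and downloads so that I can install the OpenShift community edition.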
Naama L Ackerman
Asked:
2021-07-12 03:39:52 +0800 CST
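This is a very basic question, so I think I must be missing something obvious: do OpenShift services use round-robin to load balance between pods? Or do they forward requests to the pod with the most available resources? Or is it completely random?
My service configuration looks like this: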
kind: service
metadata:
  name: temp
  labels:
    app: temp
spec:
  port:
    targetPort: temp-port
  to:
    kind: Service
    name: temp
JSM
Asked:
2020-10-06 23:18:37 +0800 CST
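I recently deployed a version 4.5 OKD cluster, and everything seems fine, but I cannot get the Google identity provider to work for login. I followed the instructions here, but without success. When I try to log in with my company Google identity, I get a very generic error message:
I ended up with the following OAuth configuration: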
spec:
  identityProviders:
  - google:
      clientID: <my-ID>.apps.googleusercontent.com
      clientSecret:
        name: google-secret
      hostedDomain: <company domain>
    mappingMethod: claim
    name: googleidp
    type: Google
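I also set up the Google project as described. I just created the OAuth 2.0 credentials and the callback URL (which is correct, since I am returned to OKD after the consent screen), with no extra consent scopes; just profile, email and openid, and OKD does not request any other scopes. The project is set to internal, so only company users can log in.
After some investigation, I managed to increase the verbosity of the oauth-openshift pod, and here is what shows up in the log for a failed attempt: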
1 handler.go:156] Got auth data
I0929 15:30:10.036799 1 round_trippers.go:423] curl -k -v -XPOST -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" 'https://www.googleapis.com/oauth2/v3/token'
I0929 15:30:10.071829 1 round_trippers.go:443] POST https://www.googleapis.com/oauth2/v3/token 401 Unauthorized in 35 milliseconds
I0929 15:30:10.071871 1 round_trippers.go:449] Response Headers:
I0929 15:30:10.071879 1 round_trippers.go:452] Server: scaffolding on HTTPServer2
I0929 15:30:10.071885 1 round_trippers.go:452] Cache-Control: private
I0929 15:30:10.071891 1 round_trippers.go:452] X-Content-Type-Options: nosniff
I0929 15:30:10.071897 1 round_trippers.go:452] Vary: Origin
I0929 15:30:10.071902 1 round_trippers.go:452] Vary: X-Origin
I0929 15:30:10.071909 1 round_trippers.go:452] Vary: Referer
I0929 15:30:10.071915 1 round_trippers.go:452] Date: Tue, 29 Sep 2020 15:30:10 GMT
I0929 15:30:10.071920 1 round_trippers.go:452] Alt-Svc: h3-Q050=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
I0929 15:30:10.071926 1 round_trippers.go:452] Content-Type: application/json; charset=utf-8
I0929 15:30:10.071934 1 round_trippers.go:452] X-Xss-Protection: 0
I0929 15:30:10.071939 1 round_trippers.go:452] X-Frame-Options: SAMEORIGIN
I0929 15:30:10.072004 1 handler.go:176] Error getting access token: Unauthorized
E0929 15:30:10.072031 1 errorpage.go:26] AuthenticationError: Unauthorized
I0929 15:30:10.072428 1 httplog.go:90] verb="GET" URI="/oauth2callback/googleidp?state=<token>&code=<token>&scope=email%20profile%20openid%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile&authuser=0&hd=<companydomain>&prompt=consent" latency=35.835162ms resp=200 UserAgent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36" srcIP="10.129.2.28:49228":
I cannot find the cause of the Unauthorized error, so any help is greatly appreciated.
Baptiste Mille-Mathias
Asked:
2020-07-18 05:36:15 +0800 CST
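In OpenShift 4.x, you have an API, project, which seems completely similar to namespace: a namespace is created when you create a project, and vice versa. I know that namespace is a standard object in Kubernetes, while project is specific to OpenShift. So what does project bring?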
# list projects
oc get projects
NAME DISPLAY NAME STATUS
default Active
kube-node-lease Active
kube-public Active
kube-system Active
local-storage Active
openshift Active
openshift-apiserver Active
# list namespaces
$ oc get ns
NAME STATUS AGE
default Active 17d
kube-node-lease Active 17d
kube-public Active 17d
kube-system Active 17d
local-storage Active 16d
openshift Active 17d
openshift-apiserver Active 17d
openshift-apiserver-operator Active 17d
The lists are the same, apart from the different columns.
oc get project foo
Error from server (NotFound): namespaces "foo" not found
oc get ns foo
Error from server (NotFound): namespaces "foo" not found
15:30 $ oc new-project foo
Now using project "foo" on server "https://api.goo.tadadidou.bo:6443".
...
$ oc get project foo
NAME DISPLAY NAME STATUS
foo Active
$ oc get ns foo
NAME STATUS AGE
foo Active 70s
Even the YAML output is similar, except for the value of the field Kind:, which is Project or Namespace.