[root@node1 ~]# kubectl get pod -n kube-system -owide
NAME                                      READY   STATUS              RESTARTS   AGE    IP               NODE
calico-kube-controllers-cd96b6c89-bpjp6   1/1     Running             0          40h    10.10.0.1        node3
calico-node-ffsz8                         1/1     Running             0          14s    10.10.0.1        node3
calico-node-nsmwl                         1/1     Running             0          14s    10.10.0.2        node2
calico-node-w4ngt                         1/1     Running             0          14s    10.10.0.1        node1
coredns-55c8f5fd88-hw76t                  1/1     Running             1          260d   192.168.135.55   node3
xxx-55c8f5fd88-vqwbz                      1/1     ContainerCreating   1          319d   192.168.104.22   node2
Analysis
Inspect with describe
[root@node1 ~]# kubectl describe pod -n xxx xxx
Events:
  Type     Reason                  Age                 From               Message
  ----     ------                  ----                ----               -------
  Normal   Scheduled               52m                 default-scheduler  Successfully assigned xxx/xxx to node1
  Warning  FailedCreatePodSandBox  52m                 kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = [failed to set up sandbox container "xxx" network for pod "xxx": networkPlugin cni failed to set up pod "xxx" network: connection is unauthorized: Unauthorized, failed to clean up sandbox container "xxx" network for pod "xxx": networkPlugin cni failed to teardown pod "xxx" network: error getting ClusterInformation: connection is unauthorized: Unauthorized]
  Normal   SandboxChanged          50m (x10 over 52m)  kubelet            Pod sandbox changed, it will be killed and re-created.
1. How can this feature be enabled / disabled in a live cluster?
   Feature gate name: BoundServiceAccountTokenVolume
   Components depending on the feature gate: kube-apiserver and kube-controller-manager
   Will enabling / disabling the feature require downtime of the control plane? yes, need to restart kube-apiserver and kube-controller-manager.
   Will enabling / disabling the feature require downtime or reprovisioning of a node? no.
2. Does enabling the feature change any default behavior?
   yes, pods' service account tokens will expire after 1 year by default and are not stored as Secrets any more.
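
The describe output above shows the CNI plugin being rejected as Unauthorized, and the excerpt says bound service account tokens expire after 1 year by default. The following is an added example, not part of the original post or of Calico: it reads the `exp` claim of a service account JWT taken from kubeconfig text and classifies it. It assumes the kubeconfig holds the credential in a `token:` field; the function names and the sample token are constructed for illustration, and the signature is not verified.

```python
import base64
import json
import re
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT for the demo (not a real credential)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'constructed')}"

def token_from_kubeconfig(text: str) -> str:
    """Pull the bearer token out of kubeconfig text (assumes a 'token:' field)."""
    m = re.search(r"^\s*token:\s*(\S+)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no token field found")
    return m.group(1).strip("\"'")

def token_status(token: str, now=None, warn_days: int = 30) -> dict:
    """Read exp from the JWT payload; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None:
        # Legacy Secret-based tokens carry no exp claim
        return {"state": "no-expiry", "days_left": None}
    days_left = (exp - now) / 86400
    if days_left <= 0:
        state = "expired"  # an expired bearer token is rejected as Unauthorized
    elif days_left <= warn_days:
        state = "expiring-soon"
    else:
        state = "valid"
    return {"state": state, "days_left": round(days_left, 1)}

if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed reference time
    issued = NOW - 366 * 86400  # issued 366 days ago with a 365-day lifetime
    sample = "users:\n- name: calico\n  user:\n    token: " + make_sample_token(
        {"iss": "https://kubernetes.default.svc", "iat": issued, "exp": issued + 365 * 86400}
    )
    print(token_status(token_from_kubeconfig(sample), now=NOW))
```
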