Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
451 views
in Technique[技术] by (71.8m points)

kubectl - Kubernetes set image missing resource type 'deployment'

I'm trying to update an image in Kubernetes by using the following command:

kubectl set image deployment/ms-userservice ms-userservice=$DOCKER_REGISTRY_NAME/$BITBUCKET_REPO_SLUG:$BITBUCKET_COMMIT --insecure-skip-tls-verify

But when I receive the following error:

error: the server doesn't have a resource type "deployment"

I have checked that i am in the right namespace, and that the pod with the name exists and is running.

I can't find any meaningful resources in regards to this error.

Sidenote: I'm doing this through Bitbucket and a pipeline, which also builds the image i want to use.

Any suggestions?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

I have a suspicion that it has something to do with user - not much help from the error message.

@TietjeDK is correct that it is just a misleading error message. It means one of two things is happening (or maybe both): the kubectl binary is newer than the supported version range of the cluster (so: using a v1.11 binary against a v1.8 cluster, for example) or the provided JWT is incorrectly signed.

You should be very very careful with --insecure-skip-tls-verify not only because it's bad security hygiene but also because if a kubeconfig is incorrect -- as is very likely the case here -- then seeing the x509 error is a much clearer indication than trying to troubleshoot an invalid JWT.

The indicator that makes me believe it is actually the signature of the token, and not its contents, is that if it were the contents you would seen an RBAC message User "[email protected]" cannot list deployments in $namespace namespace, meaning the apiserver did unpack the JWT and found its assertions were insufficient for the operation. But if you sign a JWT using a random key, the JWT will not unpack since it will fail public key validation and be rejected outright.

So, the tl;dr is two-fold:

  1. fix the kubeconfig to actually contain the correct certificate authority (CA) for the cluster, so --insecure-skip-tls-verify isn't required
  2. while fixing kubeconfig, issue a new token for the (User | ServiceAccount) that comes from the cluster it is designed to interact with

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...