在 Kubernetes 1.22 版中,Kubernetes 專案已淘汰用戶端 (例如 kubectl 指令列工具) 用來存取 Kubernetes API 伺服器的內建驗證機制。Kubernetes 1.26 預計會移除內建驗證機制。如需相關資訊,請參閱 GitHub PR 102181。
如果叢集部署的運算子使用 Kubernetes 服務帳戶與 API 伺服器通訊,則不受這項異動影響。
你應該怎麼做?
GKE 已發布更新版驗證外掛程式,
gke-gcloud-auth-plugin。這個外掛程式會使用 client-go 憑證外掛程式架構,提供驗證權杖來與 GKE 叢集通訊。
您必須先安裝外掛程式,才能將指令列用戶端更新至 1.26 以上版本。如果未安裝外掛程式,您會看到類似以下的錯誤訊息。
如需操作說明,請參閱「安裝必要外掛程式」。
錯誤示例:找不到驗證提供者
Unable to connect to the server: getting credentials: exec: executable gke-gcloud-auth-plugin not found
panic: no Auth Provider found for name gcp
錯誤示例:找不到可執行檔 gke-cloud-auth-plugin
Unable to connect to the server: getting credentials: exec: executable gke-gcloud-auth-plugin not found
It looks like you are trying to use a client-go credential plugin that is not installed.
To learn more about this feature, consult the documentation available at:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
Install gke-gcloud-auth-plugin for use with kubectl by following \
https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke.