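kubernetes - kube-apiserver fails to start after configuring the aggregator
Problem description
The official Kubernetes site recommends configuring the aggregator with a different CA certificate (credentials). So, following the official recommendation, I generated a new CA certificate and used that CA to sign the certificate used by the aggregator. Then I started the api-server, but it failed to start. The failure log is as follows: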
3月 21 19:03:05 localhost.localdomain systemd[1]: Failed to start Kube-apiserver Service.
-- Subject: Unit kube-apiserver.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kube-apiserver.service has failed.
--
-- The result is failed.
3月 21 19:03:05 localhost.localdomain systemd[1]: kube-apiserver.service failed.
3月 21 19:03:05 localhost.localdomain kubelet[4084]: I0321 19:03:05.015767 4084 trace.go:116] Trace[1764576244]: "Reflector ListAndWatch" name:k8s.io/kubernetes
3月 21 19:03:05 localhost.localdomain kubelet[4084]: Trace[1764576244]: [14.397574036s] [14.397574036s] END
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.015796 4084 reflector.go:123] k8s.io/kubernetes/pkg/kubelet/config/apiserver.go:46: Failed t
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.215925 4084 reflector.go:123] object-"kube-system"/"coredns-token-v7xr6": Failed to list *v1
3月 21 19:03:05 localhost.localdomain kubelet[4084]: I0321 19:03:05.215962 4084 trace.go:116] Trace[2021737021]: "Reflector ListAndWatch" name:object-"monitorin
3月 21 19:03:05 localhost.localdomain kubelet[4084]: Trace[2021737021]: [14.597630663s] [14.597630663s] END
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.215984 4084 reflector.go:123] object-"monitoring"/"default-token-wk7d4": Failed to list *v1.
3月 21 19:03:06 localhost.localdomain kubelet[4084]: E0321 19:03:06.000788 4084 kubelet_node_status.go:388] Error updating node status, will retry: error gettin
3月 21 19:03:07 localhost.localdomain systemd[1]: Failed to start Kube-apiserver Service.
-- Subject: Unit kube-apiserver.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kube-apiserver.service has failed.
--
-- The result is failed.
3月 21 19:03:07 localhost.localdomain systemd[1]: kube-apiserver.service failed.
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.215825 4084 reflector.go:123] object-"kube-system"/"coredns": Failed to list *v1.ConfigMap:
3月 21 19:03:07 localhost.localdomain kubelet[4084]: I0321 19:03:07.215849 4084 trace.go:116] Trace[1596043133]: "Reflector ListAndWatch" name:object-"kube-syst
3月 21 19:03:07 localhost.localdomain kubelet[4084]: Trace[1596043133]: [16.600026154s] [16.600026154s] END
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.215870 4084 reflector.go:123] object-"kube-system"/"calico-kube-controllers-token-n8wt8": Fa
3月 21 19:03:07 localhost.localdomain kubelet[4084]: I0321 19:03:07.415833 4084 trace.go:116] Trace[1895303640]: "Reflector ListAndWatch" name:object-"kube-syst
3月 21 19:03:07 localhost.localdomain kubelet[4084]: Trace[1895303640]: [19.684820866s] [19.684820866s] END
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.415863 4084 reflector.go:123] object-"kube-system"/"calico-config": Failed to list *v1.Confi
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.418879 4084 reflector.go:123] k8s.io/client-go/informers/factory.go:134: Failed to list *v1b
All the steps I performed are as follows:
Step 1: Generate the certificates
mkdir -p /work/deploy/kubernetes/security/aggregatorLayer_tls
cd /work/deploy/kubernetes/security/aggregatorLayer_tls
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.pem -subj "/CN=k8s-aggregator/O=k8s-egg"
openssl genrsa -out aggregator.key 2048
openssl req -new -key aggregator.key -out aggregator.csr -subj "/O=k8s-egg/CN=aggregator"
openssl x509 -req -days 3650 -in aggregator.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out aggregator.pem
Step 2: Configure the parameters
vim /etc/kubernetes/apiserver
KUBE_AGGREGATOR_ARGS="--requestheader-client-ca-file=/work/deploy/kubernetes/security/aggregatorLayer_tls/ca.pem --requestheader-allowed-names=aggregator --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --proxy-client-cert-file=/work/deploy/kubernetes/security/aggregatorLayer_tls/aggregator.pem --proxy-client-key-file=aggregator.key"
Step 3: Add the startup parameters to the startup file
[root@localhost ~]# cat /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kube-apiserver Service
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
Type=notify
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/apiserver
ExecStart=/usr/bin/kube-apiserver $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_ETCD_SERVERS $KUBE_API_ADDRESS $KUBE_API_PORT $KUBELET_PORT $KUBE_SERVICE_ADDRESSES $KUBE_ADMISSION_CONTROL $KUBE_API_ARGS $KUBE_AGGREGATOR_ARGS
Restart=always
LimitNOFILE=65536
[Install]
WantedBy=default.target
Step 4: Start kube-apiserver. Startup fails, with the log shown above.
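A pre-start check for the flags in step 2, as an added example that is not part of the original post: it lists the file flags whose value is not an absolute path, and, when the files are readable, checks that the proxy client certificate verifies against the request-header CA and that its CN is in `--requestheader-allowed-names`. The function names are hypothetical, and `ARGS` is the posted `KUBE_AGGREGATOR_ARGS` value with the common directory factored into `P`.

```shell
#!/bin/sh
# Added example: lint the step 2 aggregator flags before restarting kube-apiserver.
# ARGS is the KUBE_AGGREGATOR_ARGS value from the question (directory factored into P).
P=/work/deploy/kubernetes/security/aggregatorLayer_tls
ARGS="--requestheader-client-ca-file=$P/ca.pem --requestheader-allowed-names=aggregator --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --proxy-client-cert-file=$P/aggregator.pem --proxy-client-key-file=aggregator.key"

# Print the value of --NAME=value from a flag string ($1 = flags, $2 = NAME).
flag_value() {
    for tok in $1; do
        case "$tok" in
            "--$2="*) printf '%s\n' "${tok#--$2=}"; return 0 ;;
        esac
    done
    return 1
}

# Print the file flags whose value is not an absolute path. A system unit runs
# with / as its working directory unless WorkingDirectory= is set, so a relative
# value is looked up there, not next to the other certificate files.
relative_path_flags() {
    for f in requestheader-client-ca-file proxy-client-cert-file proxy-client-key-file; do
        v=$(flag_value "$1" "$f") || continue
        case "$v" in /*) ;; *) printf '%s\n' "$f" ;; esac
    done
}

# Return 0 if the proxy client certificate verifies against the request-header CA
# and its CN is listed in --requestheader-allowed-names (an empty list allows any CN).
check_proxy_cert() {
    ca=$(flag_value "$1" requestheader-client-ca-file) || return 2
    cert=$(flag_value "$1" proxy-client-cert-file) || return 2
    names=$(flag_value "$1" requestheader-allowed-names) || names=
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ -z "$names" ] && return 0
    case ",$names," in *",$cn,"*) return 0 ;; *) return 1 ;; esac
}

# Report on the posted flags; the certificate check runs only where the files exist.
for f in $(relative_path_flags "$ARGS"); do
    echo "relative path: --$f=$(flag_value "$ARGS" "$f")"
done
if [ -r "$(flag_value "$ARGS" proxy-client-cert-file)" ]; then
    check_proxy_cert "$ARGS" && echo "proxy client cert OK" || echo "proxy client cert rejected"
fi
```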
Solution