kubernetes官网建议聚合器最好配置不同的ca证书;凭据。于是,我按照官网的建议,重新生成了一个ca证书,并用这个ca签署了聚合器使用的证书。官网。然后启动api-server,但是启动失败。失败日志如下:
3月 21 19:03:05 localhost.localdomain systemd[1]: Failed to start Kube-apiserver Service.
-- Subject: Unit kube-apiserver.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kube-apiserver.service has failed.
--
-- The result is failed.
3月 21 19:03:05 localhost.localdomain systemd[1]: kube-apiserver.service failed.
3月 21 19:03:05 localhost.localdomain kubelet[4084]: I0321 19:03:05.015767 4084 trace.go:116] Trace[1764576244]: "Reflector ListAndWatch" name:k8s.io/kubernetes
3月 21 19:03:05 localhost.localdomain kubelet[4084]: Trace[1764576244]: [14.397574036s] [14.397574036s] END
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.015796 4084 reflector.go:123] k8s.io/kubernetes/pkg/kubelet/config/apiserver.go:46: Failed t
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.215925 4084 reflector.go:123] object-"kube-system"/"coredns-token-v7xr6": Failed to list *v1
3月 21 19:03:05 localhost.localdomain kubelet[4084]: I0321 19:03:05.215962 4084 trace.go:116] Trace[2021737021]: "Reflector ListAndWatch" name:object-"monitorin
3月 21 19:03:05 localhost.localdomain kubelet[4084]: Trace[2021737021]: [14.597630663s] [14.597630663s] END
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.215984 4084 reflector.go:123] object-"monitoring"/"default-token-wk7d4": Failed to list *v1.
3月 21 19:03:06 localhost.localdomain kubelet[4084]: E0321 19:03:06.000788 4084 kubelet_node_status.go:388] Error updating node status, will retry: error gettin
3月 21 19:03:07 localhost.localdomain systemd[1]: Failed to start Kube-apiserver Service.
-- Subject: Unit kube-apiserver.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kube-apiserver.service has failed.
--
-- The result is failed.
3月 21 19:03:07 localhost.localdomain systemd[1]: kube-apiserver.service failed.
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.215825 4084 reflector.go:123] object-"kube-system"/"coredns": Failed to list *v1.ConfigMap:
3月 21 19:03:07 localhost.localdomain kubelet[4084]: I0321 19:03:07.215849 4084 trace.go:116] Trace[1596043133]: "Reflector ListAndWatch" name:object-"kube-syst
3月 21 19:03:07 localhost.localdomain kubelet[4084]: Trace[1596043133]: [16.600026154s] [16.600026154s] END
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.215870 4084 reflector.go:123] object-"kube-system"/"calico-kube-controllers-token-n8wt8": Fa
3月 21 19:03:07 localhost.localdomain kubelet[4084]: I0321 19:03:07.415833 4084 trace.go:116] Trace[1895303640]: "Reflector ListAndWatch" name:object-"kube-syst
3月 21 19:03:07 localhost.localdomain kubelet[4084]: Trace[1895303640]: [19.684820866s] [19.684820866s] END
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.415863 4084 reflector.go:123] object-"kube-system"/"calico-config": Failed to list *v1.Confi
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.418879 4084 reflector.go:123] k8s.io/client-go/informers/factory.go:134: Failed to list *v1b
ESCOD
3月 21 19:03:05 localhost.localdomain systemd[1]: Failed to start Kube-apiserver Service.
-- Subject: Unit kube-apiserver.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kube-apiserver.service has failed.
--
-- The result is failed.
3月 21 19:03:05 localhost.localdomain systemd[1]: kube-apiserver.service failed.
3月 21 19:03:05 localhost.localdomain kubelet[4084]: I0321 19:03:05.015767 4084 trace.go:116] Trace[1764576244]: "Reflector ListAndWatch" name:k8s.io/kubernetes
3月 21 19:03:05 localhost.localdomain kubelet[4084]: Trace[1764576244]: [14.397574036s] [14.397574036s] END
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.015796 4084 reflector.go:123] k8s.io/kubernetes/pkg/kubelet/config/apiserver.go:46: Failed t
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.215925 4084 reflector.go:123] object-"kube-system"/"coredns-token-v7xr6": Failed to list *v1
3月 21 19:03:05 localhost.localdomain kubelet[4084]: I0321 19:03:05.215962 4084 trace.go:116] Trace[2021737021]: "Reflector ListAndWatch" name:object-"monitorin
3月 21 19:03:05 localhost.localdomain kubelet[4084]: Trace[2021737021]: [14.597630663s] [14.597630663s] END
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.215984 4084 reflector.go:123] object-"monitoring"/"default-token-wk7d4": Failed to list *v1.
3月 21 19:03:06 localhost.localdomain kubelet[4084]: E0321 19:03:06.000788 4084 kubelet_node_status.go:388] Error updating node status, will retry: error gettin
3月 21 19:03:07 localhost.localdomain systemd[1]: Failed to start Kube-apiserver Service.
-- Subject: Unit kube-apiserver.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kube-apiserver.service has failed.
--
-- The result is failed.
3月 21 19:03:07 localhost.localdomain systemd[1]: kube-apiserver.service failed.
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.215825 4084 reflector.go:123] object-"kube-system"/"coredns": Failed to list *v1.ConfigMap:
3月 21 19:03:07 localhost.localdomain kubelet[4084]: I0321 19:03:07.215849 4084 trace.go:116] Trace[1596043133]: "Reflector ListAndWatch" name:object-"kube-syst
3月 21 19:03:07 localhost.localdomain kubelet[4084]: Trace[1596043133]: [16.600026154s] [16.600026154s] END
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.215870 4084 reflector.go:123] object-"kube-system"/"calico-kube-controllers-token-n8wt8": Fa
3月 21 19:03:07 localhost.localdomain kubelet[4084]: I0321 19:03:07.415833 4084 trace.go:116] Trace[1895303640]: "Reflector ListAndWatch" name:object-"kube-syst
3月 21 19:03:07 localhost.localdomain kubelet[4084]: Trace[1895303640]: [19.684820866s] [19.684820866s] END
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.415863 4084 reflector.go:123] object-"kube-system"/"calico-config": Failed to list *v1.Confi
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.418879 4084 reflector.go:123] k8s.io/client-go/informers/factory.go:134: Failed to list *v1b
ESCOD
3月 21 19:03:05 localhost.localdomain systemd[1]: Failed to start Kube-apiserver Service.
-- Subject: Unit kube-apiserver.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kube-apiserver.service has failed.
--
-- The result is failed.
我所做的所有步骤如下:
第 1 步:生成证书
mkdir -p /work/deploy/kubernetes/security/aggregatorLayer_tls
cd /work/deploy/kubernetes/security/aggregatorLayer_tls
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.pem -subj "/CN=k8s-aggregator/O=k8s-egg"
openssl genrsa -out aggregator.key 2048
openssl req -new -key aggregator.key -out aggregator.csr -subj "/O=k8s-egg/CN=aggregator"
openssl x509 -req -days 3650 -in aggregator.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out aggregator.pem
第二步:配置参数
vim /etc/kubernetes/apiserver
KUBE_AGGREGATOR_ARGS="--requestheader-client-ca-file=/work/deploy/kubernetes/security/aggregatorLayer_tls/ca.pem --requestheader-allowed-names=aggregator --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --proxy-client-cert-file=/work/deploy/kubernetes/security/aggregatorLayer_tls/aggregator.pem --proxy-client-key-file=aggregator.key"
第三步:将启动参数添加到启动文件中
[root@localhost ~]# cat /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kube-apiserver Service
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
Type=notify
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/apiserver
ExecStart=/usr/bin/kube-apiserver $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_ETCD_SERVERS $KUBE_API_ADDRESS $KUBE_API_PORT $KUBELET_PORT $KUBE_SERVICE_ADDRESSES $KUBE_ADMISSION_CONTROL $KUBE_API_ARGS $KUBE_AGGREGATOR_ARGS
Restart=always
LimitNOFILE=65536
[Install]
WantedBy=default.target
第四步:启动 kube - apiserver 启动失败,日志如上