I am new to kubernetes and I have finally figured out how to start metrics-server as documented in kubernetes-sigs/metrics-server. In case anyone else is wondering: you need to deploy it on the master node and have at least one worker in the cluster.
So I am getting this error:
E0818 15:25:22.835094 1 manager.go:111] unable to fully collect metrics: [unable to fully scrape metrics from source kubelet_summary:<hostname-master>: unable to fetch metrics from Kubelet <hostname-master> (<hostname-master>): Get https://<hostname-master>:10250/stats/summary?only_cpu_and_memory=true: x509: certificate signed by unknown authority, unable to fully scrape metrics from source kubelet_summary:<hostname-worker>: unable to fetch metrics from Kubelet <hostname-worker> (<hostname-worker>): Get https://<hostname-worker>:10250/stats/summary?only_cpu_and_memory=true: x509: certificate signed by unknown authority]
I am using my own CA (not self-signed) and I have modified the components.yml file (example):
args:
  - --cert-dir=/tmp/metricsServerCas
  - --secure-port=4443
  - --kubelet-preferred-address-types=Hostname
I know I can disable TLS by using the --kubelet-insecure-tls flag, which I have already tried. I want to use my own CA to improve security.
I have seen many other related questions (a few samples), e.g.:
x509 certificate signed by unknown authority - Kubernetes and kubectl unable to connect to server: x509: certificate signed by unknown authority
Although I have applied chown to my $HOME/.kube/config, I still see this error.
Where am I going wrong?
Update: on the worker I am creating a directory, e.g. /tmp/ca, and I add the ca file into that directory.
I am not that good with mount points yet and I think I am doing something wrong. The default syntax for the image can be found here: kubernetes-sigs/metrics-server/v0.3.7 (see the components.yml file).
I tried creating a directory on my worker, e.g. /tmp/ca, and I modified the flag --cert-dir=/tmp/ca and mountPath: /tmp/ca.
When I deploy the file, e.g.:
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.3.7/components.yaml
I keep getting this error from metrics-server-xxxx:
panic: open /tmp/client-ca-file805316981: read-only file system
even though I have granted full access to the directory, e.g.:
$ ls -la /tmp/ca
total 8
drwxr-xr-x. 2 user user 20 Aug 19 16:59 .
drwxrwxrwt. 18 root root 4096 Aug 19 17:34 ..
-rwxr-xr-x. 1 user user 1025 Aug 19 16:59 ca.crt
I am not sure where I am going wrong.
How can this be configured so that one can use a non self-signed certificate? I can see that most people are using non-SSL, which I want to avoid.
Example of my args in the image:
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  template:
    metadata:
      name: metrics-server
      labels:
        k8s-app: metrics-server
    spec:
      serviceAccountName: metrics-server
      volumes:
      # mount in tmp so we can safely use from-scratch images and/or read-only containers
      - name: tmp-dir
        emptyDir: {}
      containers:
      - name: metrics-server
        image: k8s.gcr.io/metrics-server/metrics-server:v0.3.7
        imagePullPolicy: IfNotPresent
        args:
          - --cert-dir=/tmp/ca
          - --secure-port=4443
          - --kubelet-preferred-address-types=Hostname
        ports:
        - name: main-port
          containerPort: 4443
          protocol: TCP
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - name: tmp-dir
          mountPath: /tmp/ca
      nodeSelector:
        kubernetes.io/os: linux
        kubernetes.io/arch: "amd64"
Update 2: adding the curl command from the master to the worker, including the error output:
$ curl --cacert /etc/kubernetes/pki/ca.crt https://node_hostname:10250/stats/summary?only_cpu_and_memory=true
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
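The verification behind the error in the question, as an added Go example using only the standard library (not code from the question or from metrics-server): a constructed, throwaway cluster CA issues a kubelet serving certificate, and the same check a TLS client performs on port 10250 is run against an unrelated CA (which yields "certificate signed by unknown authority"), against the right CA, and against the right CA with a different node name (which matters because of --kubelet-preferred-address-types=Hostname). The CA names, serials and node names are assumed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl under parent/parentKey with a fresh P-256 key; a nil parent means a self-signed CA.
// Everything generated here is constructed throwaway test material, not a real cluster's PKI.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

// VerifyKubelet does what a TLS client does with the kubelet's serving cert: chain it to the roots, then check the dialed name.
func VerifyKubelet(serving *x509.Certificate, roots *x509.CertPool, hostname string) error {
	_, err := serving.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// Demo issues a kubelet serving cert for hostname from a cluster CA, then verifies it against an
// unrelated CA (the post's error), the right CA, and the right CA with a different node name.
func Demo(hostname string) (wrongCA, rightCA, wrongName error) {
	clusterCA, clusterKey := issue(caTemplate("cluster-ca", 1), nil, nil)
	otherCA, _ := issue(caTemplate("unrelated-ca", 2), nil, nil)
	kubelet, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: hostname},
		DNSNames: []string{hostname}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, clusterCA, clusterKey)
	wrong, right := x509.NewCertPool(), x509.NewCertPool()
	wrong.AddCert(otherCA)
	right.AddCert(clusterCA)
	return VerifyKubelet(kubelet, wrong, hostname), VerifyKubelet(kubelet, right, hostname),
		VerifyKubelet(kubelet, right, "some-other-node")
}
```

The first verdict is the one in the question's log; the CA handed to the client must be the one that actually signed the kubelet serving certificates, and the certificate must carry the node's hostname in its SANs.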