Kubernetes: unable to fully collect metrics when installing metrics server
I have installed the metric server on Kubernetes, but it does not work, and there are no logs
unable to fully collect metrics: [unable to fully scrape metrics from source kubelet_summary:xxx: unable to fetch metrics from Kubelet ... (X.X): Get https:....: x509: cannot validate certificate for 1x.x.
x509: certificate signed by unknown authority
If I modify the deployment YAML and add
command:
- /metrics-server
- --kubelet-insecure-tls
- --kubelet-preferred-address-types=InternalIP
Now it collects metrics, and kubectl top node returns results
But the logs still show
E1120 11:58:45.624974 1 reststorage.go:144] unable to fetch pod metrics for pod dev/pod-6bffbb9769-6z6qz: no metrics known for pod
E1120 11:58:45.625289 1 reststorage.go:144] unable to fetch pod metrics for pod dev/pod-6bffbb9769-rzvfj: no metrics known for pod
E1120 12:00:06.462505 1 manager.go:102] unable to fully collect metrics: [unable to fully scrape metrics from source kubelet_summary:ip-1x.x.x.eu-west-1.compute.internal: unable to get CPU for container ...discarding data: missing cpu usage metric, unable to fully scrape metrics from source
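So my questions are:
1) All of this works on minikube, but not on my dev cluster. Why is that?
2) In production I don't want to use insecure TLS. Can someone explain why this problem occurs, or point me to some resources?

Kubeadm generates the kubelet certificates at /var/lib/kubelet/pki, and those certificates (kubelet.crt and kubelet.key) are signed by a different CA from the one used to generate all the other certificates at /etc/kubelet/pki.
You need to regenerate the kubelet certificates so that they are signed by the root CA (/etc/kubernetes/pki/CA.crt).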
You can use openssl or cfssl to generate the new certificates (I am using cfssl).
Create a file kubelet-csr.json:
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"<node_name>",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [{
"C": "US",
"ST": "NY",
"L": "City",
"O": "Org",
"OU": "Unit"
}]
}
Now generate the new certificate using the file above:
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
--config=ca-config.json -profile=kubernetes \
kubelet-csr.json | cfssljson -bare kubelet
Replace the old certificates with the newly generated ones:
$ scp kubelet.pem <nodeip>:/var/lib/kubelet/pki/kubelet.crt
$ scp kubelet-key.pem <nodeip>:/var/lib/kubelet/pki/kubelet.key
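See the following ticket for the background of the issue:
Hope this helps.

Do I need to ssh into the cluster and then run these commands? These are not done through kubectl?
Yes, you need to log in to the master node and follow these steps to generate the certificates. No, kubectl commands are not needed, because we are only generating certificates.
Thanks... So if I have two masters, do I need to do this on both nodes?
Yes, you need to replace kubelet.crt and kubelet.key on all nodes. Remember that you need to generate a new certificate for each one: change node_name in the kubelet_csr.json file, then repeat the steps.
You're welcome :)
Kubernetes has an open bug about this. Take a look here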
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
--config=ca-config.json -profile=kubernetes \
kubelet-csr.json | cfssljson -bare kubelet
$ scp kubelet.pem <nodeip>:/var/lib/kubelet/pki/kubelet.crt
$ scp kubelet-key.pem <nodeip>:/var/lib/kubelet/pki/kubelet.key
$ systemctl restart kubelet
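The two x509 errors quoted in the question are error strings from Go's crypto/x509, the library metrics-server uses to verify the kubelet's serving certificate. The following is an added example, not code from the thread or from the Kubernetes project: it builds throwaway certificates in memory and shows which check fails for a certificate with no IP SAN, for one with an IP SAN signed by a CA the client does not trust, and for one signed by the trusted cluster CA. The function names, CA names, node name and the IP 10.0.0.7 are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a constructed test certificate; a nil parent makes it a self-signed CA.
func issue(cn string, ips []net.IP, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, DNSNames: []string{cn}, IPAddresses: ips}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Diagnose verifies a kubelet serving cert like a client that trusts only the cluster CA and dials dialIP.
func Diagnose(signedByClusterCA bool, dialIP string, ipSANs ...net.IP) (string, error) {
	ca, caKey := issue("cluster-ca", nil, nil, nil)
	signer, signerKey := issue("other-ca", nil, nil, nil) // a CA the client does not trust
	if signedByClusterCA {
		signer, signerKey = ca, caKey
	}
	leaf, _ := issue("node-1", ipSANs, signer, signerKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dialIP})
	return fmt.Sprintf("%T", err), err // Go error type name; "<nil>" when chain and SAN both pass
}

func main() {
	ip := "10.0.0.7" // constructed node InternalIP
	fmt.Println(Diagnose(false, ip))                  // no IP SAN
	fmt.Println(Diagnose(false, ip, net.ParseIP(ip))) // IP SAN, untrusted CA
	fmt.Println(Diagnose(true, ip, net.ParseIP(ip)))  // IP SAN, cluster CA
}
```

The SAN check runs before chain building, so a certificate that fails both checks reports only the missing IP SAN first; the unknown-authority error appears once the SAN is present.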