prometheus
kubectl logs 報錯
kubectl create clusterrolebinding cluster-system:kubernetes --clusterrole=cluster-admin --user=system:kubernetes
提示錯誤
caller=klog.go:96 component=k8s_client_runtime func=ErrorDepth msg="/app/discovery/kubernetes/kubernetes.go:427: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:monitoring:prometheus\" cannot list resource \"services\" in API group \"\" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io \"prometheus\" not found"
綁定權限
kubectl create clusterrolebinding prometheus-clusterrolebinding -n monitoring --clusterrole=cluster-admin --serviceaccount=monitoring:prometheus
##########
創建ingress報錯
Error from server (InternalError): error when creating "ingress-myapp.yaml": Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post "https://ingress-nginx-controller-admission.ingress-nginx.svc:443/networking/v1/ingresses?timeout=10s": context deadline exceeded
[root@master01 pod]# kubectl get ValidatingWebhookConfiguration
NAME WEBHOOKS AGE
ingress-nginx-admission 1 6m6s
[root@master01 pod]# kubectl delete ValidatingWebhookConfiguration ingress-ngin x-admission
validatingwebhookconfiguration.admissionregistration.k8s.io "ingress-nginx-admis sion" deleted
[root@master01 pod]# kubectl apply -f ingress-myapp.yaml
ingress.networking.k8s.io/ingress-myapp created
[root@master01 pod]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-myapp <none> tomcat.lucky.com 80 13s
[root@master01 pod]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-myapp <none> tomcat.lucky.com 192.168.1.20,192.168.1.21,192.168.1.22 80 2m38s
##########
https://blog.csdn.net/who__are__you_/article/details/115677777
metrics kube-api日志報錯
no RequestInfo found in the context
Apr 10 11:21:32 master01 kube-apiserver[38370]: E0410 11:21:32.374734 38370 controller.go:116] loading OpenAPI spec for "v1beta1.metrics.k8s.io" f
ailed with: failed to retrieve openAPI spec, http error: ResponseCode: 503, Body: service unavailable
容器內會報ca相關錯誤
查看證書過期默認1年(更新證書后顯示)
[root@master01 kubernetes]# openssl x509 -in ssl/proxy-client.pem -noout -text |grep Not
Not Before: May 28 06:31:00 2023 GMT
Not After : May 27 06:31:00 2024 GMT
更新證書
cfssl gencert -profile=kubernetes -ca=/etc/kubernetes/ssl/ca.pem -ca-key=/etc/kubernetes/ssl/ca-key.pem proxy-client-csr.json
vim proxy-client-csr.json
cfssl gencert -profile=kubernetes -ca=/etc/kubernetes/ssl/ca.pem -ca-key=/etc/kubernetes/ssl/ca-key.pem proxy-client-csr.json | cfssljson -bare proxy-client
cp proxy-client* /etc/kubernetes/ssl/
for i in master02 master03;do scp proxy-client* root@$i:/etc/kubernetes/ssl/ ;done
for i in master01 master02 master03;do ssh root@$i systemctl daemon-reload && systemctl restart kube-apiserver ;done
metrics 安裝需要在master -> kube-apiserver 配置文件添加
cfssl 生成proxy-client key
metric.yaml 添加字段
hostNetwork=True
- --kubelet-insecure-tls
image: registry.cn-hangzhou.aliyuncs.com/zailushang/metrics-server:v0.6.0
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: metrics-server
name: metrics-server
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: metrics-server
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: system:aggregated-metrics-reader
rules:
- apiGroups:
- metrics.k8s.io
resources:
- pods
- nodes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: metrics-server
name: system:metrics-server
rules:
- apiGroups:
- ""
resources:
- nodes/metrics
verbs:
- get
- apiGroups:
- ""
resources:
- pods
- nodes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
k8s-app: metrics-server
name: metrics-server-auth-reader
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: metrics-server
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
k8s-app: metrics-server
name: metrics-server:system:auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: metrics-server
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
k8s-app: metrics-server
name: system:metrics-server
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:metrics-server
subjects:
- kind: ServiceAccount
name: metrics-server
namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: metrics-server
name: metrics-server
namespace: kube-system
spec:
ports:
- name: https
port: 443
protocol: TCP
targetPort: https
selector:
k8s-app: metrics-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
k8s-app: metrics-server
name: metrics-server
namespace: kube-system
spec:
selector:
matchLabels:
k8s-app: metrics-server
strategy:
rollingUpdate:
maxUnavailable: 0
template:
metadata:
labels:
k8s-app: metrics-server
spec:
nodeName: node01
hostNetwork: true
containers:
- args:
- --cert-dir=/tmp
- --secure-port=4443
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --kubelet-use-node-status-port
- --metric-resolution=15s
- --kubelet-insecure-tls
image: registry.cn-hangzhou.aliyuncs.com/zailushang/metrics-server:v0.6.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /livez
port: https
scheme: HTTPS
periodSeconds: 10
name: metrics-server
ports:
- containerPort: 4443
name: https
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: https
scheme: HTTPS
initialDelaySeconds: 20
periodSeconds: 10
resources:
requests:
cpu: 100m
memory: 200Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
nodeSelector:
kubernetes.io/os: linux
priorityClassName: system-cluster-critical
serviceAccountName: metrics-server
volumes:
- emptyDir: {}
name: tmp-dir
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
k8s-app: metrics-server
name: v1beta1.metrics.k8s.io
spec:
group: metrics.k8s.io
groupPriorityMinimum: 100
insecureSkipTLSVerify: true
service:
name: metrics-server
namespace: kube-system
version: v1beta1
versionPriority: 100