У меня была похожая проблема при игре с Кубернетесом, это было из-за неправильного сертификата
Я сделал следующее:
kubectl -n kube-system logs <etcd>
и нашелчто-то вроде: embed: rejected connection from "172.17.0.3:36950" (error "remote error: tls: bad certificate", ServerName "")
Я получил конфигурацию etcd, у вас должно быть что-то вроде
$ kubectl -n kube-system get cm cilium-config -o yaml
apiVersion: v1
data:
clean-cilium-bpf-state: "false"
clean-cilium-state: "false"
cluster-name: default
ct-global-max-entries-other: "262144"
ct-global-max-entries-tcp: "524288"
debug: "false"
disable-ipv4: "false"
etcd-config: |-
---
endpoints:
- https://<ETCD_URL>:2379
#
# In case you want to use TLS in etcd, uncomment the 'ca-file' line
# and create a kubernetes secret by following the tutorial in
# https://cilium.link/etcd-config
ca-file: '/var/lib/etcd-secrets/etcd-client-ca.crt'
#
# In case you want client to server authentication, uncomment the following
# lines and create a kubernetes secret by following the tutorial in
# https://cilium.link/etcd-config
key-file: '/var/lib/etcd-secrets/etcd-client.key'
cert-file: '/var/lib/etcd-secrets/etcd-client.crt'
legacy-host-allows-world: "false"
monitor-aggregation-level: none
sidecar-istio-proxy-image: cilium/istio_proxy
tunnel: vxlan
kind: ConfigMap
Затем я сравнил ключи kubectl -n kube-system get secret cilium-etcd-client-tls -o yaml
, которые предоставляют 3 значения base64.
Затем я могу проверить ключи, используя curl https://<ETCD_URL>:2379/v2/keys --cacert=etcd-client-ca.crt --cert=etcd-client.crt --key=etcd-client.key
После этого у вас должно быть что-то вроде {"action":"get","node":{"dir":true}}
Затем вы можете проверить развертывание, на моей стороне, у меня есть
kind: Deployment
metadata:
labels:
io.cilium/app: operator
name: cilium-operator
name: cilium-operator
namespace: kube-system
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
io.cilium/app: operator
name: cilium-operator
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
io.cilium/app: operator
name: cilium-operator
spec:
containers:
- args:
- --kvstore=etcd
- --kvstore-opt=etcd.config=/var/lib/etcd-config/etcd.config
command:
- cilium-operator
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: K8S_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: CILIUM_DEBUG
valueFrom:
configMapKeyRef:
key: debug
name: cilium-config
optional: true
- name: CILIUM_CLUSTER_NAME
valueFrom:
configMapKeyRef:
key: cluster-name
name: cilium-config
optional: true
- name: CILIUM_CLUSTER_ID
valueFrom:
configMapKeyRef:
key: cluster-id
name: cilium-config
optional: true
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
key: AWS_ACCESS_KEY_ID
name: cilium-aws
optional: true
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
key: AWS_SECRET_ACCESS_KEY
name: cilium-aws
optional: true
- name: AWS_DEFAULT_REGION
valueFrom:
secretKeyRef:
key: AWS_DEFAULT_REGION
name: cilium-aws
optional: true
image: docker.io/cilium/operator:latest
imagePullPolicy: Always
name: cilium-operator
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/lib/etcd-config
name: etcd-config-path
readOnly: true
- mountPath: /var/lib/etcd-secrets
name: etcd-secrets
readOnly: true
dnsPolicy: ClusterFirst
priorityClassName: system-node-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: cilium-operator
serviceAccountName: cilium-operator
terminationGracePeriodSeconds: 30
volumes:
- configMap:
defaultMode: 420
items:
- key: etcd-config
path: etcd.config
name: cilium-config
name: etcd-config-path
- name: etcd-secrets
secret:
defaultMode: 420
optional: true
secretName: cilium-etcd-secrets```