Официальный сайт kubernetes предполагает, что агрегатор должен быть лучше настроен на разные сертификаты; учетные данные. Поэтому я последовал совету официального сайта, заново сгенерировал сертификат CA и подписал сертификат, который будет использоваться агрегатором с этим CA. Затем я добавил параметр конфигурации в параметр запуска kube-apiserver в соответствии с конфигурацией Официальный веб-сайт. Затем запустите api-сервер, но не запустите. Журнал ошибок выглядит следующим образом:
3月 21 19:03:05 localhost.localdomain systemd[1]: Failed to start Kube-apiserver Service.
-- Subject: Unit kube-apiserver.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kube-apiserver.service has failed.
--
-- The result is failed.
3月 21 19:03:05 localhost.localdomain systemd[1]: kube-apiserver.service failed.
3月 21 19:03:05 localhost.localdomain kubelet[4084]: I0321 19:03:05.015767 4084 trace.go:116] Trace[1764576244]: "Reflector ListAndWatch" name:k8s.io/kubernetes
3月 21 19:03:05 localhost.localdomain kubelet[4084]: Trace[1764576244]: [14.397574036s] [14.397574036s] END
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.015796 4084 reflector.go:123] k8s.io/kubernetes/pkg/kubelet/config/apiserver.go:46: Failed t
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.215925 4084 reflector.go:123] object-"kube-system"/"coredns-token-v7xr6": Failed to list *v1
3月 21 19:03:05 localhost.localdomain kubelet[4084]: I0321 19:03:05.215962 4084 trace.go:116] Trace[2021737021]: "Reflector ListAndWatch" name:object-"monitorin
3月 21 19:03:05 localhost.localdomain kubelet[4084]: Trace[2021737021]: [14.597630663s] [14.597630663s] END
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.215984 4084 reflector.go:123] object-"monitoring"/"default-token-wk7d4": Failed to list *v1.
3月 21 19:03:06 localhost.localdomain kubelet[4084]: E0321 19:03:06.000788 4084 kubelet_node_status.go:388] Error updating node status, will retry: error gettin
3月 21 19:03:07 localhost.localdomain systemd[1]: Failed to start Kube-apiserver Service.
-- Subject: Unit kube-apiserver.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kube-apiserver.service has failed.
--
-- The result is failed.
3月 21 19:03:07 localhost.localdomain systemd[1]: kube-apiserver.service failed.
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.215825 4084 reflector.go:123] object-"kube-system"/"coredns": Failed to list *v1.ConfigMap:
3月 21 19:03:07 localhost.localdomain kubelet[4084]: I0321 19:03:07.215849 4084 trace.go:116] Trace[1596043133]: "Reflector ListAndWatch" name:object-"kube-syst
3月 21 19:03:07 localhost.localdomain kubelet[4084]: Trace[1596043133]: [16.600026154s] [16.600026154s] END
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.215870 4084 reflector.go:123] object-"kube-system"/"calico-kube-controllers-token-n8wt8": Fa
3月 21 19:03:07 localhost.localdomain kubelet[4084]: I0321 19:03:07.415833 4084 trace.go:116] Trace[1895303640]: "Reflector ListAndWatch" name:object-"kube-syst
3月 21 19:03:07 localhost.localdomain kubelet[4084]: Trace[1895303640]: [19.684820866s] [19.684820866s] END
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.415863 4084 reflector.go:123] object-"kube-system"/"calico-config": Failed to list *v1.Confi
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.418879 4084 reflector.go:123] k8s.io/client-go/informers/factory.go:134: Failed to list *v1b
ESCOD
3月 21 19:03:05 localhost.localdomain systemd[1]: Failed to start Kube-apiserver Service.
-- Subject: Unit kube-apiserver.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kube-apiserver.service has failed.
--
-- The result is failed.
3月 21 19:03:05 localhost.localdomain systemd[1]: kube-apiserver.service failed.
3月 21 19:03:05 localhost.localdomain kubelet[4084]: I0321 19:03:05.015767 4084 trace.go:116] Trace[1764576244]: "Reflector ListAndWatch" name:k8s.io/kubernetes
3月 21 19:03:05 localhost.localdomain kubelet[4084]: Trace[1764576244]: [14.397574036s] [14.397574036s] END
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.015796 4084 reflector.go:123] k8s.io/kubernetes/pkg/kubelet/config/apiserver.go:46: Failed t
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.215925 4084 reflector.go:123] object-"kube-system"/"coredns-token-v7xr6": Failed to list *v1
3月 21 19:03:05 localhost.localdomain kubelet[4084]: I0321 19:03:05.215962 4084 trace.go:116] Trace[2021737021]: "Reflector ListAndWatch" name:object-"monitorin
3月 21 19:03:05 localhost.localdomain kubelet[4084]: Trace[2021737021]: [14.597630663s] [14.597630663s] END
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.215984 4084 reflector.go:123] object-"monitoring"/"default-token-wk7d4": Failed to list *v1.
3月 21 19:03:06 localhost.localdomain kubelet[4084]: E0321 19:03:06.000788 4084 kubelet_node_status.go:388] Error updating node status, will retry: error gettin
3月 21 19:03:07 localhost.localdomain systemd[1]: Failed to start Kube-apiserver Service.
-- Subject: Unit kube-apiserver.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kube-apiserver.service has failed.
--
-- The result is failed.
3月 21 19:03:07 localhost.localdomain systemd[1]: kube-apiserver.service failed.
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.215825 4084 reflector.go:123] object-"kube-system"/"coredns": Failed to list *v1.ConfigMap:
3月 21 19:03:07 localhost.localdomain kubelet[4084]: I0321 19:03:07.215849 4084 trace.go:116] Trace[1596043133]: "Reflector ListAndWatch" name:object-"kube-syst
3月 21 19:03:07 localhost.localdomain kubelet[4084]: Trace[1596043133]: [16.600026154s] [16.600026154s] END
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.215870 4084 reflector.go:123] object-"kube-system"/"calico-kube-controllers-token-n8wt8": Fa
3月 21 19:03:07 localhost.localdomain kubelet[4084]: I0321 19:03:07.415833 4084 trace.go:116] Trace[1895303640]: "Reflector ListAndWatch" name:object-"kube-syst
3月 21 19:03:07 localhost.localdomain kubelet[4084]: Trace[1895303640]: [19.684820866s] [19.684820866s] END
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.415863 4084 reflector.go:123] object-"kube-system"/"calico-config": Failed to list *v1.Confi
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.418879 4084 reflector.go:123] k8s.io/client-go/informers/factory.go:134: Failed to list *v1b
ESCOD
3月 21 19:03:05 localhost.localdomain systemd[1]: Failed to start Kube-apiserver Service.
-- Subject: Unit kube-apiserver.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kube-apiserver.service has failed.
--
-- The result is failed.
Все шаги, которые я сделал, следующие:
шаг 1: Генерация сертификат
mkdir -p /work/deploy/kubernetes/security/aggregatorLayer_tls
cd /work/deploy/kubernetes/security/aggregatorLayer_tls
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.pem -subj "/CN=k8s-aggregator/O=k8s-egg"
openssl genrsa -out aggregator.key 2048
openssl req -new -key aggregator.key -out aggregator.csr -subj "/O=k8s-egg/CN=aggregator"
openssl x509 -req -days 3650 -in aggregator.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out aggregator.pem
шаг 2: параметры конфигурации
vim / etc / kubernetes / apiserver
KUBE_AGGREGATOR_ARGS="--requestheader-client-ca-file=/work/deploy/kubernetes/security/aggregatorLayer_tls/ca.pem --requestheader-allowed-names=aggregator --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --proxy-client-cert-file=/work/deploy/kubernetes/security/aggregatorLayer_tls/aggregator.pem --proxy-client-key-file=aggregator.key"
шаг 3: добавление параметров загрузки в загрузочный файл
[root@localhost ~]# cat /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kube-apiserver Service
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
Type=notify
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/apiserver
ExecStart=/usr/bin/kube-apiserver $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_ETCD_SERVERS $KUBE_API_ADDRESS $KUBE_API_PORT $KUBELET_PORT $KUBE_SERVICE_ADDRESSES $KUBE_ADMISSION_CONTROL $KUBE_API_ARGS $KUBE_AGGREGATOR_ARGS
Restart=always
LimitNOFILE=65536
[Install]
WantedBy=default.target
шаг 4: Не удалось запустить kube - apiserver, журнал как выше