Deploying a k8s SSL cluster in practice, part 13: configuring kubelet on the worker nodes

Deploying the kubelet component

This is a fresh deployment; it has to be done on all four nodes.

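The kubelet runs on every worker node. It receives requests from kube-apiserver, manages Pod containers, and executes interactive commands such as exec, run and logs.
On startup the kubelet automatically registers the node with kube-apiserver; its built-in cadvisor collects and monitors the node's resource usage.
For security, this document opens only the secure port that accepts https requests, authenticates and authorizes every request, and rejects unauthorized access (for example from apiserver or heapster).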

First distribute the binaries downloaded earlier to all worker nodes.

[root@k8s-master1 bin]# scp kubelet kubeadm kube-proxy  root@k8s-master1:/opt/k8s/bin/
kubelet                                                                                         100%  146MB   5.4MB/s   00:27   
kubeadm                                                                                         100%  149MB   4.3MB/s   00:35   
kube-proxy                                                                                      100%   49MB   3.3MB/s   00:15   
[root@k8s-master1 bin]# scp kubelet kubeadm kube-proxy  root@k8s-master2:/opt/k8s/bin/
kubelet                                                                                         100%  146MB  48.6MB/s   00:03   
kubeadm                                                                                         100%  149MB   7.1MB/s   00:21   
kube-proxy                                                                                      100%   49MB  24.5MB/s   00:02   
[root@k8s-master1 bin]# scp kubelet kubeadm kube-proxy  root@k8s-master3:/opt/k8s/bin/
kubelet                                                                                         100%  146MB   6.6MB/s   00:22   
kubeadm                                                                                         100%  149MB   7.5MB/s   00:20   
kube-proxy                                                                                      100%   49MB  12.3MB/s   00:04   
[root@k8s-master1 bin]# scp kubelet kubeadm kube-proxy  root@k8s-node3:/opt/k8s/bin/

Create the kubelet bootstrap kubeconfig files
Run the steps below once for each of the following, in order:
k8s-master1
k8s-master2
k8s-master3

[root@k8s-master1 kubelet]# export BOOTSTRAP_TOKEN=$(kubeadm token create --description kubelet-bootstrap-token --groups system:bootstrappers:k8s-master1 --kubeconfig ~/.kube/config)

[root@k8s-master1 kubelet]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/cert/ca.pem --embed-certs=true --server=https://192.168.211.127:8443 --kubeconfig=kubelet-bootstrap-k8s-master1.kubeconfig
Cluster "kubernetes" set.

[root@k8s-master1 kubelet]# kubectl config set-credentials kubelet-bootstrap --token=${BOOTSTRAP_TOKEN} --kubeconfig=kubelet-bootstrap-k8s-master1.kubeconfig
User "kubelet-bootstrap" set.

[root@k8s-master1 kubelet]# kubectl config set-context default --cluster=kubernetes --user=kubelet-bootstrap --kubeconfig=kubelet-bootstrap-k8s-master1.kubeconfig
Context "default" created.

[root@k8s-master1 kubelet]# kubectl config use-context default --kubeconfig=kubelet-bootstrap-k8s-master1.kubeconfig
Switched to context "default".

Distribute the bootstrap kubeconfig files to the worker nodes

[root@k8s-master1 kubelet]# scp kubelet-bootstrap-k8s-master1.kubeconfig root@192.168.211.128:/etc/kubernetes/kubelet-bootstrap.kubeconfig
kubelet-bootstrap-k8s-master1.kubeconfig                                                        100% 2087     2.0KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet-bootstrap-k8s-master1.kubeconfig root@192.168.211.129:/etc/kubernetes/kubelet-bootstrap.kubeconfig
kubelet-bootstrap-k8s-master1.kubeconfig                                                        100% 2087     2.0KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet-bootstrap-k8s-master1.kubeconfig root@192.168.211.130:/etc/kubernetes/kubelet-bootstrap.kubeconfig
kubelet-bootstrap-k8s-master1.kubeconfig                                                        100% 2087     2.0KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet-bootstrap-k8s-master1.kubeconfig root@192.168.211.131:/etc/kubernetes/kubelet-bootstrap.kubeconfig
root@192.168.211.131's password:
Permission denied, please try again.
root@192.168.211.131's password:
kubelet-bootstrap-k8s-master1.kubeconfig                                                        100% 2087     2.0KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet-bootstrap-k8s-master2.kubeconfig root@192.168.211.128:/etc/kubernetes/kubelet-bootstrap.kubeconfig
kubelet-bootstrap-k8s-master2.kubeconfig                                                        100% 2087     2.0KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet-bootstrap-k8s-master2.kubeconfig root@192.168.211.129:/etc/kubernetes/kubelet-bootstrap.kubeconfig
kubelet-bootstrap-k8s-master2.kubeconfig                                                        100% 2087     2.0KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet-bootstrap-k8s-master2.kubeconfig root@192.168.211.130:/etc/kubernetes/kubelet-bootstrap.kubeconfig
kubelet-bootstrap-k8s-master2.kubeconfig                                                        100% 2087     2.0KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet-bootstrap-k8s-master2.kubeconfig root@192.168.211.131:/etc/kubernetes/kubelet-bootstrap.kubeconfig
root@192.168.211.131's password:
kubelet-bootstrap-k8s-master2.kubeconfig                                                        100% 2087     2.0KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet-bootstrap-k8s-master3.kubeconfig root@192.168.211.128:/etc/kubernetes/kubelet-bootstrap.kubeconfig
kubelet-bootstrap-k8s-master3.kubeconfig                                                        100% 2087     2.0KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet-bootstrap-k8s-master3.kubeconfig root@192.168.211.129:/etc/kubernetes/kubelet-bootstrap.kubeconfig
kubelet-bootstrap-k8s-master3.kubeconfig                                                        100% 2087     2.0KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet-bootstrap-k8s-master3.kubeconfig root@192.168.211.130:/etc/kubernetes/kubelet-bootstrap.kubeconfig
kubelet-bootstrap-k8s-master3.kubeconfig                                                        100% 2087     2.0KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet-bootstrap-k8s-master3.kubeconfig root@192.168.211.131:/etc/kubernetes/kubelet-bootstrap.kubeconfig
root@192.168.211.131's password:
kubelet-bootstrap-k8s-master3.kubeconfig                                                        100% 2087     2.0KB/s   00:00   
[root@k8s-master1 kubelet]#

Create and distribute the kubelet configuration file

[root@k8s-master1 kubelet]# cat kubelet.config.json.template
{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "authentication": {
    "x509": {
      "clientCAFile": "/etc/kubernetes/cert/ca.pem"
    },
    "webhook": {
      "enabled": true,
      "cacheTTL": "2m0s"
    },
    "anonymous": {
      "enabled": false
    }
  },
  "authorization": {
    "mode": "Webhook",
    "webhook": {
      "cacheAuthorizedTTL": "5m0s",
      "cacheUnauthorizedTTL": "30s"
    }
  },
  "address": "##NODE_IP##",
  "port": 10250,
  "readOnlyPort": 0,
  "cgroupDriver": "cgroupfs",
  "hairpinMode": "promiscuous-bridge",
  "serializeImagePulls": false,
  "featureGates": {
    "RotateKubeletClientCertificate": true,
    "RotateKubeletServerCertificate": true
  },
  "clusterDomain": "${CLUSTER_DNS_DOMAIN}",
  "clusterDNS": ["${CLUSTER_DNS_SVC_IP}"]
}
[root@k8s-master1 kubelet]#

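address: the API listen address. It must not be 127.0.0.1, otherwise kube-apiserver, heapster and others cannot call the kubelet API;
readOnlyPort=0: disables the read-only port (default 10255); equivalent to leaving it unspecified;
authentication.anonymous.enabled: set to false, so anonymous access to port 10250 is not allowed;
authentication.x509.clientCAFile: the CA certificate that signs client certificates; enables HTTPS certificate authentication;
authentication.webhook.enabled=true: enables HTTPS bearer token authentication;
Requests (from kube-apiserver or other clients) that pass neither x509 certificate nor webhook authentication are rejected with Unauthorized;
authorization.mode=Webhook: the kubelet uses the SubjectAccessReview API to ask kube-apiserver whether a given user or group has permission to operate on a resource (RBAC);
featureGates.RotateKubeletClientCertificate, featureGates.RotateKubeletServerCertificate: rotate certificates automatically; the certificate lifetime is determined by kube-controller-manager's --experimental-cluster-signing-duration parameter;
The kubelet must be run under the root account;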

Distribute the file, then modify it on each node

[root@k8s-master1 kubelet]# scp kubelet.config.json.template root@k8s-master1:/etc/kubernetes/kubelet.config.json
kubelet.config.json.template                                                                    100%  704     0.7KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet.config.json.template root@k8s-master2:/etc/kubernetes/kubelet.config.json
kubelet.config.json.template                                                                    100%  704     0.7KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet.config.json.template root@k8s-master3:/etc/kubernetes/kubelet.config.json
kubelet.config.json.template                                                                    100%  704     0.7KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet.config.json.template root@k8s-node3:/etc/kubernetes/kubelet.config.json

Modify:
change ##NODE_IP## to the node's real IP

${CLUSTER_DNS_DOMAIN}
${CLUSTER_DNS_SVC_IP}

Change these two to their real values; for reference, see below

[root@k8s-master1 kubelet]# echo ${CLUSTER_DNS_DOMAIN}
cluster.local.
[root@k8s-master1 kubelet]# echo ${CLUSTER_DNS_SVC_IP}
10.254.0.2
[root@k8s-master1 kubelet]#
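
Because the template is copied unchanged to every node and then edited by hand, a pre-start check is useful. The following Python sketch is an added example, not part of the original post: it renders the template for one node and reports unreplaced placeholders or any of the settings explained above that the file does not state explicitly. The template is abridged to the fields being checked, and the function names are this example's own.

```python
import ipaddress
import json
import re

# The page's kubelet.config.json.template, abridged to the fields checked below.
TEMPLATE = """{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "authentication": {
    "x509": {"clientCAFile": "/etc/kubernetes/cert/ca.pem"},
    "webhook": {"enabled": true, "cacheTTL": "2m0s"},
    "anonymous": {"enabled": false}
  },
  "authorization": {"mode": "Webhook"},
  "address": "##NODE_IP##",
  "port": 10250,
  "readOnlyPort": 0,
  "clusterDomain": "${CLUSTER_DNS_DOMAIN}",
  "clusterDNS": ["${CLUSTER_DNS_SVC_IP}"]
}"""
# The two placeholder styles the page's templates use: ##NAME## and ${NAME}.
PLACEHOLDER = re.compile(r"##\w+##|\$\{\w+\}")


def render(template, values):
    """Replace each literal placeholder (dict key) with its per-node value."""
    for placeholder, value in values.items():
        template = template.replace(placeholder, value)
    return template


def audit(config_text):
    """Return findings; an empty list means every checked setting is stated."""
    leftover = sorted(set(PLACEHOLDER.findall(config_text)))
    if leftover:
        return ["unreplaced placeholder " + p for p in leftover]
    cfg = json.loads(config_text)
    authn = cfg.get("authentication", {})
    findings = []
    if authn.get("anonymous", {}).get("enabled") is not False:
        findings.append("authentication.anonymous.enabled is not explicitly false")
    if authn.get("webhook", {}).get("enabled") is not True:
        findings.append("authentication.webhook.enabled is not explicitly true")
    if not authn.get("x509", {}).get("clientCAFile"):
        findings.append("authentication.x509.clientCAFile is missing")
    if cfg.get("authorization", {}).get("mode") != "Webhook":
        findings.append("authorization.mode is not Webhook")
    if cfg.get("readOnlyPort") != 0:
        findings.append("readOnlyPort is not explicitly 0")
    try:
        if ipaddress.ip_address(cfg.get("address", "")).is_loopback:
            findings.append("address is a loopback address")
    except ValueError:
        findings.append("address is not a valid IP")
    return findings


NODE_VALUES = {  # values the page shows for the node 192.168.211.128
    "##NODE_IP##": "192.168.211.128",
    "${CLUSTER_DNS_DOMAIN}": "cluster.local.",
    "${CLUSTER_DNS_SVC_IP}": "10.254.0.2",
}

if __name__ == "__main__":
    print(audit(TEMPLATE))                       # template copied but never edited
    print(audit(render(TEMPLATE, NODE_VALUES)))  # rendered for one node
```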

Create and distribute the kubelet systemd unit file

[root@k8s-master1 kubelet]# cat kubelet.service.template
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
ExecStart=/opt/k8s/bin/kubelet \
  --bootstrap-kubeconfig=/etc/kubernetes/kubelet-bootstrap.kubeconfig \
  --cert-dir=/etc/kubernetes/cert \
  --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
  --config=/etc/kubernetes/kubelet.config.json \
  --hostname-override=##nodename## \
  --pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest \
  --allow-privileged=true \
  --alsologtostderr=true \
  --logtostderr=false \
  --log-dir=/var/log/kubernetes \
  --v=2
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
[root@k8s-master1 kubelet]#

Points to note:

WorkingDirectory=/var/lib/kubelet    ## this directory does not exist by default; create it manually
--hostname-override=##nodename##   ## change ##nodename## to the name of the node

Distribute

[root@k8s-master1 kubelet]# scp kubelet.service.template root@k8s-master1:/etc/systemd/system/kubelet.service
kubelet.service.template                                                                        100%  753     0.7KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet.service.template root@k8s-master2:/etc/systemd/system/kubelet.service
kubelet.service.template                                                                        100%  753     0.7KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet.service.template root@k8s-master3:/etc/systemd/system/kubelet.service
kubelet.service.template                                                                        100%  753     0.7KB/s   00:00   
[root@k8s-master1 kubelet]# scp kubelet.service.template root@k8s-node3:/etc/systemd/system/kubelet.service
root@k8s-node3's password:
kubelet.service.template                                                                        100%  753     0.7KB/s   00:00   
[root@k8s-master1 kubelet]#

Then edit the following on each node

--hostname-override=##nodename##

Create the directory

mkdir -p /var/lib/kubelet && chown -R k8s /var/lib/kubelet

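Bootstrap Token Auth and granting permissions
On startup the kubelet checks whether the file given by --kubeconfig exists; if it does not, the kubelet uses --bootstrap-kubeconfig to send a certificate signing request (CSR) to kube-apiserver.
When kube-apiserver receives the CSR, it authenticates the Token in it (a token created beforehand with kubeadm). Once authentication succeeds, it sets the request's user to system:bootstrap:<Token ID> and its group to system:bootstrappers. This process is called Bootstrap Token Auth.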

[root@k8s-master1 kubernetes]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --group=system:bootstrappers
clusterrolebinding.rbac.authorization.k8s.io "kubelet-bootstrap" created

The service has started

[root@k8s-master1 kubelet]# systemctl status kubelet
● kubelet.service - Kubernetes Kubelet
   Loaded: loaded (/etc/systemd/system/kubelet.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-08-30 04:46:51 EDT; 6s ago
     Docs: https://github.com/GoogleCloudPlatform/kubernetes
Main PID: 22228 (kubelet)
   Memory: 10.3M
   CGroup: /system.slice/kubelet.service
           └─22228 /opt/k8s/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/kubelet-bootstrap.kubeconfig --cert-dir=/etc/kub...

Aug 30 04:46:51 k8s-master1 kubelet[22228]: I0830 04:46:51.374637   22228 feature_gate.go:226] feature gates: &{{} map[Ro...true]}
Aug 30 04:46:51 k8s-master1 kubelet[22228]: I0830 04:46:51.390859   22228 mount_linux.go:211] Detected OS with systemd
Aug 30 04:46:51 k8s-master1 kubelet[22228]: W0830 04:46:51.396470   22228 cni.go:171] Unable to update cni config: No net.../net.d
Aug 30 04:46:51 k8s-master1 kubelet[22228]: I0830 04:46:51.406764   22228 server.go:376] Version: v1.10.4
Aug 30 04:46:51 k8s-master1 kubelet[22228]: I0830 04:46:51.406831   22228 feature_gate.go:226] feature gates: &{{} map[Ro...true]}
Aug 30 04:46:51 k8s-master1 kubelet[22228]: I0830 04:46:51.406960   22228 plugins.go:89] No cloud provider specified.
Aug 30 04:46:51 k8s-master1 kubelet[22228]: I0830 04:46:51.406977   22228 server.go:492] No cloud provider specified: "" ...le: ""
Aug 30 04:46:51 k8s-master1 kubelet[22228]: I0830 04:46:51.407001   22228 bootstrap.go:58] Using bootstrap kubeconfig to ...g file
Aug 30 04:46:51 k8s-master1 kubelet[22228]: I0830 04:46:51.498673   22228 csr.go:105] csr for this node already exists, reusing
Aug 30 04:46:51 k8s-master1 kubelet[22228]: I0830 04:46:51.507675   22228 csr.go:113] csr for this node is still valid
Hint: Some lines were ellipsized, use -l to show in full.

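After starting, the kubelet uses --bootstrap-kubeconfig to send a CSR to kube-apiserver. Once this CSR is approved, kube-controller-manager creates the TLS client certificate, private key and --kubeconfig file for the kubelet.
Note: kube-controller-manager must be configured with the --cluster-signing-cert-file and --cluster-signing-key-file parameters, otherwise it will not create certificates and private keys for TLS Bootstrap.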

[root@k8s-master1 kubelet]# kubectl get csr
NAME                                                   AGE       REQUESTOR                 CONDITION
node-csr-4lLI6VjKHHWjZg4je3Ht3mgkyc0kSDALWgqyE6hJGLY   4m        system:bootstrap:7beznt   Pending
node-csr-BX_rIIl3T80GWXCZqCQISgB2BWKXd_-QuD04IfXyvBU   4m        system:bootstrap:7beznt   Pending
node-csr-BhI2aoEZzt8UlcSevQr8RQ9tY4ATbawpr3GklGbkdYI   54s       system:bootstrap:m435c8   Pending
node-csr-CYy34cOnA7RStasf8ieh9ZF5crDLmTFbvDOZV7UaulI   3m        system:bootstrap:m435c8   Pending
node-csr-G4fpzkI_gkD9R7LUh1fOHMBllMCTnIzfcWYUhcjbNLQ   28s       system:bootstrap:m435c8   Pending
node-csr-GtBzeHjXzw0FThw7SwAQRq7_uWO_LmJutmAKOU19lpM   5m        system:bootstrap:3lb82j   Pending
node-csr-IMzMrDG99ht6FRazQyfq4XFmG0MU0iN7rFj87dJ_LO0   6m        system:bootstrap:3lb82j   Pending
node-csr-Ne6k_9kYNM5xZPzlMIMOiew6KYbCccgEoGEsD-A2mDI   59s       system:bootstrap:m435c8   Pending
node-csr-S3MvbCy6G8vyMmZxPxHtSj7yXWsMKiTFhiEolNhbOcc   2m        system:bootstrap:m435c8   Pending
node-csr-TobXYGLVUitHRfAJD3cy1uwLbD9xeLRqfVKRWcaqzG8   4m        system:bootstrap:7beznt   Pending
node-csr-XCHccj91PEcvcgtoYIlUTVwjPntZ1QJ3x0FwaiKiaBQ   3m        system:bootstrap:m435c8   Pending
node-csr-XWCrqdKkPfKiG20VpU8cn9N8ZRcOWlbfhPr8LMaW_PU   2m        system:bootstrap:m435c8   Pending
node-csr-_Sp69LiFaATOGVn9fmAnOLHweAWwoVzeP9U0AxtsLPE   4m        system:bootstrap:7beznt   Pending
node-csr-b71vB9tiCT7Ru5q6LQco_nb_hbIABmcDPmNi7fH7Vn8   1m        system:bootstrap:m435c8   Pending
node-csr-czzY0kNjKg_6OAcU8m2dRzVt2KR9zY3FQ31t1QE3tXk   5m        system:bootstrap:3lb82j   Pending
node-csr-oA3SifuLsmgSMkZyIN9dJhE66iuMXCzciaLDWH3pl8E   57s       system:bootstrap:m435c8   Pending
node-csr-pWeUuvcTZCGqq1sh0KufCNzziyCYfhh-KUB_WAC2lpw   3m        system:bootstrap:m435c8   Pending
node-csr-uWlqsUKKcVd_HQIMYBHusZS8hJc9yAntfE7qpGNJnSg   3m        system:bootstrap:m435c8   Pending
node-csr-wfcltVjp2D_nzjRu7PdnB74L4JlXTFWfaumRnMAEmDg   5m        system:bootstrap:3lb82j   Pending
node-csr-zaniEi7eNGTuzIherUJbNIdPAic1EnB1tKAAGvuzoAc   2m        system:bootstrap:m435c8   Pending
node-csr-zggzAUVrryNXFp49lytoSZYe0qBYOd4Jz5Fa4WODeKQ   1m        system:bootstrap:m435c8   Pending

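Approving kubelet CSRs
CSRs can be approved manually or automatically. The automatic way is recommended, because from v1.8 onwards the certificates generated after a CSR is approved can be rotated automatically.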

[root@k8s-master1 kubelet]# kubectl certificate approve node-csr--67xqDb2wzwOWPy9wzdbQs6XQwIf67skc43jRrpGwLk
certificatesigningrequest.certificates.k8s.io "node-csr--67xqDb2wzwOWPy9wzdbQs6XQwIf67skc43jRrpGwLk" approved

[root@k8s-master1 kubelet]# kubectl describe csr node-csr--67xqDb2wzwOWPy9wzdbQs6XQwIf67skc43jRrpGwLk
Name:               node-csr--67xqDb2wzwOWPy9wzdbQs6XQwIf67skc43jRrpGwLk
Labels:             <none>
Annotations:        <none>
CreationTimestamp:  Thu, 30 Aug 2018 04:51:10 -0400
Requesting User:    system:bootstrap:m435c8
Status:             Approved,Issued
Subject:
         Common Name:    system:node:k8s-node3
         Serial Number: 
         Organization:   system:nodes
Events:  <none>
[root@k8s-master1 kubelet]#

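Requesting User: the user that submitted the CSR; kube-apiserver authenticates and authorizes it;
Subject: the information in the certificate to be signed;
The certificate's CN is system:node:kube-node2 and its Organization is system:nodes; kube-apiserver's Node authorization mode grants the corresponding permissions to this certificate.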
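
When approving by hand, the fields explained above are the ones to check before running kubectl certificate approve. The following Python sketch is an added example, not part of the original post: it parses kubectl describe csr output and lists reasons not to approve. The describe text is abridged from the page, the token IDs are the ones in the REQUESTOR column of the page's kubectl get csr output, and the second CSR is a constructed variant.

```python
import re

BOOTSTRAP_USER = re.compile(r"system:bootstrap:([a-z0-9]{6})")


def parse_describe(text):
    """Turn `kubectl describe csr` output into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def review_csr(text, expected_nodes, issued_token_ids):
    """Return reasons not to approve; an empty list means the CSR is as expected."""
    f = parse_describe(text)
    reasons = []
    user = BOOTSTRAP_USER.fullmatch(f.get("Requesting User", ""))
    if user is None:
        reasons.append("requestor is not a system:bootstrap:<token id> user")
    elif user.group(1) not in issued_token_ids:
        reasons.append("bootstrap token id %s was not issued for this rollout" % user.group(1))
    cn = f.get("Common Name", "")
    prefix = "system:node:"
    if not cn.startswith(prefix) or cn[len(prefix):] not in expected_nodes:
        reasons.append("unexpected Common Name: " + (cn or "<empty>"))
    if f.get("Organization") != "system:nodes":
        reasons.append("unexpected Organization: " + f.get("Organization", "<empty>"))
    return reasons


# `kubectl describe csr` output from the page, abridged to the fields used here.
PAGE_CSR = """\
Name:               node-csr--67xqDb2wzwOWPy9wzdbQs6XQwIf67skc43jRrpGwLk
Requesting User:    system:bootstrap:m435c8
Status:             Approved,Issued
Subject:
         Common Name:    system:node:k8s-node3
         Serial Number:
         Organization:   system:nodes
"""
# Constructed variant: a node name and an organization that were never planned.
ODD_CSR = PAGE_CSR.replace("k8s-node3", "k8s-node9").replace("system:nodes", "other-group")

NODES = {"k8s-master1", "k8s-master2", "k8s-master3", "k8s-node3"}
TOKEN_IDS = {"7beznt", "m435c8", "3lb82j"}  # ids seen in the page's `kubectl get csr`

if __name__ == "__main__":
    print(review_csr(PAGE_CSR, NODES, TOKEN_IDS))
    print(review_csr(ODD_CSR, NODES, TOKEN_IDS))
```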

Automatically approving CSRs
Create three ClusterRoleBindings, used to automatically approve client, renew client and renew server certificates respectively:

[root@k8s-master1 kubelet]# cat csr-crb.yaml
# Approve all CSRs for the group "system:bootstrappers"
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: auto-approve-csrs-for-group
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
  apiGroup: rbac.authorization.k8s.io
---
# To let a node of the group "system:nodes" renew its own credentials
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-client-cert-renewal
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
  apiGroup: rbac.authorization.k8s.io
---
# A ClusterRole which instructs the CSR approver to approve a node requesting a
# serving cert matching its client cert.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: approve-node-server-renewal-csr
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/selfnodeserver"]
  verbs: ["create"]
---
# To let a node of the group "system:nodes" renew its own server credentials
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-server-cert-renewal
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: approve-node-server-renewal-csr
  apiGroup: rbac.authorization.k8s.io
[root@k8s-master1 kubelet]#
[root@k8s-master1 kubelet]# kubectl apply -f csr-crb.yaml
clusterrolebinding.rbac.authorization.k8s.io "auto-approve-csrs-for-group" created
clusterrolebinding.rbac.authorization.k8s.io "node-client-cert-renewal" created
clusterrole.rbac.authorization.k8s.io "approve-node-server-renewal-csr" created
clusterrolebinding.rbac.authorization.k8s.io "node-server-cert-renewal" created

After waiting a while (1-10 minutes), the nodes' CSRs are all approved automatically:

[root@k8s-master1 kubelet]# kubectl get csr
NAME                                                   AGE       REQUESTOR                 CONDITION
csr-7685f                                              53s       system:node:k8s-master2   Approved,Issued
csr-8qkxl                                              1m        system:node:k8s-node3     Approved,Issued
csr-n56tk                                              44s       system:node:k8s-master1   Approved,Issued
csr-p8h92                                              28s       system:node:k8s-master3   Pending

The nodes are up

[root@k8s-master2 kubernetes]# kubectl get nodes
NAME          STATUS    ROLES     AGE       VERSION
k8s-master1   Ready     <none>    2m        v1.10.4
k8s-master2   Ready     <none>    2m        v1.10.4
k8s-master3   Ready     <none>    2m        v1.10.4
k8s-node3     Ready     <none>    2m        v1.10.4
[root@k8s-master2 kubernetes]#
[root@k8s-master2 kubernetes]# netstat -lnpt|grep kubelet
tcp        0      0 192.168.211.129:10250   0.0.0.0:*               LISTEN      20752/kubelet      
tcp        0      0 192.168.211.129:4194    0.0.0.0:*               LISTEN      20752/kubelet      
tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      20752/kubelet      
[root@k8s-master2 kubernetes]#

cadvisor and metrics
cadvisor collects the resource usage (CPU, memory, disk, network) of each container on its node and exposes it both on its own http web page (port 4194) and on port 10250 as prometheus metrics.
Browsing to http://192.168.211.128:4194/containers/ shows the cadvisor monitoring page.

Error when starting the service

[root@k8s-master1 kubernetes]# systemctl daemon-reload && systemctl enable kubelet && systemctl restart kubelet 
F0830 04:05:24.413219   10947 server.go:233] failed to run Kubelet: cannot create certificate signing request: Post http://192.168.211.127/apis/certificates.k8s.io/v1beta1/certificatesigningrequests: dial tcp 192.168.211.127:80: getsockopt: connection refused
goroutine 1 [running]:

This error is caused by an incorrect configuration in the kubelet-bootstrap.kubeconfig file.
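
The log line above shows the kubelet posting to http://192.168.211.127 on port 80, while the cluster entry created earlier with kubectl config set-cluster uses https://192.168.211.127:8443. The following Python check is an added example, not part of the original post: it inspects a bootstrap kubeconfig before it is copied to a node and reports a wrong server URL, a missing CA or a malformed token. The sample kubeconfig, its CA data and its token are constructed.

```python
import re
from urllib.parse import urlsplit

# Bootstrap tokens have the form <6-char id>.<16-char secret>, lowercase alphanumerics.
TOKEN = re.compile(r"[a-z0-9]{6}\.[a-z0-9]{16}")


def field(text, key):
    """Return the first scalar value written as `key: value`, or None."""
    pattern = r"^[ \t]*" + re.escape(key) + r":[ \t]*(\S+)[ \t]*$"
    match = re.search(pattern, text, re.MULTILINE)
    return match.group(1).strip("\"'") if match else None


def check_bootstrap_kubeconfig(text, expected_server):
    """Return findings for a bootstrap kubeconfig; an empty list means it looks usable."""
    findings = []
    server = field(text, "server")
    if server is None:
        findings.append("no cluster server set")
    else:
        url = urlsplit(server)
        if url.scheme != "https":
            findings.append("server is not an https:// URL: " + server)
        try:
            if url.port is None:
                findings.append("server has no explicit port: " + server)
        except ValueError:
            findings.append("server port is not numeric: " + server)
        if server.rstrip("/") != expected_server:
            findings.append("server differs from expected " + expected_server)
    if not (field(text, "certificate-authority-data") or field(text, "certificate-authority")):
        findings.append("no CA certificate configured for the cluster")
    token = field(text, "token")
    if token is None or not TOKEN.fullmatch(token):
        findings.append("user token is missing or not in bootstrap-token format")
    return findings


# Constructed kubeconfig in the layout kubectl config writes; not a real credential.
SAMPLE = """apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    certificate-authority-data: Q09OU1RSVUNURUQ=
    server: {server}
users:
- name: kubelet-bootstrap
  user:
    token: abcdef.0123456789abcdef
"""
EXPECTED = "https://192.168.211.127:8443"  # the --server value used on the page

if __name__ == "__main__":
    print(check_bootstrap_kubeconfig(SAMPLE.format(server=EXPECTED), EXPECTED))
    print(check_bootstrap_kubeconfig(SAMPLE.format(server="http://192.168.211.127"), EXPECTED))
```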

Reposted from: https://blog.51cto.com/goome/2167920
