Pitfalls I hit during an offline Kubernetes installation
- 1. Error from server: Get "https://xx.xx.xx.xx:10250/containerLogs/kube-system/calico-node-8dnvs/calico-node": tls: failed to verify certificate: x509: certificate signed by unknown authority
- 2. calico or the pod starts normally, but running kubectl logs -n kube-system calico-node-v9z7m reports: Error from server: Get "https://worker02:10250/containerLogs/kube-system/calico-node-v9z7m/calico-node": tls: failed to verify certificate: x509: certificate signed by unknown authority
- 3. kubelet cannot pull images
- 4. calico installation error: [ERROR][73] felix/health.go 360: Health endpoint failed, trying to restart it... error=listen tcp: lookup localhost on [::1]:53: dial udp [::1]:53: connect: no route to host
- 5. A pod cannot be deleted; you can use the force-delete command: kubectl delete pod <pod-name> --force --grace-period=0
- 6. containerd always uses https when pulling
- 7. The pause image cannot be pulled
- 8. After installing argocd, deploying a service reports: Failed to load live state: Namespace "x" for Deployment "x" is not managed
1. Error from server: Get "https://xx.xx.xx.xx:10250/containerLogs/kube-system/calico-node-8dnvs/calico-node": tls: failed to verify certificate: x509: certificate signed by unknown authority
- Background
After the cluster was deployed, I installed the network component calico. Once it was running, the pod status stayed at CrashLoopBackOff and the cluster node status was NotReady.
- Troubleshooting
# View the pod logs
kubectl logs -f -n kube-system calico-node-mm2vh
The output suggested a certificate problem, so I went to the node to look for more detailed logs and located the log file:
find / -name 'calico*'
cat /var/log/containers/calico-node-2bdcs_kube-system_install-cni-c6f4768750c25d1dd8d6908e0f3e0caf6a4e1f65974f0e6b6ade01859a52ff89.log
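This confirmed that the problem was with certificates. The certificates involved are the etcd certificate, the apiserver certificate, the controller-manager certificate and the scheduler certificate. After checking them, the problem turned out to be mainly with the apiserver certificate.
- Solution
Add the IP to the hosts list used when generating the certificates, regenerate the certificates listed above, and replace them, including the etcd certificate used by calico.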
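Before regenerating, it helps to confirm which node names and IPs the current certificate's SAN list actually lacks. The following is an added example, not from the original post: it parses the text printed by `openssl x509 -in <cert.pem> -noout -ext subjectAltName` and lists the required names that are missing. `<cert.pem>`, `master01` and the sample IPs are constructed placeholders; wildcard DNS entries are not handled.

```shell
#!/bin/sh
# Added example: report which required hosts/IPs are absent from a
# certificate's Subject Alternative Name list.

# Constructed sample of `openssl x509 -noout -ext subjectAltName` output.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:kubernetes, DNS:kubernetes.default.svc, DNS:master01, IP Address:10.96.0.1, IP Address:192.168.1.10'

# san_entries: read openssl SAN text on stdin, print one "TYPE:value" per line.
san_entries() {
  grep -v 'Subject Alternative Name' \
    | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | grep -v '^$'
}

# san_covers NAME: succeed only if NAME appears exactly as an IP or DNS SAN.
# Fixed-string, whole-line matching keeps 192.168.1.1 from matching 192.168.1.10.
san_covers() {
  want=$1
  san_entries | grep -Fxq -e "IP Address:$want" -e "DNS:$want"
}

# san_missing SAN_TEXT NAME...: print each NAME that the SAN list does not cover.
san_missing() {
  san_text=$1
  shift
  for name in "$@"; do
    printf '%s\n' "$san_text" | san_covers "$name" || printf '%s\n' "$name"
  done
}

# Demo on the constructed sample: worker02 is the only name printed as missing.
san_missing "$SAMPLE_SAN" master01 worker02 192.168.1.10
```

For a real certificate, pass `"$(openssl x509 -in <cert.pem> -noout -ext subjectAltName)"` as the first argument in place of `$SAMPLE_SAN`.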
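2. calico or the pod starts normally, but running kubectl logs -n kube-system calico-node-v9z7m reports: Error from server: Get "https://worker02:10250/containerLogs/kube-system/calico-node-v9z7m/calico-node": tls: failed to verify certificate: x509: certificate signed by unknown authority
- Cause
The problem is with the certificate used for communication between the apiserver component and the kubelet component.
- Solution
There are two solutions. The first is to add configuration to the kubelet config file kubelet-config.yml; this is the recommended method.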
...
podPidsLimit: 100000
maxOpenFiles: 1000000
maxPods: 110
rotateCer