# Troubleshooting: api-server fails to start
```
[root@k8s-master02 cfg]# source /data/soft/kubernetes/cfg/kube-apiserver
[root@k8s-master02 cfg]# /data/soft/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
error: failed to create listener: failed to listen on 192.168.0.10:6443: listen tcp 192.168.0.10:6443: bind: cannot assign requested address
[root@k8s-master02 cfg]# grep 10 *
kube-apiserver:--etcd-servers=https://192.168.0.10:2379,https://192.168.0.12:2379,https://192.168.0.4:2379 \
kube-apiserver:--bind-address=192.168.0.10 \
```

**`--bind-address` must be changed to this machine's own address, `--bind-address=192.168.0.12`. I simulated this error to show how to troubleshoot it.**

```
[root@k8s-master02 cfg]# systemctl start kube-apiserver.service
```

# Error connecting to api-server (certificate problem)

If connecting to the api-server fails at this point, in most cases it is because the connection is not allowed by the api-server certificate.
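As can be seen, we connect from another, non-master machine using the certificate and the command [that is, we load the certificate and connect to the apiserver. I had no spare machine, so I used the node1 node; any other machine works, as long as the apiserver certificate allows that IP].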
If more addresses will need to connect to the apiserver later, the IPs allowed to connect must be specified in advance in k8s-cert.sh, in the following configuration:
```
cat > api-server-csr.json <<EOF
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "192.168.0.10",
      "192.168.0.12",
      "192.168.0.7",
      "192.168.0.8",
      "192.168.0.4",
      "192.168.0.9",
      "192.168.0.200",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shenzhen",
            "ST": "Shenzhen",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

# Sign the CSR file written above; its "hosts" list becomes the addresses the certificate is valid for.
# For details, see the certificate made for the apiserver when installing the master.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes api-server-csr.json | cfssljson -bare server
```

When I set up master + nginx SLB, I copied the certificate and the startup files to node1. With the certificate loaded, the command showed the following:

```
# This simply connects to the apiserver [subject to the IP restriction in the apiserver certificate].
[root@k8s-node01 ~]# kubectl --kubeconfig=./config get node
Unable to connect to the server: x509: certificate is valid for 10.0.0.1, 127.0.0.1, 192.168.0.10, 192.168.0.12, 192.168.0.7,192.168.0.8,192.168.0.4, 192.168.0.9, 192.168.0.200, not 192.168.186.100
```

I later found that my VIP 192.168.0.200 was not among the addresses trusted by the apiserver. Solutions:

1. Change to an IP that I reserved when creating the apiserver certificate.
2. Re-issue the apiserver certificate and distribute it to the other machines.

We chose the first option.

# Starting and restarting systemd services as a normal user

Solution: the prompt above shows that the permission is managed by polkit; it corresponds to the `manage-units` action in the `org.freedesktop.systemd1.policy` configuration file.

Open `/usr/share/polkit-1/actions/org.freedesktop.systemd1.policy`; the configuration is as follows:

```
<action>
    omitted...
    <defaults>
        <allow_any>yes</allow_any>
        <allow_inactive>yes</allow_inactive>
        <allow_active>yes</allow_active>
    </defaults>
</action>
```

Change every authorization in the `defaults` of the `manage-units` action to `yes`, then run `systemctl restart polkit` to restart polkit.

# Error when viewing pod logs

```
kubectl logs nginx-6db489d4b7-2xnhg
error: You must be logged in to the server (the server has asked for the client to provide credentials ( pods/log nginx-6db489d4b7-2xnhg))
```

If this error appears when viewing logs, authorization must be granted first.
```
[root@k8s-master01 bin]# kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous
clusterrolebinding.rbac.authorization.k8s.io/cluster-system-anonymous created
[root@k8s-master01 bin]# kubectl logs nginx-5c7588df-c58ql
172.17.66.0 - - [18/Apr/2019:10:17:42 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0" "-"
172.17.66.0 - - [18/Apr/2019:10:18:50 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.2
```
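
The `clusterrolebinding` created above gives the `cluster-admin` role to `system:anonymous`, that is, to every request that reaches the apiserver without credentials. As an added example (not part of the original post), this Python check lists such bindings in `kubectl get clusterrolebindings -o json` output; the function name `audit_bindings`, the severity labels and the sample JSON (including the hypothetical `empty-binding`) are constructed for illustration.

```python
import json

# Built-in identities the API server assigns to requests that carry no valid credentials.
UNAUTHENTICATED = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}

def audit_bindings(doc):
    """List bindings in `kubectl get ... -o json` output that grant a role to unauthenticated callers."""
    items = doc["items"] if "items" in doc else [doc]   # accept a List or a single object
    findings = []
    for binding in items:
        role = binding.get("roleRef", {}).get("name")
        for subject in binding.get("subjects") or []:   # "subjects" may be absent or null
            if (subject.get("kind"), subject.get("name")) in UNAUTHENTICATED:
                findings.append({
                    "binding": binding["metadata"]["name"],
                    "subject": subject["name"],
                    "role": role,
                    # cluster-admin means full control of the cluster without logging in
                    "severity": "critical" if role == "cluster-admin" else "review",
                })
    return findings

# Constructed sample, shaped like `kubectl get clusterrolebindings -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-system-anonymous"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "name": "system:anonymous"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "system:public-info-viewer"},
   "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"},
                {"kind": "Group", "name": "system:unauthenticated"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "empty-binding"},
   "roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": null}
]}
""")

if __name__ == "__main__":
    for f in audit_bindings(SAMPLE):
        print(f"{f['severity']:8} {f['binding']} -> {f['subject']} has {f['role']}")
```

On a live cluster the same function can be fed the parsed output of `kubectl get clusterrolebindings,rolebindings -A -o json`.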