Building a k8s cluster on CentOS (12): installing kubernetes-dashboard (method one: official yaml file + NodePort) (2)

Unfinished!!!

1. Install the monitoring component Metrics Server
Project page: https://github.com/kubernetes-sigs/metrics-server
At this point the dashboard cannot draw the CPU and memory graphs for pods: kubernetes-metrics-scraper obtains those figures from Metrics Server, so Metrics Server has to be installed first.
Download:
cd /tmp
wget https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.4.1/components.yaml

Modification 1: in the metrics-server container args, add --kubelet-insecure-tls. This makes metrics-server skip verification of each kubelet's serving certificate (item 5 below explains why the default certificates fail verification):

    spec:
      containers:
      - args:
        - --cert-dir=/tmp
        - --secure-port=4443
        - --kubelet-preferred-address-types=InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP
        - --kubelet-use-node-status-port
        - --kubelet-insecure-tls
        - --metric-resolution=30s
Deploy:
kubectl apply -f components.yaml

2. Error on startup
kubectl logs metrics-server-bfcc967d6-vgzlw -n kube-system
Error: unable to load configmap based request-header-client-ca-file: Get "https://10.96.0.1:443/api/v1/namespaces/kube-system/configmaps/extension-apiserver-authentication": dial tcp 10.96.0.1:443: i/o timeout

Test from the host: curl -k https://10.96.0.1:443/api/v1/namespaces/kube-system/configmaps/extension-apiserver-authentication

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "configmaps \"extension-apiserver-authentication\" is forbidden: User \"system:anonymous\" cannot get resource \"configmaps\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "extension-apiserver-authentication",
    "kind": "configmaps"
  },
  "code": 403
}
This still looks like a permission problem, so the pod was pinned to the master node instead.
Note that the two results are different failures. The curl from the host did reach the API server, and a 403 for system:anonymous is the expected answer to a request that carries no credentials (curl -k only disables server-certificate checking; it does not present a client certificate). The error inside the pod was a TCP i/o timeout: the pod running on a worker node could not reach the Service ClusterIP 10.96.0.1 at all, which points at pod-network reachability (CNI, kube-proxy, or host firewall rules) rather than at RBAC. Pinning the pod to the master only works around that, because the master can reach the ClusterIP.
Modification 2: pin the pod to the master with nodeName:
    spec:
      nodeName: k8s-master
      containers:
      - args:
        - --cert-dir=/tmp
        - --secure-port=4443
        - --kubelet-preferred-address-types=InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP
        - --kubelet-use-node-status-port
        - --kubelet-insecure-tls
        - --metric-resolution=30s

3. Verify: still errors
Only the master node's metrics are returned:

kubectl top node
NAME         CPU(cores)   CPU%        MEMORY(bytes)   MEMORY%
k8s-master   151m         7%          1376Mi          79%
k8s-node1    <unknown>    <unknown>   <unknown>       <unknown>
k8s-node2    <unknown>    <unknown>   <unknown>       <unknown>
kubectl top pod
W1123 05:14:54.320800   21780 top_pod.go:265] Metrics not available for pod default/httpd-84898796c-nr7vh, age: 101h11m21.320757123s
error: Metrics not available for pod default/httpd-84898796c-nr7vh, age: 101h11m21.320757123s

4. Investigating
kubectl logs metrics-server-79678b4c97-25cv2 -n kube-system
Similar errors are reported:
unable to fully scrape metrics: [unable to fully scrape metrics from node k8s-node1: unable to fetch metrics from node k8s-node1: Get "https://192.168.101.2:10250/stats/summary?only_cpu_and_memory=true": context deadline exceeded, unable to fully scrape metrics from node k8s-node2: unable to fetch metrics from node k8s-node2: Get "https://192.168.101.3:10250/stats/summary?only_cpu_and_memory=true": context deadline exceeded]
curl directly from the host:
curl -k https://192.168.101.2:10250/stats/summary?only_cpu_and_memory=true
It returns Unauthorized, i.e. authentication did not pass.
The same distinction as in item 2 applies here. The scrape from inside the pod timed out (context deadline exceeded), so the pod never got a TLS session to port 10250 on the workers. The curl from the host reached the kubelet, and 401 Unauthorized is the correct response to a request that carries neither a client certificate nor a bearer token. So the kubelet port is reachable from the host but not from the pod network, and authentication is a separate, second problem.
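Items 2 and 4 each pair a timeout seen from inside the pod with an HTTP error seen from the host, and in both cases the HTTP error was read as the cause. The following script, added here as an example and not part of the original post, sorts such messages by the layer that produced them (network, TLS, authentication, authorization) and shows the probe the post skipped: running the same request from a pod scheduled on the failing node. The sample lines are constructed from the messages quoted above; the probe function uses the real kubectl run --overrides flag and the public curlimages/curl image (both assumptions about the environment) and is defined but not executed, so the file runs offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: sort the errors seen in items 2
# and 4 by the layer that produced them. The sample lines are constructed from
# the messages quoted in the post; the kubectl/curl probe is defined but not
# executed here, so the file runs offline.

# Map one error message to the layer that failed:
#   network  the TCP/TLS connection never completed (CNI, kube-proxy, host firewall)
#   tls      the connection completed but the server certificate was rejected
#   authn    the endpoint answered and rejected the identity (401 / Unauthorized)
#   authz    the identity was accepted but lacks RBAC rights (403 / "is forbidden")
classify_error() {
  case "$1" in
    *"i/o timeout"*|*"context deadline exceeded"*|*"connection refused"*|*"no route to host"*)
      echo network ;;
    *"x509:"*)
      echo tls ;;
    *Unauthorized*|*'"code": 401'*)
      echo authn ;;
    *Forbidden*|*"is forbidden"*|*'"code": 403'*)
      echo authz ;;
    *)
      echo unknown ;;
  esac
}

# What to check next for each layer. Only the network case is a plumbing problem;
# the other three mean the packets arrive and the remaining work is credentials.
next_check() {
  case "$1" in
    network) echo "repeat the request from a pod on the failing node (probe_from_node); a 401/403 there proves the path is open" ;;
    tls)     echo "point metrics-server at the CA that signed the kubelet certs (--kubelet-certificate-authority) instead of --kubelet-insecure-tls" ;;
    authn)   echo "send credentials the endpoint trusts: a bearer token or a client cert signed by /etc/kubernetes/pki/ca.crt" ;;
    authz)   echo "kubectl auth can-i get configmaps -n kube-system --as=system:serviceaccount:kube-system:metrics-server" ;;
    *)       echo "read the full log: kubectl logs -n kube-system deploy/metrics-server" ;;
  esac
}

# The check the post skipped: run the same curl from inside the pod network on a
# chosen node and print only the HTTP status. 000 = no connection (network),
# 401 = reached the kubelet, 403 = reached the apiserver as system:anonymous.
# Assumes the curlimages/curl image is pullable; not executed in this file.
probe_from_node() {
  node=$1; url=$2
  kubectl run "probe-$node" --rm -i --restart=Never \
    --image=curlimages/curl:8.5.0 \
    --overrides="{\"spec\":{\"nodeName\":\"$node\"}}" \
    -- curl -sk -o /dev/null -w '%{http_code}\n' --max-time 5 "$url"
}

# Constructed samples, copied from the post's own output in items 2 and 4.
POD_LOG='Error: unable to load configmap based request-header-client-ca-file: Get "https://10.96.0.1:443/api/v1/namespaces/kube-system/configmaps/extension-apiserver-authentication": dial tcp 10.96.0.1:443: i/o timeout'
HOST_CURL_APISERVER='"message": "configmaps \"extension-apiserver-authentication\" is forbidden: User \"system:anonymous\" cannot get resource \"configmaps\" in API group \"\" in the namespace \"kube-system\"", "code": 403'
SCRAPE_LOG='unable to fetch metrics from node k8s-node1: Get "https://192.168.101.2:10250/stats/summary?only_cpu_and_memory=true": context deadline exceeded'
HOST_CURL_KUBELET='Unauthorized'

# Print layer, message and the next step for each sample.
triage() {
  for line in "$@"; do
    layer=$(classify_error "$line")
    printf '%-7s %s\n        next: %s\n' "$layer" "$line" "$(next_check "$layer")"
  done
}

triage "$POD_LOG" "$HOST_CURL_APISERVER" "$SCRAPE_LOG" "$HOST_CURL_KUBELET"
```

Run on the four samples, the two in-pod messages classify as network and the two host curls as authz and authn, which is the split the post's reasoning missed. In practice, run probe_from_node k8s-node1 against the ClusterIP URL first: a 403 there means the pod network is fine and only credentials remain, while 000 means the fix belongs in the CNI, kube-proxy or firewall layer and no amount of certificate work will help.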

5. What searching online turns up: the CA certificate is missing, so authentication fails
1) --requestheader-client-ca-file: the CA bundle used to verify client certificates on incoming requests before the user names carried in the request headers are trusted. metrics-server reads it from the extension-apiserver-authentication ConfigMap in kube-system, which is exactly the GET that timed out in item 2.
2) The kubelet serves on the port given by --port (default 10250); that endpoint requires TLS and authentication. It can also serve a read-only endpoint on readOnlyPort (default 10255; 0 disables it) that requires no authentication.
3) The kubelet's certificates live under /var/lib/kubelet/pki/; the kubeconfig it uses to talk to the API server, and which points at those files, is /etc/kubernetes/kubelet.conf.
4) Data flow: metrics-server lists the nodes from the apiserver, scrapes each node's kubelet on port 10250, and exposes the results through the aggregated metrics.k8s.io API that kubectl top and the dashboard query.
5) --kubelet-insecure-tls tells metrics-server not to verify the kubelet's serving certificate. It is needed because, by default, each kubelet generates its own self-signed serving certificate (on kubeadm clusters the issuer has the form <hostname>-ca@<timestamp>) rather than one signed by the cluster CA, so every node is effectively its own CA.
Open questions:
Where does the kubelet client certificate come from???
Which certificate is used???
Do we have to create our own? If so, how is it configured???
How are authentication and authorization set up???
With several nodes, how is this set up consistently: one shared certificate, or one per node???
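The certificate metrics-server refuses in item 5 is each kubelet's serving certificate, not a client certificate, and the per-node self-signed CA is exactly why --kubelet-insecure-tls is needed. The script below, added here as an example and not code from the original post or the metrics-server project, shows the alternative that also answers the questions above: have the cluster CA sign every kubelet's serving certificate, approve only the CSRs that really come from kubelets, and then tell metrics-server which CA to trust. It assumes a kubeadm cluster with the default PKI layout (/etc/kubernetes/pki/ca.crt is the cluster CA, /var/lib/kubelet/config.yaml is the KubeletConfiguration, and the CA bundle mounted into every pod under /var/run/secrets/kubernetes.io/serviceaccount/ is that same cluster CA). The CSR listing used at the bottom is constructed; functions that touch a node or the cluster are defined but not run, so the file executes offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the metrics-server project:
# replace --kubelet-insecure-tls by having the cluster CA sign each kubelet's
# serving certificate, then telling metrics-server which CA to trust.
# Assumes a kubeadm cluster with the default PKI layout. Functions that touch a
# node or the cluster are defined but not executed at the top level.

# Show who signed a kubelet's serving cert. With the default self-signed cert the
# issuer is "<hostname>-ca@<timestamp>" (one private CA per node); after the
# change below it becomes the cluster CA (CN=kubernetes on kubeadm).
kubelet_cert_issuer() {
  openssl s_client -connect "$1:10250" </dev/null 2>/dev/null | openssl x509 -noout -issuer
}

# Step 1, on every node: make the kubelet request its serving cert from the
# cluster instead of generating its own. serverTLSBootstrap is a
# KubeletConfiguration field; the kubelet then files a CSR with signerName
# kubernetes.io/kubelet-serving, which is never auto-approved.
enable_server_tls_bootstrap() {
  grep -q '^serverTLSBootstrap:' /var/lib/kubelet/config.yaml \
    || echo 'serverTLSBootstrap: true' >> /var/lib/kubelet/config.yaml
  systemctl restart kubelet
}

# Step 2, on the control plane: approve those CSRs, and only those. The filter
# reads `kubectl get csr` in the column layout below and keeps CSRs that are
# still pending, carry the kubelet-serving signer, and were requested by a node
# identity (system:node:<name>); anything else is left for a human to inspect.
CSR_COLUMNS='NAME:.metadata.name,SIGNER:.spec.signerName,REQUESTOR:.spec.username,CONDITION:.status.conditions[0].type'

list_csrs() {
  kubectl get csr --no-headers -o custom-columns="$CSR_COLUMNS"
}

pending_kubelet_serving_csrs() {
  awk '$2 == "kubernetes.io/kubelet-serving" && $3 ~ /^system:node:/ && $4 == "<none>" { print $1 }'
}

approve_kubelet_serving_csrs() {
  for csr in $(list_csrs | pending_kubelet_serving_csrs); do
    kubectl certificate approve "$csr"
  done
}

# Step 3: swap the post's args for a set that verifies kubelets against the
# cluster CA. Every pod already has that CA mounted by the service-account token
# volume, so no hostPath is needed (assumption: kubeadm, where that bundle is
# the CA that signs kubelet-serving CSRs). A strategic merge patch replaces the
# whole args list of the named container.
hardened_args_patch() {
  cat <<'EOF'
{"spec":{"template":{"spec":{"containers":[{"name":"metrics-server","args":[
  "--cert-dir=/tmp",
  "--secure-port=4443",
  "--kubelet-preferred-address-types=InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP",
  "--kubelet-use-node-status-port",
  "--kubelet-certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
  "--metric-resolution=30s"
]}]}}}}
EOF
}

apply_hardened_args() {
  kubectl -n kube-system patch deployment metrics-server --type=strategic -p "$(hardened_args_patch)"
}

# Constructed sample of list_csrs output: one CSR of each kind that should and
# should not be approved (names and node names are made up).
SAMPLE_CSRS='csr-7xk2q  kubernetes.io/kubelet-serving                system:node:k8s-node1            <none>
csr-mn3pz  kubernetes.io/kubelet-serving                system:node:k8s-node2            Approved
csr-q9d4r  kubernetes.io/kube-apiserver-client-kubelet  system:bootstrap:abcdef          <none>
csr-z2w8t  kubernetes.io/kubelet-serving                system:serviceaccount:default:x  <none>'

printf '%s\n' "$SAMPLE_CSRS" | pending_kubelet_serving_csrs   # prints csr-7xk2q only
```

Order matters: run enable_server_tls_bootstrap on each node, approve_kubelet_serving_csrs on the control plane, confirm with kubelet_cert_issuer 192.168.101.2 that the issuer is now the cluster CA, and only then apply_hardened_args; if metrics-server is switched first it will reject the still self-signed certificates with an x509 error. metrics-server's own identity towards the kubelet is its service-account bearer token, which the kubelet validates through the API server (webhook authentication) and authorizes with the nodes/stats rule that components.yaml already grants, so no client certificate has to be created or copied to the nodes.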