I. Installation and deployment
1. Introduction
heapster has been replaced by metrics-server. Kubernetes autoscaling (the HorizontalPodAutoscaler) needs an add-on that collects resource usage (CPU, memory, ...) so the autoscaler can compare the measured values against the configured targets and adjust the number of pods. In early Kubernetes versions that add-on was heapster; it was retired with the 1.13 release, and metrics-server is the officially recommended replacement.
2. Download the YAML manifest
https://github.com/kubernetes-incubator/metrics-server (the project now lives at kubernetes-sigs/metrics-server, which the release URL below points to)
mkdir metrics-server
cd metrics-server/
wget https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.4.2/components.yaml
3. Edit the manifest
vim components.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: metrics-server
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: system:aggregated-metrics-reader
rules:
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: metrics-server
  name: system:metrics-server
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - nodes/stats
  - namespaces
  - configmaps
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server-auth-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server:system:auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: system:metrics-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:metrics-server
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
spec:
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    k8s-app: metrics-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  strategy:
    rollingUpdate:
      maxUnavailable: 0
  template:
    metadata:
      labels:
        k8s-app: metrics-server
    spec:
      containers:
      - args:
        - --cert-dir=/tmp
        - --secure-port=4443
        - --kubelet-insecure-tls   # added: skips verification of the kubelet SERVING certificate (nothing to do with client certs); needed when kubelets use self-signed serving certs, and it means metrics-server will talk to any host answering on the kubelet port
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        - --kubelet-use-node-status-port
        image: bitnami/metrics-server:0.4.1   # swapped in because k8s.gcr.io is unreachable from here; this is a third-party build one patch behind the v0.4.2 manifest, so pin it by digest and prefer the upstream k8s.gcr.io/metrics-server/metrics-server image where you can pull it
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /livez
            port: https
            scheme: HTTPS
          periodSeconds: 10
        name: metrics-server
        ports:
        - containerPort: 4443
          name: https
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /readyz
            port: https
            scheme: HTTPS
          periodSeconds: 10
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - mountPath: /tmp
          name: tmp-dir
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-cluster-critical
      serviceAccountName: metrics-server
      volumes:
      - emptyDir: {}
        name: tmp-dir
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  labels:
    k8s-app: metrics-server
  name: v1beta1.metrics.k8s.io
spec:
  group: metrics.k8s.io
  groupPriorityMinimum: 100
  insecureSkipTLSVerify: true   # kube-apiserver will not verify metrics-server's self-signed serving cert; set to false and add caBundle once metrics-server serves a CA-issued certificate
  service:
    name: metrics-server
    namespace: kube-system
  version: v1beta1
  versionPriority: 100
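The two settings that make this manifest work on a binary-deployed cluster, --kubelet-insecure-tls and insecureSkipTLSVerify: true, both switch TLS verification off: the first on the metrics-server to kubelet hop, the second on the kube-apiserver to metrics-server hop. The shell script below is an added example, not code from the original page or from the metrics-server project. It greps a components.yaml for those two shortcuts and contrasts a constructed weak excerpt (mirroring the manifest above) with a hardened one in which kubelet serving certificates are issued by the cluster CA so the flag can go, metrics-server serves its own certificate via --tls-cert-file/--tls-private-key-file, and the APIService carries a caBundle. The paths /certs/tls.crt and /certs/tls.key and the caBundle value are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: audit a metrics-server
# components.yaml for the two settings that turn TLS verification off, and
# show the hardened form beside the weak one.
#
#   --kubelet-insecure-tls       metrics-server accepts any kubelet serving
#                                certificate (no CA check, no hostname check)
#   insecureSkipTLSVerify: true  kube-apiserver accepts any serving certificate
#                                from the metrics-server Service when it proxies
#                                /apis/metrics.k8s.io
set -u

# audit_metrics_server_manifest FILE
# Writes one FINDING line per shortcut to stderr, echoes the count to stdout.
audit_metrics_server_manifest() {
  local file="$1" findings=0
  if grep -Eq '^[[:space:]]*-[[:space:]]*--kubelet-insecure-tls([[:space:]]|$)' "$file"; then
    echo "FINDING: --kubelet-insecure-tls: kubelet serving certificates are not verified" >&2
    findings=$((findings + 1))
  fi
  if grep -Eq '^[[:space:]]*insecureSkipTLSVerify:[[:space:]]*true[[:space:]]*$' "$file"; then
    echo "FINDING: APIService insecureSkipTLSVerify=true: metrics-server's certificate is not verified" >&2
    findings=$((findings + 1))
  fi
  # An APIService that verifies TLS must carry the CA that signed the server cert.
  if grep -Eq '^[[:space:]]*insecureSkipTLSVerify:[[:space:]]*false' "$file" \
     && ! grep -Eq '^[[:space:]]*caBundle:[[:space:]]*[A-Za-z0-9+/=]+' "$file"; then
    echo "FINDING: insecureSkipTLSVerify=false but no caBundle: the APIService has nothing to verify against" >&2
    findings=$((findings + 1))
  fi
  echo "$findings"
}

# Constructed excerpts (not real cluster output). WEAK mirrors the manifest above.
WEAK_MANIFEST=$(mktemp)
cat >"$WEAK_MANIFEST" <<'EOF'
      containers:
      - args:
        - --cert-dir=/tmp
        - --secure-port=4443
        - --kubelet-insecure-tls
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
spec:
  group: metrics.k8s.io
  insecureSkipTLSVerify: true
  version: v1beta1
EOF

# HARDENED: kubelet serving certs come from the cluster CA (kubelet
# serverTLSBootstrap with approved CSRs), so the flag is gone; metrics-server
# serves a CA-issued cert and caBundle is that CA's PEM, base64-encoded
# (placeholder value here; /certs/* paths are placeholders too).
HARDENED_MANIFEST=$(mktemp)
cat >"$HARDENED_MANIFEST" <<'EOF'
      containers:
      - args:
        - --cert-dir=/tmp
        - --secure-port=4443
        - --tls-cert-file=/certs/tls.crt
        - --tls-private-key-file=/certs/tls.key
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
spec:
  group: metrics.k8s.io
  insecureSkipTLSVerify: false
  caBundle: UExBQ0VIT0xERVI=
  version: v1beta1
EOF

echo "weak manifest:     $(audit_metrics_server_manifest "$WEAK_MANIFEST") finding(s)"
echo "hardened manifest: $(audit_metrics_server_manifest "$HARDENED_MANIFEST") finding(s)"
```

Run it against a real manifest with audit_metrics_server_manifest components.yaml; a non-zero count means one of the two hops accepts unverified TLS, which on a shared network lets anyone who can answer on the kubelet or Service port feed the autoscaler fabricated metrics.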
4. Apply the manifest
kubectl create -f components.yaml
5. Check the result
kubectl top nodes
NAME         CPU(cores)   CPU%   MEMORY(bytes)   MEMORY%
k8s-node1    106m         5%     396Mi           21%
k8s-node2    64m          3%     357Mi           19%
kubernetes   289m         14%    919Mi           48%
II. Troubleshooting the error
1. Problem description
After deploying Kubernetes from binaries and then deploying Metrics Server, its log shows the following errors:
E1231 10:33:31.978715 1 configmap_cafile_content.go:243] key failed with: missing content for CA bundle "client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
E1231 10:34:22.710836 1 configmap_cafile_content.go:243] kube-system/extension-apiserver-authentication failed with: missing content for CA bundle "client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
E1231 10:34:31.978769 1 configmap_cafile_content.go:243] key failed with: missing content for CA bundle "client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
Read literally, the error says that the CA bundle metrics-server expects under the key requestheader-client-ca-file in the kube-system/extension-apiserver-authentication ConfigMap has no content. kube-apiserver fills that key from its own --requestheader-client-ca-file flag, and metrics-server uses the CA to verify that a request really came through the kube-apiserver aggregation proxy before trusting the X-Remote-User and X-Remote-Group headers on it. So the problem is not that metrics-server cannot reach kube-apiserver; it is that authentication for the aggregation layer has never been configured on the API server.
2. Analysis
Looking up the cause
Searching online shows that this error appears when kube-apiserver has not enabled API aggregation, so the fix is to add the kube-apiserver parameters that turn the aggregation layer on.
What is API aggregation
The API aggregation mechanism was introduced in Kubernetes 1.7. It lets user-provided extension APIs be registered with kube-apiserver and accessed through the same API server HTTP URLs as the built-in APIs. To make this work, kube-apiserver gained an API Aggregation Layer that forwards requests for extension APIs to the service that implements them.
To register a custom API with the API server on the master, first enable API aggregation through the kube-apiserver startup parameters on the master nodes, as follows:
--runtime-config=api/all=true \
--requestheader-allowed-names=aggregator \
--requestheader-group-headers=X-Remote-Group \
--requestheader-username-headers=X-Remote-User \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem \
--proxy-client-cert-file=/opt/kubernetes/ssl/proxy-client.pem \
--proxy-client-key-file=/opt/kubernetes/ssl/proxy-client-key.pem \
Note that --requestheader-client-ca-file here is the cluster CA (ca.pem). The Kubernetes documentation warns against reusing one CA across contexts: with this arrangement, --requestheader-allowed-names=aggregator is the only thing stopping any holder of a client certificate from that CA from setting X-Remote-* headers against aggregated servers, so never leave the allowed-names list empty, and use a dedicated front-proxy CA when you can (kubeadm, for example, issues one as front-proxy-ca.crt).
If kube-proxy is not running on the host where kube-apiserver runs, so that Services cannot be reached through their ClusterIP, also set the following parameter, which makes kube-apiserver resolve the Service to its endpoint IPs instead:
--enable-aggregator-routing=true
Restart kube-apiserver after these changes and the aggregation layer is enabled.
systemctl daemon-reload && systemctl restart kube-apiserver
3. Fix
Following the analysis above, enable API aggregation and then restart Metrics Server, as follows:
# create proxy-client-csr.json. The CN must match --requestheader-allowed-names. Note that O=system:masters makes this certificate a cluster-admin client credential to kube-apiserver if it ever leaks; the aggregator only needs the CN, so a non-privileged O works just as well
{
  "CN": "aggregator",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
# generate the certificate and key
cfssl gencert -profile=kubernetes -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json proxy-client-csr.json | cfssljson -bare proxy-client
# copy the certificate and key into the directory kube-apiserver will read them from; here /opt/kubernetes/ssl
cp proxy-client*.pem /opt/kubernetes/ssl/
# add the parameters to the kube-apiserver startup arguments. On a binary deployment they live in the systemd unit or the config file it references; /etc/kubernetes/manifests/kube-apiserver.yaml is the kubeadm static-pod path, and a static pod is restarted by the kubelet as soon as the file changes, not by systemctl
vim /etc/kubernetes/manifests/kube-apiserver.yaml
--runtime-config=api/all=true \
--requestheader-allowed-names=aggregator \
--requestheader-group-headers=X-Remote-Group \
--requestheader-username-headers=X-Remote-User \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem \
--proxy-client-cert-file=/opt/kubernetes/ssl/proxy-client.pem \
--proxy-client-key-file=/opt/kubernetes/ssl/proxy-client-key.pem \
Parameter notes:
--runtime-config=api/all=true: enables every built-in API group and version. It is not required for aggregation and has no bearing on the error; keep it only if you want it.
--requestheader-client-ca-file: the CA used to verify the client certificate the aggregation proxy presents, before an aggregated server trusts the X-Remote-* headers. kube-apiserver publishes this file into the kube-system/extension-apiserver-authentication ConfigMap under the key requestheader-client-ca-file, which is exactly the content the log reports as missing.
--requestheader-allowed-names: the CNs accepted in that client certificate; aggregator matches the CN in proxy-client-csr.json. An empty list accepts any certificate issued by the request-header CA, which here is the cluster CA.
--requestheader-username-headers, --requestheader-group-headers, --requestheader-extra-headers-prefix: the header names in which the proxy passes the authenticated user, groups and extra attributes to the aggregated server.
--proxy-client-cert-file / --proxy-client-key-file: the client certificate and key kube-apiserver presents to aggregated API servers such as metrics-server; it must be signed by the CA in --requestheader-client-ca-file and carry an allowed CN.
4. Restart the kube-apiserver component
Restart kube-apiserver on all three master nodes:
systemctl daemon-reload && systemctl restart kube-apiserver
5. Restart the Metrics Server pod
Find the running metrics-server pod and delete it; the Deployment recreates it, which is the quickest way to make it reread the now-populated ConfigMap (the pod name below is from this cluster; yours will differ):
kubectl get pods -n kube-system | grep metrics-server
kubectl delete pods metrics-server-7455879dcc-w9dw7 -n kube-system
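Before restarting kube-apiserver on three masters, it is worth checking the flag set and the CSR against each other. The script below is an added example, not from the original page or any Kubernetes project: it reads a kube-apiserver argument list and the cfssl CSR JSON, reports the flags whose absence produces the "missing content for CA bundle" error, confirms the CSR CN appears in --requestheader-allowed-names (and that the list is not empty), and warns about O=system:masters. The two argument files are constructed: one matches the page's flag list, the other is an apiserver with no aggregation flags at all. The helper names are mine.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: preflight check for the
# aggregation-layer settings, run against the kube-apiserver argument list and
# the proxy-client CSR before anything is restarted. It encodes three facts:
#   * the log error appears when --requestheader-client-ca-file is missing,
#     because kube-apiserver publishes that file into the
#     extension-apiserver-authentication ConfigMap that metrics-server reads;
#   * --requestheader-allowed-names must contain the CN of the proxy-client
#     certificate ("aggregator" on this page) and must not be empty when the
#     request-header CA is the cluster CA, since an empty list trusts any
#     client certificate from that CA to set X-Remote-User/X-Remote-Group;
#   * a cluster-CA-signed certificate with O=system:masters is a cluster-admin
#     credential to kube-apiserver itself, which the aggregator never needs.
set -u

# flag_value ARGS_FILE FLAG -> prints the value of FLAG (empty if absent)
flag_value() {
  sed -n "s/^[[:space:]]*$2=\([^[:space:]]*\).*/\1/p" "$1" | head -n1
}

# json_field CSR_FILE KEY -> first string value of "KEY" in a cfssl CSR json
json_field() {
  sed -n "s/.*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n1
}

# check_aggregation_config ARGS_FILE CSR_FILE
# Prints ERROR/WARN lines to stderr; echoes the number of ERRORs to stdout.
check_aggregation_config() {
  local args="$1" csr="$2" errors=0 flag names cn org
  for flag in --requestheader-client-ca-file \
              --requestheader-username-headers \
              --requestheader-group-headers \
              --requestheader-extra-headers-prefix \
              --proxy-client-cert-file \
              --proxy-client-key-file; do
    if [ -z "$(flag_value "$args" "$flag")" ]; then
      echo "ERROR: $flag is not set" >&2
      errors=$((errors + 1))
    fi
  done
  names=$(flag_value "$args" --requestheader-allowed-names)
  cn=$(json_field "$csr" CN)
  if [ -z "$names" ]; then
    echo "ERROR: --requestheader-allowed-names is empty: any cert from the request-header CA may set X-Remote-* headers" >&2
    errors=$((errors + 1))
  else
    case ",$names," in
      *",$cn,"*) ;;
      *) echo "ERROR: CSR CN '$cn' is not in --requestheader-allowed-names=$names" >&2
         errors=$((errors + 1)) ;;
    esac
  fi
  org=$(json_field "$csr" O)
  if [ "$org" = "system:masters" ]; then
    echo "WARN: proxy-client cert has O=system:masters; the aggregator only needs the CN, use a non-privileged O" >&2
  fi
  echo "$errors"
}

# Constructed inputs (not from a real cluster).
# COMPLETE_ARGS: the flag set from section II of this page.
COMPLETE_ARGS=$(mktemp)
cat >"$COMPLETE_ARGS" <<'EOF'
--runtime-config=api/all=true \
--requestheader-allowed-names=aggregator \
--requestheader-group-headers=X-Remote-Group \
--requestheader-username-headers=X-Remote-User \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem \
--proxy-client-cert-file=/opt/kubernetes/ssl/proxy-client.pem \
--proxy-client-key-file=/opt/kubernetes/ssl/proxy-client-key.pem \
EOF

# BROKEN_ARGS: an apiserver with no aggregation flags, the state that produces
# the "missing content for CA bundle" log lines.
BROKEN_ARGS=$(mktemp)
cat >"$BROKEN_ARGS" <<'EOF'
--runtime-config=api/all=true \
--authorization-mode=Node,RBAC \
EOF

# The CSR from this page, compacted.
CSR_JSON=$(mktemp)
cat >"$CSR_JSON" <<'EOF'
{ "CN": "aggregator", "hosts": [], "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:masters", "OU": "System" } ] }
EOF

echo "complete flag set: $(check_aggregation_config "$COMPLETE_ARGS" "$CSR_JSON") error(s)"
echo "missing flags:     $(check_aggregation_config "$BROKEN_ARGS" "$CSR_JSON") error(s)"
```

On a live master, point check_aggregation_config at the file that holds the real kube-apiserver arguments and at proxy-client-csr.json; fix every ERROR before the systemctl restart, since a CN mismatch or an empty allowed-names list leaves the aggregation layer either broken or open to header spoofing rather than merely unconfigured.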