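The K8s API Server's authentication problems are long-standing. By default, the K8s API Server opens two ports: 8080 (Localhost Port) and 6443 (Secure Port). Port 8080 is the web UI dashboard; it requires no authentication and is used for local testing and monitoring. Port 6443 requires authentication and is protected by TLS; it is used for remote connections (for example, managing the cluster with kubectl).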
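The check below is an added example, not part of the original page: it classifies whether a kube-apiserver command line leaves the unauthenticated port disabled, bound to localhost only, or reachable from the network. It relies on the kube-apiserver flags `--insecure-port` and `--insecure-bind-address`, assumes the defaults described above (8080 on localhost) when they are absent, and uses constructed sample command lines.

```shell
#!/bin/sh
# Added example (not from the original page): classify how a kube-apiserver
# command line exposes the unauthenticated port described above.
# Assumption: when the flags are absent, the defaults are the ones the page
# gives (port 8080, bound to localhost).

# audit_apiserver_args "<kube-apiserver command line or manifest args>"
# Prints DISABLED, "LOCAL_ONLY addr:port" or "EXPOSED addr:port".
audit_apiserver_args() (
  set -f                          # split on whitespace without glob expansion
  port=8080 addr=127.0.0.1 prev=
  for arg in $1; do
    case "$prev" in               # "--flag value" form
      --insecure-port)         port=$arg ;;
      --insecure-bind-address) addr=$arg ;;
    esac
    case "$arg" in                # "--flag=value" form
      --insecure-port=*)         port=${arg#*=} ;;
      --insecure-bind-address=*) addr=${arg#*=} ;;
    esac
    prev=$arg
  done
  if [ "$port" = "0" ]; then
    echo "DISABLED"
  else
    case "$addr" in
      127.*|localhost|::1) echo "LOCAL_ONLY $addr:$port" ;;
      *)                   echo "EXPOSED $addr:$port" ;;
    esac
  fi
)

# Constructed sample command lines (not captured from a real cluster).
SAMPLE_DISABLED='kube-apiserver --advertise-address=10.10.16.82 --insecure-port=0 --secure-port=6443'
SAMPLE_DEFAULT='kube-apiserver --advertise-address=10.10.16.82 --secure-port=6443'
SAMPLE_EXPOSED='kube-apiserver --insecure-bind-address=0.0.0.0 --insecure-port 8080 --secure-port=6443'

for sample in "$SAMPLE_DISABLED" "$SAMPLE_DEFAULT" "$SAMPLE_EXPOSED"; do
  audit_apiserver_args "$sample"
done

# On a host: audit_apiserver_args "$(ps -o args= -C kube-apiserver)"
```

An EXPOSED result means the API is reachable without authentication from that address; setting `--insecure-port=0` disables the port.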
root@ubuntu:~# kubectl label node bogon node-role.kubernetes.io/worker=worker
Unable to connect to the server: dial tcp 10.10.16.82:6443: connect: network is unreachable
root@ubuntu:~# systemctl status firewalld
Unit firewalld.service could not be found.
root@ubuntu:~#
root@ubuntu:~# kubeadm reset
root@ubuntu:~# kubeadm init --kubernetes-version=v1.18.1 --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=10.10.16.82 --image-repository registry.aliyuncs.com/google_containers
W0618 18:47:56.560541 2512 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[init] Using Kubernetes version: v1.18.1
[preflight] Running pre-flight checks
	[WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/
error execution phase preflight: [preflight] Some fatal errors occurred:
	[ERROR FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]: /proc/sys/net/bridge/bridge-nf-call-iptables does not exist
[preflight] If you know what you are doing, you can make a check non-fatal with `--ignore-preflight-errors=...`
To see the stack trace of this error execute with --v=5 or higher
root@ubuntu:~# echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
-bash: /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
root@ubuntu:~# modprobe br_netfilter
root@ubuntu:~# echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
-bash: /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
root@ubuntu:~# ls /proc/sys/net/bridge
ls: cannot access '/proc/sys/net/bridge': No such file or directory
root@ubuntu:~#
Services common to MASTER and NODE
systemctl restart etcd
systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld

Services only on the MASTER
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl restart kube-apiserver
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager
systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler

Services only on the NODE
systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet (restart it when the status is not ready)
systemctl daemon-reload
systemctl enable kube-proxy
systemctl restart kube-proxy

systemctl status etcd
systemctl status flanneld
systemctl status kube-apiserver
systemctl status kube-controller-manager
systemctl status kube-scheduler
systemctl status kubelet
systemctl status kube-proxy