Kubelet bootstrap authentication configuration steps: re-authenticating
- Error
Error from server (AlreadyExists): clusterrolebindings.rbac.authorization.k8s.io "kubelet-bootstrap" already exists
kubectl delete clusterrolebindings kubelet-bootstrap
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
Node cannot register after the config file was edited and kubelet restarted
- Error
5月 25 09:59:05 node2 kubelet[28402]: E0525 09:59:05.106033 28402 kubelet_node_status.go:92] Unable to register node "node2" with API server: nodes "node2" is forbidden: node "master1" is not allowed to modify node "node2"
5月 25 09:59:05 node2 kubelet[28402]: E0525 09:59:05.150663 28402 kubelet.go:2267] node "node2" not found
5月 25 09:59:05 node2 kubelet[28402]: E0525 09:59:05.251501 28402 kubelet.go:2267] node "node2" not found
- Solution:
To delete a node in k8s, use the following commands.
Before deleting a node, drain the pods running on it first:
kubectl drain $nodeIP --delete-local-data
Since this is a test environment with no pods yet, I deleted the node directly without draining.
1. Delete the node and re-register it
On the master: kubectl delete node $nodename
2. On the node, delete the client certificate files
rm -f /etc/kubernetes/ssl/kubelet-client-*
3. On the node, restart the kubelet service
systemctl restart kubelet
# After the restart the kubelet-client-* files are regenerated automatically
4. On the master, check the registration request
kubectl get csr
# CONDITION Pending means awaiting approval; Approved,Issued means it has been approved
5. On the master, approve the registration request
kubectl certificate approve $NAME
[root@master1 work]# kubectl certificate approve node-csr-nbczXKuKZpXVEwrEfplaF2WZcjaphB5_PNyCAUW46TU
certificatesigningrequest.certificates.k8s.io/node-csr-nbczXKuKZpXVEwrEfplaF2WZcjaphB5_PNyCAUW46TU approved
# $NAME is the request name shown by get csr in the previous step
6. On the master, kubectl get csr now shows the request approved
7. On the master, kubectl get nodes shows the node in Ready state
[root@master1 work]# kubectl get nodes
NAME      STATUS   ROLES    AGE   VERSION
master1   Ready    <none>   19h   v1.18.0
node1     Ready    <none>   30m   v1.18.0
node2     Ready    <none>   24m   v1.18.0
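As an added example (not part of the original notes), a Python check to run before step 5 instead of approving every pending CSR blindly: it triages a `kubectl get csr -o json` document and only passes on requests that come from the bootstrap user with the kubelet client signer and client-auth key usages, so a stray request from some other identity is left for manual review. The user name `kubelet-bootstrap` comes from the page; the signer name and the usage list are assumptions based on upstream kubelet behaviour, and the sample CSRs are constructed.

```python
# Assumed values for this setup: the bootstrap user the page binds to
# system:node-bootstrapper, the upstream signer name for kubelet client
# certificates, and the key usages a kubelet client CSR asks for.
BOOTSTRAP_USER = "kubelet-bootstrap"
KUBELET_CLIENT_SIGNER = "kubernetes.io/kube-apiserver-client-kubelet"
EXPECTED_USAGES = {"digital signature", "key encipherment", "client auth"}


def is_pending(csr):
    """True when the CSR carries no Approved or Denied condition yet."""
    conditions = csr.get("status", {}).get("conditions") or []
    return not any(c.get("type") in ("Approved", "Denied") for c in conditions)


def triage_csrs(csr_list):
    """Split a `kubectl get csr -o json` document into (approve, skip):
    names safe to pass to `kubectl certificate approve`, and a dict of
    name -> reason for everything an operator should look at by hand."""
    approve, skip = [], {}
    for csr in csr_list.get("items", []):
        name = csr["metadata"]["name"]
        spec = csr.get("spec", {})
        if not is_pending(csr):
            skip[name] = "already approved or denied"
        elif spec.get("username") != BOOTSTRAP_USER:
            skip[name] = "requested by %r, not the bootstrap user" % spec.get("username")
        elif spec.get("signerName") != KUBELET_CLIENT_SIGNER:
            skip[name] = "unexpected signer %r" % spec.get("signerName")
        elif set(spec.get("usages", [])) != EXPECTED_USAGES:
            skip[name] = "unexpected usages %r" % sorted(spec.get("usages", []))
        else:
            approve.append(name)
    return approve, skip


def _csr(name, user, signer, usages, conditions=None):
    """Build one item in the shape `kubectl get csr -o json` returns."""
    return {"metadata": {"name": name},
            "spec": {"username": user, "signerName": signer, "usages": usages},
            "status": {"conditions": conditions or []}}


# Constructed sample; CSR names and the service-account requester are made up.
CLIENT_USAGES = ["digital signature", "key encipherment", "client auth"]
SAMPLE = {"items": [
    _csr("node-csr-aaa", BOOTSTRAP_USER, KUBELET_CLIENT_SIGNER, CLIENT_USAGES),
    _csr("node-csr-bbb", BOOTSTRAP_USER, KUBELET_CLIENT_SIGNER, CLIENT_USAGES, [{"type": "Approved"}]),
    _csr("csr-ccc", "system:serviceaccount:default:builder", "kubernetes.io/kube-apiserver-client", CLIENT_USAGES),
    _csr("node-csr-ddd", BOOTSTRAP_USER, KUBELET_CLIENT_SIGNER, CLIENT_USAGES[:2] + ["server auth"]),
]}
```

Run `triage_csrs` on the parsed output of `kubectl get csr -o json` and feed only the first list to `kubectl certificate approve`; the second list tells you why each remaining request was held back.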
kube-proxy cannot start because the iptables version is too old
- Error
6月 03 19:00:39 k8s-master kube-proxy[24182]: I0603 19:00:39.751854 24182 proxier.go:1848] Not using `--random-fully` in the MASQUERADE rule for iptables because the local version of iptables does not support it
- Solution
Steps to upgrade iptables:
Check the current version:
iptables --version
Install the build tools:
yum -y install gcc gcc-c++ bzip2 libmnl
Download the latest package:
wget http://ftp.netfilter.org/pub/iptables/iptables-1.8.7.tar.bz2
tar -xjf iptables-1.8.7.tar.bz2
cd iptables-1.8.7
./configure --disable-nftables
make
make install
cd /usr/local/sbin
\cp /usr/local/sbin/iptables /sbin/
\cp /usr/local/sbin/iptables-restore /sbin/
\cp /usr/local/sbin/iptables-save /sbin/
iptables -V
yum -y install conntrack
Restart kubelet and kube-proxy
systemctl restart kubelet
systemctl restart kube-proxy
Dashboard on a newly built k8s cluster shows no data
- Cause
cluster-admin was not granted, so fetching the namespace failed
kubectl logs -n kubernetes-dashboard kubernetes-dashboard-7b544877d5-kpwdl
Non-critical error occurred during resource retrieval: pods is forbidden: User "system:serviceaccount:kube-dashboard:kubernetes-dashboard" cannot list resource "pods" in API group "" in the namespace "kube-dashboard"
- Solution
vim dashboard-admin.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: dashboard-admin
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-admin-bind-cluster-role
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: dashboard-admin
  namespace: kubernetes-dashboard
kubectl create -f dashboard-admin.yaml
Refresh and reopen the dashboard; the data is now visible.