
/apis/metrics.k8s.io/v1beta1: 403

References:
https://ask.csdn.net/questions/6250475
https://github.com/kubernetes-sigs/metrics-server/issues/378

Kubernetes 1.19 with metrics-server v0.4.1 installed: running kubectl top node fails, and the system log reports /apis/metrics.k8s.io/v1beta1: 403.
Cause: the kube-apiserver has no aggregation layer configured. Without a proxy client certificate and the --requestheader-* flags, the apiserver cannot authenticate itself to metrics-server when it proxies the aggregated metrics.k8s.io API, so metrics-server treats the forwarded requests as unauthenticated and rejects them.
Fix:

  • 1. Generate the certificates
# Create the CA certificate (skip this and reuse the existing cluster CA if there already is one)
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json << EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

# Create the CSR for the aggregator (front-proxy) client certificate
cat > aggregator-csr.json << EOF
{
  "CN": "aggregator",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

Note the CN: "aggregator" is the identity the kube-apiserver presents to metrics-server. Metrics-server only trusts the X-Remote-* identity headers on requests whose client certificate CN is listed in its --requestheader-allowed-names, so this CN and that flag must match.

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes aggregator-csr.json | cfssljson -bare aggregator
# copies aggregator.pem and aggregator-key.pem (and ca.pem, if it was just created) into the apiserver's certificate directory;
# if the cluster already had a CA, copy only the aggregator files so the existing ca.pem is not overwritten
cp *.pem /opt/kubernetes/ssl
  • 2. Configure the apiserver
    Add the following flags to:
    /opt/kubernetes/cfg/kube-apiserver.conf
--enable-aggregator-routing=true \
--runtime-config=api/all=true \
--proxy-client-cert-file=/opt/kubernetes/ssl/aggregator.pem \
--proxy-client-key-file=/opt/kubernetes/ssl/aggregator-key.pem \
--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem \
--requestheader-allowed-names= \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-group-headers=X-Remote-Group \
--requestheader-username-headers=X-Remote-User \

Notes on these flags:
    --enable-aggregator-routing: it was observed that the setup also works without this flag. It is only required when kube-proxy is not running on the apiserver host, because it makes the apiserver proxy to the metrics-server pod endpoint IPs instead of the service ClusterIP.
    --proxy-client-cert-file / --proxy-client-key-file: the client certificate the apiserver presents to metrics-server. This must be the aggregator certificate generated in step 1 (CN=aggregator). Pointing these flags at the kube-proxy certificate does not work with the metrics-server arguments in step 3, because metrics-server is told to accept only CN=aggregator; a certificate with any other CN is not trusted as a front proxy and the forwarded requests stay unauthenticated.
    --requestheader-client-ca-file: the CA that signed the proxy client certificate. This setup reuses the cluster CA for that purpose. Be aware that every certificate issued by that CA (kubelets, kube-proxy, admin kubeconfigs) then validates as a front-proxy certificate, and a front proxy can assert any username and group through the X-Remote-* headers. That is why kubeadm issues a separate front-proxy-ca. With a shared CA, --requestheader-allowed-names should not be left empty: setting it to aggregator here as well restricts header-based identity to the one certificate meant for it, both for requests to the apiserver itself and for the values the apiserver publishes to extension API servers in the extension-apiserver-authentication ConfigMap. In this setup the restriction is enforced on the metrics-server side (step 3).
  • 3. Edit metrics-server.yaml
    Create a secret holding the CA that signed the aggregator client certificate (the secret key becomes the basename given to --from-file, i.e. ca.pem):
kubectl create secret generic aggregator-ca-cert --from-file=/opt/kubernetes/ssl/ca.pem -n kube-system

Add the following to the metrics-server Deployment:
Mount the CA:

        volumeMounts:
        - name: aggregator-ca
          mountPath: /etc/kubelet/ca
          
      volumes:
      - name: aggregator-ca
        secret:
          secretName: aggregator-ca-cert

Container arguments:

      containers:
      - args:
        - --cert-dir=/tmp
        - --secure-port=4443
        - --requestheader-allowed-names=aggregator    # must equal the CN of the apiserver's proxy client certificate
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        - --kubelet-use-node-status-port
        - --requestheader-client-ca-file=/etc/kubelet/ca/ca.pem  # file name is the secret key, i.e. the basename passed to --from-file
        - --logtostderr
        - --v=3

Mounting the CA and passing --requestheader-client-ca-file explicitly is one way to do this. Once the apiserver runs with the --requestheader-* flags it also publishes the CA and allowed names in the extension-apiserver-authentication ConfigMap in kube-system, which metrics-server reads by default through the extension-apiserver-authentication-reader role binding in its manifest, so the same result can be had without the secret; the explicit flags just make the trust relationship visible in the manifest.
  • 4. Restart the apiserver and deploy metrics-server
systemctl restart kube-apiserver
kubectl apply -f metrics-server.yaml
  • 5. Test
kubectl top node
The command should now return CPU and memory usage per node, and the v1beta1.metrics.k8s.io APIService should report Available=True instead of the earlier 403.
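The whole procedure above hinges on one trust decision made inside metrics-server: it believes the X-Remote-User / X-Remote-Group / X-Remote-Extra-* headers only when the connecting client presents a certificate signed by the CA from --requestheader-client-ca-file whose CN is in --requestheader-allowed-names. The following is an added example, not code from this page and not metrics-server's own code: it models the decision logic of the request-header authenticator in k8s.io/apiserver and runs it against the configurations discussed in steps 2 and 3. The TLS certificate is reduced to a small record with a subject CN and an issuer name (assumption: chain validation against the requestheader CA is represented by an issuer-name comparison), and the forwarded headers are constructed for the example.

```python
"""Model of the front-proxy (request-header) authentication an extension API
server such as metrics-server performs on every request the kube-apiserver
forwards to it.  Added example; the certificate check is simplified to an
issuer-name comparison (assumption), everything else follows the
request-header authenticator's rules."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

Header = Tuple[str, str]  # (name, value); repeated names are allowed, as in HTTP


@dataclass(frozen=True)
class ClientCert:
    """The certificate the kube-apiserver presents (its --proxy-client-cert-file)."""
    common_name: str  # subject CN, e.g. "aggregator"
    issuer: str       # CN of the CA that signed it (simplification of chain validation)


@dataclass
class RequestHeaderConfig:
    """The --requestheader-* flags of the extension API server (metrics-server)."""
    client_ca: str                    # --requestheader-client-ca-file, as a CA name here
    allowed_names: List[str]          # --requestheader-allowed-names; empty = any CN
    username_headers: List[str] = field(default_factory=lambda: ["X-Remote-User"])
    group_headers: List[str] = field(default_factory=lambda: ["X-Remote-Group"])
    extra_prefixes: List[str] = field(default_factory=lambda: ["X-Remote-Extra-"])


@dataclass
class UserInfo:
    name: str
    groups: List[str]
    extra: Dict[str, List[str]]


def _values(headers: List[Header], name: str) -> List[str]:
    """All values of a header, matched case-insensitively like Go's http.Header."""
    return [v for n, v in headers if n.lower() == name.lower()]


def authenticate(cfg: RequestHeaderConfig, cert: Optional[ClientCert],
                 headers: List[Header]) -> Optional[UserInfo]:
    """Return the identity asserted by the proxy, or None when the proxy is not trusted.

    None means the request falls through to the next authenticator and, if none
    matches, is handled as anonymous, which is the path to the page's 403."""
    # 1. The proxy must present a client certificate chaining to the requestheader CA.
    if cert is None or cert.issuer != cfg.client_ca:
        return None
    # 2. With a non-empty allowed-names list the CN must be on it.  An empty list
    #    means every certificate the CA ever issued may set identity headers.
    if cfg.allowed_names and cert.common_name not in cfg.allowed_names:
        return None
    # 3. Only now are the X-Remote-* headers believed.
    #    Username: first configured header that carries a non-empty value.
    name = ""
    for h in cfg.username_headers:
        vals = [v for v in _values(headers, h) if v]
        if vals:
            name = vals[0]
            break
    if not name:
        return None
    # Groups: every value of every configured group header, in order.
    groups = [v for h in cfg.group_headers for v in _values(headers, h)]
    # Extra: any header starting with a configured prefix; the key is the
    # remainder, lower-cased and percent-decoded.
    extra: Dict[str, List[str]] = {}
    for hname, value in headers:
        for prefix in cfg.extra_prefixes:
            if hname.lower().startswith(prefix.lower()):
                key = unquote(hname[len(prefix):].lower())
                extra.setdefault(key, []).append(value)
    return UserInfo(name, groups, extra)


# --- Scenarios matching the page's setup (all inputs constructed for this example) ---
CLUSTER_CA = "kubernetes"                                      # CN of the page's ca.pem
AGGREGATOR_CERT = ClientCert("aggregator", CLUSTER_CA)         # aggregator.pem from step 1
KUBE_PROXY_CERT = ClientCert("system:kube-proxy", CLUSTER_CA)  # a kube-proxy cert from the same CA

# Constructed headers, as the kube-apiserver attaches them when proxying kubectl top node.
FORWARDED_HEADERS: List[Header] = [
    ("X-Remote-User", "kubernetes-admin"),
    ("X-Remote-Group", "system:masters"),
    ("X-Remote-Group", "system:authenticated"),
    ("X-Remote-Extra-Scopes", "view"),
]


def run_scenarios() -> Dict[str, Optional[UserInfo]]:
    """Evaluate the configurations discussed on the page against one forwarded request."""
    strict = RequestHeaderConfig(client_ca=CLUSTER_CA, allowed_names=["aggregator"])
    lax = RequestHeaderConfig(client_ca=CLUSTER_CA, allowed_names=[])
    return {
        # steps 2 and 3 as written: proxy cert CN matches metrics-server's allowed name
        "aggregator_cert": authenticate(strict, AGGREGATOR_CERT, FORWARDED_HEADERS),
        # apiserver pointed at a kube-proxy cert while metrics-server allows only "aggregator"
        "kube_proxy_cert": authenticate(strict, KUBE_PROXY_CERT, FORWARDED_HEADERS),
        # empty allowed-names plus a shared cluster CA: any cluster cert can assert any user
        "kube_proxy_cert_any_name": authenticate(lax, KUBE_PROXY_CERT, FORWARDED_HEADERS),
        # right CN, but signed by a CA other than the one in --requestheader-client-ca-file
        "wrong_ca": authenticate(lax, ClientCert("aggregator", "front-proxy-ca"), FORWARDED_HEADERS),
    }


if __name__ == "__main__":
    for label, user in run_scenarios().items():
        print(f"{label:26s} -> {user}")
```

The third scenario is the caveat from step 2 in executable form: with an empty allowed-names list and the cluster CA doing double duty, a kube-proxy or kubelet certificate is enough to make metrics-server accept any X-Remote-User value, so restricting allowed-names to the aggregator CN is what keeps header-based impersonation confined to the apiserver.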