References: https://ask.csdn.net/questions/6250475
https://github.com/kubernetes-sigs/metrics-server/issues/378
k8s 1.19: after installing metrics-server (v4.0.1), running kubectl top node fails and the system log reports: /apis/metrics.k8s.io/v1beta1: 403
Cause: the aggregation layer is not enabled on the apiserver.
Fix:
- 1. Generate the certificates

```bash
# Create the CA certificate (skip this if you already have one)
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json << EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

# Create the certificate signing request for the aggregator (front-proxy client) certificate
cat > aggregator-csr.json << EOF
{
  "CN": "aggregator",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
```

Note the CN: it must match the value passed to metrics-server as --requestheader-allowed-names in step 3.

```bash
# Sign the CSR with the CA (the CSR file is aggregator-csr.json, created above)
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes aggregator-csr.json | cfssljson -bare aggregator
cp *.pem /opt/kubernetes/ssl
```
- 2. Configure the apiserver

Add the following flags to /opt/kubernetes/cfg/kube-apiserver.conf (comments are not allowed after a trailing backslash inside the file, so they are kept out of the block):

```
--enable-aggregator-routing=true \
--runtime-config=api/all=true \
--proxy-client-cert-file=/opt/kubernetes/ssl/aggregator.pem \
--proxy-client-key-file=/opt/kubernetes/ssl/aggregator-key.pem \
--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem \
--requestheader-allowed-names= \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-group-headers=X-Remote-Group \
--requestheader-username-headers=X-Remote-User \
```

I found that it also works without --enable-aggregator-routing=true.

The --proxy-client-cert-file and --proxy-client-key-file flags must point at the aggregator certificate and key generated in step 1 (the original note had kube-proxy.pem here; the CN of whatever certificate is used must match metrics-server's --requestheader-allowed-names). An empty --requestheader-allowed-names on the apiserver means any client certificate signed by --requestheader-client-ca-file is trusted to set the X-Remote-* headers; since ca.pem here is the cluster CA, restricting it to the front-proxy CN (aggregator) or using a dedicated front-proxy CA limits that trust.
- 3. Modify metrics-server.yaml

Create the secret:

```bash
kubectl create secret generic aggregator-ca-cert --from-file=/opt/kubernetes/ssl/ca.pem -n kube-system
```

Add the following configuration. Mount the certificate (volumeMounts goes under the metrics-server container, volumes under the pod spec):

```yaml
        volumeMounts:
        - name: aggregator-ca
          mountPath: /etc/kubelet/ca
      volumes:
      - name: aggregator-ca
        secret:
          secretName: aggregator-ca-cert
```

Startup arguments:

```yaml
      containers:
      - args:
        - --cert-dir=/tmp
        - --secure-port=4443
        - --requestheader-allowed-names=aggregator  # must match the CN of the certificate
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        - --kubelet-use-node-status-port
        - --requestheader-client-ca-file=/etc/kubelet/ca/ca.pem  # file name must match the CA certificate's own file name
        - --logtostderr
        - --v=3
```
- 4. Restart the apiserver and deploy metrics-server

```bash
systemctl restart kube-apiserver
kubectl apply -f metrics-server.yaml
```

- 5. Test

```bash
kubectl top node
```