From: https://blog.51cto.com/nowsafe/6026448
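Installing metrics-server
A k8s cluster installed with kubeadm does not include metrics-server by default, so it has to be installed manually.
k8s version v1.22.2
OS Anolis OS 7.9
Kernel version 3.10.0-1160.an7.x86_64
docker version 20.10.21
ingress-nginx version v1.4.0
Modifying the api server
First check whether the k8s cluster's api server has the API Aggregator enabled: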
[root@k8s01 ~]# ps -ef | grep apiserver
root 4350 32424 0 14:27 pts/4 00:00:00 grep --color=auto apiserver
root 22557 22536 8 2022 ? 2-18:00:06 kube-apiserver --advertise-address=172.168.150.1 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/12 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
Compare:
[root@k8s01 ~]# ps -ef | grep apiserver | grep enable-aggregator-routing
It is not enabled by default, so the k8s apiserver configuration file has to be modified:
[root@k8s01 ~]# vim /etc/kubernetes/manifests/kube-apiserver.yaml
Add --enable-aggregator-routing=true
apiVersion: v1
kind: Pod
......
spec:
  containers:
  - command:
    - kube-apiserver
    ......
    - --enable-bootstrap-token-auth=true
    - --enable-aggregator-routing=true # add this line
The api server restarts automatically; verify with the command a little later:
[root@k8s01 ~]# ps -ef | grep apiserver | grep enable-aggregator-routing
root 7577 7558 14 14:31 ? 00:00:15 kube-apiserver --advertise-address=172.168.150.1 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --enable-aggregator-routing=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/12 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
Downloading and modifying the installation file
First download the installation file, using the latest version directly:
[root@k8s01 yaml]# wget https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
To install a specific version, see the https://github.com/kubernetes-sigs/metrics-server/releases/ page.
Modify the downloaded components.yaml: add --kubelet-insecure-tls and change --kubelet-preferred-address-types. (--kubelet-insecure-tls makes metrics-server skip verification of the kubelets' serving certificates.)
  template:
    metadata:
      labels:
        k8s-app: metrics-server
    spec:
      containers:
      - args:
        - --cert-dir=/tmp
        - --secure-port=4443
        - --kubelet-preferred-address-types=InternalIP # change this line; the default is InternalIP,ExternalIP,Hostname
        - --kubelet-use-node-status-port
        - --metric-resolution=15s
        - --kubelet-insecure-tls # add this line
[root@k8s01 yaml]# kubectl apply -f components.yaml
serviceaccount/metrics-server created
clusterrole.rbac.authorization.k8s.io/system:aggregated-metrics-reader created
clusterrole.rbac.authorization.k8s.io/system:metrics-server created
rolebinding.rbac.authorization.k8s.io/metrics-server-auth-reader created
clusterrolebinding.rbac.authorization.k8s.io/metrics-server:system:auth-delegator created
clusterrolebinding.rbac.authorization.k8s.io/system:metrics-server created
service/metrics-server created
deployment.apps/metrics-server created
apiservice.apiregistration.k8s.io/v1beta1.metrics.k8s.io created
Wait a moment and check whether it has started:
[root@k8s01 yaml]# kubectl get pod -n kube-system | grep metrics-server
metrics-server-6bdf677949-dpscp 0/1 ImagePullBackOff 0 30s
Check the logs:
kubectl describe pod metrics-server-6bdf677949-dpscp -n kube-system
Failed to pull image "k8s.gcr.io/metrics-server/metrics-server:v0.6.2"
Change the image address in components.yaml:
image: registry.aliyuncs.com/google_containers/metrics-server:v0.6.2
[root@k8s01 yaml]# kubectl delete -f components.yaml
[root@k8s01 yaml]# kubectl apply -f components.yaml
Wait a moment again and check whether it has started:
[root@k8s01 yaml]# kubectl get pod -n kube-system | grep metrics-server
metrics-server-787dd9d855-m8c7q 1/1 Running 0 93s
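The three components.yaml edits above (address types, --kubelet-insecure-tls, image registry) applied without an editor, as an added example that is not part of the original post. The names `sample_manifest`, `patch_components` and `uses_insecure_tls` are hypothetical, and the sample is a constructed excerpt matching the args and image shown on this page; `uses_insecure_tls` is a check for finding manifests that still skip kubelet certificate verification.

```shell
#!/bin/sh
# Added example, not from the original post: applies the page's three
# components.yaml edits without an editor, and is safe to run twice.

# Constructed sample: the container section with the v0.6.2 defaults.
sample_manifest() {
cat <<'EOF'
    spec:
      containers:
      - args:
        - --cert-dir=/tmp
        - --secure-port=4443
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        - --kubelet-use-node-status-port
        - --metric-resolution=15s
        image: k8s.gcr.io/metrics-server/metrics-server:v0.6.2
EOF
}

# patch_components SRC DST (hypothetical helper): write a patched copy of SRC.
patch_components() {
    src=$1 dst=$2
    sed -e 's|--kubelet-preferred-address-types=.*|--kubelet-preferred-address-types=InternalIP|' \
        -e 's|image: k8s\.gcr\.io/metrics-server/|image: registry.aliyuncs.com/google_containers/|' \
        "$src" |
    awk '
        { line[NR] = $0; if ($0 ~ /--kubelet-insecure-tls/) seen = 1 }
        END {
            for (i = 1; i <= NR; i++) {
                print line[i]
                # Insert the flag once, after --metric-resolution, same indent.
                if (!seen && line[i] ~ /^ *- --metric-resolution=/) {
                    indent = line[i]; sub(/-.*/, "", indent)
                    print indent "- --kubelet-insecure-tls"
                }
            }
        }' > "$dst"
}

# uses_insecure_tls FILE (hypothetical helper): exit 0 if the manifest turns
# off verification of kubelet serving certificates.
uses_insecure_tls() {
    grep -q -- '^ *- --kubelet-insecure-tls' "$1"
}

tmp=$(mktemp -d)
sample_manifest > "$tmp/components.yaml"
patch_components "$tmp/components.yaml" "$tmp/patched.yaml"
diff "$tmp/components.yaml" "$tmp/patched.yaml" || true   # show the edits
uses_insecure_tls "$tmp/patched.yaml" && echo "kubelet TLS verification is off"
rm -rf "$tmp"
```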
To verify, look at the service information:
[root@k8s01 yaml]# kubectl describe svc metrics-server -n kube-system
Name: metrics-server
Namespace: kube-system
Labels: k8s-app=metrics-server
Annotations: <none>
Selector: k8s-app=metrics-server
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.110.109.41
IPs: 10.110.109.41
Port: https 443/TCP
TargetPort: https/TCP
Endpoints: 10.244.209.30:4443
Session Affinity: None
Events: <none>
# ping this IP address, 10.244.209.30
[root@k8s01 yaml]# ping 10.244.209.30
PING 10.244.209.30 (10.244.209.30) 56(84) bytes of data.
64 bytes from 10.244.209.30: icmp_seq=1 ttl=63 time=0.338 ms
64 bytes from 10.244.209.30: icmp_seq=2 ttl=63 time=0.294 ms
A quick check of basic usage:
[root@k8s01 yaml]# kubectl top nodes
NAME CPU(cores) CPU% MEMORY(bytes) MEMORY%
k8s01.fengyue.com 226m 5% 2927Mi 37%
k8s02.fengyue.com 121m 3% 2359Mi 30%
k8s03.fengyue.com 96m 2% 2639Mi 34%
k8s04.fengyue.com 107m 2% 1721Mi 22%
k8s05.fengyue.com 92m 2% 3787Mi 49%
[root@k8s01 yaml]# kubectl top pods -n kube-system
NAME CPU(cores) MEMORY(bytes)
calico-kube-controllers-846d7f49d8-5ndh5 4m 52Mi
calico-node-6zslk 25m 138Mi
calico-node-l9xgd 25m 151Mi
calico-node-mdwwz 25m 140Mi
calico-node-mkw6x 24m 109Mi
calico-node-xvntv 27m 144Mi
coredns-7f6cbbb7b8-29jnv 2m 16Mi
coredns-7f6cbbb7b8-c86hc 2m 16Mi
etcd-k8s01.fengyue.com 23m 333Mi
kube-apiserver-k8s01.fengyue.com 77m 347Mi
kube-controller-manager-k8s01.fengyue.com 19m 49Mi
kube-proxy-2lq92 1m 15Mi
kube-proxy-7h27b 1m 16Mi
kube-proxy-7w6rh 1m 16Mi
kube-proxy-gmhqs 1m 25Mi
kube-proxy-w4q6p 1m 16Mi
kube-scheduler-k8s01.fengyue.com 5m 17Mi
metrics-server-787dd9d855-m8c7q 4m 14Mi