1、watch 后面的命令不能使用别名(alias):watch 通过 sh -c 执行命令,不会加载当前交互式 shell 中定义的别名,需要写完整命令
# watch k get pod -n kube-system -owide
sh: k: 未找到命令
# watch kubectl get pods --all-namespaces
2、 k8s-master02状态:NotReady,提示node_authorizer授权问题:NODE DENY: 'k8s-master02'
[root@k8s-master01 ssl]# k get node
NAME STATUS ROLES AGE VERSION
k8s-master01 Ready <none> 122d v1.24.0
k8s-master02 NotReady <none> 122d v1.24.0
[root@k8s-master01]# systemctl status kube-apiserver
10月 09 10:58:42 k8s-master01 kube-apiserver[2349]: I1009 10:58:42.531917 2349 available_controller.go:474] "changing APIService availability" name="v1beta1.metrics.k8s.io" oldStatus=False newStatus=True message="all checks passed" reason="Passed"
10月 09 10:58:43 k8s-master01 kube-apiserver[2349]: I1009 10:58:43.338159 2349 node_authorizer.go:285] NODE DENY: 'k8s-master02' &authorizer.AttributesRecord{User:(*user.DefaultInfo)(0xc00e9dcb80), Verb:"get", Namespace:"", APIGroup:"storage.k8s.io", APIVersion:"v1", Resource:"csinodes", Subresource:"", Name:"k8s-master-lb", ResourceRequest:true, Path:"/apis/storage.k8s.io/v1/csinodes/k8s-master-lb"}...
[root@k8s-master03]# systemctl status kube-controller-manager -l
10月 09 12:03:21 k8s-master03 kube-controller-manager[1328]: I1009 12:03:21.232905 1328 node_lifecycle_controller.go:1093] node k8s-master02 hasn't been updated for 2h22m27.228655782s. Last PIDPressure is: &NodeCondition{Type:PIDPressure,Status:Unknown,LastHeartbeatTime:2022-09-30 08:32:19 +0800 CST,LastTransitionTime:2022-10-09 09:41:34 +0800 CST,Reason:NodeStatusUnknown,Message:Kubelet stopped posting node status.,}
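重新从 k8s-master01 拷贝 etcd-ca-key.pem 到 k8s-master02 后 OK,该节点状态恢复为 Ready。
注意:etcd-ca-key.pem 是 CA 私钥,通常只在签发证书时需要,etcd 运行时一般只用到 etcd-ca.pem、etcd.pem、etcd-key.pem;把 CA 私钥分发到各节点会扩大泄露面,签发完成后建议从节点上移除并离线保存。
另外,上面的 NODE DENY 日志显示身份 'k8s-master02' 在请求名为 k8s-master-lb 的 csinodes 对象,可能是 kubelet 注册的节点名与其证书身份不一致,建议一并核对。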
# pwd
/etc/etcd/ssl
# ll
-rw------- 1 root root 1675 10月 9 15:56 etcd-ca-key.pem
-rw-r--r-- 1 root root 1367 10月 9 15:56 etcd-ca.pem
-rw------- 1 root root 1679 10月 9 15:56 etcd-key.pem
-rw-r--r-- 1 root root 1509 10月 9 15:56 etcd.pem
# openssl x509 -in etcd-ca-key.pem -noout -text //查看证书(注意:openssl x509 只能解析证书;etcd-ca-key.pem 是私钥,此命令会报错,查看证书应将 -in 指向 etcd-ca.pem 或 etcd.pem)