CentOS 7 binary deployment of k8s-v1.20.2 (ipvs version): the Metrics-Server service

    I. Installation and deployment

    1. Introduction
    Heapster has been replaced by metrics-server. To use Kubernetes autoscaling you first need a plugin that collects resource usage (CPU, memory, ...) and compares it with the configured autoscaling thresholds so that the number of pods can be adjusted automatically. Early Kubernetes versions used Heapster for this; after the 1.13 release Heapster was dropped and metrics-server is the officially recommended replacement.
    2. Download the YAML manifest

    https://github.com/kubernetes-incubator/metrics-server
    mkdir metrics-server
    cd metrics-server/
    wget https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.4.2/components.yaml

    3. Edit the install manifest

    vim components.yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      labels:
        k8s-app: metrics-server
      name: metrics-server
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      labels:
        k8s-app: metrics-server
        rbac.authorization.k8s.io/aggregate-to-admin: "true"
        rbac.authorization.k8s.io/aggregate-to-edit: "true"
        rbac.authorization.k8s.io/aggregate-to-view: "true"
      name: system:aggregated-metrics-reader
    rules:
    - apiGroups:
      - metrics.k8s.io
      resources:
      - pods
      - nodes
      verbs:
      - get
      - list
      - watch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      labels:
        k8s-app: metrics-server
      name: system:metrics-server
    rules:
    - apiGroups:
      - ""
      resources:
      - pods
      - nodes
      - nodes/stats
      - namespaces
      - configmaps
      verbs:
      - get
      - list
      - watch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      labels:
        k8s-app: metrics-server
      name: metrics-server-auth-reader
      namespace: kube-system
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: extension-apiserver-authentication-reader
    subjects:
    - kind: ServiceAccount
      name: metrics-server
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      labels:
        k8s-app: metrics-server
      name: metrics-server:system:auth-delegator
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:auth-delegator
    subjects:
    - kind: ServiceAccount
      name: metrics-server
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      labels:
        k8s-app: metrics-server
      name: system:metrics-server
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:metrics-server
    subjects:
    - kind: ServiceAccount
      name: metrics-server
      namespace: kube-system
    ---
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        k8s-app: metrics-server
      name: metrics-server
      namespace: kube-system
    spec:
      ports:
      - name: https
        port: 443
        protocol: TCP
        targetPort: https
      selector:
        k8s-app: metrics-server
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        k8s-app: metrics-server
      name: metrics-server
      namespace: kube-system
    spec:
      selector:
        matchLabels:
          k8s-app: metrics-server
      strategy:
        rollingUpdate:
          maxUnavailable: 0
      template:
        metadata:
          labels:
            k8s-app: metrics-server
        spec:
          containers:
          - args:
            - --cert-dir=/tmp
            - --secure-port=4443
            - --kubelet-insecure-tls  # this line has to be added: metrics-server then skips verification of the kubelet TLS certificate
            - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
            - --kubelet-use-node-status-port
            image: bitnami/metrics-server:0.4.1 # the image needs to be changed
            imagePullPolicy: IfNotPresent
            livenessProbe:
              failureThreshold: 3
              httpGet:
                path: /livez
                port: https
                scheme: HTTPS
              periodSeconds: 10
            name: metrics-server
            ports:
            - containerPort: 4443
              name: https
              protocol: TCP
            readinessProbe:
              failureThreshold: 3
              httpGet:
                path: /readyz
                port: https
                scheme: HTTPS
              periodSeconds: 10
            securityContext:
              readOnlyRootFilesystem: true
              runAsNonRoot: true
              runAsUser: 1000
            volumeMounts:
            - mountPath: /tmp
              name: tmp-dir
          nodeSelector:
            kubernetes.io/os: linux
          priorityClassName: system-cluster-critical
          serviceAccountName: metrics-server
          volumes:
          - emptyDir: {}
            name: tmp-dir
    ---
    apiVersion: apiregistration.k8s.io/v1
    kind: APIService
    metadata:
      labels:
        k8s-app: metrics-server
      name: v1beta1.metrics.k8s.io
    spec:
      group: metrics.k8s.io
      groupPriorityMinimum: 100
      insecureSkipTLSVerify: true
      service:
        name: metrics-server
        namespace: kube-system
      version: v1beta1
      versionPriority: 100
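Two settings in the manifest above trade away TLS verification: `--kubelet-insecure-tls` (metrics-server stops checking the kubelet serving certificate) and `insecureSkipTLSVerify: true` on the APIService (kube-apiserver stops checking the metrics-server serving certificate). The POSIX shell script below is an added example, not part of the original post or of the metrics-server project. It audits a manifest for both settings and emits a hardened copy that replaces `insecureSkipTLSVerify` with a `caBundle`. The manifest fragment and the CA PEM it operates on are constructed placeholders; the hardened output only works once metrics-server is given a serving certificate issued by that CA (`--tls-cert-file`/`--tls-private-key-file`) and the kubelet serving certificates are issued by a CA that metrics-server is told to trust (`--kubelet-certificate-authority`).

```shell
#!/bin/sh
# Added example, not from the original post or the metrics-server project:
# audit a metrics-server manifest for the two TLS-verification shortcuts used
# in components.yaml above, then emit a hardened copy that pins a CA bundle.

# Constructed sample: the relevant fragments of the components.yaml above.
SAMPLE_MANIFEST='apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - args:
        - --cert-dir=/tmp
        - --secure-port=4443
        - --kubelet-insecure-tls
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
spec:
  group: metrics.k8s.io
  insecureSkipTLSVerify: true
  service:
    name: metrics-server
    namespace: kube-system'

# Constructed placeholder standing in for the cluster CA
# (/opt/kubernetes/ssl/ca.pem in the post); it is not a real certificate.
SAMPLE_CA_PEM='-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----'

# audit_manifest FILE: print one FINDING line per verification shortcut found.
audit_manifest() {
    if grep -q -- '--kubelet-insecure-tls' "$1"; then
        echo "FINDING: --kubelet-insecure-tls: metrics-server does not verify kubelet serving certificates, so it cannot tell a real kubelet from an impostor"
    fi
    if grep -Eq '^[[:space:]]*insecureSkipTLSVerify:[[:space:]]*true' "$1"; then
        echo "FINDING: insecureSkipTLSVerify: true: kube-apiserver proxies metrics.k8s.io to metrics-server without verifying its certificate"
    fi
    return 0
}

# count_manifest_findings FILE: number of FINDING lines (0 when clean).
count_manifest_findings() {
    audit_manifest "$1" | grep -c '^FINDING:' || true
}

# harden_manifest FILE CA_PEM_FILE: drop --kubelet-insecure-tls and replace
# insecureSkipTLSVerify with a caBundle holding the base64 CA PEM; that CA
# must then also sign the metrics-server serving certificate.
harden_manifest() {
    _b64=$(base64 < "$2" | tr -d '\n')
    sed -e '/--kubelet-insecure-tls/d' \
        -e "s|insecureSkipTLSVerify:[[:space:]]*true|caBundle: $_b64|" "$1"
}

# Stand-alone run: write the samples to temp files, audit, harden, audit again.
manifest=$(mktemp)
ca=$(mktemp)
printf '%s\n' "$SAMPLE_MANIFEST" > "$manifest"
printf '%s\n' "$SAMPLE_CA_PEM" > "$ca"
echo "before hardening: $(count_manifest_findings "$manifest") finding(s)"
audit_manifest "$manifest"
harden_manifest "$manifest" "$ca" > "$manifest.hardened"
echo "after hardening: $(count_manifest_findings "$manifest.hardened") finding(s)"
rm -f "$manifest" "$manifest.hardened" "$ca"
```

Run it against the real file with `audit_manifest components.yaml`; on the manifest from this post it reports both findings, and `harden_manifest components.yaml /opt/kubernetes/ssl/ca.pem` writes the pinned version to stdout.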

    4. Apply the manifest

    kubectl create -f components.yaml

    5. Check the result

    kubectl top nodes
    NAME         CPU(cores)   CPU%   MEMORY(bytes)   MEMORY%
    k8s-node1    106m         5%     396Mi           21%
    k8s-node2    64m          3%     357Mi           19%
    kubernetes   289m         14%    919Mi           48%

    II. Fixing the error

    1. Problem description

    After deploying Kubernetes from binaries and then deploying Metrics Server, the Metrics Server log shows the following errors:

    E1231 10:33:31.978715 1 configmap_cafile_content.go:243] key failed with:
    missing content for CA bundle "client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
    E1231 10:34:22.710836 1 configmap_cafile_content.go:243] kube-system/extension-apiserver-authentication failed with:
    missing content for CA bundle "client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
    E1231 10:34:31.978769 1 configmap_cafile_content.go:243] key failed with:
    missing content for CA bundle "client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"

    The error messages show that an authentication CA certificate is missing, which is why Metrics Server cannot work through kube-apiserver.

    2. Problem analysis

    Looking up the cause

    Searching online shows that this error occurs because kube-apiserver does not have API aggregation enabled, so the fix is to configure the kube-apiserver parameters that turn aggregation on.

    What is API aggregation

    The API aggregation mechanism was introduced in Kubernetes 1.7. It lets user-provided extension APIs be registered with kube-apiserver and then accessed and operated on through the API server's normal HTTP URLs. To implement this, Kubernetes added an API Aggregation Layer to kube-apiserver, which forwards requests for extension APIs to the user's service.

    To register a custom API with the Master's API server, the kube-apiserver startup parameters on the Master nodes must first be configured to enable API aggregation. The parameters are:

      --runtime-config=api/all=true 
      --requestheader-allowed-names=aggregator 
      --requestheader-group-headers=X-Remote-Group 
      --requestheader-username-headers=X-Remote-User 
      --requestheader-extra-headers-prefix=X-Remote-Extra- 
      --requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem 
      --proxy-client-cert-file=/opt/kubernetes/ssl/proxy-client.pem 
      --proxy-client-key-file=/opt/kubernetes/ssl/proxy-client-key.pem 

    If kube-proxy is not running on the host where kube-apiserver runs, services cannot be reached through their ClusterIP, and the following startup parameter is also required:

    --enable-aggregator-routing=true

    Once the settings are in place, restart the kube-apiserver service and API aggregation is enabled.

    systemctl daemon-reload && systemctl restart kube-apiserver

    3. Fixing the problem

    Following the analysis above, we enable API aggregation and then restart Metrics Server. The steps are:

    # Create the proxy-client-csr.json configuration file
    {
      "CN": "aggregator",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BeiJing",
          "L": "BeiJing",
          "O": "system:masters",
          "OU": "System"
        }
      ]
    }
    # Generate the certificate and private key
    cfssl gencert -profile=kubernetes -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json  proxy-client-csr.json | cfssljson  -bare proxy-client
    
    # Copy the certificates to the chosen directory, here /opt/kubernetes/ssl
    cp proxy-client*.pem /opt/kubernetes/ssl/
    
    # Modify the kube-apiserver parameters
    vim /etc/kubernetes/manifests/kube-apiserver.yaml
      --runtime-config=api/all=true 
      --requestheader-allowed-names=aggregator 
      --requestheader-group-headers=X-Remote-Group 
      --requestheader-username-headers=X-Remote-User 
      --requestheader-extra-headers-prefix=X-Remote-Extra- 
      --requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem 
      --proxy-client-cert-file=/opt/kubernetes/ssl/proxy-client.pem 
      --proxy-client-key-file=/opt/kubernetes/ssl/proxy-client-key.pem 

    Parameter descriptions:

    • --requestheader-client-ca-file: the client CA certificate.

    • --requestheader-allowed-names: list of client common names that are allowed access; the user name itself is taken from the header field named by --requestheader-username-headers. The client common names must be set up under client-ca-file, and setting this to an empty value means any client can access.

    • --requestheader-extra-headers-prefix: header prefix to check in the request.

    • --requestheader-group-headers: group-name header to check in the request.

    • --requestheader-username-headers: user-name header to check in the request.

    • --proxy-client-cert-file: client certificate used to authenticate the Aggregator during requests.

    • --proxy-client-key-file: client private key used to authenticate the Aggregator during requests.
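To confirm that the kube-apiserver options above and the proxy-client CSR are consistent with each other, the following POSIX shell script (an added example, not from the original post) checks that every flag needed for aggregation is present and that the CN in proxy-client-csr.json is actually listed in --requestheader-allowed-names; the same check catches the "empty value means any client" case described in the parameter list. The option lines and the CSR are embedded as constructed samples copied from this post; in practice you would feed it the option text from the kube-apiserver unit or config file.

```shell
#!/bin/sh
# Added example, not from the original post: check that a kube-apiserver option
# list carries every flag needed for API aggregation, and that the CN in
# proxy-client-csr.json is actually listed in --requestheader-allowed-names.

# Constructed sample: the option lines from the post, as they appear in the
# kube-apiserver configuration after the change.
SAMPLE_APISERVER_OPTS='--runtime-config=api/all=true
--requestheader-allowed-names=aggregator
--requestheader-group-headers=X-Remote-Group
--requestheader-username-headers=X-Remote-User
--requestheader-extra-headers-prefix=X-Remote-Extra-
--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem
--proxy-client-cert-file=/opt/kubernetes/ssl/proxy-client.pem
--proxy-client-key-file=/opt/kubernetes/ssl/proxy-client-key.pem'

# Constructed sample: the proxy-client CSR from the post, condensed to one line.
SAMPLE_CSR='{ "CN": "aggregator", "hosts": [], "key": { "algo": "rsa", "size": 2048 } }'

# Flags kube-apiserver needs for the aggregation layer (the list from the post).
REQUIRED_FLAGS='requestheader-client-ca-file requestheader-allowed-names
requestheader-group-headers requestheader-username-headers
requestheader-extra-headers-prefix proxy-client-cert-file proxy-client-key-file'

# has_flag OPTS NAME: true when --NAME or --NAME=... appears on its own line.
has_flag() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*--$2(=|\$)"
}

# flag_value OPTS NAME: print the value of --NAME=..., empty if absent or unset.
flag_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*--$2=\([^[:space:]]*\)[[:space:]]*\$/\1/p" | head -n 1
}

# csr_cn CSR_JSON: print the CN field of a cfssl CSR JSON document.
csr_cn() {
    printf '%s\n' "$1" | sed -n 's/.*"CN"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# check_aggregation OPTS CSR_JSON: print one FINDING line per problem found.
check_aggregation() {
    for _f in $REQUIRED_FLAGS; do
        has_flag "$1" "$_f" || echo "FINDING: missing --$_f"
    done
    if has_flag "$1" requestheader-allowed-names; then
        _allowed=$(flag_value "$1" requestheader-allowed-names)
        _cn=$(csr_cn "$2")
        if [ -z "$_allowed" ]; then
            echo "FINDING: --requestheader-allowed-names is empty: any certificate issued by the requestheader CA may set X-Remote-* headers"
        else
            # allowed-names is comma separated; require an exact entry match
            case ",$_allowed," in
                *",$_cn,"*) ;;
                *) echo "FINDING: proxy client CN '$_cn' is not in --requestheader-allowed-names='$_allowed'" ;;
            esac
        fi
    fi
    return 0
}

# count_aggregation_findings OPTS CSR_JSON: number of FINDING lines (0 when clean).
count_aggregation_findings() {
    check_aggregation "$1" "$2" | grep -c '^FINDING:' || true
}

# Stand-alone run: the post's configuration, then a copy with an empty allowed-names.
if [ "$(count_aggregation_findings "$SAMPLE_APISERVER_OPTS" "$SAMPLE_CSR")" -eq 0 ]; then
    echo "OK: all aggregation flags present and CN '$(csr_cn "$SAMPLE_CSR")' is allowed"
fi
weak_opts=$(printf '%s\n' "$SAMPLE_APISERVER_OPTS" | sed 's/^--requestheader-allowed-names=.*/--requestheader-allowed-names=/')
check_aggregation "$weak_opts" "$SAMPLE_CSR"
```

The CN check matters because --requestheader-allowed-names is what restricts which client certificates kube-apiserver accepts as the aggregator; a mismatch produces the same authentication failures as a missing flag, while an empty list silently widens trust to every certificate the requestheader CA has issued.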

    4. Restart the kube-apiserver component

    Restart the kube-apiserver component on all three Master servers:

    systemctl daemon-reload && systemctl restart kube-apiserver

    5. Restart the Metrics Server application

    List the existing metrics-server pod and delete it so that it is recreated, which amounts to refreshing the pod:

    kubectl get pods -n kube-system | grep metrics-server
    kubectl delete pods metrics-server-7455879dcc-w9dw7 -n kube-system
    Original article: https://www.cnblogs.com/aqicheng/p/15124393.html