I have successfully set up a regular cluster, and now I am trying to do an HA setup following the documentation at https://kubernetes.io/docs/admin/high-availability/
After copying the etcd.yaml file into /etc/kubernetes/manifests, I see 3 etcd containers in my cluster:
default etcd-server-kuber-poc-app1 1/1 Running 1 2d
default etcd-server-kuber-poc-app2 1/1 Running 72 20h
kube-system etcd-kuber-poc-app1 1/1 Running 4 13d
But when I check the logs of any of the etcd pods, I see errors like:
2017-11-15 08:53:25.398815 E | discovery: error #0: x509: failed to load system roots and no roots provided
2017-11-15 08:53:25.398907 I | discovery: cluster status check: error connecting to https://discovery.etcd.io, retrying in 18h12m16s
It looks like their certificates are missing,
but I am not sure which certificates to create or where to put them.
YAML content:
apiVersion: v1
kind: Pod
metadata:
  name: etcd-server
spec:
  hostNetwork: true
  containers:
  - image: gcr.io/google_containers/etcd:3.0.17
    name: etcd-container
    command:
    - /usr/local/bin/etcd
    - --name
    - NODE-1
    - --initial-advertise-peer-urls
    - http://10.127.38.18:2380
    - --listen-peer-urls
    - http://10.127.38.18:2380
    - --advertise-client-urls
    - http://10.127.38.18:4001
    - --listen-client-urls
    - http://127.0.0.1:4001
    - --data-dir
    - /var/etcd/data
    - --discovery
    - https://discovery.etcd.io/9458bcd46077d558fd26ced5cb9f2a6a
    ports:
    - containerPort: 2380
      hostPort: 2380
      name: serverport
    - containerPort: 4001
      hostPort: 4001
      name: clientport
    volumeMounts:
    - mountPath: /var/etcd
      name: varetcd
    - mountPath: /etc/ssl
      name: etcssl
      readOnly: true
    - mountPath: /usr/share/ssl
      name: usrsharessl
      readOnly: true
    - mountPath: /var/ssl
      name: varssl
      readOnly: true
    - mountPath: /usr/ssl
      name: usrssl
      readOnly: true
    - mountPath: /usr/lib/ssl
      name: usrlibssl
      readOnly: true
    - mountPath: /usr/local/openssl
      name: usrlocalopenssl
      readOnly: true
    - mountPath: /etc/openssl
      name: etcopenssl
      readOnly: true
    - mountPath: /etc/pki/tls
      name: etcpkitls
      readOnly: true
  volumes:
  - hostPath:
      path: /var/etcd/data
    name: varetcd
  - hostPath:
      path: /etc/ssl
    name: etcssl
  - hostPath:
      path: /usr/share/ssl
    name: usrsharessl
  - hostPath:
      path: /var/ssl
    name: varssl
  - hostPath:
      path: /usr/ssl
    name: usrssl
  - hostPath:
      path: /usr/lib/ssl
    name: usrlibssl
  - hostPath:
      path: /usr/local/openssl
    name: usrlocalopenssl
  - hostPath:
      path: /etc/openssl
    name: etcopenssl
  - hostPath:
      path: /etc/pki/tls
    name: etcpkitls
So, 2 questions:
1) How do I create the certs?
2) Where do I keep them?
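As an added example (not part of the question or the linked docs), the script below generates the certificates that etcd itself needs for TLS: a private CA, plus a server certificate for the client port and a peer certificate for the peer port, each with a SAN covering the node name, the node IP and localhost. The node name NODE-1 and IP 10.127.38.18 are taken from the manifest above; the output directory, file names and the openssl invocations are my assumptions, as is the idea of mounting the directory into the pod with a hostPath volume. One caveat: the discovery error quoted in the question is Go's x509 message for a process that cannot find any trusted root CA at all, which means the container is seeing no CA bundle in the host SSL directories the manifest mounts. Certificates issued by your own CA will not fix trust in the public certificate of discovery.etcd.io; that needs a real CA bundle inside the container, or a static --initial-cluster bootstrap instead of --discovery.

```shell
#!/bin/sh
# Generate a private CA and etcd server/peer certificates with openssl.
# Example code written for this page; not from the question or the Kubernetes docs.
set -eu

# gen_etcd_certs OUT_DIR NODE_NAME NODE_IP
gen_etcd_certs() {
  out=$1; node_name=$2; node_ip=$3
  mkdir -p "$out"

  # 1. CA key and self-signed CA certificate. Keep ca.key off the nodes.
  openssl genrsa -out "$out/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$out/ca.key" -days 3650 -sha256 \
    -subj "/CN=etcd-ca" -out "$out/ca.crt" 2>/dev/null
  chmod 0600 "$out/ca.key"

  # 2. One leaf certificate per role: "server" (client port 4001) and
  #    "peer" (peer port 2380). The SAN must list every name and IP that
  #    other members and kube-apiserver will dial, or etcd rejects the handshake.
  for role in server peer; do
    cat > "$out/$role.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:$node_name,DNS:localhost,IP:$node_ip,IP:127.0.0.1
EOF
    openssl genrsa -out "$out/$role.key" 2048 2>/dev/null
    openssl req -new -key "$out/$role.key" \
      -subj "/CN=etcd-$role-$node_name" -out "$out/$role.csr" 2>/dev/null
    openssl x509 -req -in "$out/$role.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
      -CAcreateserial -days 365 -sha256 -extfile "$out/$role.ext" \
      -out "$out/$role.crt" 2>/dev/null
    chmod 0600 "$out/$role.key"
    rm -f "$out/$role.csr" "$out/$role.ext"
  done
}

# verify_cert OUT_DIR ROLE NODE_IP: chain verifies against ca.crt and the
# SAN contains the node IP. Returns non-zero on either failure.
verify_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 &&
  openssl x509 -in "$1/$2.crt" -noout -text | grep -q "IP Address:$3"
}

# Usage: values from the manifest in the question; output dir is an assumption.
# On the node, copy the directory to e.g. /etc/kubernetes/pki/etcd (assumed path),
# mount it read-only into the pod, switch the URLs to https and add the flags:
#   --cert-file=/etc/kubernetes/pki/etcd/server.crt
#   --key-file=/etc/kubernetes/pki/etcd/server.key
#   --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt --client-cert-auth
#   --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
#   --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
#   --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt --peer-client-cert-auth
ETCD_CERT_DIR=${ETCD_CERT_DIR:-$(mktemp -d)}
gen_etcd_certs "$ETCD_CERT_DIR" NODE-1 10.127.38.18
verify_cert "$ETCD_CERT_DIR" server 10.127.38.18
verify_cert "$ETCD_CERT_DIR" peer 10.127.38.18
echo "etcd certificates written to $ETCD_CERT_DIR"
```

Each etcd member needs its own server and peer certificate issued from the same CA, with that member's name and IP in the SAN; only ca.crt is shared, and kube-apiserver gets a separate client certificate signed by the same CA for --etcd-certfile/--etcd-keyfile.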
Answer 0 (score: 0)
I don't think we can run a kubeadm cluster as HA. You could choose to recreate the cluster with the kubespray tool https://github.com/kubespray/kubespray-cli, which will create the certificates for all nodes.
For step-by-step instructions, follow Kubernetes The Hard Way https://github.com/kelseyhightower/kubernetes-the-hard-way