kubectl multiple net/http: TLS handshake timeout

Time: 2018-05-30 10:18:23

Tags: networking kubernetes cluster-computing

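I am new to Kubernetes and I am trying to set up a healthy local cluster (on ESXi).

I am running into many errors that I cannot resolve:

  • The Dashboard is running but cannot be accessed through the kubectl proxy API

  • I cannot access any svc exposed as type NodePort (TCP connection reset)

  • I cannot retrieve logs from pods

  • I cannot run kubeadm upgrade plan

I think most of them are due to bad configuration/mistakes, but I am unable to find what/where the broken brick is.

If I have forgotten some information, tell me and I will add it to the post.

I am running the cluster on VMs. All VMs are running CentOS 7. I have done this on all of them: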

swapoff -a
systemctl disable firewalld
systemctl stop firewalld
setenforce 0
systemctl daemon-reload
systemctl restart docker
systemctl restart kubelet

For flannel:

sysctl -w net.bridge.bridge-nf-call-iptables=1
sysctl -w net.bridge.bridge-nf-call-ip6tables=1
  

kubectl version

 Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.2", GitCommit:"81753b10df112992bf51bbc2c2f85208aad78335", GitTreeState:"clean", BuildDate:"2018-04-27T09:22:21Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
    Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.2", GitCommit:"81753b10df112992bf51bbc2c2f85208aad78335", GitTreeState:"clean", BuildDate:"2018-04-27T09:10:24Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
  

kubectl get ep

NAME            ENDPOINTS                          AGE
dark-room-dep   172.17.0.10:8085,172.17.0.9:8085   19h
kubernetes      10.66.222.223:6443                 8d
  

kubectl get svc

NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
dark-room-dep   NodePort    10.99.12.214   <none>        8085:30991/TCP   19h
kubernetes      ClusterIP   10.96.0.1      <none>        443/TCP          8d
  

kubectl cluster-info

Kubernetes master is running at https://10.66.222.223:6443
Heapster is running at https://10.66.222.223:6443/api/v1/namespaces/kube-system/services/heapster/proxy
KubeDNS is running at https://10.66.222.223:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
monitoring-grafana is running at https://10.66.222.223:6443/api/v1/namespaces/kube-system/services/monitoring-grafana/proxy
monitoring-influxdb is running at https://10.66.222.223:6443/api/v1/namespaces/kube-system/services/monitoring-influxdb/proxy
  

kubectl get deployment

NAME            DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
dark-room-dep   2         2         2            2           20h
  

kubectl get pods --all-namespaces

NAMESPACE     NAME                                            READY     STATUS    RESTARTS   AGE
default       dark-room-dep-577bf64bb8-9n5p7                  1/1       Running   0          20h
default       dark-room-dep-577bf64bb8-jmppg                  1/1       Running   0          20h
kube-system   etcd-localhost.localdomain                      1/1       Running   6          8d
kube-system   heapster-69b5d4974d-qvtrj                       1/1       Running   0          1d
kube-system   kube-apiserver-localhost.localdomain            1/1       Running   5          8d
kube-system   kube-controller-manager-localhost.localdomain   1/1       Running   4          8d
kube-system   kube-dns-86f4d74b45-njzj9                       3/3       Running   0          1d
kube-system   kube-flannel-ds-h9c2m                           1/1       Running   3          6d
kube-system   kube-flannel-ds-tcbd7                           1/1       Running   5          8d
kube-system   kube-proxy-7v6mf                                1/1       Running   3          6d
kube-system   kube-proxy-hwbwl                                1/1       Running   4          8d
kube-system   kube-scheduler-localhost.localdomain            1/1       Running   6          8d
kube-system   kubernetes-dashboard-7d5dcdb6d9-q42q5           1/1       Running   0          1d
kube-system   monitoring-grafana-69df66f668-zf2kc             1/1       Running   0          1d
kube-system   monitoring-influxdb-78d4c6f5b6-nhdbx            1/1       Running   0          1d
  

route -n

Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
0.0.0.0         10.66.222.1     0.0.0.0         UG    100    0        0 ens192
10.66.222.0     0.0.0.0         255.255.254.0   U     100    0        0 ens192
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.25.1.0      172.25.1.0      255.255.255.0   UG    0      0        0 flannel.1
  

kubectl get nodes --all-namespaces

NAME                    STATUS    ROLES     AGE       VERSION
k8s-01                  Ready     <none>    6d        v1.10.2
localhost.localdomain   Ready     master    8d        v1.10.2

Thank you for your help. Have a nice day.

佐科

2 answers:

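Answer 0 (score: 0)

Errors I have solved:

  • I cannot retrieve logs from pods: disable the firewall on the node

  • I cannot run kubeadm upgrade plan: wrong proxy configuration

Errors I cannot solve:

  • The Dashboard is running but cannot be accessed through the kubectl proxy API: I have researched this and found that it needs heapster and other heapster components... I can get it to work.

  • I cannot access any svc exposed as type NodePort (TCP connection reset): I have successfully deployed the svc on port 80, but it does not work on any other port.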

Answer 1 (score: 0)

To access the DASHBOARD UI, this is what I did; it works on a Kubernetes cluster with the following specs:

OS : CentOS 7

Kubernetes component versions (but v1.10.x also worked for me):

Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.2", GitCommit:"bb9ffb1654d4a729bb4cec18ff088eacc153c239", GitTreeState:"clean", BuildDate:"2018-08-07T23:17:28Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.2", GitCommit:"bb9ffb1654d4a729bb4cec18ff088eacc153c239", GitTreeState:"clean", BuildDate:"2018-08-07T23:08:19Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}

Steps

  1. Install the dashboard UI

kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

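  2. Install kubectl on your local machine: the method depends on whether you are using Windows, Linux or OS X, but it is very simple

  3. Copy the .kube directory from the master node to your local machine

  4. Create a service account named <name> in the kube-system namespace (you can use any name, but in my experience it works better if you use the same name as the account you use to log in to the machine where you imported the .kube directory)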

$ vim my_user.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: <your account user_name>
  namespace: kube-system

kubectl create -f my_user.yaml

  5. Create the cluster role association

$ vim cluster-admin-role-association.yml

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: <your account user_name>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: <your account user_name>
  namespace: kube-system

kubectl create -f cluster-admin-role-association.yml

  6. Get the token to log in

$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep <your account user_name> | awk '{print $1}')

Name:         <your account user_name>-token-xxxxx
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=<your account user_name>
              kubernetes.io/service-account.uid=xxxxxxxxxxxxxxxxxxxxxx
Type:  kubernetes.io/service-account-token
Data
====
namespace:  11 bytes
token:      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (your token)

  7. Now you can run kubectl proxy on your local machine, access the Dashboard UI at the following URL and log in with the token:

http://127.0.0.1:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

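For example, you can change the namespace to assign different users to different projects and get more precise permissions.

To access a SERVICE in general, at least in my deployment, you need to know which node the service is running on (you can find this out by adding -o wide to the kubectl get resource query), and you should then be able to access it.

Maybe there are better ways to access services (DNS names), but I am still learning, so for now this is how I do it.

Hope this helps

Cheers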
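
An added example, not part of the original answers: steps 4 to 6 of the second answer bind a service account to cluster-admin and read out its token, so that token secret carries cluster-wide admin rights. The Python script below lists such bindings and the token secrets behind them from kubectl JSON output; the sample data and the account name dashboard-user (standing in for <your account user_name>) are constructed for illustration.

```python
import json

# Constructed sample data shaped like `kubectl get clusterrolebindings -o json`
# and `kubectl get secrets --all-namespaces -o json`. "dashboard-user" is a
# made-up stand-in for <your account user_name>.
BINDINGS = json.loads("""{"items": [
 {"metadata": {"name": "dashboard-user"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "dashboard-user",
                "namespace": "kube-system"}]},
 {"metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"metadata": {"name": "ci-view"}, "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "default"}]},
 {"metadata": {"name": "empty"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}]}""")
SECRETS = json.loads("""{"items": [
 {"metadata": {"name": "dashboard-user-token-abcde", "namespace": "kube-system",
   "annotations": {"kubernetes.io/service-account.name": "dashboard-user"}},
  "type": "kubernetes.io/service-account-token"},
 {"metadata": {"name": "ci-token-fghij", "namespace": "default",
   "annotations": {"kubernetes.io/service-account.name": "ci"}},
  "type": "kubernetes.io/service-account-token"}]}""")
SA_NAME = "kubernetes.io/service-account.name"

def cluster_admin_service_accounts(binding_list, role="cluster-admin"):
    """Sorted (binding, namespace, account) for ServiceAccounts bound to `role`."""
    found = set()
    for b in binding_list.get("items", []):
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        for s in b.get("subjects") or []:  # a binding may have no subjects
            if s.get("kind") == "ServiceAccount":
                found.add((b["metadata"]["name"], s.get("namespace", ""), s["name"]))
    return sorted(found)

def admin_token_secrets(secret_list, findings):
    """Sorted namespace/name of token secrets owned by the flagged accounts."""
    flagged = {(ns, sa) for _, ns, sa in findings}
    names = []
    for s in secret_list.get("items", []):
        meta = s["metadata"]
        owner = (meta.get("annotations") or {}).get(SA_NAME)
        if (s.get("type") == "kubernetes.io/service-account-token"
                and (meta.get("namespace"), owner) in flagged):
            names.append(f'{meta["namespace"]}/{meta["name"]}')
    return sorted(names)
```

On a real cluster, feed the two functions the parsed output of the kubectl commands named in the comment instead of the constructed samples.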