kube-apiserver.service fails after complete reinstallation of kubernetes and kubectl plugins

I have a problem whereby kube-apiserver.service always fails on my local Fedora 36.

When getting the namespaces of a context, I was experiencing certificate problems that prevented me from succeeding. I was using kubens and I get the error:

> error: You must be logged in to the server (Unauthorized) 
> error getting namespace list

The first thing I checked was my ~/.kube/config and everything seemed fine. So, after reading a bit and being convinced that it was a certificate error (we were experiencing certificate errors with one kube cluster in particular), I installed kubeadm through yum (sudo yum install kubernetes-kubeadm.x86_64). I used it to automatically renew all the certificates that needed it, with the command kubeadm certs renew all.

The command exited with clean output, no errors were reported. Checking kubens still gives the same error. So I tried restarting the Kube services and they all restarted fine, except kube-apiserver. It always gives the same error: too many restart commands repeated too quickly. This is the output of sudo systemctl status kube-apiserver -l:

> × kube-apiserver.service - Kubernetes API Server
>      Loaded: loaded (/usr/lib/systemd/system/kube-apiserver.service; enabled; vendor preset: disabled)
>      Active: failed (Result: exit-code) since Thu 2022-11-17 09:07:44 CET; 12min ago
>        Docs: https://kubernetes.io/docs/concepts/overview/components/#kube-apiserver
>              https://kubernetes.io/docs/reference/generated/kube-apiserver/
>     Process: 1752 ExecStart=/usr/bin/kube-apiserver $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_ETCD_SERVERS $KUBE_API_ADDRESS $KUBE_API_PORT $KUBELET_PORT >
>    Main PID: 1752 (code=exited, status=1/FAILURE)
>         CPU: 48ms
> 
> Nov 17 09:07:44 fedora systemd[1]: kube-apiserver.service: Scheduled restart job, restart counter is at 5.
> Nov 17 09:07:44 fedora systemd[1]: Stopped kube-apiserver.service - Kubernetes API Server.
> Nov 17 09:07:44 fedora systemd[1]: kube-apiserver.service: Start request repeated too quickly.
> Nov 17 09:07:44 fedora systemd[1]: kube-apiserver.service: Failed with result 'exit-code'.
> Nov 17 09:07:44 fedora systemd[1]: Failed to start kube-apiserver.service - Kubernetes API Server.

So I looked in journalctl and found this log section:

>     Nov 16 16:33:30 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=kube-apiserver comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
>     Nov 16 16:33:30 fedora systemd[1]: kube-apiserver.service: Scheduled restart job, restart counter is at 5.
>     ░░ Automatic restarting of the unit kube-apiserver.service has been scheduled, as the result for
>     Nov 16 16:33:30 fedora systemd[1]: Stopped kube-apiserver.service - Kubernetes API Server.
>     ░░ Subject: A stop job for unit kube-apiserver.service has finished
>     ░░ A stop job for unit kube-apiserver.service has finished.
>     Nov 16 16:33:30 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=kube-apiserver comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>     Nov 16 16:33:30 fedora audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=kube-apiserver comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>     Nov 16 16:33:30 fedora systemd[1]: kube-apiserver.service: Start request repeated too quickly.
>     Nov 16 16:33:30 fedora systemd[1]: kube-apiserver.service: Failed with result 'exit-code'.
>     ░░ The unit kube-apiserver.service has entered the 'failed' state with result 'exit-code'.
>     Nov 16 16:33:30 fedora systemd[1]: Failed to start kube-apiserver.service - Kubernetes API Server.
>     ░░ Subject: A start job for unit kube-apiserver.service has failed
>     ░░ A start job for unit kube-apiserver.service has finished with a failure.
>     Nov 16 16:33:37 fedora kubelet[8800]:       --rotate-certificates                                      <Warning: Beta feature> Auto rotate the kubelet client certificates by requesting new certificates from the kube-apiserver when the certificate expiration approaches. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
>     Nov 16 16:33:37 fedora kubelet[8800]:       --rotate-server-certificates                               Auto-request and rotate the kubelet serving certificates by requesting new certificates from the kube-apiserver when the certificate expiration approaches. Requires the RotateKubeletServerCertificate feature gate to be enabled, and approval of the submitted CertificateSigningRequest objects. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
>     Nov 16 16:33:47 fedora kubelet[8818]:       --rotate-certificates                                      <Warning: Beta feature> Auto rotate the kubelet client certificates by requesting new certificates from the kube-apiserver when the certificate expiration approaches. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
>     Nov 16 16:33:47 fedora kubelet[8818]:       --rotate-server-certificates                               Auto-request and rotate the kubelet serving certificates by requesting new certificates from the kube-apiserver when the certificate expiration approaches. Requires the RotateKubeletServerCertificate feature gate to be enabled, and approval of the submitted CertificateSigningRequest objects. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
>     Nov 16 16:33:57 fedora kubelet[8834]:       --rotate-certificates                                      <Warning: Beta feature> Auto rotate the kubelet client certificates by requesting new certificates from the kube-apiserver when the certificate expiration approaches. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
>     Nov 16 16:33:57 fedora kubelet[8834]:       --rotate-server-certificates                               Auto-request and rotate the kubelet serving certificates by requesting new certificates from the kube-apiserver when the certificate expiration approaches. Requires the RotateKubeletServerCertificate feature gate to be enabled, and approval of the submitted CertificateSigningRequest objects. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)

The output of kubectl version is:

>     Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.7", GitCommit:"e6f35974b08862a23e7f4aad8e5d7f7f2de26c15", GitTreeState:"archive", BuildDate:"2022-10-14T00:00:00Z", GoVersion:"go1.18.7", Compiler:"gc", Platform:"linux/amd64"}
>     Kustomize Version: v4.5.4
>     error: You must be logged in to the server (the server has asked for the client to provide credentials)

(yes, it has an error message).

I really don't know where to go from here. What would you try to get kube-apiserver.service working again?

I tried uninstalling each and every Kubernetes package I could find on my system:

sudo rpm -e kubernetes-client-1.24.7-1.fc36.x86_64 kubernetes-1.24.7-1.fc36.x86_64 kubernetes-master-1.24.7-1.fc36.x86_64 kubernetes-node-1.24.7-1.fc36.x86_64

after having removed all the kubectl plugins through krew. Then I backed up my .kube/config and renamed the whole ~/.kube folder. I reinstalled Kubernetes; at this point kubectl version was returning the port 8080 error and I thought this must be because I don't have a .kube/config yet. I reinstalled krew and my favorite kubectl plugins (ctx, ns, cm) and rebuilt the configuration for all the kubernetes clusters I need to access (with the commands aws eks update-kubeconfig and kubecm add -f <file>). Now kubectl version has a more normal output:

> Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.7", GitCommit:"e6f35974b08862a23e7f4aad8e5d7f7f2de26c15", GitTreeState:"archive", BuildDate:"2022-10-14T00:00:00Z", GoVersion:"go1.18.7", Compiler:"gc", Platform:"linux/amd64"}
> Kustomize Version: v4.5.4
> Server Version: version.Info{Major:"1", Minor:"21+", GitVersion:"v1.21.14-eks-fb459a0", GitCommit:"b07006b2e59857b13fe5057a956e86225f0e82b7", GitTreeState:"clean", BuildDate:"2022-10-24T20:32:54Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}
> WARNING: version difference between client (1.24) and server (1.21) exceeds the supported minor version skew of +/-1

Running just sudo kube-apiserver gives the output:

> W1117 10:13:55.819927   16008 services.go:37] No CIDR for service cluster IPs specified. Default value which was 10.0.0.0/24 is deprecated and will be removed in future releases. Please specify it using --service-cluster-ip-range on kube-apiserver.
> I1117 10:13:56.031051   16008 serving.go:342] Generated self-signed cert (/var/run/kubernetes/apiserver.crt, /var/run/kubernetes/apiserver.key)
> I1117 10:13:56.031063   16008 server.go:558] external host was not specified, using 192.168.XX.XX
> W1117 10:13:56.031069   16008 authentication.go:526] AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer
> E1117 10:13:56.031184   16008 run.go:74] "command failed" err="[--etcd-servers must be specified, service-account-issuer is a required flag, --service-account-signing-key-file and --service-account-issuer are required flags]"

sudo systemctl status kube-apiserver still shows a failed state and sudo systemctl restart kube-apiserver still produces an error.
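
The sudo kube-apiserver output quoted above, run through a small klog parser; this is an added example and not part of the original post. It splits the wrapped text back into entries and extracts the startup-blocking reasons from the error-level line, which the systemd "Start request repeated too quickly" message does not show. The function names split_klog and startup_blockers are hypothetical; the sample text is copied from the post.

```python
import re

# Sample input: the kube-apiserver output quoted in the post, kept wrapped
# across lines to show that entries are recovered from flattened text.
SAMPLE = """\
W1117 10:13:55.819927   16008 services.go:37] No CIDR for service cluster IPs specified.
Default value which was 10.0.0.0/24 is deprecated and will be removed in future releases.
Please specify it using --service-cluster-ip-range on kube-apiserver. I1117
10:13:56.031051   16008 serving.go:342] Generated self-signed cert
(/var/run/kubernetes/apiserver.crt, /var/run/kubernetes/apiserver.key) I1117
10:13:56.031063   16008 server.go:558] external host was not specified, using 192.168.XX.XX
W1117 10:13:56.031069   16008 authentication.go:526] AnonymousAuth is not allowed with the
AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different
authorizer E1117 10:13:56.031184   16008 run.go:74] "command failed" err="[--etcd-servers
must be specified, service-account-issuer is a required flag,
--service-account-signing-key-file and --service-account-issuer are required flags]"
"""

# klog header: severity letter (I/W/E/F), MMDD, time, PID, source file:line
KLOG_HEADER = re.compile(
    r"(?P<sev>[IWEF])\d{4} \d{2}:\d{2}:\d{2}\.\d{6}\s+\d+ (?P<src>[\w.-]+:\d+)\] "
)

def split_klog(text):
    """Split flattened klog text into one dict per log entry."""
    flat = " ".join(text.split())  # undo line wrapping and column padding
    headers = list(KLOG_HEADER.finditer(flat))
    entries = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(flat)
        entries.append({"sev": m["sev"], "src": m["src"],
                        "msg": flat[m.end():end].strip()})
    return entries

def startup_blockers(text):
    """Return each reason listed in the err="[...]" field of E/F entries."""
    reasons = []
    for entry in split_klog(text):
        if entry["sev"] in "EF":
            m = re.search(r'err="\[(.*)\]"', entry["msg"])
            if m:
                reasons += [r.strip() for r in m.group(1).split(",")]
    return reasons

if __name__ == "__main__":
    for reason in startup_blockers(SAMPLE):
        print("blocks startup:", reason)
```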
