
I have a problem on my local Fedora 36 where kube-apiserver.service always fails.
I ran into a certificate problem that prevented me from getting the namespaces from my contexts. I was using kubens and got this error:
> error: You must be logged in to the server (Unauthorized)
> error getting namespace list
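First I checked my ~/.kube/config, but everything seemed fine. So after some reading, I was convinced it was a certificate error (the certificate error occurred on specific kube clusters) and installed kubeadm via yum (sudo yum install kubernetes-kubeadm.x86_64). I used it to automatically renew all the required certificates with the command kubeadm certs renew all.
The command finished with clean output and no sign of an error. When I checked kubens, I still got the same error. So I tried restarting the kube services, and all of them restarted fine except kube-apiserver. It always fails with the same error: too many restart commands repeated too quickly. This is the output of sudo systemctl status kube-apiserver -l: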
> × kube-apiserver.service - Kubernetes API Server
> Loaded: loaded (/usr/lib/systemd/system/kube-apiserver.service; enabled; vendor preset: disabled)
> Active: failed (Result: exit-code) since Thu 2022-11-17 09:07:44 CET; 12min ago
> Docs: https://kubernetes.io/docs/concepts/overview/components/#kube-apiserver
> https://kubernetes.io/docs/reference/generated/kube-apiserver/
> Process: 1752 ExecStart=/usr/bin/kube-apiserver $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_ETCD_SERVERS $KUBE_API_ADDRESS $KUBE_API_PORT $KUBELET_PORT
> Main PID: 1752 (code=exited, status=1/FAILURE)
> CPU: 48ms
>
> Nov 17 09:07:44 fedora systemd[1]: kube-apiserver.service: Scheduled restart job, restart counter is at 5.
> Nov 17 09:07:44 fedora systemd[1]: Stopped kube-apiserver.service - Kubernetes API Server.
> Nov 17 09:07:44 fedora systemd[1]: kube-apiserver.service: Start request repeated too quickly.
> Nov 17 09:07:44 fedora systemd[1]: kube-apiserver.service: Failed with result 'exit-code'.
> Nov 17 09:07:44 fedora systemd[1]: Failed to start kube-apiserver.service - Kubernetes API Server.
So I looked into journalctl and found the following log section:
> Nov 16 16:33:30 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
> msg='unit=kube-apiserver comm="systemd" exe="/usr/lib/systemd/systemd"
> hostname=? addr=? terminal=? res=failed'
> Nov 16 16:33:30 fedora systemd[1]: kube-apiserver.service: Scheduled restart job, restart counter is at 5.
> ░░ Automatic restarting of the unit kube-apiserver.service has been scheduled, as the result for
> Nov 16 16:33:30 fedora systemd[1]: Stopped kube-apiserver.service - Kubernetes API Server.
> ░░ Subject: A stop job for unit kube-apiserver.service has finished
> ░░ A stop job for unit kube-apiserver.service has finished.
> Nov 16 16:33:30 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
> msg='unit=kube-apiserver comm="systemd" exe="/usr/lib/systemd/systemd"
> hostname=? addr=? terminal=? res=success'
> Nov 16 16:33:30 fedora audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
> msg='unit=kube-apiserver comm="systemd" exe="/usr/lib/systemd/systemd"
> hostname=? addr=? terminal=? res=success'
> Nov 16 16:33:30 fedora systemd[1]: kube-apiserver.service: Start request repeated too quickly.
> Nov 16 16:33:30 fedora systemd[1]: kube-apiserver.service: Failed with result 'exit-code'.
> ░░ The unit kube-apiserver.service has entered the 'failed' state with result 'exit-code'.
> Nov 16 16:33:30 fedora systemd[1]: Failed to start kube-apiserver.service - Kubernetes API Server.
> ░░ Subject: A start job for unit kube-apiserver.service has failed
> ░░ A start job for unit kube-apiserver.service has finished with a failure.
> Nov 16 16:33:37 fedora kubelet[8800]: --rotate-certificates <Warning: Beta feature> Auto rotate the kubelet client certificates by
> requesting new certificates from the kube-apiserver when the
> certificate expiration approaches. (DEPRECATED: This parameter should
> be set via the config file specified by the Kubelet's --config flag.
> See
> https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
> for more information.)
> Nov 16 16:33:37 fedora kubelet[8800]: --rotate-server-certificates Auto-request and rotate the kubelet serving certificates by requesting
> new certificates from the kube-apiserver when the certificate
> expiration approaches. Requires the RotateKubeletServerCertificate
> feature gate to be enabled, and approval of the submitted
> CertificateSigningRequest objects. (DEPRECATED: This parameter should
> be set via the config file specified by the Kubelet's --config flag.
> See
> https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
> for more information.)
> Nov 16 16:33:47 fedora kubelet[8818]: --rotate-certificates <Warning: Beta feature> Auto rotate the kubelet client certificates by
> requesting new certificates from the kube-apiserver when the
> certificate expiration approaches. (DEPRECATED: This parameter should
> be set via the config file specified by the Kubelet's --config flag.
> See
> https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
> for more information.)
> Nov 16 16:33:47 fedora kubelet[8818]: --rotate-server-certificates Auto-request and rotate the kubelet serving certificates by requesting
> new certificates from the kube-apiserver when the certificate
> expiration approaches. Requires the RotateKubeletServerCertificate
> feature gate to be enabled, and approval of the submitted
> CertificateSigningRequest objects. (DEPRECATED: This parameter should
> be set via the config file specified by the Kubelet's --config flag.
> See
> https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
> for more information.)
> Nov 16 16:33:57 fedora kubelet[8834]: --rotate-certificates <Warning: Beta feature> Auto rotate the kubelet client certificates by
> requesting new certificates from the kube-apiserver when the
> certificate expiration approaches. (DEPRECATED: This parameter should
> be set via the config file specified by the Kubelet's --config flag.
> See
> https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
> for more information.)
> Nov 16 16:33:57 fedora kubelet[8834]: --rotate-server-certificates Auto-request and rotate the kubelet serving certificates by requesting
> new certificates from the kube-apiserver when the certificate
> expiration approaches. Requires the RotateKubeletServerCertificate
> feature gate to be enabled, and approval of the submitted
> CertificateSigningRequest objects. (DEPRECATED: This parameter should
> be set via the config file specified by the Kubelet's --config flag.
> See
> https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
> for more information.)
This is the output of kubectl version:
> Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.7",
> GitCommit:"e6f35974b08862a23e7f4aad8e5d7f7f2de26c15",
> GitTreeState:"archive", BuildDate:"2022-10-14T00:00:00Z",
> GoVersion:"go1.18.7", Compiler:"gc", Platform:"linux/amd64"}
> Kustomize Version: v4.5.4
> error: You must be logged in to the server (the server has asked for the client to provide credentials)
(Yes, there is an error message.)
I really don't know where to go from here. How would you go about getting kube-apiserver.service working again?
I tried removing every kubernetes package I could find on my system:
sudo rpm -e kubernetes-client-1.24.7-1.fc36.x86_64 kubernetes-1.24.7-1.fc36.x86_64 kubernetes-master-1.24.7-1.fc36.x86_64 kubernetes-node-1.24.7-1.fc36.x86_64
after removing all kubectl plugins via krew. Then I backed up .kube/config and renamed the whole ~/.kube folder. I reinstalled kubernetes, and at this point kubectl version returned a port 8080 error, which I assumed was because there was no .kube/config yet. I reinstalled krew and my favorite kubectl plugins (ctx, ns, cm) and rebuilt the configs for all the kubernetes clusters I need to access (using the aws eks update-kubeconfig and kubecm add -f <file> commands). Now kubectl version has a more normal output:
> Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.7", GitCommit:"e6f35974b08862a23e7f4aad8e5d7f7f2de26c15", GitTreeState:"archive", BuildDate:"2022-10-14T00:00:00Z", GoVersion:"go1.18.7", Compiler:"gc", Platform:"linux/amd64"}
> Kustomize Version: v4.5.4
> Server Version: version.Info{Major:"1", Minor:"21+", GitVersion:"v1.21.14-eks-fb459a0", GitCommit:"b07006b2e59857b13fe5057a956e86225f0e82b7", GitTreeState:"clean", BuildDate:"2022-10-24T20:32:54Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}
> WARNING: version difference between client (1.24) and server (1.21) exceeds the supported minor version skew of +/-1
Running sudo kube-apiserver gives this output:
> W1117 10:13:55.819927 16008 services.go:37] No CIDR for service cluster IPs specified. Default value which was 10.0.0.0/24 is deprecated and will be removed in future releases. Please specify it using --service-cluster-ip-range on kube-apiserver.
> I1117 10:13:56.031051 16008 serving.go:342] Generated self-signed cert (/var/run/kubernetes/apiserver.crt, /var/run/kubernetes/apiserver.key)
> I1117 10:13:56.031063 16008 server.go:558] external host was not specified, using 192.168.XX.XX
> W1117 10:13:56.031069 16008 authentication.go:526] AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer
> E1117 10:13:56.031184 16008 run.go:74] "command failed" err="[--etcd-servers must be specified, service-account-issuer is a required flag, --service-account-signing-key-file and --service-account-issuer are required flags]"
sudo systemctl status kube-apiserver still shows the failed state, and sudo systemctl restart kube-apiserver still results in a failure.