Kubernetes kubelet error updating node status
Running a Kubernetes cluster in AWS via EKS. Everything appears to be working as expected, but just checking through all logs to verify. I hopped on to one of the worker nodes and I noticed a bunch of errors when looking at the kubelet service:
Oct 09 09:42:52 ip-172-26-0-213.ec2.internal kubelet[4226]: E1009 09:42:52.335445 4226 kubelet_node_status.go:377] Error updating node status, will retry: error getting node "ip-172-26-0-213.ec2.internal": Unauthorized
Oct 09 10:03:54 ip-172-26-0-213.ec2.internal kubelet[4226]: E1009 10:03:54.831820 4226 kubelet_node_status.go:377] Error updating node status, will retry: error getting node "ip-172-26-0-213.ec2.internal": Unauthorized
Nodes are all showing as ready, but I'm not sure why those errors are appearing. Have 3 worker nodes and all 3 have the same kubelet errors (hostnames are different obviously).
Additional information. It would appear that the error is coming from this line in kubelet_node_status.go:
    node, err := kl.heartbeatClient.CoreV1().Nodes().Get(string(kl.nodeName), opts)
    if err != nil {
        return fmt.Errorf("error getting node %q: %v", kl.nodeName, err)
    }
From the workers I can execute get nodes using kubectl just fine:
kubectl get --kubeconfig=/var/lib/kubelet/kubeconfig nodes
NAME STATUS ROLES AGE VERSION
ip-172-26-0-58.ec2.internal Ready <none> 1h v1.10.3
ip-172-26-1-193.ec2.internal Ready <none> 1h v1.10.3
Turns out this is not an issue. Official reply from AWS regarding these errors:
The kubelet will regularly report node status to the Kubernetes API. When it does so it needs an authentication token generated by the aws-iam-authenticator. The kubelet will invoke the aws-iam-authenticator and store the token in its global cache. In EKS this authentication token expires after 21 minutes.
The kubelet doesn't understand token expiry times so it will attempt to reach the API using the token in its cache. When the API returns the Unauthorized response, there is a retry mechanism to fetch a new token from aws-iam-authenticator and retry the request.
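An added example (not part of the original post or of the AWS reply): a Python triage helper that checks whether the Unauthorized lines in a kubelet journal are spaced like the 21-minute token expiry described above, or recur faster than that and deserve a closer look. The function name, the 2-minute tolerance, the verdict labels, the year argument and the second node's log lines are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# klog header "E1009 09:42:52.335445" = level, MMDD, time; message as logged above.
PATTERN = re.compile(
    r'kubelet\[\d+\]: E(?P<mmdd>\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\.\d+ .*?'
    r'Error updating node status, will retry: '
    r'error getting node "(?P<node>[^"]+)": Unauthorized'
)
TOKEN_TTL = timedelta(minutes=21)  # token lifetime given in the AWS reply
SLACK = timedelta(minutes=2)       # assumed tolerance for this example


def classify_unauthorized(lines, year):
    """Return {node: (verdict, [gap_seconds, ...])} for kubelet 401 lines.

    klog timestamps carry no year, so the caller supplies one.
    """
    seen = defaultdict(list)
    for line in lines:
        m = PATTERN.search(line)
        if m:
            stamp = f"{year}{m['mmdd']} {m['time']}"
            seen[m["node"]].append(datetime.strptime(stamp, "%Y%m%d %H:%M:%S"))
    report = {}
    for node, times in seen.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # One 401 per token lifetime fits an expired cached token followed by
        # a successful retry; tighter spacing means fresh tokens fail as well.
        ok = all(g >= TOKEN_TTL - SLACK for g in gaps)
        report[node] = ("token-expiry" if ok else "investigate",
                        [int(g.total_seconds()) for g in gaps])
    return report


MSG = 'kubelet_node_status.go:377] Error updating node status, will retry: error getting node "{n}": Unauthorized'
NODE_A = "ip-172-26-0-213.ec2.internal"  # node from the question
NODE_B = "node-b.example.internal"       # constructed node that keeps failing
SAMPLE = [
    f"Oct 09 09:42:52 {NODE_A} kubelet[4226]: E1009 09:42:52.335445 4226 " + MSG.format(n=NODE_A),
    f"Oct 09 10:03:54 {NODE_A} kubelet[4226]: E1009 10:03:54.831820 4226 " + MSG.format(n=NODE_A),
    f"Oct 09 11:00:02 {NODE_B} kubelet[1111]: E1009 11:00:02.000001 1111 " + MSG.format(n=NODE_B),
    f"Oct 09 11:00:12 {NODE_B} kubelet[1111]: E1009 11:00:12.000001 1111 " + MSG.format(n=NODE_B),
]

if __name__ == "__main__":  # year=2018 is an assumed value; the log has none
    for node, result in classify_unauthorized(SAMPLE, year=2018).items():
        print(node, *result)
```

Feed it the output of `journalctl -u kubelet` split into lines; a node reported as "investigate" is rejecting freshly issued tokens, which the expiry explanation above does not cover.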