
x509: certificate signed by unknown authority metrics-server

I am new to kubernetes and I finally realized how to launch the metrics-server as documented in kubernetes-sigs/metrics-server. In case someone else wonders: you need to deploy on the master node and also have a minimum of one worker in the cluster.

So I get this error:

E0818 15:25:22.835094       1 manager.go:111] unable to fully collect metrics: [unable to fully scrape metrics from source kubelet_summary:<hostname-master>: unable to fetch metrics from Kubelet <hostname-master> (<hostname-master>): Get https://<hostname-master>:10250/stats/summary?only_cpu_and_memory=true: x509: certificate signed by unknown authority, unable to fully scrape metrics from source kubelet_summary:<hostname-worker>: unable to fetch metrics from Kubelet <hostname-worker> (<hostname-worker>): Get https://<hostname-worker>:10250/stats/summary?only_cpu_and_memory=true: x509: certificate signed by unknown authority]

I am using my own CAs (not self signed) and I have modified the components.yml file (sample):

args:
  - --cert-dir=/tmp/metricsServerCas
  - --secure-port=4443
  - --kubelet-preferred-address-types=Hostname

I know that I can disable the tls by using the flag --kubelet-insecure-tls; I have already tried it. I want to use my own CAs for extra security.

I have seen many other relevant questions (a few samples), eg:

  • x509 certificate signed by unknown authority - Kubernetes
  • kubectl unable to connect to server: x509: certificate signed by unknown authority

Although I have already applied chown to my $HOME/.kube/config, I still see this error.

Where am I going wrong?

Update: On the worker I am creating a directory, eg /tmp/ca, and I add the ca file(s) in the directory.

I am not really good yet with the mounting points and I assume that I am doing something wrong. The default syntax of the images can be found here: kubernetes-sigs/metrics-server/v0.3.7 (see the components.yml file).

I tried to create a directory on my worker, eg /tmp/ca, and I modified the flag --cert-dir=/tmp/ca and mountPath: /tmp/ca

When I am deploying the file, eg:

kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.3.7/components.yaml

I keep getting the error from the metrics-server-xxxx:

panic: open /tmp/client-ca-file805316981: read-only file system

Although I have given full access to the directory, eg:

$ ls -la /tmp/ca
total 8
drwxr-xr-x.  2 user user   20 Aug 19 16:59 .
drwxrwxrwt. 18 root        root        4096 Aug 19 17:34 ..
-rwxr-xr-x.  1 user user 1025 Aug 19 16:59 ca.crt

I am not sure where I am going wrong.

How is it meant to be configured so someone can use non-self-signed certificates? I can see that most people are using non-SSL, which I would like to avoid.

Sample of my args in the image:

spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  template:
    metadata:
      name: metrics-server
      labels:
        k8s-app: metrics-server
    spec:
      serviceAccountName: metrics-server
      volumes:
      # mount in tmp so we can safely use from-scratch images and/or read-only containers
      - name: tmp-dir
        emptyDir: {}
      containers:
      - name: metrics-server
        image: k8s.gcr.io/metrics-server/metrics-server:v0.3.7
        imagePullPolicy: IfNotPresent
        args:
          - --cert-dir=/tmp/ca
          - --secure-port=4443
          - --kubelet-preferred-address-types=Hostname
        ports:
        - name: main-port
          containerPort: 4443
          protocol: TCP
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - name: tmp-dir
          mountPath: /tmp/ca
      nodeSelector:
        kubernetes.io/os: linux
        kubernetes.io/arch: "amd64"

Update 2: Adding curl command from Master to Worker including error output:

$ curl --cacert /etc/kubernetes/pki/ca.crt https://node_hostname:10250/stats/summary?only_cpu_and_memory=true
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Posting this answer as a community wiki to give better visibility, as the solution was posted in the comments.

The version that I used before was 1.18.2 and metrics server v0.3.6. Deployment was through kubeadm. Yes, all requirements were exactly as in metrics-server/requirements. The good news is that I got it running by upgrading my k8s version to 1.19.0 and using the latest version v0.3.7. It works with self signed certificates.

The issue was resolved by upgrading:

  • Kubernetes: 1.18.2 -> 1.19.0
  • Metrics-server: 0.3.6 -> 0.3.7

This upgrade allowed running metrics-server with tls enabled (self-signed certificates).


Additional resources that could help when deploying metrics-server with tls:

How to run metrics-server securely? Suggested configuration:

  • Cluster with RBAC enabled
  • Kubelet read-only port disabled
  • Validate kubelet certificate by mounting CA file and providing --kubelet-certificate-authority flag to metrics server
  • Avoid passing insecure flags to metrics server (--deprecated-kubelet-completely-insecure, --kubelet-insecure-tls)
  • Consider using your own certificates (--tls-cert-file, --tls-private-key-file)

Create a configmap to store the ca certificate which was used to generate the kubelet serving certificate.

kubectl -n kube-system create configmap ca --from-file=ca.crt=/etc/kubernetes/pki/ca.crt -o yaml

Then use volumeMounts to use it in the metrics server pod:

spec:
  volumes:
  - emptyDir: {}
    name: tmp-dir
  - configMap:
      defaultMode: 420
      name: ca
    name: ca-dir
  containers:
  - name: metrics-server
    args:
      - --cert-dir=/tmp
      - --secure-port=4443
      - --kubelet-certificate-authority=/ca/ca.crt
      - --kubelet-preferred-address-types=Hostname
    volumeMounts:
    - mountPath: /tmp
      name: tmp-dir
    - mountPath: /ca
      name: ca-dir

You can follow the same approach and use --tls-cert-file and --tls-private-key-file to use your own certificate instead of a self-signed certificate.
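The curl check in the question (Update 2) and the --kubelet-certificate-authority flag in the answer both come down to one question: does the kubelet's serving certificate chain to the CA you are handing to metrics-server, and does it carry the hostname metrics-server connects to? The script below is an added example, not code from the question, the answer or the metrics-server project. It builds a throwaway CA and a kubelet-style serving certificate with openssl in a temporary directory (the names cluster-ca, other-ca and worker-1 are made up for the demo) and runs the same trust check locally, showing the passing case beside the two failure modes that produce "certificate signed by unknown authority" and a hostname mismatch.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: it reproduces
# locally the trust check that metrics-server performs on the kubelet serving
# certificate when --kubelet-certificate-authority is set, using only openssl.
# Every CA, key and certificate here is constructed in a temporary directory;
# the names cluster-ca, other-ca and worker-1 are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway CA: $1 = output path prefix, $2 = CommonName.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Issue a kubelet-style serving certificate for node $2, signed by CA $1.
# The SAN carries the node hostname, which is what metrics-server connects to
# when --kubelet-preferred-address-types=Hostname is used.
make_node_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=system:node:$2/O=system:nodes" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/$2.ext" \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Print the issuer of certificate $1 without the "issuer=" prefix.
issuer_of() {
  openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//'
}

# Print the subject of certificate $1 without the "subject=" prefix.
subject_of() {
  openssl x509 -noout -subject -in "$1" | sed 's/^subject=//'
}

# The actual check: does certificate $2 chain to CA bundle $1 and carry
# hostname $3? Returns 0 on success, 1 on failure. Go's TLS client reports
# the failure case as "x509: certificate signed by unknown authority";
# openssl reports it as "unable to get local issuer certificate".
verify_node_cert() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# --- demo run on constructed material ---
make_ca "$WORK/cluster-ca" "kubernetes"    # stands in for /etc/kubernetes/pki/ca.crt
make_ca "$WORK/other-ca"   "unrelated-ca"  # a CA that did NOT sign the kubelet cert
make_node_cert "$WORK/cluster-ca" "worker-1"

echo "kubelet cert issuer : $(issuer_of "$WORK/worker-1.crt")"
echo "mounted CA subject  : $(subject_of "$WORK/cluster-ca.crt")"

if verify_node_cert "$WORK/cluster-ca.crt" "$WORK/worker-1.crt" worker-1; then
  echo "cluster-ca : trusted (what --kubelet-certificate-authority needs)"
fi
if ! verify_node_cert "$WORK/other-ca.crt" "$WORK/worker-1.crt" worker-1; then
  echo "other-ca   : rejected, the CA in the configmap did not sign the kubelet cert"
fi
if ! verify_node_cert "$WORK/cluster-ca.crt" "$WORK/worker-1.crt" worker-2; then
  echo "wrong name : rejected, hostname does not match the certificate SAN"
fi
```

On a real kubeadm node the same two commands apply to the real material: compare `issuer_of` of the kubelet's serving certificate (the kubeadm default location is /var/lib/kubelet/pki/kubelet.crt) with `subject_of` of the CA you put in the configmap, and run `verify_node_cert` with the node hostname. If that check fails on the node, mounting the CA into the pod cannot make metrics-server succeed, because it is performing exactly this verification. Note also that the answer's manifest keeps the writable emptyDir at /tmp and mounts the CA separately at /ca; with readOnlyRootFilesystem set and the only writable mount at /tmp/ca, the question's panic on /tmp/client-ca-file... is what you would expect, since metrics-server writes that file directly under --cert-dir's parent, /tmp.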
