stackoom
  简体   繁体   中英

Kubernetes kubelet error updating node status

 原文  2018-10-09 13:10:10       kubernetes/ amazon-eks

Question

Running a kubernetes cluster in AWS via EKS. Everything appears to be working as expected, but just checking through all logs to verify. I hopped on to one of the worker nodes and I noticed a bunch of errors when looking at the kubelet service 

Oct 09 09:42:52 ip-172-26-0-213.ec2.internal kubelet[4226]: E1009 09:42:52.335445    4226 kubelet_node_status.go:377] Error updating node status, will retry: error getting node "ip-172-26-0-213.ec2.internal": Unauthorized
Oct 09 10:03:54 ip-172-26-0-213.ec2.internal kubelet[4226]: E1009 10:03:54.831820    4226 kubelet_node_status.go:377] Error updating node status, will retry: error getting node "ip-172-26-0-213.ec2.internal": Unauthorized

Nodes are all showing as ready, but I'm not sure why those errors are appearing. Have 3 worker nodes and all 3 have the same kubelet errors (hostnames are different obviously)

Additional information. It would appear that the error is coming from this line in kubelet_node_status.go 

node, err := kl.heartbeatClient.CoreV1().Nodes().Get(string(kl.nodeName), opts)
if err != nil {
    return fmt.Errorf("error getting node %q: %v", kl.nodeName, err)
}

From the workers I can execute get nodes using kubectl just fine: 

kubectl get --kubeconfig=/var/lib/kubelet/kubeconfig nodes
NAME                           STATUS    ROLES     AGE       VERSION
ip-172-26-0-58.ec2.internal    Ready     <none>    1h        v1.10.3
ip-172-26-1-193.ec2.internal   Ready     <none>    1h        v1.10.3

1 answers

solution1
 0  2018-12-04 04:07:57

Turns out this is not an issue. Official reply from AWS regarding these errors:

The kubelet will regularly report node status to the Kubernetes API. When it does so it needs an authentication token generated by the aws-iam-authenticator. The kubelet will invoke the aws-iam-authenticator and store the token in it's global cache. In EKS this authentication token expires after 21 minutes.

The kubelet doesn't understand token expiry times so it will attempt to reach the API using the token in it's cache. When the API returns the Unauthorized response, there is a retry mechanism to fetch a new token from aws-iam-authenticator and retry the request.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Kubelet stopped posting node status (Kubernetes) Kubelet stopped posting node status 'Kubelet stopped posting node status' and node inaccessible Why kubelet is running on kubernetes master node? Kubernetes on worker node - kubelet.service not starting Kubernetes 1.8 Kubeadm configuration kubelet not starting on node Kubernetes kubelet-certificate-authority on premise with kubespray causes certificate validation error for master node Kubernetes - unable to start kubelet with cloud provider openstack (error fetching current node name from cloud provider) kubelet.service: Unit entered failed state in not ready state node error from kubernetes cluster Error execution phase kubelet-start: a Node with name … and status Ready already exists in the cluster
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM