![](/img/trans.png)
[英]Vault On GKE - x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
[英]metrics-server:v0.4.2 cannot scrape metrics inside AWS kubernetes cluster environment (cannot validate certificate, doesn't contain any IP SANs)
情况:指标服务器部署图像是:k8s.gcr.io/metrics-server/metrics-server: k8s.gcr.io/metrics-server/metrics-server:v0.4.2
我使用kops
工具将 kube.netes 集群部署到一个 AWS 帐户中。
失败的错误和原因,通过kubectl -n kube-system logs metrics-server-bcc948649-dsnd6
unable to fully scrape metrics: [unable to fully scrape metrics from node ip-10-33-47-106.eu-central-1.compute.internal: unable to fetch metrics from node ip-10-33-47-106.eu-central-1.compute.internal: Get "https://10.33.47.106:10250/stats/summary?only_cpu_and_memory=true": x509: cannot validate certificate for 10.33.47.106 because it doesn't contain any IP SANs, unable to fully scrape metrics from node ip-10-33-50-109.eu-central-1.compute.internal: unable to fetch metrics from node ip-10-33-50-109.eu-central-1.compute.internal: Get "https://10.33.50.109:10250/stats/summary?only_cpu_and_memory=true": x509: cannot validate certificate for 10.33.50.109 because it doesn't contain any IP SANs]
我可以通过修改 metrics-server 部署模板并将参数- --kubelet-insecure-tls
添加到容器参数来轻松解决这个问题,但似乎不是生产解决方案。
我想在这里问和学习的是,如何在不失去安全性的情况下以正确的方式解决这个问题?
kOps 创建的 Kubelet 证书仅包含其 SAN 中的节点主机名,而使用默认清单部署的指标服务器正在尝试使用节点私有 IP 进行抓取。 更改kubelet-preferred-address-types
参数可解决此问题:
- --kubelet-preferred-address-types=Hostname
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.