【问题标题】:Unable to setup kubernetes against tls secured etcd无法针对 tls 安全的 etcd 设置 kubernetes
【发布时间】:2015-12-30 23:46:13
【问题描述】:

我正在尝试使用 etcd 配置启动 kubernetes api 服务器(kubernetes 使用 go-etcd,它具有从配置文件中读取所有参数的方法):

{ 
  "cluster": {
    "machines": [ "https://my-public-hostname:2379" ] 
  }, 
  "config": { 
  "certFile": "/etc/ssl/etcd/client.pem", 
  "keyFile": "/etc/ssl/etcd/client.key.pem", 
  "caCertFiles": [ 
  "/etc/ssl/etcd/ca.pem" 
  ], 
    "timeout": 5, 
    "consistency": "WEAK" 
  } 
}

但在 kube-apiserver 中失败,因为它无法成功访问 etcd。我认为这是因为它尝试同步集群...但我不知道。

我使用内部 ips 创建了一个(etcd)集群,用于广告和客户端地址,但设置为 0.0.0.0/0 的 listen-client-urls 除外。此外,整个集群都位于负载均衡器后面,可通过my-public-hostname 访问。

在容器内部(因为我使用的是hyperkube),除非我设置'--no-sync' 参数,否则etcdctl 将不起作用。如果我在没有该参数的情况下使用 etcdctl,它可能会像 kube-apiserver 一样失败。但是我无法检查 kubernetes 中执行集群同步的代码...

有什么想法吗?

提前致谢。

编辑:

这似乎是与当前 kubernetes 中的 etcd 客户端有关的错误(https://github.com/coreos/go-etcd),它不是最新的(https://github.com/coreos/etcd/client)。我根据经验对此进行了测试,“etcd/client”有效,但“go-etcd”无效,您可以在此处查看此测试:https://github.com/glerchundi/etcd-go-clients-test

值得注意的是,在 kubernetes 中正在将 go-etcd 迁移到 etcd/client:https://github.com/kubernetes/kubernetes/issues/11962

Kubernetes 团队的任何人都可以确认这一点吗?

附录 1

我正在尝试在 CoreOS 中运行 kubernetes,并且:flannel 有效,locksmithd 有效,fleet 有效(他们使用相同的 etcd 客户端凭据访问 etcd)所以这可能与 kubernetes 如何访问有关到 etcd 端点。

附录2(这些命令在hyperkube容器内执行,具体是这个:gcr.io/google_containers/hyperkube:v1.0.6

没有 --no-sync 的 etcdctl 无法输出:

root@98b2524464f1:/# etcdctl --cert-file="/etc/ssl/etcd/client.pem" --key-file="/etc/ssl/etcd/client.key.pem" --ca-file="/etc/ssl/etcd/ca.pem" --peers="http//my-public-hostname:2379" ls / 
Error: 501: All the given peers are not reachable (failed to propose on members [https://10.1.0.1:2379 https://10.1.0.0:2379 https://10.1.0.2:2379] twice [last error: Get https://10.1.0.0:2379/v2/keys/?quorum=false&recursive=false&sorted=false: dial tcp 10.1.0.0:2379: i/o timeout]) [0]

还有 kube-apiserver 和这个:

root@98b2524464f1:/# /hyperkube \ 
apiserver \ 
--bind-address=0.0.0.0 \ 
--etcd_config=/etc/kubernetes/ssl/etcd.json \ 
--allow-privileged=true \ 
--service-cluster-ip-range=10.3.0.0/24 \ 
--secure_port=443 \ 
--advertise-address=10.0.0.2 \ 
--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota \ 
--tls-cert-file=/etc/kubernetes/ssl/apiserver.pem \ 
--tls-private-key-file=/etc/kubernetes/ssl/apiserver.key.pem \ 
--client-ca-file=/etc/kubernetes/ssl/ca.pem \ 
--service-account-key-file=/etc/kubernetes/ssl/apiserver.key.pem

F1002 09:47:29.348527 384 controller.go:80] Unable to perform initial IP allocation check: unable to refresh the service IP block: 501: All the given peers are not reachable (failed to propose on members [https://my-public-hostname:2379] twice [last error: Get https://my-public-hostname:2379/v2/keys/registry/ranges/serviceips?quorum=false&recursive=false&sorted=false: dial tcp: i/o timeout]) [0]

附录 3

etcd #0:
  etcd2:
    name: etcd0
    initial-cluster-state: new
    initial-cluster: etcd0=http://10.1.0.0:2380,etcd1=http://10.1.0.1:2380,etcd2=http://10.1.0.2:2380
    data-dir: /var/lib/etcd2
    advertise-client-urls: https://10.1.0.0:2379
    initial-advertise-peer-urls: http://10.1.0.0:2380
    listen-client-urls: https://0.0.0.0:2379
    listen-peer-urls: http://10.1.0.0:2380
    client-cert-auth: true
    trusted-ca-file: /etc/ssl/etcd/certs/ca-chain.cert.pem
    cert-file: /etc/ssl/etcd/certs/etcd-server.cert.pem
    key-file: /etc/ssl/etcd/private/etcd-server.key.pem

etcd #1:
  etcd2:
    name: etcd1
    initial-cluster-state: new
    initial-cluster: etcd0=http://10.1.0.0:2380,etcd1=http://10.1.0.1:2380,etcd2=http://10.1.0.2:2380
    data-dir: /var/lib/etcd2
    advertise-client-urls: https://10.1.0.1:2379
    initial-advertise-peer-urls: http://10.1.0.1:2380
    listen-client-urls: https://0.0.0.0:2379
    listen-peer-urls: http://10.1.0.1:2380
    client-cert-auth: true
    trusted-ca-file: /etc/ssl/etcd/certs/ca-chain.cert.pem
    cert-file: /etc/ssl/etcd/certs/etcd-server.cert.pem
    key-file: /etc/ssl/etcd/private/etcd-server.key.pem

etcd #2:
  etcd2:
    name: etcd2
    initial-cluster-state: new
    initial-cluster: etcd0=http://10.1.0.0:2380,etcd1=http://10.1.0.1:2380,etcd2=http://10.1.0.2:2380
    data-dir: /var/lib/etcd2
    advertise-client-urls: https://10.1.0.2:2379
    initial-advertise-peer-urls: http://10.1.0.2:2380
    listen-client-urls: https://0.0.0.0:2379
    listen-peer-urls: http://10.1.0.2:2380
    client-cert-auth: true
    trusted-ca-file: /etc/ssl/etcd/certs/ca-chain.cert.pem
    cert-file: /etc/ssl/etcd/certs/etcd-server.cert.pem
    key-file: /etc/ssl/etcd/private/etcd-server.key.pem

【问题讨论】:

    标签: ssl https kubernetes etcd


    【解决方案1】:

    最后我找出了导致这个问题的原因。超时未正确定义,因为go-etcd 将 json 超时值解组为 time.Duration,它使用纳秒作为基本单位。因此对于 1s 的值,应该写入 1000000000。

    按照上面的例子:

    { 
      "cluster": {
        "machines": [ "https://my-public-hostname:2379" ] 
      }, 
      "config": { 
        "certFile": "/etc/ssl/etcd/client.pem", 
        "keyFile": "/etc/ssl/etcd/client.key.pem", 
        "caCertFiles": [ 
          "/etc/ssl/etcd/ca.pem" 
        ], 
        "timeout": 5000000000, 
        "consistency": "WEAK" 
      } 
    }
    

    【讨论】:

    猜你喜欢
    • 2015-12-23
    • 2016-08-13
    • 2020-10-14
    • 2019-11-16
    • 1970-01-01
    • 2019-10-11
    • 2018-04-06
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多