Kubernetes - API Server SSL



I am trying to set up a k8s cluster on AWS with a few Ubuntu instances.

I have successfully installed

  • Docker
  • kubelet
  • kubeadm
  • kubectl etc.

The machine IPs are as follows. They are all on the same network. The firewall is fully enabled. I can telnet to port 6443 etc.

IPs and hostnames

10.0.0.100 (ip-10-0-0-100.ca-central-1.compute.internal)
10.0.0.101 (ip-10-0-0-101.ca-central-1.compute.internal)
10.0.0.102 (ip-10-0-0-102.ca-central-1.compute.internal)

10.0.0.100

I ran this command

kubeadm init --apiserver-advertise-address=10.0.0.100 --pod-network-cidr=192.168.0.0/16

It printed a token with a join command.

10.0.0.101:

I ran the join command on 10.0.0.101, but it timed out. (Fresh token, not yet expired)

Failed to request cluster-info, will try again: Get "https://10.0.0.100:6443/api/v1/namespaces/kube-public/configmaps/cluster-info?timeout=10s": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) 

10.0.0.100:

So I tried accessing the master node. The API server is not even reachable on the same node. Even localhost:6443 does not work.

curl https://10.0.0.100:6443/api/v1/namespaces/kube-public/configmaps/cluster-info

I get the following error.

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Interestingly, this works.

curl -k https://10.0.0.100:6443/api/v1/namespaces/kube-public/configmaps/cluster-info

What could be the cause?


nslookup of the IP shows something like this.

nslookup 10.0.0.101
101.0.0.10.in-addr.arpa name = ip-10-0-0-101.ca-central-1.compute.internal.
Authoritative answers can be found from:

We need to verify two things:

  1. Whether the apiserver is reachable from the master node using curl:
sudo curl --cacert /etc/kubernetes/pki/ca.crt --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt --key /etc/kubernetes/pki/apiserver-kubelet-client.key https://10.0.0.100:6443/api/v1/namespaces/kube-public/configmaps/cluster-info
  2. Whether name resolution between the nodes is working:
  • Run the following commands on all nodes to verify:
nslookup 10.0.0.101
nslookup 10.0.0.100
nslookup 10.0.0.102
  • If nslookup is resolving these IP addresses, add the following entries to the /etc/hosts file on all nodes:
10.0.0.100 ip-10-0-0-100.ca-central-1.compute.internal
10.0.0.101 ip-10-0-0-101.ca-central-1.compute.internal
10.0.0.102 ip-10-0-0-102.ca-central-1.compute.internal
  • After updating the /etc/hosts file, verify again with nslookup:
nslookup 10.0.0.101
nslookup 10.0.0.100
nslookup 10.0.0.102
  • Try adding the node again with the join command
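The answer's `--cacert /etc/kubernetes/pki/ca.crt` is the correct replacement for the question's `curl -k`: the first verifies the API server's certificate against the cluster CA, the second simply turns verification off. The script below is an added illustration, not code from the question or the answer, and the PKI it uses is generated on the fly rather than taken from any real cluster. It builds a throwaway CA and an API-server certificate carrying the question's advertise address and node hostname as SANs, then runs with the openssl CLI the same two checks curl performs: chain validation (which fails without the CA with the exact "unable to get local issuer certificate" error from the question) and the SAN match against the address the client dialled. The function names and the constructed certificates are mine; the hostname and IP come from the question.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Builds a throwaway
# CA + API-server certificate (constructed test data, not from any real
# cluster) and runs the chain and SAN checks curl performs, to show why plain
# curl fails with "unable to get local issuer certificate", why -k only hides
# that, and why --cacert /etc/kubernetes/pki/ca.crt is the right fix.
# Requires the openssl CLI (1.1.1 or newer).
set -eu

# Values from the question: the advertise address and node hostname that the
# API-server certificate must carry as SANs.
APISERVER_IP="10.0.0.100"
APISERVER_HOST="ip-10-0-0-100.ca-central-1.compute.internal"

# Create ca.crt/ca.key and server.crt/server.key in a temp dir; print its path.
make_test_pki() {
    dir=$(mktemp -d)
    # Own minimal config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = kubernetes
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed root, standing in for what kubeadm writes to /etc/kubernetes/pki/ca.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # Server key + CSR (-subj overrides the CN from the config).
    openssl req -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" \
        -subj "/CN=kube-apiserver" -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    # SANs: the advertise address and node hostname, as kubeadm adds for
    # --apiserver-advertise-address, plus the in-cluster service name.
    cat > "$dir/san.cnf" <<EOF
subjectAltName = DNS:$APISERVER_HOST,DNS:kubernetes,IP:$APISERVER_IP
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
    openssl x509 -req -sha256 -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/server.crt" >/dev/null 2>&1
    echo "$dir"
}

# Chain check with the cluster CA supplied: what `curl --cacert` does. Exit 0 on success.
verify_with_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Chain check against the system trust store only: what plain `curl https://...`
# does. Fails with "unable to get local issuer certificate" (curl's error 60).
verify_without_ca() {
    openssl verify "$1/server.crt" >/dev/null 2>&1
}

# Chain check plus the second thing curl verifies: the address the client
# dialled must appear in the certificate's SANs.
verify_with_ca_for_ip() {
    openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/server.crt" >/dev/null 2>&1
}
verify_with_ca_for_hostname() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# Print the SANs so a mismatch between advertise address and certificate is visible.
show_sans() {
    openssl x509 -in "$1/server.crt" -noout -ext subjectAltName
}

# Demo run.
pki=$(make_test_pki)
show_sans "$pki"
if verify_without_ca "$pki"; then
    echo "no CA given: verified (unexpected)"
else
    echo "no CA given: FAILED, as plain curl does (error 60); -k would merely skip this check"
fi
if verify_with_ca "$pki" && verify_with_ca_for_ip "$pki" "$APISERVER_IP"; then
    echo "with ca.crt and IP $APISERVER_IP: verified, as curl --cacert does"
fi
if verify_with_ca_for_ip "$pki" "10.0.0.101"; then
    echo "with ca.crt but IP 10.0.0.101: verified (unexpected)"
else
    echo "with ca.crt but IP 10.0.0.101: FAILED, address is not in the SANs"
fi
rm -rf "$pki"
```

On a real kubeadm node the same two checks are `curl --cacert /etc/kubernetes/pki/ca.crt https://10.0.0.100:6443/api/v1/namespaces/kube-public/configmaps/cluster-info` and `openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -ext subjectAltName`; if the address you join through is missing from that SAN list, verification fails even with the right CA, which is a certificate problem rather than the connectivity timeout the question reports.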
