kOps创建的Kubelet证书在其SAN中仅包含节点主机名,而使用默认清单部署的度量服务器正试图使用节点专用IP进行抓取。更改
情况:度量服务器部署映像为:k8s.gcr.io/metrics-server/metrics-server:v0.4.2我已经使用kops工具将一个kubernetes集群部署到一个AWS帐户中。
错误及其失败原因,由获取kubectl -n kube-system logs metrics-server-bcc948649-dsnd6
unable to fully scrape metrics: [unable to fully scrape metrics from node ip-10-33-47-106.eu-central-1.compute.internal: unable to fetch metrics from node ip-10-33-47-106.eu-central-1.compute.internal: Get "https://10.33.47.106:10250/stats/summary?only_cpu_and_memory=true": x509: cannot validate certificate for 10.33.47.106 because it doesn't contain any IP SANs, unable to fully scrape metrics from node ip-10-33-50-109.eu-central-1.compute.internal: unable to fetch metrics from node ip-10-33-50-109.eu-central-1.compute.internal: Get "https://10.33.50.109:10250/stats/summary?only_cpu_and_memory=true": x509: cannot validate certificate for 10.33.50.109 because it doesn't contain any IP SANs]
我可以通过修改度量服务器部署模板并添加参数来轻松解决此问题- --kubelet-insecure-tls到容器args,但似乎不是生产解决方案。
我想问和学习的是,如何在不失去安全感的情况下以正确的方式解决这个问题?
kubelet-preferred-address-types参数可以解决此问题:
- --kubelet-preferred-address-types=Hostname