K8S Notes: Common Problems


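Changing the dashboard display language to Chinese

  • Change the browser language: the dashboard switches its display language automatically based on the browser language. Note that in Chrome the language must be set to 中文 (Chinese), not 中文(简体) (Chinese, Simplified).

  • Set an environment variable (recommended): edit the dashboard Deployment's YAML file and add the environment variable.

    containers:
      ...
      ports:
        - containerPort: 8443
          ...
      env:   # container-level field, a sibling of ports
        - name: ACCEPT_LANGUAGE
          value: zh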

Getting a token

Get the token of the account named admin:

kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin | awk '{print $1}')
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin | awk '{print $1}')

Changing the token expiry time

Reference: https://blog.csdn.net/u013201439/article/details/80930285

args:
  ...
  - --token-ttl=86400 # one day (the value is in seconds)

  • Recreate the dashboard

    kubectl apply -f dashboard.yaml

  • Get the token

    kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin | awk '{print $1}')

Self-signed certificates

Multiple domains

cp /etc/pki/tls/openssl.cnf ./
openssl req -new -sha256 -key xxx.com.key -out xxx.com.csr -extensions v3_req -config openssl.cnf

Note the -extensions v3_req parameter.
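
For the multi-domain case, the additional names have to be present as subjectAltName entries in the v3_req section of the config. The script below is an added example, not from the original post: it writes a minimal config instead of editing the copied openssl.cnf, and the function names and the domain names in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): build a CSR whose v3_req
# section carries several DNS names as subjectAltName.
# Usage: make_san_csr OUTDIR COMMON_NAME [EXTRA_DNS_NAME...]
make_san_csr() {
    outdir=$1; cn=$2; shift 2
    mkdir -p "$outdir" || return 1
    cnf="$outdir/openssl.cnf"

    # Minimal config; req_extensions points the CSR at the v3_req section.
    cat > "$cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[dn]
CN = $cn

[v3_req]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = $cn
EOF
    i=2
    for name in "$@"; do
        echo "DNS.$i = $name" >> "$cnf"
        i=$((i + 1))
    done

    # The private key is created readable by its owner only.
    ( umask 077; openssl genrsa -out "$outdir/$cn.key" 2048 2>/dev/null ) || return 1
    openssl req -new -sha256 -key "$outdir/$cn.key" -out "$outdir/$cn.csr" \
        -extensions v3_req -config "$cnf" || return 1
}

# Print the DNS names recorded in a CSR, one per line, to verify the result.
csr_dns_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# Constructed usage: make_san_csr ./out www.example.com api.example.com
```

Running csr_dns_names on the resulting .csr before it is signed confirms that every intended name made it into the request.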

DNS resolution for the nginx service

https://stackoverflow.com/questions/51090684/nginx-wont-resolve-hostname-in-k8s
https://github.com/openresty/openresty/issues/298

On the resolver directive: https://blog.csdn.net/cjfeii/article/details/77987004

K8S certificate expiry

Over the weekend the service became unreachable:

[root@k8s-master ~]# kubectl get nodes
Unable to connect to the server: x509: certificate has expired or is not yet valid

My first thought was that a certificate had expired:

[root@k8s-master pki]# ls
apiserver.crt              apiserver.key                 ca.crt  front-proxy-ca.crt      front-proxy-client.key
apiserver-etcd-client.crt  apiserver-kubelet-client.crt  ca.key  front-proxy-ca.key      sa.key
apiserver-etcd-client.key  apiserver-kubelet-client.key  etcd    front-proxy-client.crt  sa.pub

[root@k8s-master pki]# openssl x509 -in apiserver.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3850906911950301514 (0x35712b6ef5e4e94a)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Mar 20 09:24:02 2020 GMT
            Not After : Mar 20 09:24:02 2021 GMT
        Subject: CN=kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption

After some searching I found:

https://github.com/kubernetes/kubeadm/issues/581#issuecomment-596097725

The expiry dates can be checked directly with:

[root@k8s-master backup]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

W0321 15:42:19.113957   11330 validation.go:28] Cannot validate kube-proxy config - no validator is available
W0321 15:42:19.114213   11330 validation.go:28] Cannot validate kubelet config - no validator is available
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 20, 2021 09:24 UTC   <invalid>                               no
apiserver                  Mar 20, 2021 09:24 UTC   <invalid>       ca                      no
apiserver-etcd-client      Mar 20, 2021 09:24 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Mar 20, 2021 09:24 UTC   <invalid>       ca                      no
controller-manager.conf    Mar 20, 2021 09:24 UTC   <invalid>                               no
etcd-healthcheck-client    Mar 20, 2021 09:24 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Mar 20, 2021 09:24 UTC   <invalid>       etcd-ca                 no
etcd-server                Mar 20, 2021 09:24 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Mar 20, 2021 09:24 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Mar 20, 2021 09:24 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 18, 2030 09:24 UTC   8y              no
etcd-ca                 Mar 18, 2030 09:24 UTC   8y              no
front-proxy-ca          Mar 18, 2030 09:24 UTC   8y              no

Back up the current configuration:

cp -r /etc/kubernetes /backup/

Renew the certificates:

kubeadm alpha certs renew all

Check again:

[root@k8s-master ~]# kubectl get nodes
error: You must be logged in to the server (Unauthorized)

~/.kube/config is a copy of the old admin.conf and still carries the expired client certificate, so overwrite it with the renewed admin.conf:

[root@k8s-master backup]# cp /etc/kubernetes/admin.conf ~/.kube/config
cp:是否覆盖"/root/.kube/config"? y
[root@k8s-master backup]# kubectl get nodes
NAME          STATUS   ROLES    AGE    VERSION
k8s-master    Ready    master   365d   v1.17.4
k8s-node-01   Ready    <none>   365d   v1.17.0
k8s-node-02   Ready    <none>   365d   v1.17.0
k8s-node-03   Ready    <none>   335d   v1.17.4
k8s-node-04   Ready    <none>   335d   v1.17.4
k8s-node-05   Ready    <none>   365d   v1.17.4
k8s-node-06   Ready    <none>   365d   v1.17.4
k8s-node-07   Ready    <none>   363d   v1.17.4
k8s-node-08   Ready    <none>   363d   v1.17.4

After logging in to Rancher, clicking redeploy had no effect.

Restart the apiserver, scheduler and controller:

docker restart `docker ps | grep kube-apiserver  | awk '{ print $1 }'`
docker restart `docker ps | grep kube-scheduler  | awk '{ print $1 }'`
docker restart `docker ps | grep kube-controller  | awk '{ print $1 }'`
systemctl restart kubelet
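
To notice expiry before kubectl starts failing as it did above, the certificates under /etc/kubernetes/pki can be checked on a schedule. The function below is an added example, not from the original post; its name and the 30-day default window are assumptions, and it does not cover the client certificates embedded in admin.conf and the other kubeconfig files listed in the kubeadm output.

```shell
#!/bin/sh
# Added example (not from the original post): report certificate expiry.
# cert_expiry_report DIR [DAYS] prints one line per *.crt found under DIR:
#   EXPIRED / EXPIRING (within DAYS days) / OK / UNREADABLE, path, notAfter
# and returns 1 unless every certificate is OK, so cron or monitoring can alert.
# DAYS defaults to 30, which is an assumption, not a value from the post.
cert_expiry_report() {
    dir=$1; days=${2:-30}
    window=$((days * 86400))
    rc=0
    while IFS= read -r crt; do
        [ -n "$crt" ] || continue
        if ! end=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null); then
            state=UNREADABLE; end=; rc=1
        # -checkend N exits non-zero if the certificate expires within N seconds.
        elif ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
            state=EXPIRED; rc=1
        elif ! openssl x509 -in "$crt" -noout -checkend "$window" >/dev/null; then
            state=EXPIRING; rc=1
        else
            state=OK
        fi
        printf '%-10s %s  %s\n' "$state" "$crt" "${end#notAfter=}"
    done <<EOF
$(find "$dir" -name '*.crt' | sort)
EOF
    return $rc
}

# Usage on a kubeadm control-plane node:
#   cert_expiry_report /etc/kubernetes/pki 30
```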
Author: honmaple
Link: https://honmaple.me/articles/2020/01/K8S笔记之常见问题.html
License: CC BY-NC-SA 4.0 (Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International)