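Change the dashboard display language to Chinese
- Change the browser language: the dashboard display language switches automatically to match the browser language, but note that in Chrome the language must be set to 中文 (Chinese) rather than 中文(简体) (Chinese, Simplified).
- Set an environment variable (recommended): edit the dashboard Deployment YAML file and add an environment variable.

    containers:
      ...
      ports:
        - containerPort: 8443
      ...
      env:
        - name: ACCEPT_LANGUAGE
          value: zh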
Get the token
Get the token of the account named admin:

    kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin | awk '{print $1}')
    kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin | awk '{print $1}')
Change the token expiry time
Reference: https://blog.csdn.net/u013201439/article/details/80930285

    args:
      ....
      - --token-ttl=86400 # one day

- Recreate the dashboard

    kubectl apply -f dashboard.yaml

- Get the token

    kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin | awk '{print $1}')
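Self-signed certificates
Multiple domains

    cp /etc/pki/tls/openssl.cnf ./
    openssl req -new -sha256 -key xxx.com.key -out xxx.com.csr -reqexts v3_req -config openssl.cnf

Note the -reqexts v3_req parameter: it selects the v3_req section of openssl.cnf as the extensions for the certificate request.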
DNS resolution for the nginx service
https://stackoverflow.com/questions/51090684/nginx-wont-resolve-hostname-in-k8s
https://github.com/openresty/openresty/issues/298
About the resolver directive: https://blog.csdn.net/cjfeii/article/details/77987004
K8s certificate expiry problem
Over the weekend the service could not be reached:

    [root@k8s-master ~]# kubectl get nodes
    Unable to connect to the server: x509: certificate has expired or is not yet valid

My first thought was that the certificate had expired:

    [root@k8s-master pki]# ls
    apiserver.crt              apiserver.key                 ca.crt  front-proxy-ca.crt      front-proxy-client.key
    apiserver-etcd-client.crt  apiserver-kubelet-client.crt  ca.key  front-proxy-ca.key      sa.key
    apiserver-etcd-client.key  apiserver-kubelet-client.key  etcd    front-proxy-client.crt  sa.pub

    [root@k8s-master pki]# openssl x509 -in apiserver.crt -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 3850906911950301514 (0x35712b6ef5e4e94a)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=kubernetes
            Validity
                Not Before: Mar 20 09:24:02 2020 GMT
                Not After : Mar 20 09:24:02 2021 GMT
            Subject: CN=kube-apiserver
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption

I searched around and found:
https://github.com/kubernetes/kubeadm/issues/581#issuecomment-596097725
This can be checked directly with:

    [root@k8s-master backup]# kubeadm alpha certs check-expiration
    [check-expiration] Reading configuration from the cluster...
    [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
    [check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
    W0321 15:42:19.113957 11330 validation.go:28] Cannot validate kube-proxy config - no validator is available
    W0321 15:42:19.114213 11330 validation.go:28] Cannot validate kubelet config - no validator is available
    CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
    admin.conf                 Mar 20, 2021 09:24 UTC   <invalid>                               no
    apiserver                  Mar 20, 2021 09:24 UTC   <invalid>       ca                      no
    apiserver-etcd-client      Mar 20, 2021 09:24 UTC   <invalid>       etcd-ca                 no
    apiserver-kubelet-client   Mar 20, 2021 09:24 UTC   <invalid>       ca                      no
    controller-manager.conf    Mar 20, 2021 09:24 UTC   <invalid>                               no
    etcd-healthcheck-client    Mar 20, 2021 09:24 UTC   <invalid>       etcd-ca                 no
    etcd-peer                  Mar 20, 2021 09:24 UTC   <invalid>       etcd-ca                 no
    etcd-server                Mar 20, 2021 09:24 UTC   <invalid>       etcd-ca                 no
    front-proxy-client         Mar 20, 2021 09:24 UTC   <invalid>       front-proxy-ca          no
    scheduler.conf             Mar 20, 2021 09:24 UTC   <invalid>                               no

    CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
    ca                      Mar 18, 2030 09:24 UTC   8y              no
    etcd-ca                 Mar 18, 2030 09:24 UTC   8y              no
    front-proxy-ca          Mar 18, 2030 09:24 UTC   8y              no
Back up

    cp -r /etc/kubernetes /backup/

Renew

    kubeadm alpha certs renew all

Check again

    [root@k8s-master ~]# kubectl get nodes
    error: You must be logged in to the server (Unauthorized)

    [root@k8s-master backup]# cp /etc/kubernetes/admin.conf ~/.kube/config
    cp:是否覆盖"/root/.kube/config"? y
    [root@k8s-master backup]# kubectl get nodes
    NAME          STATUS   ROLES    AGE    VERSION
    k8s-master    Ready    master   365d   v1.17.4
    k8s-node-01   Ready    <none>   365d   v1.17.0
    k8s-node-02   Ready    <none>   365d   v1.17.0
    k8s-node-03   Ready    <none>   335d   v1.17.4
    k8s-node-04   Ready    <none>   335d   v1.17.4
    k8s-node-05   Ready    <none>   365d   v1.17.4
    k8s-node-06   Ready    <none>   365d   v1.17.4
    k8s-node-07   Ready    <none>   363d   v1.17.4
    k8s-node-08   Ready    <none>   363d   v1.17.4

After logging in to Rancher, I found that clicking Redeploy did nothing.
Restart the apiserver, scheduler and controller:

    docker restart `docker ps | grep kube-apiserver | awk '{ print $1 }'`
    docker restart `docker ps | grep kube-scheduler | awk '{ print $1 }'`
    docker restart `docker ps | grep kube-controller | awk '{ print $1 }'`
    systemctl restart kubelet
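To catch this before the API server stops answering, the check-expiration output shown earlier can be parsed on a schedule and turned into a warning list. The following is an added example, not part of the original notes: the function names, the 30-day threshold and the sample text are assumptions, and the sample is constructed from the output above with one date changed to show a certificate that is close to expiry but not yet expired.

```python
import re
from datetime import datetime, timedelta, timezone

# One data row looks like: "apiserver   Mar 20, 2021 09:24 UTC   <invalid>   ca   no".
# Table headers, "[check-expiration] ..." log lines and "W0321 ..." warnings do not match.
ROW = re.compile(
    r"^(?P<name>[\w.-]+)\s+"
    r"(?P<expires>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}) UTC\s"
)

# Constructed sample modelled on the output above; the etcd-server date is invented.
SAMPLE = """\
[check-expiration] Reading configuration from the cluster...
W0321 15:42:19.113957 11330 validation.go:28] Cannot validate kubelet config
CERTIFICATE     EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf      Mar 20, 2021 09:24 UTC   <invalid>                               no
apiserver       Mar 20, 2021 09:24 UTC   <invalid>       ca                      no
etcd-server     Apr 10, 2021 09:24 UTC   20d             etcd-ca                 no
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 18, 2030 09:24 UTC   8y              no
"""

def parse_expirations(text):
    """Return {certificate name: expiry as a timezone-aware UTC datetime}."""
    result = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            when = datetime.strptime(m["expires"], "%b %d, %Y %H:%M")
            result[m["name"]] = when.replace(tzinfo=timezone.utc)
    return result

def needs_renewal(text, now, warn_days=30):
    """Names already expired or expiring within warn_days of `now`, soonest first."""
    limit = now + timedelta(days=warn_days)
    certs = parse_expirations(text)
    due = [name for name, when in certs.items() if when <= limit]
    return sorted(due, key=lambda name: (certs[name], name))

if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives a stable result;
    # a real check would pass datetime.now(timezone.utc) and the live command output.
    now = datetime(2021, 3, 21, 15, 42, tzinfo=timezone.utc)
    for name in needs_renewal(SAMPLE, now):
        print("renew:", name)
```

The kubeconfig entries (admin.conf, controller-manager.conf, scheduler.conf) have an empty CERTIFICATE AUTHORITY column, so the parser reads only the name and expiry columns and ignores the rest of the row.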