下载yaml文件
wget https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/high-availability.yaml
改名:mv high-availability.yaml metrics-server.yaml
查看镜像地址
查看镜像地址
grep -rn image high-availability.yaml
150: image: k8s.gcr.io/metrics-server/metrics-server:v0.6.1
151: imagePullPolicy: IfNotPresent
设置镜像地址为阿里云
sed -i "s#k8s.gcr.io/metrics-server#registry.cn-hangzhou.aliyuncs.com/chenby#g" high-availability.yaml
查看镜像地址已更新
grep -rn image high-availability.yaml
150: image: registry.cn-hangzhou.aliyuncs.com/chenby/metrics-server:v0.6.1
151: imagePullPolicy: IfNotPresent
vim high-availability.yaml
添加"- --kubelet-insecure-tls"
执行配置
kubectl apply -f high-availability.yaml
[root@k8s-master-1 cfg]# kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
metrics-server-6f6c655778-ds596 1/1 Running 0 28m
metrics-server-6f6c655778-m6r7g 1/1 Running 0 28m
#启动正常,查看top 报错如下图
?查看API-server日志报错如下
是因为缺少认证的证书文件,创建文件
[root@k8s-master-1 ssl]#
[root@k8s-master-1 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -profile=kubernetes -config=ca-config.json proxy-client-csr.json | cfssljson -bare proxy-client
2023/05/04 14:53:56 [INFO] generate received request
2023/05/04 14:53:56 [INFO] received CSR
2023/05/04 14:53:56 [INFO] generating key: rsa-2048
2023/05/04 14:53:56 [INFO] encoded CSR
2023/05/04 14:53:56 [INFO] signed certificate with serial number 469318432138754596153118826805525884889293204022
2023/05/04 14:53:56 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master-1 ssl]#
[root@k8s-master-1 ssl]#
[root@k8s-master-1 ssl]# ls
ca-config.json ca-csr.json ca.pem kube-proxy-csr.json kube-proxy.pem kubernetes-csr.json kubernetes.pem proxy-client-csr.json proxy-client.pem
ca.csr ca-key.pem kube-proxy.csr kube-proxy-key.pem kubernetes.csr kubernetes-key.pem proxy-client.csr proxy-client-key.pem
[root@k8s-master-1 ssl]#
[root@k8s-master-1 ssl]#
?修改kube-apiserver.conf,添加如下内容
--runtime-config=api/all=true \
--requestheader-allowed-names=aggregator \
--requestheader-group-headers=X-Remote-Group \
--requestheader-username-headers=X-Remote-User \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-client-ca-file=/k8s/kubernetes/ssl/ca.pem \
--proxy-client-cert-file=/k8s/kubernetes/ssl/proxy-client.pem \
--proxy-client-key-file=/k8s/kubernetes/ssl/proxy-client-key.pem \
参数说明:
–requestheader-client-ca-file: 客户端 CA 证书。
–requestheader-allowed-names: 允许访问的客户端 common names 列表,通过header中–requestheader-username-headers 参数指定的字段获取。
客户端 common names 的名称需要在 client-ca-file 中进行设置,将其设置为空值时,表示任意客户端都可访问。
–requestheader-username-headers: 参数指定的字段获取。
–requestheader-extra-headers-prefix: 请求头中需要检查的前缀名。
–requestheader-group-headers 请求头中需要检查的组名。
–requestheader-username-headers 请求头中需要检查的用户名。
–proxy-client-cert-file: 在请求期间验证 Aggregator 的客户端 CA 证书。
–proxy-client-key-file: 在请求期间验证 Aggregator 的客户端私钥。
#重启kube-apiserver
[root@k8s-master-1 cfg]# systemctl daemon-reload && systemctl restart kube-apiserver
#验证
[root@k8s-master-1 cfg]# kubectl top node
NAME CPU(cores) CPU% MEMORY(bytes) MEMORY%
k8s-node-1 80m 4% 812Mi 22%
k8s-node-2 81m 4% 775Mi 21%
[root@k8s-master-1 cfg]#
[root@k8s-master-1 cfg]# kubectl top pod
NAME CPU(cores) MEMORY(bytes)
busybox 0m 0Mi
web-96d5df5c8-sw784 0m 1Mi