Problems encountered when deploying metrics-server on Kubernetes

After deploying metrics-server on Kubernetes, running kubectl top pod or kubectl top node fails with:
Error from server (ServiceUnavailable): the server is currently unable to handle the request (get pods.metrics.k8s.io)

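I. Troubleshooting steps:

1.1 Check the metrics-server service logs

The metrics-server logs show nothing abnormal.

1.2 Check the kube-apiserver logs

The logs show that the call to metrics-server was not authorized and returned an HTTP 403 error.

1.3 Check whether the following parameters are configured
1.4 Summary:
The metrics-server configuration is fine, yet the service still reports Error from server (ServiceUnavailable): the server is currently unable to handle the request (get pods.metrics.k8s.io). There are two ways to resolve the problem:
1. Bind a cluster role to the user system:anonymous (requests that carry no credentials are assigned this user, so the binding below gives them cluster-admin)
kubectl create clusterrolebinding system:anonymous --clusterrole=cluster-admin --user=system:anonymous
2. Create a system:metrics-server role and grant it permissions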
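
The two methods leave very different bindings behind. As an added example (not part of the original post), this check reads the output of kubectl get clusterrolebindings -o json and reports every binding that reaches unauthenticated callers. The sample JSON, the severity labels and the file name check_anon.py are constructed for illustration.

```python
import json
import sys

# Subjects that match requests arriving without valid credentials.
UNAUTHENTICATED = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
SAMPLE = json.dumps({"kind": "List", "items": [
    # What method 1 on this page creates.
    {"metadata": {"name": "system:anonymous"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    # The binding from section 2.2.
    {"metadata": {"name": "metrics-server:system:auth-metrics-server"},
     "roleRef": {"kind": "ClusterRole", "name": "system:auth-metrics-server-reader"},
     "subjects": [{"kind": "User", "name": "system:metrics-server"}]},
    # A stock Kubernetes binding that also reaches unauthenticated callers.
    {"metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    # A binding whose subjects field is null.
    {"metadata": {"name": "empty"},
     "roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": None},
]})


def anonymous_bindings(doc):
    """Return (severity, binding, role, subject) for bindings open to unauthenticated callers."""
    findings = []
    for item in json.loads(doc).get("items", []):
        role = item.get("roleRef", {}).get("name", "")
        # Only cluster-admin is rated critical here; other roles need a manual look.
        severity = "critical" if role == "cluster-admin" else "review"
        for subj in item.get("subjects") or []:  # subjects may be missing or null
            if (subj.get("kind"), subj.get("name")) in UNAUTHENTICATED:
                findings.append((severity, item["metadata"]["name"], role, subj["name"]))
    return sorted(findings)


if __name__ == "__main__":
    # Real use: kubectl get clusterrolebindings -o json | python3 check_anon.py -
    doc = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    for severity, name, role, subject in anonymous_bindings(doc):
        print(f"[{severity}] {name}: {role} -> {subject}")
```

The binding from section 2.2 does not appear in the findings because its only subject is the named user system:metrics-server.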

II. Resolution (create the system:metrics-server role and grant it permissions):

2.1 Configure the metrics-server certificate

# vim metrics-server-csr.json
{
  "CN": "system:metrics-server",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "system"
    }
  ]
}
# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem -ca-key=/etc/kubernetes/ssl/ca-key.pem -config=ca-config.json -profile=kubernetes metrics-server-csr.json | cfssljson -bare metrics-server

2.2 Configure RBAC authorization for metrics-server

cat > auth-metrics-server.yaml << EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:auth-metrics-server-reader
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods", "nodes"]
  verbs: ["get", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-server:system:auth-metrics-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-metrics-server-reader
subjects:
- kind: User
  name: system:metrics-server
  apiGroup: rbac.authorization.k8s.io  # User subjects are not namespaced; namespace applies only to ServiceAccount subjects
EOF

2.3 Add the configuration metrics-server needs to kube-apiserver

  --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem \
  --requestheader-allowed-names=aggregator,metrics-server \
  --requestheader-extra-headers-prefix=X-Remote-Extra- \
  --requestheader-group-headers=X-Remote-Group \
  --requestheader-username-headers=X-Remote-User \
  --proxy-client-cert-file=/etc/kubernetes/ssl/metrics-server.pem \
  --proxy-client-key-file=/etc/kubernetes/ssl/metrics-server-key.pem

2.4 Check that monitoring data can now be retrieved