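After deploying metrics-server on Kubernetes, running kubectl top pod or kubectl top node reports an error
Error from server (ServiceUnavailable): the server is currently unable to handle the request (get pods.metrics.k8s.io)
I. Troubleshooting steps:
1.1 Check the metrics-server service logs
The logs show nothing abnormal in the metrics-server service.
1.2 Check the kube-apiserver logs
The logs show that the call to metrics-server was not authorized and returned an HTTP 403 error.
1.3 Check whether the following parameters are configured
1.4 Summary of the problem:
The metrics-server configuration is fine, but the service still reports Error from server (ServiceUnavailable): the server is currently unable to handle the request (get pods.metrics.k8s.io). There are two ways to solve the problem:
1. Bind a cluster role to the user system:anonymous (this gives every unauthenticated request cluster-admin rights)
kubectl create clusterrolebinding system:anonymous --clusterrole=cluster-admin --user=system:anonymous
2. Create the system:metrics-server role and authorize it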
II. Solution (create the system:metrics-server role and authorize it):
2.1 Configure the metrics-server certificate
# vim metrics-server-csr.json
{
  "CN": "system:metrics-server",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "system"
    }
  ]
}
# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem -ca-key=/etc/kubernetes/ssl/ca-key.pem -config=ca-config.json -profile=kubernetes metrics-server-csr.json | cfssljson -bare metrics-server
2.2 Configure RBAC authorization for metrics-server
cat > auth-metrics-server.yaml << EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:auth-metrics-server-reader
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods", "nodes"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-server:system:auth-metrics-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-metrics-server-reader
subjects:
- kind: User
  name: system:metrics-server
  namespace: kube-system
EOF
2.3 Add the configuration that metrics-server needs to kube-apiserver
--requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
--requestheader-allowed-names=aggregator,metrics-server
--requestheader-extra-headers-prefix=X-Remote-Extra-
--requestheader-group-headers=X-Remote-Group
--requestheader-username-headers=X-Remote-User
--proxy-client-cert-file=/etc/kubernetes/ssl/metrics-server.pem
--proxy-client-key-file=/etc/kubernetes/ssl/metrics-server-key.pem
2.4 Check that monitoring data can now be retrieved