Kubernetes-Dashboard-尝试访问服务时出错:拨打TCP 10.36.0.1:8443:I/O超时 [英] Kubernetes-dashboard - error trying to reach service: dial tcp 10.36.0.1:8443: i/o timeout
问题描述
我用谷歌搜索并找到了解决自己难题的答案.我能找到的所有答案都不适用,但他们说这已经被讨论了很多次了.
I googled and searched for the answer to my dilemma all answers I could find are not applicable, but they say this has been discussed many times.
以下是我的实际群集设置. 4个工作节点,2个主节点和1个负载均衡器.
Below is my actual cluster setup. 4 worker nodes, two masters, and one load balancer.
我安装了仪表板
XXXX@master01:~$ kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default busybox 1/1 Running 30 30h
kube-system coredns-78cb77577b-lbp87 1/1 Running 0 30h
kube-system coredns-78cb77577b-n7rvg 1/1 Running 0 30h
kube-system weave-net-d9jb6 2/2 Running 7 31h
kube-system weave-net-nsqss 2/2 Running 0 39h
kube-system weave-net-wnbq7 2/2 Running 7 31h
kube-system weave-net-zfsmn 2/2 Running 0 39h
kubernetes-dashboard dashboard-metrics-scraper-7b59f7d4df-dhcpn 1/1 Running 0 28h
kubernetes-dashboard kubernetes-dashboard-665f4c5ff-6qnzp 1/1 Running 7 28h
我安装了我的服务帐户并为其分配了群集管理员角色
I installed my service accounts and assigned them cluster-admin roles
XXXX@master01:~$ kubectl get sa -n kubernetes-dashboard
NAME SECRETS AGE
default 1 28h
kube-apiserver 1 25h
kubernetes-dashboard 1 28h
我正在使用kube-apiserver用户服务帐户,因为将证书加载到我已经拥有的浏览器中很容易.
I am using the kube-apiserver user service account because it was easy to just load the certs in the browser I already have them.
现在,我尝试使用负载平衡器访问仪表板: https://loadbalancer.local:6443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
Now I try to access the dashboard using the load balancer: https://loadbalancer.local:6443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
在这一点上,人们会认为我应该获得仪表板,并且我遇到的每个问题都做出了这种假设,但是我遇到了以下错误:
at this point one would think I should get the dashboard and every question I have encountered makes that assumption but I am getting the following error:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "error trying to reach service: dial tcp 10.36.0.1:8443: i/o timeout",
"code": 500
}
所以我决定拉日志:
kubectl logs -n kubernetes-dashboard service/kubernetes-dashboard
Error from server: Get "https://worker04:10250/containerLogs/kubernetes-dashboard/kubernetes-dashboard-665f4c5ff-6qnzp/kubernetes-dashboard": x509: certificate signed by unknown
authority
我所得到的只是这一行,我有一个想法来找出来自此工作程序节点的证书有什么问题: worker04:10250 我使用OpenSSL检查证书,发现了以下内容: 好吧,worker04生成了自己的证书,但同时也生成了自己的CA.
all I get is this one line and I had an idea of finding out what the issue is with the certification from this worker node: worker04:10250 I used OpenSSL to check the certificate and I discovered the following: worker04 has generated its own certificate alright, but it also generated its own CA as well.
这是我不知道如何解决此问题并启动仪表板的地方. 我还在 master01 上尝试过代理:
and this is where I am with no idea how to fix this and bring up a dashboard. I also tried a proxy on master01:
kubectl -v=9 proxy --port=8001 --address=192.168.1.24
我得到的都是403 Forbidden!
and all I got was 403 Forbidden!
推荐答案
对此我取得了一些进展,我发现当节点生成并向集群注册时,它会生成自己的证书CSR,该证书由自己的签名生成的CA,要解决此问题,我为由群集CA签名的所有节点生成了证书,并简单地替换了自动生成的证书并重新启动了节点.
I made some progress with this, I figured out that when a node generate and registers itself to a cluster, it is generating its own certificate CSR signed by its own generated CA, to fix this I generated the certificates for all the nodes signed by the cluster CA and simply replaced the auto generated certificates and restarted the nodes..
这篇关于Kubernetes-Dashboard-尝试访问服务时出错:拨打TCP 10.36.0.1:8443:I/O超时的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
