[k8s]kube-dns/dashboard排错历险记(含sa加载用法/集群搭建)

kube-dns原理

参考:

组件架构看这个就够了

http://cizixs.com/2017/04/11/kubernetes-intro-kube-dns

设置细节看这个就够了

http://blog.fleeto.us/translation/configuring-private-dns-zones-and-upstream-nameservers-kubernetes

busybox你的忠实实验伴侣

命令看这里: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-policy

这里教你怎么快速搭建个k8s集群,debug模式.

这里涵盖了kube-dns和dashboard的排错,他们默认是用https链接apiserver的,就需要各自pod里有token.这里我改成了使用8080链接,无非是指定个master的ip+非安全端口即可.

这里还教你怎么为容器加载sa.

我是这样部署集群的

http://www.cnblogs.com/iiiiher/p/7888934.html

安装kube-dns

官网下载yaml:

wget https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/kube-dns.yaml.sed mv kube-dns.yaml.sed kube-dns.yaml
sed -i 's#gcr.io/google_containers#lanny#g' kube-dns.yaml
sed -i 's#$DNS_DOMAIN#cluster.local#g'  kube-dns.yaml
sed -i 's#$DNS_SERVER_IP#10.254.0.2#g'  kube-dns.yaml

3个image
lanny/k8s-dns-kube-dns-amd64:1.14.7
lanny/k8s-dns-dnsmasq-nanny-amd64:1.14.7
lanny/k8s-dns-sidecar-amd64:1.14.7

kubectl create -f  kube-dns.yaml

排错1:kube-dns3个容器都起来了,只能查询nslookup kubernetes 和 nslookup kube-dns.自己新建的svc无法查

开始以为是api启动问题,因为我没有加载任何准入控制器,想着把sa加载进去

无奈,sa搞不好

排错2: 为pod加载sa准入器

1.生成证书ca.key

参考:http://www.cnblogs.com/iiiiher/p/7891669.html

2.api指定key(token是这个key签发的)

kube-apiserver \
--service-cluster-ip-range=10.254.0.0/16 \
--etcd-servers=http://127.0.0.1:2379 \
--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,DefaultStorageClass,ResourceQuota,ServiceAccount \
--service-account-key-file=/root/ssl/ca.key \
--insecure-bind-address=0.0.0.0 \
--v=2

3.api指定key(这里controller一定要加载key,否则单独给api加载key,pod是无法生成token的,切记切记,浪费了一天时间,擦)

kube-controller-manager \
--master=http://127.0.0.1:8080 \
--service-account-private-key-file=/root/ssl/ca.key \
--v=2

接着怀疑flannel host-gw模式问题,遂改给vxlan模式.问题依旧

排错2: pod默认以https来连api的(我发现kube-dns和dashboard都是),报token找不到.

默认有sa情况下 启动容器 /var/run/secrets/kubernetes.io/serviceaccount/token会自动生成的. 目前我们没启动sa.

[root@m1 dns]# kk
NAMESPACE     NAME                              READY     STATUS             RESTARTS   AGE       IP          NODE        LABELS
kube-system   kube-dns-2981639038-f41v9         2/3       CrashLoopBackOff   5          2m        10.2.50.2   n2.ma.com   k8s-app=kube-dns,pod-template-hash=2981639038
[root@m1 dns]# kubectl  logs -f kube-dns-2981639038-f41v9 -n kube-system -c kubedns
I1124 16:24:09.294678      86 dns.go:48] version: 1.14.3-4-gee838f6
F1124 16:24:09.294768      86 server.go:57] Failed to create a kubernetes client: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
rpc error: code = 2 desc = Error: No such container: d72e21f48dd0167dc184c1ddb79a0d88242fff03d0d16463f536f2803e2d2eb0[root@m1 dns]#

可以看出启动过程需要token.pod以https的方式连apiserver的时候就需要这个token了.默认我启动api的时候是没有加载ServiceAccount组件的.

解决:

方法1: 直接改deploy,kube-dns的args部分添加 pod查找api的地址.(dashboard也是这个原理)

kubectl -n kube-system edit deployment kube-dns

--kube-master-url=http://192.168.x.x:8080

方法2: 修改yaml args部分添加 --kube-master-url=http://192.168.x.x:8080

那么问题来了: 不同的镜像参数不一样,kube-master-url类似这种连api的参数从哪里找呢?

建议从k8s的github以往的release里yaml里找找.

因为gcr.io里的镜像我发现没dockerfile可以看,至于他们需要什么参数,不太透明

参考他的github可以看下:

https://github.com/denverdino/google-containers

灵感来源: http://jeromeliu.win/2017/04/24/Kubernetes-%E6%90%AD%E5%BB%BAkube-dns/

curl -k -s -X GET https://gcr.io/v2/google_containers/hyperkube-amd64/tags/list | jq -r '.tags[]'
docker search gcr.io/google-containers/hyperkube

提示:这里发现个处理json的小工具,yum install -y jq

贴上kube-dashboard的url

https://github.com/kubernetes/dashboard/blob/master/src/deploy/recommended/kubernetes-dashboard.yaml

我把他精简了下,因为有些东西对于我这个简单的集群没什么用,我还没做多余的认证

官方git下载的,我删改了一些没用的,因为我不需要用证书认证,遵从最小原则,越简单越好.

[root@m1 yaml]# cat kubernetes-dashboard.yaml
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
labels:
app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: kubernetes-dashboard
template:
metadata:
labels:
app: kubernetes-dashboard
# Comment the following annotation if Dashboard must not be deployed on master
annotations:
scheduler.alpha.kubernetes.io/tolerations: |
[
{
"key": "dedicated",
"operator": "Equal",
"value": "master",
"effect": "NoSchedule"
}
]
spec:
containers:
- name: kubernetes-dashboard
image: k8scn/kubernetes-dashboard-amd64:v1.7.1
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9090
protocol: TCP
args:
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
- --apiserver-host=http://192.168.x.x:8080
livenessProbe:
httpGet:
path: /
port: 9090
initialDelaySeconds: 30
timeoutSeconds: 30
---
kind: Service
apiVersion: v1
metadata:
labels:
app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
type: NodePort
ports:
- port: 80
targetPort: 9090
nodePort: 30090
selector:
app: kubernetes-dashboard