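metrics-server fails at startup with tls: failed to verify certificate: x509
Metrics Server is a core Kubernetes component that collects and aggregates resource usage data for the cluster, such as CPU and memory. This data is typically consumed by autoscaling mechanisms such as the Horizontal Pod Autoscaler (HPA) and the Vertical Pod Autoscaler (VPA).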
env
- centos8-stream
- kubernetes-v1.19.16
- metrics-server-v0.7.2
Deploy metrics-server
kubectl apply -f components.yaml
kubectl get deployment metrics-server -n kube-system
Problem
Error log from the metrics-server pod at startup
E0216 10:06:12.161854 1 scraper.go:149] "Failed to scrape node" err="Get \"https://172.24.20.41:10250/metrics/resource\": tls: failed to verify certificate: x509: cannot validate certificate for 172.24.20.41 because it doesn't contain any IP SANs" node="centos8-1"
I0216 10:06:12.175762 1 server.go:191] "Failed probe" probe="metric-storage-ready" err="no metrics to serve"
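Solution
Skip verification of the kubelet serving certificate to work around the x509 error. With --kubelet-insecure-tls the connection to the kubelet still uses TLS, but metrics-server no longer verifies the certificate the kubelet presents; the metrics-server documentation describes this flag as for testing purposes only.
1. Edit components.yaml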
args:
- --kubelet-insecure-tls
- --kubelet-preferred-address-types=InternalIP
or
args:
- --kubelet-insecure-tls
Or edit the live deployment
kubectl -n kube-system edit deploy metrics-server
2. Test
kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes
[root@centos8-1 ~]# kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes |python3 -m json.tool
{
    "kind": "NodeMetricsList",
    "apiVersion": "metrics.k8s.io/v1beta1",
    "metadata": {},
    "items": [
        {
            "metadata": {
                "name": "centos8-1",
                "creationTimestamp": "2025-02-16T12:24:20Z",
                "labels": {
                    "beta.kubernetes.io/arch": "amd64",
                    "beta.kubernetes.io/os": "linux",
                    "kubernetes.io/arch": "amd64",
                    "kubernetes.io/hostname": "centos8-1",
                    "kubernetes.io/os": "linux",
                    "node-role.kubernetes.io/master": ""
                }
            },
            "timestamp": "2025-02-16T12:24:07Z",
            "window": "10.052s",
            "usage": {
                "cpu": "480083758n",
                "memory": "1486524Ki"
            }
        }
    ]
}
metrics-server log after a normal startup
[root@centos8-1 ~]# kubectl logs -f pods/metrics-server-65444cbd94-gzk75 -n kube-system
I0216 11:38:46.648228 1 serving.go:374] Generated self-signed cert (/tmp/apiserver.crt, /tmp/apiserver.key)
I0216 11:38:46.843834 1 handler.go:275] Adding GroupVersion metrics.k8s.io v1beta1 to ResourceManager
I0216 11:38:46.963357 1 secure_serving.go:213] Serving securely on [::]:10250
I0216 11:38:46.963519 1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController
I0216 11:38:46.963524 1 dynamic_serving_content.go:132] "Starting controller" name="serving-cert::/tmp/apiserver.crt::/tmp/apiserver.key"
I0216 11:38:46.963538 1 shared_informer.go:311] Waiting for caches to sync for RequestHeaderAuthRequestController
I0216 11:38:46.963562 1 configmap_cafile_content.go:202] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::client-ca-file"
I0216 11:38:46.963572 1 shared_informer.go:311] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0216 11:38:46.963597 1 configmap_cafile_content.go:202] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
I0216 11:38:46.963605 1 shared_informer.go:311] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0216 11:38:46.967802 1 tlsconfig.go:240] "Starting DynamicServingCertificateController"
I0216 11:38:47.064174 1 shared_informer.go:318] Caches are synced for RequestHeaderAuthRequestController
I0216 11:38:47.064334 1 shared_informer.go:318] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0216 11:38:47.064102 1 shared_informer.go:318] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file