The official Kubernetes website suggests that the aggregator is better configured with a different CA certificate and credential. Therefore, I followed the advice of the official website, regenerated a CA certificate, and used this CA to sign the certificate to be used by the aggregator. Then I added the configuration parameters to the startup parameters of kube-apiserver according to the configuration on the official website. Then I started the api-server, but it failed to start. The failure log is as follows:
3月 21 19:03:05 localhost.localdomain systemd[1]: Failed to start Kube-apiserver Service.
-- Subject: Unit kube-apiserver.service has failed
-- Defined-By: systemd
-- Support:
-- Unit kube-apiserver.service has failed.
-- The result is failed.
3月 21 19:03:05 localhost.localdomain systemd[1]: kube-apiserver.service failed.
3月 21 19:03:05 localhost.localdomain kubelet[4084]: I0321 19:03:05.015767 4084 trace.go:116] Trace[1764576244]: "Reflector ListAndWatch"
3月 21 19:03:05 localhost.localdomain kubelet[4084]: Trace[1764576244]: [14.397574036s] [14.397574036s] END
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.015796 4084 reflector.go:123] Failed t
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.215925 4084 reflector.go:123] object-"kube-system"/"coredns-token-v7xr6": Failed to list *v1
3月 21 19:03:05 localhost.localdomain kubelet[4084]: I0321 19:03:05.215962 4084 trace.go:116] Trace[2021737021]: "Reflector ListAndWatch" name:object-"monitorin
3月 21 19:03:05 localhost.localdomain kubelet[4084]: Trace[2021737021]: [14.597630663s] [14.597630663s] END
3月 21 19:03:05 localhost.localdomain kubelet[4084]: E0321 19:03:05.215984 4084 reflector.go:123] object-"monitoring"/"default-token-wk7d4": Failed to list *v1.
3月 21 19:03:06 localhost.localdomain kubelet[4084]: E0321 19:03:06.000788 4084 kubelet_node_status.go:388] Error updating node status, will retry: error gettin
3月 21 19:03:07 localhost.localdomain systemd[1]: Failed to start Kube-apiserver Service.
-- Subject: Unit kube-apiserver.service has failed
-- Defined-By: systemd
-- Support:
-- Unit kube-apiserver.service has failed.
-- The result is failed.
3月 21 19:03:07 localhost.localdomain systemd[1]: kube-apiserver.service failed.
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.215825 4084 reflector.go:123] object-"kube-system"/"coredns": Failed to list *v1.ConfigMap:
3月 21 19:03:07 localhost.localdomain kubelet[4084]: I0321 19:03:07.215849 4084 trace.go:116] Trace[1596043133]: "Reflector ListAndWatch" name:object-"kube-syst
3月 21 19:03:07 localhost.localdomain kubelet[4084]: Trace[1596043133]: [16.600026154s] [16.600026154s] END
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.215870 4084 reflector.go:123] object-"kube-system"/"calico-kube-controllers-token-n8wt8": Fa
3月 21 19:03:07 localhost.localdomain kubelet[4084]: I0321 19:03:07.415833 4084 trace.go:116] Trace[1895303640]: "Reflector ListAndWatch" name:object-"kube-syst
3月 21 19:03:07 localhost.localdomain kubelet[4084]: Trace[1895303640]: [19.684820866s] [19.684820866s] END
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.415863 4084 reflector.go:123] object-"kube-system"/"calico-config": Failed to list *v1.Confi
3月 21 19:03:07 localhost.localdomain kubelet[4084]: E0321 19:03:07.418879 4084 reflector.go:123] Failed to list *v1b
All the steps I did are as follows:
step 1: Generate a certificate
mkdir -p /work/deploy/kubernetes/security/aggregatorLayer_tls
cd /work/deploy/kubernetes/security/aggregatorLayer_tls
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.pem -subj "/CN=k8s-aggregator/O=k8s-egg"
openssl genrsa -out aggregator.key 2048
openssl req -new -key aggregator.key -out aggregator.csr -subj "/O=k8s-egg/CN=aggregator"
openssl x509 -req -days 3650 -in aggregator.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out aggregator.pem
step 2: Configuration parameters
vim /etc/kubernetes/apiserver
KUBE_AGGREGATOR_ARGS="--requestheader-client-ca-file=/work/deploy/kubernetes/security/aggregatorLayer_tls/ca.pem --requestheader-allowed-names=aggregator --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --proxy-client-cert-file=/work/deploy/kubernetes/security/aggregatorLayer_tls/aggregator.pem --proxy-client-key-file=aggregator.key"
step 3: Add the boot parameters to the boot file
[root@localhost ~]# cat /usr/lib/systemd/system/kube-apiserver.service
Description=Kube-apiserver Service
step 4: Start kube-apiserver. Startup failed, with the log shown above.
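A preflight check for the flags in step 2, added here as an example and not part of the original post or of Kubernetes: it reports certificate and key flags whose value is missing, unreadable or a relative path (a relative path is resolved against the service's working directory, not the certificate directory), then checks with openssl that the proxy client certificate chains to the request-header CA, that its CN is listed in --requestheader-allowed-names, and that the key matches the certificate. The function names and SAMPLE_ARGS are assumptions; the flag values are copied from the post.

```shell
#!/bin/sh
# Added example: preflight for kube-apiserver aggregator flags (values from step 2).
D=/work/deploy/kubernetes/security/aggregatorLayer_tls
SAMPLE_ARGS="--requestheader-client-ca-file=$D/ca.pem --requestheader-allowed-names=aggregator \
--proxy-client-cert-file=$D/aggregator.pem --proxy-client-key-file=aggregator.key"

# Print the value of --NAME=VALUE from a flag string (empty if the flag is absent).
flag_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^--$2=//p" | head -n 1
}

# Report file flags that are missing, relative or unreadable; return 1 on any finding.
check_paths() {
    rc=0
    for f in requestheader-client-ca-file proxy-client-cert-file proxy-client-key-file; do
        v=$(flag_value "$1" "$f")
        case "$v" in
            "") echo "MISSING --$f"; rc=1 ;;
            /*) [ -r "$v" ] || { echo "UNREADABLE --$f=$v"; rc=1; } ;;
            *)  echo "RELATIVE --$f=$v"; rc=1 ;;
        esac
    done
    return $rc
}

# With readable files: check the chain, the CN allow-list and the key pairing.
check_certs() {
    ca=$(flag_value "$1" requestheader-client-ca-file)
    crt=$(flag_value "$1" proxy-client-cert-file)
    key=$(flag_value "$1" proxy-client-key-file)
    names=$(flag_value "$1" requestheader-allowed-names)
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "CHAIN $crt is not signed by $ca"; return 1; }
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ -n "$names" ]; then   # an empty allow-list accepts any CN
        case ",$names," in
            *",$cn,"*) ;;
            *) echo "NAME CN '$cn' is not in '$names'"; return 1 ;;
        esac
    fi
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "KEY $key does not match $crt"; return 1; }
    echo "OK"
}
# Usage: sh preflight.sh "$KUBE_AGGREGATOR_ARGS"  (defaults to SAMPLE_ARGS)
args=${1:-$SAMPLE_ARGS}
if check_paths "$args"; then check_certs "$args"; fi || true
```

Run it as the user the service runs as, since readability of the key file depends on that account.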