One master, one node: node names displayed as IP addresses

Posted effortsing



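# Installation order: first install the required components on test1, then install the node components on test2 by itself so that it works as a node, and finally come back and configure test1 to join the cluster so that it works as a node too

# In this lab the kubelet component is not installed on test1. A CSR is only generated once kubelet is installed and started, and a machine only becomes a node after kube-apiserver approves that CSR. That is why the node is installed separately

# Note: three machines were prepared and all three went through the environment preparation, but the k8s cluster only uses test1 and test2. test3 can be added to the cluster at any time

# Note: in this lab etcd is not installed on test2; the etcd installed there earlier has been removed

# In this lab the kubelet parameter --hostname-override= is set to the IP address, so the NAME shown by kubectl get nodes is the IP. If the hostname is given instead, the NAME is the hostname

Lab architecture:

# Note: the order of the components listed below is the order in which they are installed in this lab

test1: 192.168.0.91    etcd, kubectl, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, cni, kube-proxy

test2: 192.168.0.92    docker, kubectl, kubelet, cni, kube-proxy, flannel, coredns

test3: 192.168.0.93

1. Environment configuration

Run the following on all nodes

Configure hosts resolution
[root@bogon ~]# hostnamectl set-hostname test1
[root@bogon ~]# hostnamectl set-hostname test2
[root@bogon ~]# hostnamectl set-hostname test3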

cat >>/etc/hosts<<EOF
192.168.0.91 test1
192.168.0.92 test2
192.168.0.93 test3
EOF


Disable SELinux

sed -i 's/SELINUX=permissive/SELINUX=disabled/' /etc/sysconfig/selinux

sed -i 's/enforcing/disabled/g' /etc/selinux/config


Turn off swap

# Comment out the swap-related line in /etc/fstab

sed -i 's/\/dev\/mapper\/centos-swap/#\/dev\/mapper\/centos-swap/g' /etc/fstab


# Turn off the firewall

systemctl stop firewalld && systemctl disable firewalld


Configure passwordless login


Log out of Xshell and log in again; the hostname has now changed


Enable forwarding
iptables -P FORWARD ACCEPT


Configure the forwarding-related parameters
cat >> /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0
EOF
sysctl --system


Load the ipvs-related kernel modules
They must be loaded again after a reboot
modprobe ip_vs
modprobe ip_vs_rr
modprobe ip_vs_wrr
modprobe ip_vs_sh
modprobe nf_conntrack_ipv4
lsmod | grep ip_vs


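2. Install etcd
For the etcd installation see: https://www.cnblogs.com/effortsing/p/10295261.html

The installation of the k8s components starts below; the numbering starts from 6


6. Distribute the binaries

# Run on test1 only

# Distribute the binaries of all k8s components ahead of time and install kubectl along the way

# The unpacked package already includes kubectl, so there is no need to distribute kubectl separately from the kubernetes-server-client-amd64.tar.gz package


Download and unpack the package

cd /server/software/k8s

Download link: https://pan.baidu.com/s/1DXahqP8nXWP1aw5pIunJrw
Extraction code: 9xfp

tar -xf kubernetes-server-linux-amd64.tar.gz



Distribute the binaries of all components

# The startup files configured later for kube-apiserver and the other components must reference the path of each binary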

mkdir -p /usr/local/kubernetes/bin
cd /server/software/k8s/kubernetes/server/bin
cp kube-apiserver kube-controller-manager kube-scheduler kube-proxy kubectl /usr/local/kubernetes/bin    # This step is critical



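Install kubectl

# It is needed later when creating the admin kubeconfig and the other configuration files;

# admin.conf = ~/.kube/config, because it is copied from it;

# What kubectl does: after the kubelet component has passed bootstrap token authentication, kubectl by default reads the kube-apiserver address, certificates, user name and other information from ~/.kube/config;

cp /usr/local/kubernetes/bin/kubectl /usr/local/bin/kubectl



Check the kubectl version

# Output like the following is correct. Ignore the "did you specify the right host or port?" error, because the kubelet service is not installed yet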

kubectl version

[root@test1 bin]# kubectl version
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.0", GitCommit:"91e7b4fd31fcd3d5f436da26c980becec37ceefe", GitTreeState:"clean", BuildDate:"2018-06-27T20:17:28Z", GoVersion:"go1.10.2", Compiler:"gc", Platform:"linux/amd64"}
The connection to the server localhost:8080 was refused - did you specify the right host or port?
 
cd $HOME




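7. Generate the admin CA certificate and private key

# Run on test1 only

# kubectl is the cluster's management tool and needs to be granted the highest privileges. Here we create an admin certificate and an admin kubeconfig with the highest privileges

# Note: later only the startup parameters of the apiserver and kubelet services use the admin CA certificate; the kubectl tool and the kubelet service are not the same thing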

cd $HOME/ssl

cat >admin-csr.json<<EOF
{
    "CN": "admin",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "system:masters",
            "OU": "System"
        }
    ]
}
EOF


Generate the certificate

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
-profile=kubernetes admin-csr.json | cfssljson -bare admin


List the generated admin CA certificate

ls admin*.pem




8. Configure the kube-apiserver CA certificate

# Run on test1 only

# 10.96.0.1 is the first IP of the service-cluster-ip-range network specified for kube-apiserver

cd $HOME/ssl

cat >kube-apiserver-csr.json<<EOF
{
    "CN": "kube-apiserver",
    "hosts": [
      "127.0.0.1",
      "192.168.0.91",
      "192.168.0.92",
      "192.168.0.93",
      "10.96.0.1",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

Generate the kube-apiserver CA certificate

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
-profile=kubernetes kube-apiserver-csr.json | cfssljson -bare kube-apiserver

List the generated kube-apiserver CA certificate

ls kube-apiserver*.pem




9. Configure the kube-controller-manager CA certificate

# Run on test1 only

cd $HOME/ssl

cat >kube-controller-manager-csr.json<<EOF
{
    "CN": "system:kube-controller-manager",
    "hosts": [
      "127.0.0.1",
      "192.168.0.91"
    ],  
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "system:kube-controller-manager",
            "OU": "System"
        }
    ]
}
EOF

Generate the kube-controller-manager CA certificate

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
-profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager

List the generated kube-controller-manager CA certificate

ls kube-controller-manager*.pem






10. Configure the kube-scheduler CA certificate

# Run on test1 only

cd $HOME/ssl

cat >kube-scheduler-csr.json<<EOF
{
    "CN": "system:kube-scheduler",
    "hosts": [
      "127.0.0.1",
      "192.168.0.91"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "system:kube-scheduler",
            "OU": "System"
        }
    ]
}
EOF

Generate the kube-scheduler CA certificate

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
-profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler

List the generated kube-scheduler CA certificate

ls kube-scheduler*.pem




11. Configure the kube-proxy CA certificate

# Run on test1 only

# Note: only node machines need the kube-proxy CA certificate

cd $HOME/ssl

cat >kube-proxy-csr.json<<EOF
{
    "CN": "system:kube-proxy",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "system:kube-proxy",
            "OU": "System"
        }
    ]
}
EOF


Generate the kube-proxy CA certificate

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
-profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

List the generated kube-proxy CA certificate

ls kube-proxy*.pem



12. Copy all the CA certificates into one directory for easier management

# Run on test1 only

cd $HOME/ssl
mkdir -p /etc/kubernetes/pki
cp ca*.pem admin*.pem kube-proxy*.pem kube-scheduler*.pem kube-controller-manager*.pem kube-apiserver*.pem /etc/kubernetes/pki
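
The CSR files in steps 7 to 11 decide who each certificate authenticates as: kube-apiserver takes the certificate's CN as the user name and each O as a group, so admin.pem (O=system:masters) carries cluster-admin rights. The following is an added example, not part of the original post, that prints this mapping; the function names are hypothetical and the sample subjects are constructed from the CSR files above.

```bash
#!/usr/bin/env bash
# Added example (function names are hypothetical, not from the original post).
# kube-apiserver's client-certificate authentication takes CN as the user name
# and every O as a group.

# subject_to_identity SUBJECT: SUBJECT is one RFC 2253 subject line, as printed by
#   openssl x509 -in admin.pem -noout -subject -nameopt RFC2253
# Prints "user=<CN> groups=<O[,O...]>". Assumes no escaped commas in the values.
subject_to_identity() {
  printf '%s\n' "$1" | sed 's/^subject= *//' | tr ',' '\n' | awk -F= '
    $1 == "CN" { user = $2 }
    $1 == "O"  { groups = (groups == "" ? $2 : groups "," $2) }
    END { printf "user=%s groups=%s\n", user, groups }'
}

# is_cluster_admin_cert SUBJECT: succeeds when the subject is in system:masters,
# the group that the default RBAC bindings map to cluster-admin.
is_cluster_admin_cert() {
  case ",$(subject_to_identity "$1" | sed 's/.* groups=//')," in
    *,system:masters,*) return 0 ;;
    *) return 1 ;;
  esac
}

# audit_pki_dir [DIR]: print the identity of every certificate in DIR (needs openssl).
audit_pki_dir() {
  dir=${1:-/etc/kubernetes/pki}
  for pem in "$dir"/*.pem; do
    case "$pem" in *-key.pem) continue ;; esac
    subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253) || continue
    flag=""
    if is_cluster_admin_cert "$subj"; then flag="  <-- cluster-admin"; fi
    printf '%s: %s%s\n' "${pem##*/}" "$(subject_to_identity "$subj")" "$flag"
  done
}

# Constructed subjects that mirror admin-csr.json and kube-proxy-csr.json.
ADMIN_SUBJ='subject=CN=admin,OU=System,O=system:masters,L=BeiJing,ST=BeiJing,C=CN'
PROXY_SUBJ='subject=CN=system:kube-proxy,OU=System,O=system:kube-proxy,L=BeiJing,ST=BeiJing,C=CN'
subject_to_identity "$ADMIN_SUBJ"
subject_to_identity "$PROXY_SUBJ"
```

On test1, `audit_pki_dir /etc/kubernetes/pki` lists every certificate copied in step 12 and marks the ones that authenticate as cluster-admin.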



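13. Enable bootstrap token authentication (the kubelet TLS Bootstrap mechanism)

# Run on test1 only

# The kube-apiserver and kubelet startup files need the token,

# The token includes the kubelet-bootstrap user

# Later the kubelet startup parameters use the kubelet-bootstrap.conf file to send a CSR request to kube-apiserver,

# Only after the request is approved does kubectl read the kube-apiserver address, certificates, user name and other information from ~/.kube/config



Obtain the token statically

# The other way is to obtain the token dynamically with kubeadm (kubeadm token create), which lets the TLS bootstrap mechanism generate the client and server certificates automatically and rotate them when they expire.

# This lab obtains the token statically; it expires after one day

export BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')



Create the token.csv file

# Only the kube-apiserver startup file needs it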

cat > /etc/kubernetes/token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF



Create kubelet-bootstrap.conf

# Only the kubelet startup file needs it

cd /etc/kubernetes

export KUBE_APISERVER="https://192.168.0.91:6443"

kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kubelet-bootstrap.conf

kubectl config set-credentials kubelet-bootstrap \
  --token=${BOOTSTRAP_TOKEN} \
  --kubeconfig=kubelet-bootstrap.conf

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=kubelet-bootstrap.conf

kubectl config use-context default --kubeconfig=kubelet-bootstrap.conf



Authorize the kubelet-bootstrap user

# Create a clusterrolebinding that grants the kubelet-bootstrap user from the bootstrap token file the system:node-bootstrapper cluster role

# By default the bootstrap user and group have no permission to create CSRs and kubelet fails to start, so the kubelet-bootstrap role must be authorized

kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap

# Without the authorization the following error appears:

[root@test2 kubernetes]# journalctl -u kubelet |tail
failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "kubelet-bootstrap" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope



14. Create the admin kubeconfig

Run on test1 only

# Only the kubelet service startup parameters need the admin kubeconfig,
# admin.conf = ~/.kube/config, because it is copied from it; kubectl by default reads the kube-apiserver address, certificates, user name and other information from ~/.kube/config,

cd /etc/kubernetes

export KUBE_APISERVER="https://192.168.0.91:6443"

Set the cluster parameters

kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=admin.conf

Set the client authentication parameters

kubectl config set-credentials admin \
  --client-certificate=/etc/kubernetes/pki/admin.pem \
  --client-key=/etc/kubernetes/pki/admin-key.pem \
  --embed-certs=true \
  --kubeconfig=admin.conf

Set the context parameters

kubectl config set-context default \
  --cluster=kubernetes \
  --user=admin \
  --kubeconfig=admin.conf

Set the default context

kubectl config use-context default --kubeconfig=admin.conf



15. Create the kube-controller-manager kubeconfig

Run on test1 only

cd /etc/kubernetes

export KUBE_APISERVER="https://192.168.0.91:6443"

kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-controller-manager.conf

kubectl config set-credentials kube-controller-manager \
  --client-certificate=/etc/kubernetes/pki/kube-controller-manager.pem \
  --client-key=/etc/kubernetes/pki/kube-controller-manager-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-controller-manager.conf

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-controller-manager \
  --kubeconfig=kube-controller-manager.conf

kubectl config use-context default --kubeconfig=kube-controller-manager.conf




16. Create the kube-scheduler kubeconfig

# Run on test1 only

cd /etc/kubernetes

export KUBE_APISERVER="https://192.168.0.91:6443"

kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-scheduler.conf

kubectl config set-credentials kube-scheduler \
  --client-certificate=/etc/kubernetes/pki/kube-scheduler.pem \
  --client-key=/etc/kubernetes/pki/kube-scheduler-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-scheduler.conf

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-scheduler \
  --kubeconfig=kube-scheduler.conf

kubectl config use-context default --kubeconfig=kube-scheduler.conf




17. Create the kube-proxy kubeconfig

# Run on test1 only

# Note: only node machines need the kube-proxy kubeconfig

cd /etc/kubernetes

export KUBE_APISERVER="https://192.168.0.91:6443"

kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-proxy.conf

kubectl config set-credentials kube-proxy \
  --client-certificate=/etc/kubernetes/pki/kube-proxy.pem \
  --client-key=/etc/kubernetes/pki/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.conf

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.conf

kubectl config use-context default --kubeconfig=kube-proxy.conf

cd $HOME
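
Steps 13 to 17 repeat the same set-cluster call for every kubeconfig, so one mistyped ${KUBE_APISERVER} or a different CA file leaves a file that cannot reach or verify the API server. The following is an added example, not part of the original post, that checks the generated files for the same server URL and the same embedded CA; the function names are hypothetical and the sample kubeconfigs and CA strings are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (function names are hypothetical, not from the original post).

# kubeconfig_field FILE KEY: print the first value of "KEY:" found in a kubeconfig.
kubeconfig_field() {
  awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# check_kubeconfigs EXPECTED_SERVER FILE...: every file must point at the expected
# API server and embed the same CA as the first file. Prints one line per finding
# and returns non-zero if there is any.
check_kubeconfigs() {
  want=$1; shift
  ref_ca="" rc=0
  for f in "$@"; do
    server=$(kubeconfig_field "$f" server)
    ca=$(kubeconfig_field "$f" certificate-authority-data)
    [ -n "$ref_ca" ] || ref_ca=$ca
    if [ "$server" != "$want" ]; then
      echo "$f: server is '$server', expected '$want'"; rc=1
    fi
    if [ -z "$ca" ]; then
      echo "$f: no embedded CA (certificate-authority-data)"; rc=1
    elif [ "$ca" != "$ref_ca" ]; then
      echo "$f: embedded CA differs from $1"; rc=1
    fi
  done
  return $rc
}

# Constructed kubeconfigs: the CA values are placeholders, not real certificates.
write_conf() {
  printf 'clusters:\n- cluster:\n    certificate-authority-data: %s\n    server: %s\n  name: kubernetes\n' \
    "$2" "$3" > "$1"
}
demo=$(mktemp -d)
write_conf "$demo/admin.conf"          Q0FfQQ== https://192.168.0.91:6443
write_conf "$demo/kube-proxy.conf"     Q0FfQQ== https://192.168.0.91:6443
write_conf "$demo/kube-scheduler.conf" Q0FfQg== ""   # empty server, different CA
check_kubeconfigs https://192.168.0.91:6443 "$demo"/*.conf || echo "fix the files listed above"
```

On test1 the equivalent call is `check_kubeconfigs "$KUBE_APISERVER" /etc/kubernetes/*.conf`.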




18. Configure and start kube-apiserver

# Run on test1 only

Copy the etcd CA certificates

mkdir -pv /etc/kubernetes/pki/etcd
cd $HOME/ssl
cp etcd.pem etcd-key.pem ca-key.pem ca.pem /etc/kubernetes/pki/etcd



Generate the service account key

cd /etc/kubernetes/pki/
openssl genrsa -out /etc/kubernetes/pki/sa.key 2048
openssl rsa -in /etc/kubernetes/pki/sa.key -pubout -out /etc/kubernetes/pki/sa.pub
ls /etc/kubernetes/pki/sa.*
cd $HOME



Configure the startup file

cat >/etc/systemd/system/kube-apiserver.service<<EOF
[Unit]
Description=Kubernetes API Service
Documentation=https://github.com/kubernetes/kubernetes
After=network.target

[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/apiserver
ExecStart=/usr/local/kubernetes/bin/kube-apiserver \\
        \$KUBE_LOGTOSTDERR \\
        \$KUBE_LOG_LEVEL \\
        \$KUBE_ETCD_ARGS \\
        \$KUBE_API_ADDRESS \\
        \$KUBE_SERVICE_ADDRESSES \\
        \$KUBE_ADMISSION_CONTROL \\
        \$KUBE_APISERVER_ARGS
Restart=on-failure
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF



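Configure the parameter variable file

# The kube-apiserver, kube-controller-manager, kube-scheduler and kube-proxy services below all need it. It is configured only once here and reused afterwards; the later sections write out the variable file again only to show what is going on

cat >/etc/kubernetes/config<<EOF
KUBE_LOGTOSTDERR="--logtostderr=true"
KUBE_LOG_LEVEL="--v=2"
EOF



Configure the apiserver

# Note: the parameter --token-auth-file=/etc/kubernetes/token.csv means the bootstrap token is configured statically in the apiserver. It corresponds to the step that enables bootstrap token authentication; it is not dynamic, so it has an expiry time,

# Later the kubelet startup parameters use the kubelet-bootstrap.conf file to send a CSR request to kube-apiserver; the token contained in the --bootstrap-kubeconfig file is the same as the token in the apiserver,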

cat >/etc/kubernetes/apiserver<<EOF
KUBE_API_ADDRESS="--advertise-address=192.168.0.91"
KUBE_ETCD_ARGS="--etcd-servers=https://192.168.0.91:2379 --etcd-cafile=/etc/kubernetes/pki/ca.pem --etcd-certfile=/etc/kubernetes/pki/etcd/etcd.pem --etcd-keyfile=/etc/kubernetes/pki/etcd/etcd-key.pem"
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.96.0.0/12"
KUBE_ADMISSION_CONTROL="--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"
KUBE_APISERVER_ARGS="--allow-privileged=true --authorization-mode=Node,RBAC --enable-bootstrap-token-auth=true --token-auth-file=/etc/kubernetes/token.csv --service-node-port-range=0-32767 --tls-cert-file=/etc/kubernetes/pki/kube-apiserver.pem --tls-private-key-file=/etc/kubernetes/pki/kube-apiserver-key.pem --client-ca-file=/etc/kubernetes/pki/ca.pem --service-account-key-file=/etc/kubernetes/pki/sa.pub --enable-swagger-ui=true --secure-port=6443 --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --anonymous-auth=false --kubelet-client-certificate=/etc/kubernetes/pki/admin.pem --kubelet-client-key=/etc/kubernetes/pki/admin-key.pem"
EOF
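
The note above requires the token in kubelet-bootstrap.conf to be the same one that kube-apiserver loads from token.csv, and both files hold a bearer credential. The following is an added example, not part of the original post, that checks the two files against each other and flags loose file permissions; the function names are hypothetical and the sample files and token are constructed.

```bash
#!/usr/bin/env bash
# Added example (function names are hypothetical, not from the original post).

# token_from_csv FILE USER: print USER's token from a token.csv (token,user,uid,"groups").
token_from_csv() {
  awk -F, -v u="$2" '$2 == u { print $1; exit }' "$1"
}

# token_from_kubeconfig FILE: print the first "token:" value in a kubeconfig.
token_from_kubeconfig() {
  awk '$1 == "token:" { print $2; exit }' "$1"
}

# check_bootstrap_token CSV KUBECONFIG: print findings, return non-zero if any.
check_bootstrap_token() {
  csv=$1 conf=$2 rc=0
  t_csv=$(token_from_csv "$csv" kubelet-bootstrap)
  t_conf=$(token_from_kubeconfig "$conf")
  if [ -z "$t_csv" ]; then
    echo "no kubelet-bootstrap entry in $csv"; rc=1
  fi
  if [ "$t_csv" != "$t_conf" ]; then
    echo "token in $conf does not match $csv"; rc=1
  fi
  # head -c 16 /dev/urandom | od -An -t x yields 32 hex characters (128 bits).
  if ! printf '%s' "$t_csv" | grep -Eq '^[0-9a-f]{32}$'; then
    echo "token is not 32 lowercase hex characters"; rc=1
  fi
  # Characters 5-10 of the ls mode string are the group and other permission bits.
  for f in "$csv" "$conf"; do
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
      echo "$f is accessible to group or other users; chmod 600 it"; rc=1
    fi
  done
  return $rc
}

# Constructed sample files; the token is made up for the demonstration.
demo=$(mktemp -d)
tok=0123456789abcdef0123456789abcdef
printf '%s,kubelet-bootstrap,10001,"system:kubelet-bootstrap"\n' "$tok" > "$demo/token.csv"
printf 'users:\n- name: kubelet-bootstrap\n  user:\n    token: %s\n' "$tok" \
  > "$demo/kubelet-bootstrap.conf"
chmod 600 "$demo/token.csv" "$demo/kubelet-bootstrap.conf"
check_bootstrap_token "$demo/token.csv" "$demo/kubelet-bootstrap.conf" && echo "bootstrap token files OK"
```

On test1 the files to pass are /etc/kubernetes/token.csv and /etc/kubernetes/kubelet-bootstrap.conf.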



Start

systemctl daemon-reload
systemctl enable kube-apiserver
systemctl start kube-apiserver
systemctl status kube-apiserver



Test access through a browser

# A 401 error is normal; it is because there is no permission. It does no harm and will be dealt with later

curl https://192.168.0.91:6443/swaggerapi
[root@test1 ~]# curl https://192.168.0.91:6443/swaggerapi
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.


19. Configure and start kube-controller-manager

# Run on test1 only

Configure the startup file

cat >/etc/systemd/system/kube-controller-manager.service<<EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
After=network.target

[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/controller-manager
ExecStart=/usr/local/kubernetes/bin/kube-controller-manager \\
        \$KUBE_LOGTOSTDERR \\
        \$KUBE_LOG_LEVEL \\
        \$KUBECONFIG \\
        \$KUBE_CONTROLLER_MANAGER_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF



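Configure the parameter variable file

# The parameter variable file was already configured together with the kube-apiserver startup file, so it does not need to be done again; it is written here only to show where the parameters in the configuration file below come from

cat >/etc/kubernetes/config<<EOF
KUBE_LOGTOSTDERR="--logtostderr=true"
KUBE_LOG_LEVEL="--v=2"
EOF



Configure the controller-manager file

# Important: the cluster-cidr address here must match the cluster-cidr in kube-proxy and the Network address in flannel; only these three components contain 10.244.0.0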

cat >/etc/kubernetes/controller-manager<<EOF
KUBECONFIG="--kubeconfig=/etc/kubernetes/kube-controller-manager.conf"
KUBE_CONTROLLER_MANAGER_ARGS="--address=127.0.0.1 --cluster-cidr=10.244.0.0/16 --cluster-name=kubernetes --cluster-signing-cert-file=/etc/kubernetes/pki/ca.pem --cluster-signing-key-file=/etc/kubernetes/pki/ca-key.pem --service-account-private-key-file=/etc/kubernetes/pki/sa.key --root-ca-file=/etc/kubernetes/pki/ca.pem --leader-elect=true --use-service-account-credentials=true --node-monitor-grace-period=10s --pod-eviction-timeout=10s --allocate-node-cidrs=true --controllers=*,bootstrapsigner,tokencleaner"
EOF



Start
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl start kube-controller-manager
systemctl status kube-controller-manager




20. Configure and start kube-scheduler

# Run on test1 only

Configure the startup file

cat >/etc/systemd/system/kube-scheduler.service<<EOF
[Unit]
Description=Kubernetes Scheduler Plugin
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/scheduler
ExecStart=/usr/local/kubernetes/bin/kube-scheduler \\
            \$KUBE_LOGTOSTDERR \\
            \$KUBE_LOG_LEVEL \\
            \$KUBECONFIG \\
            \$KUBE_SCHEDULER_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF



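Configure the parameter variable file

# The parameter variable file was already configured together with the kube-apiserver startup file, so it does not need to be done again; it is written here only to show where the parameters in the configuration file below come from

cat >/etc/kubernetes/config<<EOF
KUBE_LOGTOSTDERR="--logtostderr=true"
KUBE_LOG_LEVEL="--v=2"
EOF



Configure the scheduler file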

cat >/etc/kubernetes/scheduler<<EOF
KUBECONFIG="--kubeconfig=/etc/kubernetes/kube-scheduler.conf"
KUBE_SCHEDULER_ARGS="--leader-elect=true --address=127.0.0.1"
EOF



Start

systemctl daemon-reload
systemctl enable kube-scheduler
systemctl start kube-scheduler
systemctl status kube-scheduler


Authorize the kubelet-bootstrap user
# Create a clusterrolebinding that grants the kubelet-bootstrap user from the bootstrap token file the system:node-bootstrapper cluster role

# By default the bootstrap user and group have no permission to create CSRs and kubelet fails to start, so the kubelet-bootstrap role must be authorized

kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap

# Without the authorization the following error appears:

[root@test2 kubernetes]# journalctl -u kubelet |tail
failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "kubelet-bootstrap" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope

Check component status

kubectl get componentstatuses

[root@test2 ~]# kubectl get componentstatuses
Unable to connect to the server: x509: certificate signed by unknown authority
# Cause of the error: after troubleshooting I found that in several of the earlier steps the variable ${KUBE_APISERVER} had been written as ${KUBE_ . I redid those steps, and the correct result is shown below

[root@test2 ~]# kubectl get componentstatuses
NAME                 STATUS    MESSAGE              ERROR
scheduler            Healthy   ok                   
controller-manager   Healthy   ok                   
etcd-0               Healthy   {"health":