簡介
本文檔介紹用於恢復kube-apiserver pod連續重啟的解決方案。
必要條件
需求
思科建議您瞭解以下主題:
- 多克和庫伯內特
- 思科使用者微服務基礎架構(SMI)Ultra雲核心通用執行環境(CEE)
採用元件
本檔案中的資訊是根據Kubernetes v1.21.0版本。
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
什麼是kube-apiserver?
a.驗證使用者
b.驗證請求
c.檢索資料
d.更新ETCD
e.排程器
f.庫貝萊
- 其他元件(如排程程式、kube-controller-manager和kubelet)使用API伺服器在各自區域的集群中執行更新。
問題
連續觀察kube-apiserver-smf-data-master-3重新啟動。在這種情況下,執行kubectl CLI kubectl get pod -A -o wide | grep apiserver確定問題:
cloud-user@smf-data-master-1:~$ kubectl get pods -A -o wide | grep apiserver
kube-system kube-apiserver-smf-data-master-1 1/1 Running 4 68d 10.192.1.22 smf-data-master-1 <none> <none>
kube-system kube-apiserver-smf-data-master-2 1/1 Running 4 68d 10.192.1.23 smf-data-master-2 <none> <none>
kube-system kube-apiserver-smf-data-master-3 0/1 Running 2 68d 10.192.1.24 smf-data-master-3 <none> <none>
cloud-user@smf-data-master-1:~$
在kubettl logs <kube-apiserver_pod_name> -n kube-system中觀察到以下錯誤:
cloud-user@smf-data-master-1:~$ kubectl logs kube-apiserver-smf-data-master-3 -n kube-system
E1116 20:09:52.635602 1 cacher.go:419] cacher (*core.Secret): unexpected ListAndWatch error: failed to list *core.Secret: unable to transform key "/registry/secrets/cee-dnceed21/alert-logger-sa-token-dzhkb": invalid padding on input; reinitializing...
E1116 20:09:53.691253 1 cacher.go:419] cacher (*core.Secret): unexpected ListAndWatch error: failed to list *core.Secret: unable to transform key "/registry/secrets/cee-dnceed21/alert-logger-sa-token-dzhkb": invalid padding on input; reinitializing...
E1116 20:09:54.751145 1 cacher.go:419] cacher (*core.Secret): unexpected ListAndWatch error: failed to list *core.Secret: unable to transform key "/registry/secrets/cee-dnceed21/alert-logger-sa-token-dzhkb": invalid padding on input; reinitializing...
E1116 20:09:55.808782 1 cacher.go:419] cacher (*core.Secret): unexpected ListAndWatch error: failed to list *core.Secret: unable to transform key "/registry/secrets/cee-dnceed21/alert-logger-sa-token-dzhkb": invalid padding on input; reinitializing...
E1116 20:09:56.865492 1 cacher.go:419] cacher (*core.Secret): unexpected ListAndWatch error: failed to list *core.Secret: unable to transform key "/registry/secrets/cee-dnceed21/alert-logger-sa-token-dzhkb": invalid padding on input; reinitializing...
E1116 20:09:57.906426 1 cacher.go:419] cacher (*core.Secret): unexpected ListAndWatch error: failed to list *core.Secret: unable to transform key "/registry/secrets/cee-dnceed21/alert-logger-sa-token-dzhkb": invalid padding on input; reinitializing...
E1116 20:09:58.963801 1 cacher.go:419] cacher (*core.Secret): unexpected ListAndWatch error: failed to list *core.Secret: unable to transform key "/registry/secrets/cee-dnceed21/alert-logger-sa-token-dzhkb": invalid padding on input; reinitializing...
E1116 20:10:00.027583 1 cacher.go:419] cacher (*core.Secret): unexpected ListAndWatch error: failed to list *core.Secret: unable to transform key "/registry/secrets/cee-dnceed21/alert-logger-sa-token-dzhkb": invalid padding on input; reinitializing...
E1116 20:10:01.084615 1 cacher.go:419] cacher (*core.Secret): unexpected ListAndWatch error: failed to list *core.Secret: unable to transform key "/registry/secrets/cee-dnceed21/alert-logger-sa-token-dzhkb": invalid padding on input; reinitializing...
E1116 20:10:02.206947 1 cacher.go:419] cacher (*core.Secret): unexpected ListAndWatch error: failed to list *core.Secret: unable to transform key "/registry/secrets/cee-dnceed21/alert-logger-sa-token-dzhkb": invalid padding on input; reinitializing...
E1116 20:10:03.256261 1 cacher.go:419] cacher (*core.Secret): unexpected ListAndWatch error: failed to list *core.Secret: unable to transform key "/registry/secrets/cee-dnceed21/alert-logger-sa-token-dzhkb": invalid padding on input; reinitializing...
E1116 20:10:04.313860 1 cacher.go:419] cacher (*core.Secret): unexpected ListAndWatch error: failed to list *core.Secret: unable to transform key "/registry/secrets/cee-dnceed21/alert-logger-sa-token-dzhkb": invalid padding on input; reinitializing...
E1116 20:10:05.363353 1 cacher.go:419] cacher (*core.Secret): unexpected ListAndWatch error: failed to list *core.Secret: unable to transform key "/registry/secrets/cee-dnceed21/alert-logger-sa-token-dzhkb": invalid padding on input; reinitializing...
要恢復,您必須嘗試使用CLI kubettl delete pod <kube-apiserver_pod_name> -n kube-system重新啟動kube-apiserver pod,但無幫助。
根本原因分析
進一步分析發現,kube-apiserver不斷重新啟動的master-3與其他主節點之間的secret值差異導致了此問題。
From Master-1:
cloud-user@smf-data-master-1:~$ cat /data/kubernetes/secrets.conf
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- aescbc:
keys:
- name: key1
secret: BG5hleucjlD5ZDkFYUxoGLHHhBA/AeoNruHM0i70/ZI= <<<<<<<<<<
- identity: {}
cloud-user@smf-data-master-1:~$
From Master-3:
cloud-user@smf-data-master-3:~$ cat /data/kubernetes/secrets.conf
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- aescbc:
keys:
- name: key1
secret: XK+7mbh3YEnMdqswtySQ1d6QRehg+K6/J1d2e3EnMvI= <<<<<<<<
- identity: {}
cloud-user@smf-data-master-3:~$
恢復步驟
- 作為恢復的一部分,請將master-3的當前機密複製到備份檔案:
cloud-user@smf-data-master-3:~$ sudo cp /data/kubernetes/secrets.conf /data/kubernetes/secrets.conf-bkp
2.編輯金鑰,在Master-3中配置金鑰,並將secret的值更改為其他主節點中看到的值。
cloud-user@smf-data-master-3:~$ sudo vim /data/kubernetes/secrets.conf
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- aescbc:
keys:
- name: key1
secret: XK+7mbh3YEnMdqswtySQ1d6QRehg+K6/J1d2e3EnMvI= <---- Change this value to “BG5hleucjlD5ZDkFYUxoGLHHhBA/AeoNruHM0i70/ZI=“ as in other Master nodes
- identity: {}
3.重新啟動Master-3上的kube-apiserver容器:
cloud-user@smf-data-master-3:~$ sudo docker ps -f "name=k8s_kube-apiserver" -q | xargs sudo docker restart
過帳支票
從主節點驗證Kubernetes:
cloud-user@pod-name-smf-master-1:~$ kubectl get pods -A -o wide | grep kube-apiserver
現在,所有Pod必須均已啟動且必須運行無任何重新啟動。
意見