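Provisioning a Kubernetes cluster with Ansible like this.
I added the code for enabling signed kubelet serving certificates (for using metrics-server).
The above commented code doesn't work, because the expected CSRs (coming from each node, with the signer kubernetes.io/kubelet-serving) arrive only after the Ansible playbook is over.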
# In controlplane
$ k get csr --sort-by=.metadata.creationTimestamp
NAME        AGE   SIGNERNAME                                    REQUESTOR                      REQUESTEDDURATION   CONDITION
csr-xkfrl   77s   kubernetes.io/kube-apiserver-client-kubelet   system:node:cluster1-master1   <none>              Approved,Issued
csr-4j72q   58s   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:asn18v        <none>              Approved,Issued
csr-n84d7   58s   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:auwd4d        <none>              Approved,Issued
csr-rrt46   57s   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:m9ozid        <none>              Approved,Issued
csr-j54mz   40s   kubernetes.io/kubelet-serving                 system:node:cluster1-worker2   <none>              Pending <- Expected CSR created after playbook over
csr-tc2fr   40s   kubernetes.io/kubelet-serving                 system:node:cluster1-worker1   <none>              Pending
csr-xfsj5   40s   kubernetes.io/kubelet-serving                 system:node:cluster1-master1   <none>              Pending
csr-8dhkd   40s   kubernetes.io/kubelet-serving                 system:node:cluster1-worker3   <none>              Pending
# The latency between the bootstrap join and the expected CSRs creation is about 18s (58 - 40)
# With pause 90s after notify restart kubelet
$ k get csr --sort-by=.metadata.creationTimestamp
NAME        AGE     SIGNERNAME                                    REQUESTOR                      REQUESTEDDURATION   CONDITION
csr-dppzq   3m5s    kubernetes.io/kube-apiserver-client-kubelet   system:node:cluster1-master1   <none>              Approved,Issued
csr-tckhh   2m46s   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:5rgz1f        <none>              Approved,Issued
csr-fqbk6   2m46s   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:u90j5e        <none>              Approved,Issued
csr-gdg6l   2m46s   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:nnzo29        <none>              Approved,Issued
csr-j2bll   58s     kubernetes.io/kubelet-serving                 system:node:cluster1-worker1   <none>              Pending <- Expected CSR
csr-s8kqf   58s     kubernetes.io/kubelet-serving                 system:node:cluster1-master1   <none>              Pending
csr-9zqfn   58s     kubernetes.io/kubelet-serving                 system:node:cluster1-worker3   <none>              Pending
csr-zp5qt   58s     kubernetes.io/kubelet-serving                 system:node:cluster1-worker2   <none>              Pending
# It shows the latency is increased by paused seconds 90s (108s = 166 - 58)
CSRs of kubernetes.io/kubelet-serving (the selector option is used to filter from the result list). Question:
kubernetes.io/kubelet-serving, with the requestor being system:node:<node>.

Posted on 2022-06-15 01:33:31
It is about Ansible.
So running it immediately, with some graceful handling, solves the problem (my commit):
- name: Flush handlers for restarting kubelets
  meta: flush_handlers
- name: Wait graceful period for restarting kubelets and creating CSRs
  pause:
    seconds: 30
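
An added example (not from the question or the answer) that generalizes the fixed pause: poll the CSR list until every expected node has a Pending kubernetes.io/kubelet-serving CSR requested by system:node:<node>, and select only those for approval. The function names, the expected-node set and the sample objects are assumptions, and the check does not inspect the SANs inside the request.

```python
import time

SIGNER = "kubernetes.io/kubelet-serving"
NODE_PREFIX = "system:node:"

def pending_serving_csrs(csr_list, expected_nodes):
    """Return {node: csr_name} for Pending kubelet-serving CSRs requested by expected nodes."""
    found = {}
    for item in csr_list.get("items", []):
        spec, status = item.get("spec", {}), item.get("status", {})
        user = spec.get("username", "")
        node = user[len(NODE_PREFIX):] if user.startswith(NODE_PREFIX) else None
        # A CSR with no Approved/Denied/Failed condition is still Pending.
        decided = any(c.get("type") in ("Approved", "Denied", "Failed")
                      for c in status.get("conditions", []))
        if (spec.get("signerName") == SIGNER and node in expected_nodes
                and "system:nodes" in spec.get("groups", []) and not decided):
            found[node] = item["metadata"]["name"]
    return found

def wait_for_serving_csrs(fetch, expected_nodes, timeout=120, interval=5,
                          sleep=time.sleep, clock=time.monotonic):
    """Poll fetch() until every expected node has a Pending serving CSR, or time out."""
    deadline = clock() + timeout
    while True:
        found = pending_serving_csrs(fetch(), expected_nodes)
        if set(found) == set(expected_nodes):
            return found
        if clock() >= deadline:
            missing = sorted(set(expected_nodes) - set(found))
            raise TimeoutError(f"no kubelet-serving CSR from: {missing}")
        sleep(interval)

def sample_csr(name, signer, user, conditions=()):
    # Constructed sample object shaped like one item of `kubectl get csr -o json`.
    return {"metadata": {"name": name},
            "spec": {"signerName": signer, "username": user,
                     "groups": ["system:nodes", "system:authenticated"]},
            "status": {"conditions": [{"type": t} for t in conditions]}}

SAMPLE = {"items": [  # constructed; names modelled on the listing in the question
    sample_csr("csr-xkfrl", "kubernetes.io/kube-apiserver-client-kubelet",
               "system:node:cluster1-master1", ["Approved"]),
    sample_csr("csr-tc2fr", SIGNER, "system:node:cluster1-worker1"),
    sample_csr("csr-j54mz", SIGNER, "system:node:cluster1-worker2"),
    sample_csr("csr-zzzzz", SIGNER, "system:node:not-in-inventory"),  # skipped
]}

if __name__ == "__main__":
    # Real use: fetch = lambda: json.loads(subprocess.check_output(["kubectl", "get", "csr", "-o", "json"]))
    print(pending_serving_csrs(SAMPLE, {"cluster1-worker1", "cluster1-worker2"}))
```

The returned names are the ones to pass to `kubectl certificate approve`; a CSR from a node outside the expected set stays Pending for manual review.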
https://stackoverflow.com/questions/72626736