metrics-server 部署报错

胜似代码仔2025-11-27 10:59

问题表现

swift 复制代码 
E1126 07:37:20.876269       1 scraper.go:149] "Failed to scrape node" err="Get \"https://192.168.174.135:10250/metrics/resource\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.174.135 because it doesn't contain any IP SANs" node="server-06"
E1126 07:37:20.881132       1 scraper.go:149] "Failed to scrape node" err="Get \"https://192.168.174.136:10250/metrics/resource\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.174.136 because it doesn't contain any IP SANs" node="server-07"
E1126 07:37:20.886884       1 scraper.go:149] "Failed to scrape node" err="Get \"https://192.168.174.133:10250/metrics/resource\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.174.133 because it doesn't contain any IP SANs" node="server-04"
E1126 07:37:20.891583       1 scraper.go:149] "Failed to scrape node" err="Get \"https://192.168.174.134:10250/metrics/resource\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.174.134 because it doesn't contain any IP SANs" node="server-05"
I1126 07:37:24.595189       1 server.go:192] "Failed probe" probe="metric-storage-ready" err="no metrics to serve"
I1126 07:37:34.596509       1 server.go:192] "Failed probe" probe="metric-storage-ready" err="no metrics to serve"
E1126 07:37:35.842888       1 scraper.go:149] "Failed to scrape node" err="Get \"https://192.168.174.131:10250/metrics/resource\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.174.131 because it doesn't contain any IP SANs" node="server-03"
E1126 07:37:35.843603       1 scraper.go:149] "Failed to scrape node" err="Get \"https://192.168.174.136:10250/metrics/resource\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.174.136 because it doesn't contain any IP SANs" node="server-07"
E1126 07:37:35.865009       1 scraper.go:149] "Failed to scrape node" err="Get \"https://192.168.174.137:10250/metrics/resource\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.174.137 because it doesn't contain any IP SANs" node="server-08"
E1126 07:37:35.869804       1 scraper.go:149] "Failed to scrape node" err="Get \"https://192.168.174.135:10250/metrics/resource\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.174.135 because it doesn't contain any IP SANs" node="server-06"
E1126 07:37:35.875473       1 scraper.go:149] "Failed to scrape node" err="Get \"https://192.168.174.133:10250/metrics/resource\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.174.133 because it doesn't contain any IP SANs" node="server-04"
E1126 07:37:35.880808       1 scraper.go:149] "Failed to scrape node" err="Get \"https://192.168.174.134:10250/metrics/resource\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.174.134 because it doesn't contain any IP SANs" node="server-05"

问题解释

控制平面节点初始化或者 join 以及工作节点 join 都是自签 kubelet server 端的证书,第三方组件请求 kubelet 获取信息时 TLS 握手校验 kubelet server 证书时,发现请求的 ip 不在证书的 sans 中,则无法通过证书校验,TLS 握手失败。有个配置可以将 kubelet server 证书改为请求 Kubernetes CA 签发

ini 复制代码 
# 默认行为(没有 serverTLSBootstrap)
kubelet 启动
  ↓
自己生成证书(自签名)
  ↓
Issuer: CN = server-03-ca@1764041318  # ❌ 自己签发自己
Subject: CN = server-03@1764041318
  ↓
其他组件不信任这个证书
  ↓
需要 --kubelet-insecure-tls 跳过验证

配置 serverTLSBootstrap 为 true 后

ini 复制代码 
kubelet 启动
  ↓
不再自己生成证书
  ↓
而是请求 Kubernetes CA 签发
  ↓
Issuer: CN = kubernetes  # ✅ 由可信 CA 签发
Subject: CN = system:node:server-03, O = system:nodes
  ↓
所有组件都信任这个证书
  ↓
不需要 --kubelet-insecure-tls

解决方案

编辑每个节点的 kubelet 配置:

bash 复制代码 
# 编辑 kubelet 配置
vim /var/lib/kubelet/config.yaml

添加或修改:

vbnet 复制代码 
serverTLSBootstrap: true

重启 kubelet

复制代码 
systemctl restart kubelet

在主节点批准 CSR 请求

csharp 复制代码 
# 查看待批准的 CSR
kubectl get csr

# 批准所有待处理的 CSR
kubectl get csr | grep Pending | awk '{print $1}' | xargs kubectl certificate approve

问题解决

metrics-server 能正常获取到节点指标

vbscript 复制代码 
root@server-03:~# kubectl top nodes
NAME        CPU(cores)   CPU(%)   MEMORY(bytes)   MEMORY(%)   
server-03   108m         5%       1054Mi          27%         
server-04   110m         5%       828Mi           21%         
server-05   98m          4%       907Mi           24%         
server-06   26m          1%       392Mi           10%         
server-07   18m          0%       369Mi           9%          
server-08   20m          1%       367Mi           9%
相关推荐
鹤落晴春1 天前
RH124问答3:从命令行管理文件
linux·运维·服务器
guslegend1 天前
大模型驱动大数据SRE智能运维
大数据·运维
遇见火星1 天前
Docker Compose 完全入门:一键启动所有容器
运维·docker·容器·docker compose
小啊曼1 天前
CIO实战方法论_11_组织变革打破部门墙
运维
❀搜不到1 天前
远程服务器codex使用本地cc-switch的deepseek api
运维·服务器
虾壳云官方1 天前
OpenClaw 2.7.9 Windows 一键部署教程:零基础也能搭建 AI 自动化助手
运维·人工智能·windows·自动化·openclaw·openclaw一键部署
江南风月1 天前
WGCLOUD保姆级教程最新版整理
运维·zabbix·运维开发·prometheus·日志审计
志栋智能1 天前
超自动化巡检:知识沉淀与团队协作的新载体
大数据·运维·网络·数据库·人工智能·自动化
vsropy1 天前
Ubuntu网络图标消失问题/有网络问号
linux·运维·ubuntu
fofantasy1 天前
NSK LH12AN 微型导轨技术手册
运维·网络·数据库·经验分享·规格说明书
热门推荐
01HTTP 与 HTTPS 的区别:从原理到实战详解022026年6月AI行业全景:从百模大战到Agent元年,这30天发生了什么?032026 AI 编程工具终极实战指南:Cursor vs Claude Code vs Copilot,开发者该怎么选?04【AI】2026 年具身智能模型和世界模型总结05GitHub 镜像站点062026 年 AI 编程工具终极横评:Cursor vs Claude Code vs Copilot vs Windsurf07AI科技热点日报 | 2026年6月1日08上线仅72小时被强制下架:Claude Fable 5 的短命09《置身钉内》原文-可播放阅读10Claude Code、Codex、Cursor三分天下:2026年AI编程Agent生态全景剖析