Metrics-server add-on installation and configuration

1. Create the certificate used by metrics-server

vim metrics-server-csr.json

{
  "CN": "aggregator",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
              -ca-key=/etc/kubernetes/ssl/ca-key.pem \
              -config=/opt/ssl/config.json \
              -profile=kubernetes metrics-server-csr.json | cfssljson -bare metrics-server

Copy the generated certificates to all node and master nodes
cp metrics-server*.pem /etc/kubernetes/ssl/
scp metrics-server*.pem  192.168.1.8:/etc/kubernetes/ssl/

2. Modify the configuration of the Kubernetes control-plane components to support metrics-server

kube-apiserver

Add the following configuration parameters:

  --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem \
  --requestheader-extra-headers-prefix=X-Remote-Extra- \
  --requestheader-group-headers=X-Remote-Group \
  --requestheader-username-headers=X-Remote-User \
  --proxy-client-cert-file=/etc/kubernetes/ssl/metrics-server.pem \
  --proxy-client-key-file=/etc/kubernetes/ssl/metrics-server-key.pem \
  --runtime-config=api/all=true \
  • --requestheader-XXX and --proxy-client-XXX are the configuration parameters for kube-apiserver's aggregator layer, which metrics-server and HPA need;
  • --requestheader-client-ca-file: the CA used to sign the certificate specified by --proxy-client-cert-file and --proxy-client-key-file; used when the metric aggregator is enabled;
  • If the kube-apiserver machine does not run kube-proxy, the --enable-aggregator-routing=true parameter must also be added.

Note: the CA certificate specified by requestheader-client-ca-file must have client auth and server auth.

kube-controller-manager

Add the following configuration parameter:

--horizontal-pod-autoscaler-use-rest-clients=true

This configures the HPA controller to fetch metrics data through REST clients.

3. Modify the add-on configuration files

# git clone https://github.com/kubernetes-incubator/metrics-server

# cd metrics-server/deploy/1.8+

# vim metrics-server-deployment.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-server
  namespace: kube-system
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    k8s-app: metrics-server
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  template:
    metadata:
      name: metrics-server
      labels:
        k8s-app: metrics-server
    spec:
      serviceAccountName: metrics-server
      volumes:
      # mount in tmp so we can safely use from-scratch images and/or read-only containers
      - name: tmp-dir
        emptyDir: {}
      containers:
      - name: metrics-server
        image: anjia0532/google-containers.metrics-server-amd64:v0.3.1
        imagePullPolicy: Always
        command:
        - /metrics-server
        - --kubelet-insecure-tls
        - --kubelet-preferred-address-types=InternalIP
        volumeMounts:
        - name: tmp-dir
          mountPath: /tmp

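Notes: 1. By default metrics-server communicates using hostnames, and CoreDNS already includes the host's /etc/resolv.conf,
          so it is enough to add an internal DNS server, or to manually add host resolution records in the YAML of the pod's Deployment, or to change the parameter to InternalIP and connect directly by IP.
       2. kubelet-insecure-tls: skips verification of the kubelet's CA certificate; enabled temporarily. (Not recommended for production environments.)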
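
An added example, not part of the original post or of the metrics-server project: a small Python check that runs over the kube-apiserver flags from step 2 and the metrics-server command from step 3 and reports the settings worth reviewing before production use. The helper names (parse_flags, audit) and the finding ids are this example's own; --requestheader-allowed-names is a real kube-apiserver flag that the page does not set.

```python
import re

# Sample input copied from this page: kube-apiserver flags (section 2), the
# metrics-server command (section 3), and the CN in metrics-server-csr.json.
APISERVER_FLAGS = r"""
  --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem \
  --requestheader-extra-headers-prefix=X-Remote-Extra- \
  --requestheader-group-headers=X-Remote-Group \
  --requestheader-username-headers=X-Remote-User \
  --proxy-client-cert-file=/etc/kubernetes/ssl/metrics-server.pem \
  --proxy-client-key-file=/etc/kubernetes/ssl/metrics-server-key.pem \
  --runtime-config=api/all=true \
"""
METRICS_SERVER_ARGS = ["/metrics-server", "--kubelet-insecure-tls",
                       "--kubelet-preferred-address-types=InternalIP"]
PROXY_CERT_CN = "aggregator"
REQUIRED = ("requestheader-client-ca-file", "proxy-client-cert-file",
            "proxy-client-key-file")

def parse_flags(text):
    """Map --name[=value] tokens to values; a bare switch maps to 'true'."""
    flags = {}
    for token in text.replace("\\\n", " ").split():
        m = re.fullmatch(r"--([a-z0-9-]+)(?:=(.*))?", token)
        if m:
            flags[m.group(1)] = "true" if m.group(2) is None else m.group(2)
    return flags

def audit(apiserver_text, metrics_args, proxy_cn):
    """Return finding ids (names chosen for this example) for both configs."""
    api, ms = parse_flags(apiserver_text), parse_flags(" ".join(metrics_args))
    findings = [f"missing-{n}" for n in REQUIRED if n not in api]
    allowed = [n for n in api.get("requestheader-allowed-names", "").split(",") if n]
    if not allowed:
        # Empty list: any cert signed by the requestheader CA may set X-Remote-* headers.
        findings.append("allowed-names-unset")
    elif proxy_cn not in allowed:
        # The aggregator's own proxy certificate would be rejected.
        findings.append("proxy-cn-not-allowed")
    if "api/all=true" in api.get("runtime-config", "").split(","):
        # Turns on every API version, alpha included.
        findings.append("all-api-versions-enabled")
    if ms.get("kubelet-insecure-tls") == "true":
        # Kubelet serving certificates are not verified.
        findings.append("kubelet-tls-unverified")
    return findings

if __name__ == "__main__":
    print(audit(APISERVER_FLAGS, METRICS_SERVER_ARGS, PROXY_CERT_CN))
```

Run against the flags exactly as shown on this page, it reports three findings; setting --requestheader-allowed-names to the certificate's CN (aggregator), narrowing --runtime-config, and dropping --kubelet-insecure-tls clears them.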

4. Once the changes are made, deploy

# kubectl apply -f .

# kubectl get pods -n kube-system | grep metrics

# kubectl get apiservice v1beta1.metrics.k8s.io -o yaml

5. Verify that it works

# kubectl top nodes

NAME    CPU(cores)   CPU%   MEMORY(bytes)   MEMORY%   
es-60   377m         18%    5915Mi          76%       
es-61   267m         13%    5479Mi          70%  

References: https://github.com/kubernetes-incubator/metrics-server/issues/97


Reposted from www.cnblogs.com/wjoyxt/p/10003159.html