Programming Q&A   Published: 2022-06-02   Source site: 大佬教程  code.js-code.com
How to resolve kubectl exec/logs on GKE returning "remote error: tls: internal error"?

I am currently getting an error when trying to exec into, or fetch logs from, pods on my GKE cluster.

$ kubectl logs <POD-NAME>
Error from server: Get "https://<NODE-PRIVATE-IP>:10250/containerLogs/default/<POD-NAME>/<DEPLOYMENT-NAME>": remote error: tls: internal error
$ kubectl exec -it <POD-NAME> -- sh
Error from server: error dialing backend: remote error: tls: internal error

One suspicious thing I found while troubleshooting is that all CSRs are being denied...

$ kubectl get csr
NAME        AGE     SIGNERNAME                      REQUESTOR                 CONDITION
csr-79zkn   4m16s   kubernetes.io/kubelet-serving   system:node:<NODE-NAME>   Denied
csr-7b5sx   91m     kubernetes.io/kubelet-serving   system:node:<NODE-NAME>   Denied
csr-7fzjh   103m    kubernetes.io/kubelet-serving   system:node:<NODE-NAME>   Denied
csr-7gstl   19m     kubernetes.io/kubelet-serving   system:node:<NODE-NAME>   Denied
csr-7hrvm   11m     kubernetes.io/kubelet-serving   system:node:<NODE-NAME>   Denied
csr-7mn6h   87m     kubernetes.io/kubelet-serving   system:node:<NODE-NAME>   Denied
csr-7nd7h   4m57s   kubernetes.io/kubelet-serving   system:node:<NODE-NAME>   Denied
...

Any idea why this happens? Maybe a firewall issue?

Thanks in advance!

Update 1

Here are the same commands with verbose output (--v=8), without the goroutine stack traces

$ kubectl logs --v=8 <POD-NAME>

I0527 09:27:59.624843   10407 loader.go:375] Config loaded from file:  /home/kevin/.kube/config
I0527 09:27:59.628621   10407 round_trippers.go:420] GET https://<PUBLIC-IP>/api/v1/namespaces/default/pods/<POD-NAME>
I0527 09:27:59.628635   10407 round_trippers.go:427] Request Headers:
I0527 09:27:59.628644   10407 round_trippers.go:431]     Accept: application/json, */*
I0527 09:27:59.628649   10407 round_trippers.go:431]     User-Agent: kubectl/v1.19.3 (linux/amd64) kubernetes/1e11e4a
I0527 09:27:59.727411   10407 round_trippers.go:446] Response Status: 200 OK in 98 milliseconds
I0527 09:27:59.727461   10407 round_trippers.go:449] Response Headers:
I0527 09:27:59.727480   10407 round_trippers.go:452]     Audit-ID: ...
I0527 09:27:59.727496   10407 round_trippers.go:452]     Cache-Control: no-cache, private
I0527 09:27:59.727512   10407 round_trippers.go:452]     Content-Type: application/json
I0527 09:27:59.727528   10407 round_trippers.go:452]     Date: Thu, 27 May 2021 07:27:59 GMT
I0527 09:27:59.727756   10407 request.go:1097] Response Body: {"kind":"Pod","apiVersion":"v1","metadata":{"name":"<POD-NAME>","generateName":"<POD-BASE-NAME>","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/<POD-NAME>","uid":"...","resourceVersion":"6764210","creationTimestamp":"2021-05-19T10:33:28Z","labels":{"app":"<NAME>","pod-template-hash":"..."},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"<POD-BASE-NAME>","controller":true,"blockOwnerDeletion":true}],"managedFields":[{"manager":"kube-controller-manager","operation":"Update","time":"2021-05-19T10:33:28Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:generateName":{},"f:labels":{".":{},"f:app":{},"f:pod-template-hash":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"...\"}":{".":{},"f:apiVersion":{},"f:blockOwnerDeletion":{},"f:controller":{},"f:kind":{},"f:name":{},"f:uid":{}}}},"f:spec":{"f:c [truncated 3250 chars]
I0527 09:27:59.745985   10407 round_trippers.go:420] GET https://<PUBLIC-IP>/api/v1/namespaces/default/pods/<POD-NAME>/log
I0527 09:27:59.746035   10407 round_trippers.go:427] Request Headers:
I0527 09:27:59.746055   10407 round_trippers.go:431]     Accept: application/json, */*
I0527 09:27:59.746071   10407 round_trippers.go:431]     User-Agent: kubectl/v1.19.3 (linux/amd64) kubernetes/1e11e4a
I0527 09:27:59.800586   10407 round_trippers.go:446] Response Status: 500 Internal Server Error in 54 milliseconds
I0527 09:27:59.800638   10407 round_trippers.go:449] Response Headers:
I0527 09:27:59.800654   10407 round_trippers.go:452]     Audit-ID: ...
I0527 09:27:59.800668   10407 round_trippers.go:452]     Cache-Control: no-cache, private
I0527 09:27:59.800680   10407 round_trippers.go:452]     Content-Type: application/json
I0527 09:27:59.800693   10407 round_trippers.go:452]     Content-Length: 217
I0527 09:27:59.800712   10407 round_trippers.go:452]     Date: Thu, 27 May 2021 07:27:59 GMT
I0527 09:27:59.800772   10407 request.go:1097] Response Body: {"kind":"Status","metadata":{},"status":"Failure","message":"Get \"https://10.156.0.8:10250/containerLogs/default/<POD-NAME>/<SERVICE-NAME>\": remote error: tls: internal error","code":500}
I0527 09:27:59.801848   10407 helpers.go:216] server response object: [{
  "metadata": {}, "status": "Failure", "message": "Get \"https://10.156.0.8:10250/containerLogs/default/<POD-NAME>/<SERVICE-NAME>\": remote error: tls: internal error", "code": 500
}]
F0527 09:27:59.801944   10407 helpers.go:115] Error from server: Get "https://10.156.0.8:10250/containerLogs/default/<POD-NAME>/<SERVICE-NAME>": remote error: tls: internal error

$ kubectl exec --v=8 -it <POD-NAME> -- sh

I0527 09:44:48.673774   11157 loader.go:375] Config loaded from file:  /home/kevin/.kube/config
I0527 09:44:48.678514   11157 round_trippers.go:420] GET https://<PUBLIC-IP>/api/v1/namespaces/default/pods/<POD-NAME>
I0527 09:44:48.678528   11157 round_trippers.go:427] Request Headers:
I0527 09:44:48.678535   11157 round_trippers.go:431]     Accept: application/json, */*
I0527 09:44:48.678543   11157 round_trippers.go:431]     User-Agent: kubectl/v1.19.3 (linux/amd64) kubernetes/1e11e4a
I0527 09:44:48.795864   11157 round_trippers.go:446] Response Status: 200 OK in 117 milliseconds
I0527 09:44:48.795920   11157 round_trippers.go:449] Response Headers:
I0527 09:44:48.795963   11157 round_trippers.go:452]     Audit-ID: ...
I0527 09:44:48.795995   11157 round_trippers.go:452]     Cache-Control: no-cache, private
I0527 09:44:48.796019   11157 round_trippers.go:452]     Content-Type: application/json
I0527 09:44:48.796037   11157 round_trippers.go:452]     Date: Thu, 27 May 2021 07:44:48 GMT
I0527 09:44:48.796644   11157 request.go:1097] Response Body: {"kind":"Pod","generateName":"","uid":"","labels":{"app":"...","f:spec":{"f:c [truncated 3250 chars]
I0527 09:44:48.814315   11157 round_trippers.go:420] POST https://<PUBLIC-IP>/api/v1/namespaces/default/pods/<POD-NAME>/exec?command=sh&container=<SERVICE-NAME>&stdin=true&stdout=true&tty=true
I0527 09:44:48.814372   11157 round_trippers.go:427] Request Headers:
I0527 09:44:48.814391   11157 round_trippers.go:431]     User-Agent: kubectl/v1.19.3 (linux/amd64) kubernetes/1e11e4a
I0527 09:44:48.814406   11157 round_trippers.go:431]     X-Stream-Protocol-Version: v4.channel.k8s.io
I0527 09:44:48.814420   11157 round_trippers.go:431]     X-Stream-Protocol-Version: v3.channel.k8s.io
I0527 09:44:48.814445   11157 round_trippers.go:431]     X-Stream-Protocol-Version: v2.channel.k8s.io
I0527 09:44:48.814471   11157 round_trippers.go:431]     X-Stream-Protocol-Version: channel.k8s.io
I0527 09:44:48.913928   11157 round_trippers.go:446] Response Status: 500 Internal Server Error in 99 milliseconds
I0527 09:44:48.913977   11157 round_trippers.go:449] Response Headers:
I0527 09:44:48.914005   11157 round_trippers.go:452]     Audit-ID: ...
I0527 09:44:48.914029   11157 round_trippers.go:452]     Cache-Control: no-cache, private
I0527 09:44:48.914054   11157 round_trippers.go:452]     Content-Type: application/json
I0527 09:44:48.914077   11157 round_trippers.go:452]     Date: Thu, 27 May 2021 07:44:48 GMT
I0527 09:44:48.914099   11157 round_trippers.go:452]     Content-Length: 149
I0527 09:44:48.915741   11157 helpers.go:216] server response object: [{
  "metadata": {}, "message": "error dialing backend: remote error: tls: internal error", "code": 500
}]
F0527 09:44:48.915837   11157 helpers.go:115] Error from server: error dialing backend: remote error: tls: internal error

Update 2

After connecting to one of the GKE worker nodes and checking the kubelet logs, I found these strange lines

May 27 09:30:11 gke-<CLUSTER-NAME>-default-pool-<NODE-UID> kubelet[1272]: I0527 09:30:11.271022    1272 log.go:181] http: TLS handshake error from 10.156.0.9:54672: no serving certificate available for the kubelet
May 27 09:30:11 gke-<CLUSTER-NAME>-default-pool-<NODE-UID> kubelet[1272]: I0527 09:30:11.305628    1272 log.go:181] http: TLS handshake error from 10.156.0.9:54674: no serving certificate available for the kubelet
May 27 09:30:12 gke-<CLUSTER-NAME>-default-pool-<NODE-UID> kubelet[1272]: I0527 09:30:12.067998    1272 log.go:181] http: TLS handshake error from 10.156.0.11:57610: no serving certificate available for the kubelet
May 27 09:30:14 gke-<CLUSTER-NAME>-default-pool-<NODE-UID> kubelet[1272]: I0527 09:30:14.144826    1272 certificate_manager.go:412] Rotating certificates
May 27 09:30:14 gke-<CLUSTER-NAME>-default-pool-<NODE-UID> kubelet[1272]: I0527 09:30:14.154322    1272 reflector.go:207] Starting reflector *v1.CertificateSigningRequest (0s) from k8s.io/client-go/tools/watch/informerwatcher.go:146
May 27 09:30:14 gke-<CLUSTER-NAME>-default-pool-<NODE-UID> kubelet[1272]: I0527 09:30:14.448976    1272 reflector.go:213] Stopping reflector *v1.CertificateSigningRequest (0s) from k8s.io/client-go/tools/watch/informerwatcher.go:146
May 27 09:30:14 gke-<CLUSTER-NAME>-default-pool-<NODE-UID> kubelet[1272]: E0527 09:30:14.449045    1272 certificate_manager.go:454] certificate request was not signed: cannot watch on the certificate signing request: certificate signing request is denied, reason: AutoDenied, message:

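Update 3

I updated the cluster version from 1.19.9-gke.1400 to 1.19.9-gke.1900. It did not solve the problem...

I performed a Credentials Rotation on the cluster. That did not solve it either...

Final

After trying many changes in the cluster:

  • Restarting kubelet on the nodes
  • Restarting the nodes
  • Scaling the node pool size up/down
  • Upgrading the cluster version
  • Rotating the cluster certificates

Even creating a new cluster (in the same project, with the same VPC, etc.) did not solve the problem...

This problem may be related to changes made to the firewall rules.

The only solution found was to create a new GKE cluster in a new GCP project and migrate the workloads using Velero.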
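
The two symptoms reported in the question, denied `kubernetes.io/kubelet-serving` CSRs and kubelet TLS handshakes failing with no serving certificate, can be summarised per node and per peer with a short script. This is an added example, not part of the original post; the node names and sample lines are constructed, and `journalctl -u kubelet` assumes the kubelet runs as a systemd unit with that name.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Both functions read stdin:
#   kubectl get csr | csr_summary
#   journalctl -u kubelet | kubelet_tls_summary

# Count kubelet-serving CSRs per requestor and condition. Columns as in
# `kubectl get csr`: NAME AGE SIGNERNAME REQUESTOR ... CONDITION (last).
csr_summary() {
  awk '$3 == "kubernetes.io/kubelet-serving" { n[$4 " " $NF]++ }
       END { for (k in n) print k, n[k] }' | sort
}

# Per-peer count of handshakes that failed because the kubelet has no
# serving certificate, plus the reason logged when its CSR was not signed.
kubelet_tls_summary() {
  awk '/TLS handshake error from/ && /no serving certificate available/ {
         for (i = 1; i < NF; i++) if ($i == "from") { peer = $(i + 1); break }
         sub(/:[0-9]+:$/, "", peer)          # drop the ":port:" suffix
         peers[peer]++
       }
       /certificate request was not signed/ && match($0, /reason: *[A-Za-z]+/) {
         reason = substr($0, RSTART, RLENGTH); sub(/reason: */, "", reason)
       }
       END {
         for (p in peers) print "handshake_errors", p, peers[p]
         if (reason != "") print "csr_denied_reason", reason
       }' | sort
}

# Constructed sample input, modelled on the output quoted in the question.
SAMPLE_CSR='NAME        AGE     SIGNERNAME                      REQUESTOR            CONDITION
csr-aaaaa   4m16s   kubernetes.io/kubelet-serving   system:node:node-a   Denied
csr-bbbbb   91m     kubernetes.io/kubelet-serving   system:node:node-a   Denied
csr-ccccc   19m     kubernetes.io/kubelet-serving   system:node:node-b   Approved,Issued
csr-ddddd   11m     kubernetes.io/kube-apiserver-client-kubelet   system:node:node-b   Approved,Issued'

SAMPLE_KUBELET='May 27 09:30:11 node-a kubelet[1272]: I0527 09:30:11.271022 1272 log.go:181] http: TLS handshake error from 10.156.0.9:54672: no serving certificate available for the kubelet
May 27 09:30:11 node-a kubelet[1272]: I0527 09:30:11.305628 1272 log.go:181] http: TLS handshake error from 10.156.0.9:54674: no serving certificate available for the kubelet
May 27 09:30:12 node-a kubelet[1272]: I0527 09:30:12.067998 1272 log.go:181] http: TLS handshake error from 10.156.0.11:57610: no serving certificate available for the kubelet
May 27 09:30:14 node-a kubelet[1272]: E0527 09:30:14.449045 1272 certificate_manager.go:454] certificate request was not signed: cannot watch on the certificate signing request: certificate signing request is denied, reason: AutoDenied, message:'

printf '%s\n' "$SAMPLE_CSR" | csr_summary
printf '%s\n' "$SAMPLE_KUBELET" | kubelet_tls_summary
```

A node whose only `kubelet-serving` entries are `Denied` is one where the kubelet on port 10250 has nothing to present, which matches the `tls: internal error` the API server relays for `logs` and `exec`.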
