Kubernets HA SLB
1. 准备环境¶
| ip | 操作系统 | 角色 | 安装软件 | 主机名 |
|---|---|---|---|---|
| 192.168.186.139 | centos7.6_x64 | master1 | docker | k8s-master01 |
| 192.168.186.140 | centos7.6_x64 | master1 | docker | k8s-master02 |
| 192.168.186.141 | centos7.6_x64 | node1 | docker | k8s-node01 |
| 192.168.186.142 | centos7.6_x64 | node2 | docker | k8s-node02 |
| 192.168.186.143 | centos7.6_x64 | lb1 | nginx | k8s-lb01 |
| 192.168.186.144 | centos7.6_x64 | lb2 | nginx | k8s-lb02 |
负载均衡,我们使用keepalived+nginx两台机器,实现高可用。
2. 部署¶
2.1 nginx¶
yum install -y nginx
k8s-lb01,k8s-lb02都要安装
centos7要是没有nginx源,添加nginx的源
cat > /etc/yum.repos.d/nginx.repo << EOF [nginx] name=nginx repo baseurl=http://nginx.org/packages/centos/7/$basearch/ gpgcheck=0 EOF
2.2 配置nginx¶
stream {
log_format main '$remote_addr $upstream_addr - [$time_local] $status $upstream_bytes_sent';
access_log /var/log/nginx/k8s-access.log main;
upstream k8s-apiserver {
server 192.168.186.139:6443;
server 192.168.186.140:6443;
}
server {
listen 6443;
proxy_pass k8s-apiserver;
}
}
nginx 配置文件
[root@k8s-lb02 nginx]# egrep -v '#|^$' /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
stream {
log_format main '$remote_addr $upstream_addr - [$time_local] $status $upstream_bytes_sent';
access_log /var/log/nginx/k8s-access.log main;
upstream k8s-apiserver {
server 192.168.186.139:6443;
server 192.168.186.140:6443;
}
server {
listen 6443;
proxy_pass k8s-apiserver;
}
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
两台nginx的配置文件一样
[root@k8s-lb01 nginx]# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful [root@k8s-lb01 nginx]# systemctl start nginx
2.3 keepalived¶
安装keepalived
yum install -y keepalived
k8s-lb01 主keepalived.conf
[root@k8s-lb01 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id NGINX_MASTER
}
vrrp_script check_nginx {
script "/etc/nginx/check_nginx.sh"
}
vrrp_instance VI_1 {
state MASTER
interface ens33 # 网卡名
virtual_router_id 51 # VRRP 路由 ID实例,每个实例是唯一的
priority 100 # 优先级,备服务器设置 90
advert_int 1 # 指定VRRP 心跳包通告间隔时间,默认1秒
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.186.145/24 # vip地址
}
track_script {
check_nginx # 监控脚本
}
}
k8s-lb02 从keepalived.conf
[root@k8s-lb02 nginx]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id NGINX_MASTER
}
vrrp_script check_nginx {
script "/etc/nginx/check_nginx.sh"
}
vrrp_instance VI_1 {
state BACKUP
interface ens33 # 网卡名
virtual_router_id 51 # VRRP 路由 ID实例,每个实例是唯一的
priority 90 # 优先级,备服务器设置 90
advert_int 1 # 指定VRRP 心跳包通告间隔时间,默认1秒
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.186.145/24 # vip地址
}
track_script {
check_nginx # 监控脚本
}
}
check_nginx.sh
count=$(ps -ef |grep nginx |egrep -cv "grep|$$")
if [ "$count" -eq 0 ];then
systemctl stop keepalived
fi
keepalived 主备就优先和state 不一样,主备的check_nginx.sh内容一样。
[root@k8s-lb01 ~]# cat /etc/nginx/check_nginx.sh
count=$(ps -ef |grep nginx |egrep -cv "grep|$$")
if [ "$count" -eq 0 ];then
systemctl stop keepalived
fi
[root@k8s-lb01 ~]# systemctl start keepalived
查看vip
[root@k8s-lb01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:c6:79:90 brd ff:ff:ff:ff:ff:ff
inet 192.168.186.143/24 brd 192.168.186.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet 192.168.186.145/24 scope global secondary ens33
valid_lft forever preferred_lft forever
inet6 fe80::9d58:5651:daa8:880a/64 scope link noprefixroute
valid_lft forever preferred_lft forever
拷贝配置文件到备keepalived,尽量别自己手写,防止出错
[root@k8s-lb01 ~]# scp /etc/keepalived/keepalived.conf root@192.168.186.144:/etc/keepalived/
The authenticity of host '192.168.186.144 (192.168.186.144)' can't be established.
ECDSA key fingerprint is SHA256:E5Y64HSJxuf2Rp9/Ub2eH+UJxH09K/QJyP8PRYXC9qQ.
ECDSA key fingerprint is MD5:29:15:f3:14:8b:1c:f4:be:d9:a6:a6:9e:be:27:fa:14.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.186.144' (ECDSA) to the list of known hosts.
root@192.168.186.144's password:
keepalived.conf 100% 904 313.9KB/s 00:00
拷贝检查nginx的脚本到备keepalived
[root@k8s-lb01 ~]# scp /etc/nginx/check_nginx.sh root@192.168.186.144:/etc/nginx/
root@192.168.186.144's password:
check_nginx.sh 100% 110 78.0KB/s 00:00
修改从keepalived配置文件。该state为BACKUP ,priority比主100低就行,我写90,接下来启动从keepalived
[root@k8s-lb02 nginx]# systemctl start keepalived
[root@k8s-lb02 nginx]# systemctl status keepalived
● keepalived.service - LVS and VRRP High Availability Monitor
Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2019-04-19 17:11:00 CST; 6s ago
Process: 48059 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 48060 (keepalived)
Tasks: 3
Memory: 5.0M
CGroup: /system.slice/keepalived.service
├─48060 /usr/sbin/keepalived -D
├─48061 /usr/sbin/keepalived -D
└─48062 /usr/sbin/keepalived -D
Apr 19 17:11:00 k8s-lb02 Keepalived_vrrp[48062]: Registering gratuitous ARP shared channel
Apr 19 17:11:00 k8s-lb02 Keepalived_vrrp[48062]: Opening file '/etc/keepalived/keepalived.conf'.
Apr 19 17:11:00 k8s-lb02 Keepalived_vrrp[48062]: WARNING - default user 'keepalived_script' for script execution does not...reate.
Apr 19 17:11:00 k8s-lb02 Keepalived_healthcheckers[48061]: Opening file '/etc/keepalived/keepalived.conf'.
Apr 19 17:11:05 k8s-lb02 Keepalived_vrrp[48062]: WARNING - script '/etc/nginx/check_nginx.sh' is not executable for uid:g...bling.
Apr 19 17:11:05 k8s-lb02 Keepalived_vrrp[48062]: SECURITY VIOLATION - scripts are being executed but script_security not enabled.
Apr 19 17:11:05 k8s-lb02 Keepalived_vrrp[48062]: VRRP_Instance(VI_1) removing protocol VIPs.
Apr 19 17:11:05 k8s-lb02 Keepalived_vrrp[48062]: Using LinkWatch kernel netlink reflector...
Apr 19 17:11:05 k8s-lb02 Keepalived_vrrp[48062]: VRRP_Instance(VI_1) Entering BACKUP STATE
Apr 19 17:11:05 k8s-lb02 Keepalived_vrrp[48062]: VRRP sockpool: [ifindex(2), proto(112), unicast(0), fd(10,11)]
Hint: Some lines were ellipsized, use -l to show in full.
2.4 测试keepalived HA¶
干掉lb01上的nginx,模拟nginx挂了
[root@k8s-lb01 nginx]# ps axf|egrep 'nginx|keepalived'
50204 pts/0 S+ 0:00 | \_ grep -E --color=auto nginx|keepalived
48846 ? Ss 0:00 /usr/sbin/keepalived -D
48847 ? S 0:00 \_ /usr/sbin/keepalived -D
48848 ? S 0:00 \_ /usr/sbin/keepalived -D
48863 ? Ss 0:00 nginx: master process /usr/sbin/nginx
48864 ? S 0:00 \_ nginx: worker process
48865 ? S 0:00 \_ nginx: worker process
48866 ? S 0:00 \_ nginx: worker process
48867 ? S 0:00 \_ nginx: worker process
[root@k8s-lb01 nginx]# ip a|grep 145
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 192.168.186.145/24 scope global secondary ens33
----------------------------------------------------------------------------------
开始ping 这个vip
C:\Users\cmz>ping -t 192.168.186.145
正在 Ping 192.168.186.145 具有 32 字节的数据:
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间=1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间=1ms TTL=64
请求超时。 <-- 这个地方是我pkill nginx时候vip漂移到backup了
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间=1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间=1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间=1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间=2ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间=2ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间=1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
请求超时。 <-- 这个地方是我启动了keepalived和nginx,vip又漂移到master上了
来自 192.168.186.145 的回复: 字节=32 时间=1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间=2ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.186.145 的回复: 字节=32 时间<1ms TTL=64
192.168.186.145 的 Ping 统计信息:
数据包: 已发送 = 45,已接收 = 43,丢失 = 2 (4% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 2ms,平均 = 0ms
Control-C
^C
---------------------------------------------------------
[root@k8s-lb01 nginx]# pkill nginx
过一会
[root@k8s-lb01 nginx]# ps axf|egrep 'nginx|keepalived'
50268 pts/0 S+ 0:00 | \_ grep -E --color=auto nginx|keepalived
[root@k8s-lb01 nginx]# ip a|grep 145
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
说明keepalived调用那个检查脚本干掉了自己。此时vip漂移到从keepalived了,去检查一下
[root@k8s-lb02 nginx]# ip a|grep 145
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 192.168.186.145/24 scope global secondary ens33
可以看出vip漂移到从keepalived了。
到目前为止 k8s的前端HA和SLB做准备已经实现,下面开始部署另一个k8s-master,部署完在测试
3.配置slb¶
3.1 配置node¶
我们此时将node节点指向到slb上,不在是指向master上了。此时就是将node节点的指向ip由原来的指向master ip改为slb的vip即可。
——————> node1 [root@k8s-node01 ~]# cd /opt/kubernetes/cfg/ [root@k8s-node01 cfg]# ls bootstrap.kubeconfig flanneld kubelet kubelet.config kubelet.kubeconfig kube-proxy kube-proxy.kubeconfig [root@k8s-node01 cfg]# grep -irn 139 * bootstrap.kubeconfig:5: server: https://192.168.186.139:6443 flanneld:2:FLANNEL_OPTIONS="--etcd-endpoints=https://192.168.186.139:2379,https://192.168.186.141:2379,https://192.168.186.142:237 9 -etcd-cafile=/opt/etcd/ssl/ca.pem -etcd-certfile=/opt/etcd/ssl/server.pem -etcd-keyfile=/opt/etcd/ssl/server-key.pem"kubelet.kubeconfig:5: server: https://192.168.186.139:6443 kube-proxy.kubeconfig:5: server: https://192.168.186.139:6443 期中要修改的 bootstrap.kubeconfig 第五行,kubelet.kubeconfig第五行,kube-proxy.kubeconfig第五行。修改后如下: [root@k8s-node01 cfg]# grep -irn 145 * bootstrap.kubeconfig:5: server: https://192.168.186.145:6443 kubelet.kubeconfig:5: server: https://192.168.186.145:6443 kube-proxy.kubeconfig:5: server: https://192.168.186.145:6443 重启服务 [root@k8s-node01 cfg]# systemctl restart kubelet [root@k8s-node01 cfg]# systemctl restart kube-proxy ——————> node2 [root@k8s-node02 ~]# cd /opt/kubernetes/cfg/ [root@k8s-node02 cfg]# ll total 32 -rw------- 1 root root 2169 Apr 18 17:49 bootstrap.kubeconfig -rw-r--r-- 1 root root 241 Apr 18 17:49 flanneld -rw-r--r-- 1 root root 413 Apr 18 17:55 kubelet -rw-r--r-- 1 root root 269 Apr 18 17:56 kubelet.config -rw------- 1 root root 2298 Apr 18 18:07 kubelet.kubeconfig -rw-r--r-- 1 root root 191 Apr 18 18:01 kube-proxy -rw------- 1 root root 6271 Apr 18 17:49 kube-proxy.kubeconfig [root@k8s-node02 cfg]# grep -irn 139 * bootstrap.kubeconfig:5: server: https://192.168.186.139:6443 flanneld:2:FLANNEL_OPTIONS="--etcd-endpoints=https://192.168.186.139:2379,https://192.168.186.141:2379,https://192.168.186.142:237 9 -etcd-cafile=/opt/etcd/ssl/ca.pem -etcd-certfile=/opt/etcd/ssl/server.pem -etcd-keyfile=/opt/etcd/ssl/server-key.pem"kubelet.kubeconfig:5: server: https://192.168.186.139:6443 kube-proxy.kubeconfig:5: server: https://192.168.186.139:6443 [root@k8s-node02 cfg]# vim bootstrap.kubeconfig +5 [root@k8s-node02 cfg]# vim kubelet.kubeconfig +5 [root@k8s-node02 cfg]# vim kube-proxy.kubeconfig +5 [root@k8s-node02 cfg]# grep -irn 100 * bootstrap.kubeconfig:5: server: https://192.168.186.145:6443 kubelet.kubeconfig:5: server: https://192.168.186.145:6443 kube-proxy.kubeconfig:5: server: https://192.168.186.145:6443 [root@k8s-node02 cfg]# systemctl restart kubelet [root@k8s-node02 cfg]# systemctl restart kube-proxy
3.2 生成证书¶
在master01上操作
kubectl.sh
[root@k8s-master01 k8s-cert]# cat kubectl.sh kubectl config set-cluster kubernetes \ --server=https://192.168.186.145:6443 \ --embed-certs=true \ --certificate-authority=ca.pem \ --kubeconfig=config kubectl config set-credentials cluster-admin \ --certificate-authority=ca.pem \ --embed-certs=true \ --client-key=admin-key.pem \ --client-certificate=admin.pem \ --kubeconfig=config kubectl config set-context default --cluster=kubernetes --user=cluster-admin --kubeconfig=config kubectl config use-context default --kubeconfig=config
[root@k8s-master01 k8s-cert]# pwd /root/k8s/k8s-cert [root@k8s-master01 k8s-cert]# bash kubectl.sh Cluster "kubernetes" set. User "cluster-admin" set. Context "default" created. Switched to context "default". [root@k8s-master01 k8s-cert]# ls config config [root@k8s-master01 k8s-cert]# ls admin.csr bootstrap.kubeconfig ca-key.pem kubeconfig.sh kube-proxy-key.pem server-csr.json admin-csr.json ca-config.json ca.pem kubectl.sh kube-proxy.kubeconfig server-key.pem admin-key.pem ca.csr config kube-proxy.csr kube-proxy.pem server.pem admin.pem ca-csr.json k8s-cert.sh kube-proxy-csr.json server.csr [root@k8s-master01 k8s-cert]# scp /usr/bin/kubectl root@192.168.186.141:/usr/bin/ root@192.168.186.141's password: kubectl 100% 37MB 68.2MB/s 00:00 [root@k8s-master01 k8s-cert]# scp config root@192.168.186.141:/root root@192.168.186.141's password: config 100% 6273 3.7MB/s 00:00
[root@k8s-node01 ~]# pwd /root [root@k8s-node01 ~]# ls anaconda-ks.cfg config flannel.sh flannel-v0.10.0-linux-amd64.tar.gz kubelet.sh node.zip proxy.sh README.md [root@k8s-node01 ~]# kubectl --kubeconfig=./config get nodes NAME STATUS ROLES AGE VERSION 192.168.186.141 Ready <none> 3d18h v1.13.4 192.168.186.142 Ready <none> 3d17h v1.13.4 [root@k8s-node01 ~]# [root@k8s-node01 ~]# kubectl --kubeconfig=./config get nodes -o wide NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME 192.168.186.141 Ready <none> 3d18h v1.13.4 192.168.186.141 <none> CentOS Linux 7 (Core) 3.10.0-957.el7.x86_64 docker://18.9.5 192.168.186.142 Ready <none> 3d17h v1.13.4 192.168.186.142 <none> CentOS Linux 7 (Core) 3.10.0-957.10.1.el7.x86_64 docker://18.9.5
可以看出,我们从其他非master的机器通过证书和命令链接到机器中[其实就是通过加载证书,链接apiserver,我没有其他闲置机器。我使用了node1节点,你找其他机器都可以,但是保证你的apiserver的证书中允许该ip]
在k8s-cert.sh中指定了api server允许链接的ip
cat > server-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"192.168.186.139",
"192.168.186.140",
"192.168.186.141",
"192.168.186.142",
"192.168.186.143",
"192.168.186.144",
"192.168.186.145",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
具体参考安装master时候,给apiserver 制作的证书
常见问题
我在做master+nginx slb的时候把证书和启动文件拷贝到node1上 启动的时候加载了证书,显示显示如下: [root@k8s-node01 ~]# kubectl --kubeconfig=./config get node # 其实就是去链接apiserver[apiserver中ip限制]. Unable to connect to the server: x509: certificate is valid for 10.0.0.1, 127.0.0.1, 192.168.186.139, 192.168.186.140, 192.168.186 .141, 192.168.186.142, 192.168.186.143, 192.168.186.144, 192.168.186.145, not 192.168.186.100 后面发现我的vip 192.168.186.100不在apiserver 信任里面。解决办法: 1. 修改我制作apiserver的时候预留的ip 2. 重新制作spiserver证书,分发到其他机器上。 我选择了第一种