How to change the kube API address of the cilium DaemonSet init container

I am using cilium 1.14.3 as the CNI component for Kubernetes v1.28.3. This is how I installed cilium:

helm install cilium cilium/cilium --version 1.14.3 \
   --namespace kube-system \
   --set global.nodeinit.enabled=true \
   --set global.kubeProxyReplacement=partial \
   --set global.hostServices.enabled=false \
   --set global.externalIPs.enabled=true \
   --set global.nodePort.enabled=true \
   --set global.hostPort.enabled=true \
   --set global.pullPolicy=IfNotPresent \
   --set config.ipam=kubernetes \
   --set global.hubble.enabled=true \
   --set global.hubble.relay.enabled=true \
   --set global.hubble.ui.enabled=true \
   --set global.hubble.metrics.enabled="{dns,drop,tcp,flow,port-distribution,icmp,http}"

Now I want to change the Kubernetes API server address. I have edited the configmap cilium-config and added the following:

  k8s-service-host: '172.29.217.209'
  k8s-service-port: '6443'
  k8s-api-server: 'https://172.29.217.209:6443'

This configuration works for cilium-operator, but I found that the cilium DaemonSet still does not use the new API server address. So I added the following configuration to the cilium DaemonSet:

initContainers:
        - name: config
          image: >-
            quay.io/cilium/cilium:v1.14.3@sha256:e5ca22526e01469f8d10c14e2339a82a13ad70d9a359b879024715540eef4ace
          command:
            - cilium
            - build-config
          env:
            - name: K8S_API_SERVER
              value: 'https://172.29.217.209:6443'
            - name: K8S_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: CILIUM_K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
          resources: {}
          volumeMounts:
            - name: tmp
              mountPath: /tmp
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: FallbackToLogsOnError
          imagePullPolicy: IfNotPresent

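It seems the init container does not read the API server address. Am I missing something? What should I do to change the kube API server address for the cilium DaemonSet init container? I found the configuration at https://docs.cilium.io/en/v1.12/gettingstarted/kubeproxy-free/#kubeproxy-free and I think it applies to 1.14.3.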

This is the error log from the init container, which shows why I need to change the API server address:

level=info msg=Invoked duration="810.146µs" function="cmd.glob..func36 (build-config.go:32)" subsys=hive
level=info msg=Starting subsys=hive
level=info msg="Establishing connection to apiserver" host="https://10.96.0.1:443" subsys=k8s-client
level=info msg="Establishing connection to apiserver" host="https://10.96.0.1:443" subsys=k8s-client
level=error msg="Unable to contact k8s api-server" error="Get \"https://10.96.0.1:443/api/v1/namespaces/kube-system\": dial tcp 10.96.0.1:443: i/o timeout" ipAddr="https://10.96.0.1:443" subsys=k8s-client
level=error msg="Start hook failed" error="Get \"https://10.96.0.1:443/api/v1/namespaces/kube-system\": dial tcp 10.96.0.1:443: i/o timeout" function="client.(*compositeClientset).onStart" subsys=hive
level=info msg=Stopping subsys=hive
Error: failed to start: Get "https://10.96.0.1:443/api/v1/namespaces/kube-system": dial tcp 10.96.0.1:443: i/o timeout
Usage:
  cilium build-config --node-name $K8S_NODE_NAME [flags]

Flags:
      --allow-config-keys strings        List of configuration keys that are allowed to be overridden (e.g. set from not the first source. Takes precedence over deny-config-keys
      --deny-config-keys strings         List of configuration keys that are not allowed to be overridden (e.g. set from not the first source. If allow-config-keys is set, this field is ignored
      --dest string                      Destination directory to write the fully-resolved configuration. (default "/tmp/cilium/config-map")
      --enable-k8s                       Enable the k8s clientset (default true)
      --enable-k8s-api-discovery         Enable discovery of Kubernetes API groups and resources with the discovery API
  -h, --help                             help for build-config
      --k8s-api-server string            Kubernetes API server URL
      --k8s-client-burst int             Burst value allowed for the K8s client
      --k8s-client-qps float32           Queries per second limit for the K8s client
      --k8s-heartbeat-timeout duration   Configures the timeout for api-server heartbeat, set to 0 to disable (default 30s)
      --k8s-kubeconfig-path string       Absolute path of the kubernetes kubeconfig file

Answer 1

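Dolphin, since you are using Helm, it is recommended to run the command according to the documentation (note that I am referring to version 1.14.4). Run the following Helm upgrade command for Cilium: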

helm upgrade cilium cilium/cilium --version 1.14.4 \
--namespace kube-system \
--set k8sServiceHost=YOUR_API_IP \
--set k8sServicePort=6443

You can find all the relevant keys in the documentation here, and there is no longer a k8s-api-server key.

After doing this, you can check the Cilium DaemonSet with the following command:

kubectl -n kube-system describe ds cilium

After doing this, you should observe the following in the output:

Init Containers:
 config:
  Image:     quay.io/cilium/cilium:v1.14.4@sha256:4981767b787c69126e190e33aee93d5a076639083c21f0e7c29596a519c64a2e
  Port:       <none>
  Host Port:  <none>
  Command:
   cilium
   build-config
  Environment:
    K8S_NODE_NAME:             (v1:spec.nodeName)
    CILIUM_K8S_NAMESPACE:      (v1:metadata.namespace)
    KUBERNETES_SERVICE_HOST:   YOUR_API_IP
    KUBERNETES_SERVICE_PORT:   6443

Note that you should replace YOUR_API_IP with the actual IP address in your specific setup.
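
Added example (not part of the original question or answer, and not Cilium project code): a small shell check that reads `kubectl describe ds` output and reports whether a named container, here the `config` init container, carries the `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` values the answer says to expect. The function names and the sample output are constructed for illustration; the IP is the one from the question.

```shell
#!/bin/sh
# api_env_for CONTAINER: reads `kubectl describe ds` output on stdin and prints
# "HOST:PORT" from that container's Environment ("unset" if a variable is absent).
api_env_for() {
  awk -v want="$1" '
    # In describe output a container name line is followed by its "Image:" line.
    /^[ \t]*Image:/ { cur = prev; gsub(/^[ \t]+|:[ \t]*$/, "", cur) }
    cur == want && $1 == "KUBERNETES_SERVICE_HOST:" { host = $2 }
    cur == want && $1 == "KUBERNETES_SERVICE_PORT:" { port = $2 }
    { prev = $0 }
    END {
      if (host == "") host = "unset"
      if (port == "") port = "unset"
      print host ":" port
    }'
}

# check_api_env CONTAINER HOST PORT: succeeds only if the container's
# environment names the expected API endpoint.
check_api_env() {
  got=$(api_env_for "$1")
  [ "$got" = "$2:$3" ] && { echo "OK: $1 -> $got"; return 0; }
  echo "MISMATCH: $1 -> $got (expected $2:$3)"
  return 1
}

# Constructed sample in the layout of the answer's output (IP from the question).
sample_after() {
  cat <<'EOF'
Init Containers:
 config:
  Image:      quay.io/cilium/cilium:v1.14.4
  Command:
   cilium
   build-config
  Environment:
    K8S_NODE_NAME:             (v1:spec.nodeName)
    KUBERNETES_SERVICE_HOST:   172.29.217.209
    KUBERNETES_SERVICE_PORT:   6443
EOF
}
# Same DaemonSet before the Helm values were set: the two variables are absent.
sample_before() { sample_after | grep -v 'KUBERNETES_SERVICE_'; }

sample_before | check_api_env config 172.29.217.209 6443 || true
sample_after | check_api_env config 172.29.217.209 6443
# Live cluster: kubectl -n kube-system describe ds cilium | check_api_env config <ip> 6443
```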
