Why won't the kubelet service on my worker node start? kubelet[8094]: Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

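I am following Kelsey Hightower's KTHW on AWS EC2 instances and have started bootstrapping the worker nodes, but somehow the kubelet seems to be having issues.
Not using KUBEADM or DOCKER.

I am now getting the following error.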

kubelet.service - Kubernetes Kubelet
     Loaded: loaded (/etc/systemd/system/kubelet.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Sun 2024-01-14 18:54:09 UTC; 86ms ago
       Docs: https://github.com/kubernetes/kubernetes
    Process: 8094 ExecStart=/usr/local/bin/kubelet --config=/var/lib/kubelet/kubelet-config.yaml --container-runtime=remote --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock --image-pull-progress-deadline=2m --kube>
   Main PID: 8094 (code=exited, status=1/FAILURE)
        CPU: 171ms

Jan 14 18:54:09 CKATRAINWK2 kubelet[8094]:                 Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_A>
Jan 14 18:54:09 CKATRAINWK2 kubelet[8094]:       --tls-min-version string                                   Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 (DEPRECATED: This paramet>
Jan 14 18:54:09 CKATRAINWK2 kubelet[8094]:       --tls-private-key-file string                              File containing x509 private key matching --tls-cert-file. (DEPRECATED: This parameter should be set via the config file specifi>
Jan 14 18:54:09 CKATRAINWK2 kubelet[8094]:       --topology-manager-policy string                           Topology Manager policy to use. Possible values: 'none', 'best-effort', 'restricted', 'single-numa-node'. (default "none") (DEPR>
Jan 14 18:54:09 CKATRAINWK2 kubelet[8094]:       --topology-manager-scope string                            Scope to which topology hints applied. Topology Manager collects hints from Hint Providers and applies them to defined scope to >
Jan 14 18:54:09 CKATRAINWK2 kubelet[8094]:   -v, --v Level                                                  number for the log level verbosity (default 0)
Jan 14 18:54:09 CKATRAINWK2 kubelet[8094]:       --version version[=true]                                   Print version information and quit
Jan 14 18:54:09 CKATRAINWK2 kubelet[8094]:       --vmodule moduleSpec                                       comma-separated list of pattern=N settings for file-filtered logging
Jan 14 18:54:09 CKATRAINWK2 kubelet[8094]:       --volume-plugin-dir string                                 The full path of the directory in which to search for additional third party volume plugins (default "/usr/libexec/kubernetes/ku>
Jan 14 18:54:09 CKATRAINWK2 kubelet[8094]:       --volume-stats-agg-period duration                         Specifies interval for kubelet to calculate and cache the volume disk usage for all pods and volumes.  To disable volume calcula
sudo journalctl -xeu kubelet
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --seccomp-profile-root string                              <Warning: Alpha feature> Directory path for seccomp profiles. (default "/var/lib/kubelet/seccomp") (DEPRECATED: will be removed in 1.23, in favor of using the `<root-dir>/seccomp` directory)
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --serialize-image-pulls                                    Pull images one at a time. We recommend *not* changing the default value on nodes that run docker daemon with version < 1.9 or an Aufs storage backend. Issue #10959 has more details. (default true) (DEPRECATED: This parameter should be set>
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --skip-headers                                             If true, avoid header prefixes in the log messages
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --skip-log-headers                                         If true, avoid headers when opening log files
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --stderrthreshold severity                                 logs at or above this threshold go to stderr (default 2)
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --storage-driver-buffer-duration duration                  Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction (default 1m0s) (DEPRECATED: This is a cadvisor flag that was mistakenly registered with the Kubelet. Due to l>
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --storage-driver-db string                                 database name (default "cadvisor") (DEPRECATED: This is a cadvisor flag that was mistakenly registered with the Kubelet. Due to legacy concerns, it will follow the standard CLI deprecation timeline before being removed.)
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --storage-driver-host string                               database host:port (default "localhost:8086") (DEPRECATED: This is a cadvisor flag that was mistakenly registered with the Kubelet. Due to legacy concerns, it will follow the standard CLI deprecation timeline before being removed.)
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --storage-driver-password string                           database password (default "root") (DEPRECATED: This is a cadvisor flag that was mistakenly registered with the Kubelet. Due to legacy concerns, it will follow the standard CLI deprecation timeline before being removed.)
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --storage-driver-secure                                    use secure connection with database (DEPRECATED: This is a cadvisor flag that was mistakenly registered with the Kubelet. Due to legacy concerns, it will follow the standard CLI deprecation timeline before being removed.)
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --storage-driver-table string                              table name (default "stats") (DEPRECATED: This is a cadvisor flag that was mistakenly registered with the Kubelet. Due to legacy concerns, it will follow the standard CLI deprecation timeline before being removed.)
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --storage-driver-user string                               database username (default "root") (DEPRECATED: This is a cadvisor flag that was mistakenly registered with the Kubelet. Due to legacy concerns, it will follow the standard CLI deprecation timeline before being removed.)
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --streaming-connection-idle-timeout duration               Maximum time a streaming connection can be idle before the connection is automatically closed. 0 indicates no timeout. Example: '5m' (default 4h0m0s) (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's >
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --sync-frequency duration                                  Max period between synchronizing running containers and config (default 1m0s) (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/k>
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --system-cgroups string                                    Optional absolute name of cgroups in which to place all non-kernel processes that are not already inside a cgroup under '/'. Empty for no container. Rolling back the flag requires a reboot. (DEPRECATED: This parameter should be set via the>
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --system-reserved mapStringString                          A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=500Mi,ephemeral-storage=1Gi) pairs that describe resources reserved for non-kubernetes components. Currently only cpu and memory are supported. See http://kubernetes.io/docs/user>
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --system-reserved-cgroup string                            Absolute name of the top level cgroup that is used to manage non-kubernetes components for which compute resources were reserved via '--system-reserved' flag. Ex. '/system-reserved'. [default=''] (DEPRECATED: This parameter should be set v>
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --tls-cert-file string                                     File containing x509 Certificate used for serving HTTPS (with intermediate certs, if any, concatenated after server cert). If --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for >
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --tls-cipher-suites strings                                Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:                 Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY>
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:                 Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA. (DEPRECATED: This parameter should be set via the config file spec>
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --tls-min-version string                                   Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/t>
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --tls-private-key-file string                              File containing x509 private key matching --tls-cert-file. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/>
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --topology-manager-policy string                           Topology Manager policy to use. Possible values: 'none', 'best-effort', 'restricted', 'single-numa-node'. (default "none") (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://>
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:       --topology-manager-scope string                            Scope to which topology hints applied. Topology Manager collects hints from Hint Providers and applies them to defined scope to ensure the pod admission. Possible values: 'container', 'pod'. (default "container") (DEPRECATED: This paramete>
Jan 14 19:06:13 CKATRAINWK2 kubelet[9116]:   -v, --v Level                                                  number for the log level verbosity (default 0)

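I have tried a lot of things, including:

  • Specifying cgroups as systemd in kubelet-config.yaml
  • Retracing my steps against the guide to make sure I did not miss anything.
  • Upgrading components such as containerd to 1.4.4, runc 1.1.7, cni-plugins 1.1.0

(Side note) crictl is also having issues.

I just need some guidance on troubleshooting.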
