【kubernetes VPA】记录一次安装 VPA 相关组件的报错解决过程-编程知识

文章目录

- 1. 问题描述
- 2. 问题原因
- 3. 解决办法
- 4. 参考链接

1. 问题描述

在执行 ./hack/vpa-up.sh脚本命令时，提示有报错。名为vpa-admission-controller的容器状态一直停留在ContainerCreating，从该Pod详细描述中得知，volume "tls-certs" : secret "vpa-tls-certs" not found，没有找到这两个密钥，无法进行挂载。

[root@k8s-master openssl-1.1.1h]# kubectl get pods -n kube-system |grep vpa
vpa-admission-controller-64cb9cfb4b-xvzpf   0/1     ContainerCreating   0                3m30s
vpa-recommender-6fdd69df6c-rj725            1/1     Running             0                25m
vpa-updater-8567bff646-z28v9                1/1     Running             0                25m
[root@k8s-master openssl-1.1.1h]# kubectl describe pod vpa-admission-controller-64cb9cfb4b-xvzpf -n kube-system
Name:             vpa-admission-controller-64cb9cfb4b-xvzpf
Namespace:        kube-system
Priority:         0
Service Account:  vpa-admission-controller
Node:             k8s-node01/192.168.20.32
Start Time:       Fri, 01 Mar 2024 15:54:35 +0800
Labels:           app=vpa-admission-controllerpod-template-hash=64cb9cfb4b
Annotations:      <none>
Status:           Pending
IP:
IPs:              <none>
Controlled By:    ReplicaSet/vpa-admission-controller-64cb9cfb4b
Containers:admission-controller:Container ID:Image:          k8s.gcr.io/autoscaling/vpa-admission-controller:0.12.0Image ID:Ports:          8000/TCP, 8944/TCPHost Ports:     0/TCP, 0/TCPState:          WaitingReason:       ContainerCreatingReady:          FalseRestart Count:  0Limits:cpu:     200mmemory:  500MiRequests:cpu:     50mmemory:  200MiEnvironment:NAMESPACE:  kube-system (v1:metadata.namespace)Mounts:/etc/tls-certs from tls-certs (ro)/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-ncfnk (ro)
Conditions:Type              StatusInitialized       TrueReady             FalseContainersReady   FalsePodScheduled      True
Volumes:tls-certs:Type:        Secret (a volume populated by a Secret)SecretName:  vpa-tls-certsOptional:    falsekube-api-access-ncfnk:Type:                    Projected (a volume that contains injected data from multiple sources)TokenExpirationSeconds:  3607ConfigMapName:           kube-root-ca.crtConfigMapOptional:       <nil>DownwardAPI:             true
QoS Class:                   Burstable
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300snode.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:Type     Reason       Age                  From               Message----     ------       ----                 ----               -------Normal   Scheduled    3m42s                default-scheduler  Successfully assigned kube-system/vpa-admission-controller-64cb9cfb4b-xvzpf to k8s-node01Warning  FailedMount  99s                  kubelet            Unable to attach or mount volumes: unmounted volumes=[tls-certs], unattached volumes=[tls-certs kube-api-access-ncfnk]: timed out waiting for the conditionWarning  FailedMount  95s (x9 over 3m42s)  kubelet            MountVolume.SetUp failed for volume "tls-certs" : secret "vpa-tls-certs" not found

2. 问题原因

openssl版本低。

3. 解决办法

升级openssl版本。

[root@k8s-master openssl-1.1.1h]# openssl version -a
OpenSSL 1.0.2k-fips  26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic

下载并解压openssl-1.1.1h.tar.gz

wget https://www.openssl.org/source/openssl-1.1.1h.tar.gztar zxvf openssl-1.1.1h.tar.gzcd openssl-1.1.1h./config

opessl编译安装完成

make & make install

显示如下结果，表示安装完成。

[root@k8s-master openssl-1.1.1h]# mv /usr/bin/openssl /usr/bin/openssl.bak[root@k8s-master openssl-1.1.1h]# ln -s /usr/local/bin/openssl /usr/bin/openssl
[root@k8s-master openssl-1.1.1h]# ln -s /usr/local/include/openssl/ /usr/include/openssl[root@k8s-master openssl-1.1.1h]# echo "/usr/local/lib64" >> /etc/ld.so.conf
[root@k8s-master openssl-1.1.1h]# ldconfig -v

完成openssl版本的升级。

[root@k8s-master openssl-1.1.1h]# openssl version -a
OpenSSL 1.1.1h  22 Sep 2020
built on: Fri Mar  1 07:46:58 2024 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib64/engines-1.1"
Seeding source: os-specific

重新执行 ./hack/vpa-up.sh脚本，顺利通过，无报错。

[root@k8s-master vertical-pod-autoscaler]# ./hack/vpa-up.sh
customresourcedefinition.apiextensions.k8s.io/verticalpodautoscalercheckpoints.autoscaling.k8s.io created
customresourcedefinition.apiextensions.k8s.io/verticalpodautoscalers.autoscaling.k8s.io created
clusterrole.rbac.authorization.k8s.io/system:metrics-reader created
clusterrole.rbac.authorization.k8s.io/system:vpa-actor created
clusterrole.rbac.authorization.k8s.io/system:vpa-checkpoint-actor created
clusterrole.rbac.authorization.k8s.io/system:evictioner created
clusterrolebinding.rbac.authorization.k8s.io/system:metrics-reader created
clusterrolebinding.rbac.authorization.k8s.io/system:vpa-actor created
clusterrolebinding.rbac.authorization.k8s.io/system:vpa-checkpoint-actor created
clusterrole.rbac.authorization.k8s.io/system:vpa-target-reader created
clusterrolebinding.rbac.authorization.k8s.io/system:vpa-target-reader-binding created
clusterrolebinding.rbac.authorization.k8s.io/system:vpa-evictionter-binding created
serviceaccount/vpa-admission-controller created
clusterrole.rbac.authorization.k8s.io/system:vpa-admission-controller created
clusterrolebinding.rbac.authorization.k8s.io/system:vpa-admission-controller created
clusterrole.rbac.authorization.k8s.io/system:vpa-status-reader created
clusterrolebinding.rbac.authorization.k8s.io/system:vpa-status-reader-binding created
serviceaccount/vpa-updater created
deployment.apps/vpa-updater created
serviceaccount/vpa-recommender created
deployment.apps/vpa-recommender created
Generating certs for the VPA Admission Controller in /tmp/vpa-certs.
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................+++++
........................................................................................................+++++
e is 65537 (0x010001)
Generating RSA private key, 2048 bit long modulus (2 primes)
................................................................................+++++
.........................................................................................................................................................................................................+++++
e is 65537 (0x010001)
Signature ok
subject=CN = vpa-webhook.kube-system.svc
Getting CA Private Key
Uploading certs to the cluster.
secret/vpa-tls-certs created
Deleting /tmp/vpa-certs.
deployment.apps/vpa-admission-controller created
service/vpa-webhook created

最终vpa-admission-controller的Pod正常运行~

[root@k8s-master vertical-pod-autoscaler]# kubectl get pods -n kube-system |grep vpa
vpa-admission-controller-64cb9cfb4b-m76n5   1/1     Running   0                25m
vpa-recommender-6fdd69df6c-q7z7t            1/1     Running   0                25m
vpa-updater-8567bff646-5dbk4                1/1     Running   0                25m