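I already clearly understand how the docker option --net=container:NAME_or_ID is used, and I have also read the Kubernetes source code on how containers are configured to use the network of the InfraContainer, so I think the only job of the process in the container gcr.io/google_containers/pause:0.8.0 is to "pause"; it never does any complex work such as "receiving", "sending" or "routing".
But I am not sure about this, because I cannot find the Dockerfile of gcr.io/google_containers/pause:0.8.0, so I need someone who knows for certain to tell me the truth. Thanks!
I run kube-apiserver with my self-signed certificate: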
/opt/bin/kube-apiserver \
--etcd_servers=http://master:2379,http://slave1:2379,http://slave2:2379 \
--logtostderr=false \
--v=4 \
--client-ca-file=/home/kubernetes/ssl/ca.crt \
--service-cluster-ip-range=192.168.3.0/24 \
--tls-cert-file=/home/kubernetes/ssl/server.crt \
--tls-private-key-file=/home/kubernetes/ssl/server.key
Then I run kubelet with a kubeconfig:
/opt/bin/kubelet \
--address=0.0.0.0 \
--port=10250 \
--api_servers=https://master:6443 \
--kubeconfig=/home/kubernetes/ssl/config.yaml \
--logtostderr=false \
--v=4
The content of config.yaml is as follows:
apiVersion: v1
kind: Config
clusters:
- name: ubuntu
  cluster:
    insecure-skip-tls-verify: true
    server: https://master:6443
contexts:
- context:
    cluster: "ubuntu"
    user: "ubuntu"
  name: development
current-context: development
users:
- name: ubuntu
  user:
    client-certificate: /home/kubernetes/ssl/ca.crt
    client-key: /home/kubernetes/ssl/ca.key
So I thought kubelet would not verify the apiserver's self-signed certificate, but the log shows:
E1009 16:48:51.919749 100724 reflector.go:136] Failed to list *api.Pod: Get https://master:6443/api/v1/pods?fieldSelector=spec.nodeName%3Dslave1: x509: certificate signed by unknown …