Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs update on kubelet authn authz #696

Merged
merged 11 commits into from
Jul 20, 2023
Merged

docs update on kubelet authn authz #696

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
d6a09ac
docs update on authentication-webhook
timfeirg Jul 17, 2023
a87b524
more
timfeirg Jul 18, 2023
50a213b
Update docs/zh_cn/administration/going-production.md
timfeirg Jul 18, 2023
6bc0a88
translation
timfeirg Jul 18, 2023
2bc9224
restart kubelet
timfeirg Jul 19, 2023
9a99292
update docs for kubelet authn & authz
zwwhdls Jul 19, 2023
740ba2e
resolve conflict
zwwhdls Jul 19, 2023
213d58e
fix md lint
zwwhdls Jul 19, 2023
344a1db
translation
timfeirg Jul 19, 2023
ed5d01d
lint
timfeirg Jul 19, 2023
089c0d9
minor fix
timfeirg Jul 19, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions docs/zh_cn/administration/going-production.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -210,3 +210,42 @@ spec:
- --leader-election-lease-duration=15s # Leader 的间隔,默认为 15s
...
```

## 启用 Kubelet authentication webhook {#authentication-webhook}

如果 kubelet 没有启用 Authentication webhook,会导致 CSI Node 获取 Pod 列表时报错(该报错本身已经修复,见后续描述):

```
kubelet_client.go:99] GetNodeRunningPods err: Unauthorized
reconciler.go:70] doReconcile GetNodeRunningPods: invalid character 'U' looking for beginning of value
```

面对这种情况,我们建议[启用 Kubelet authentication webhook](../administration/going-production.md#authentication-webhook)。

```yaml {5,8} title="/var/lib/kubelet/config.yaml"
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
webhook:
cacheTTL: 0s
enabled: true
...
authorization:
mode: Webhook
...
```

在 v0.21.0 及其后版本,就算未启用上方的 Authentication webhook,CSI Node 也不再会出现异常、而是绕过 kubelet,直接访问 APIServer 去获取信息(比如 `ListPod`)。考虑到「节点上有哪些 Pod」这个信息,本身就存在于 kubelet 空间,绕远去访问 APIServer,势必会产生少量额外的性能开销。因此在生产集群,我们仍推荐启用 Authentication webhook。
timfeirg marked this conversation as resolved.
Show resolved Hide resolved

需要注意,就算使用了 v0.21.0 及之后的版本,CSI 驱动需要配置 `podInfoOnMount: true`,上边提到的避免报错的特性才会真正生效。如果你采用 [Helm 安装方式](../getting_started.md#helm),该问题并不存在,因为 `podInfoOnMount` 已经写死安装文件里,随着升级自动启用。而如果你使用 kubectl 直接安装,你需要为 `k8s.yaml` 添加如下配置:
timfeirg marked this conversation as resolved.
Show resolved Hide resolved

```yaml {6} title="k8s.yaml"
...
apiVersion: storage.k8s.io/v1
kind: CSIDriver
...
spec:
podInfoOnMount: true
...
```

这也是为什么在生产环境,我们推荐用 Helm 安装 CSI 驱动,避免手动维护的 `k8s.yaml`,在升级时带来额外的心智负担。
9 changes: 8 additions & 1 deletion docs/zh_cn/administration/troubleshooting-cases.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,14 @@ kubernetes.io/csi: attacher.MountDevice failed to create newCsiDriverClient: dri
/var/lib/kubelet/csi-plugins/csi.juicefs.com/csi.sock: connect: no such file or directory
```

此时需要[检查 CSI Node](./troubleshooting.md#check-csi-node),确认其异常原因,并排查修复。
此时需要[检查 CSI Node](./troubleshooting.md#check-csi-node),确认其异常原因,并排查修复。常见的问题比如 kubelet 没有启用 Authentication webhook,导致获取 Pod 列表时报错:

```
kubelet_client.go:99] GetNodeRunningPods err: Unauthorized
reconciler.go:70] doReconcile GetNodeRunningPods: invalid character 'U' looking for beginning of value
```

面对这种情况,我们建议[启用 Kubelet authentication webhook](../administration/going-production.md#authentication-webhook)。

## Mount Pod 异常 {#mount-pod-error}

Expand Down