具有匿名的Kubernetes间歇网络故障-auth=false

Question

我们有一个kubernetes集群(v1.10.2)，当我们设置为"anonymous-auth"标志false时，它的行为非常奇怪。我们使用法兰绒网络插件，与此问题相关的法兰绒码头日志如下：

E0515 09:59:13.396856       1 streamwatcher.go:109] Unable to decode an event from the watch stream: http2: server sent GOAWAY and closed the connection; LastStreamID=5, ErrCode=NO_ERROR, debug=""
E0515 09:59:13.397503       1 reflector.go:304] github.com/coreos/flannel/subnet/kube/kube.go:295: Failed to watch *v1.Node: Get https://10.96.0.1:443/api/v1/nodes?resourceVersion=167760&timeoutSeconds=469&watch=true: dial tcp 10.96.0.1:443: getsockopt: connection refused
E0515 09:59:14.398383       1 reflector.go:201] github.com/coreos/flannel/subnet/kube/kube.go:295: Failed to list *v1.Node: Get https://10.96.0.1:443/api/v1/nodes?resourceVersion=0: dial tcp 10.96.0.1:443: getsockopt: connection refused
E0515 09:59:15.419773       1 reflector.go:201] github.com/coreos/flannel/subnet/kube/kube.go:295: Failed to list *v1.Node: Get https://10.96.0.1:443/api/v1/nodes?resourceVersion=0: dial tcp 10.96.0.1:443: getsockopt: connection refused
E0515 09:59:16.420411       1 reflector.go:201] github.com/coreos/flannel/subnet/kube/kube.go:295: Failed to list *v1.Node: Get https://10.96.0.1:443/api/v1/nodes?resourceVersion=0: dial tcp 10.96.0.1:443: getsockopt: connection refused

此外，与此问题相关的事件(kubectl get events)似乎是：

kube-system ........ kube-apiserver-{hash} Pod spec.containers{kube-apiserver} Warning Unhealthy kubelet, {...} Liveness probe failed: HTTP probe failed with statuscode: 401

这个问题似乎是随机发生的，每隔几分钟，kubernetes集群就会在这段时间内(The connection to the server xx.xx.xx.xx was refused - did you specify the right host or port?)有几分钟(随机)没有响应，并自行恢复。

Answer 1

你是把apiserver当作静态吊舱运行吗？它是否定义了一个活性检查来调用/healthz端点？如果是这样的话，它很可能以匿名用户的身份运行，并且在禁用匿名请求时失败，导致apiserver荚重新启动。