|
| 1 | +--- |
| 2 | +title: "kubectl 故障排查" |
| 3 | +content_type: task |
| 4 | +weight: 10 |
| 5 | +--- |
| 6 | +<!-- |
| 7 | +title: "Troubleshooting kubectl" |
| 8 | +content_type: task |
| 9 | +weight: 10 |
| 10 | +--> |
| 11 | + |
| 12 | +<!-- overview --> |
| 13 | + |
| 14 | +<!-- |
| 15 | +This documentation is about investigating and diagnosing |
| 16 | +{{<glossary_tooltip text="kubectl" term_id="kubectl">}} related issues. |
| 17 | +If you encounter issues accessing `kubectl` or connecting to your cluster, this |
| 18 | +document outlines various common scenarios and potential solutions to help |
| 19 | +identify and address the likely cause. |
| 20 | +--> |
| 21 | +本文讲述研判和诊断 {{<glossary_tooltip text="kubectl" term_id="kubectl">}} 相关的问题。 |
| 22 | +如果你在访问 `kubectl` 或连接到集群时遇到问题,本文概述了各种常见的情况和可能的解决方案, |
| 23 | +以帮助确定和解决可能的原因。 |
| 24 | + |
| 25 | +<!-- body --> |
| 26 | + |
| 27 | +## {{% heading "prerequisites" %}} |
| 28 | + |
| 29 | +<!-- |
| 30 | +* You need to have a Kubernetes cluster. |
| 31 | +* You also need to have `kubectl` installed - see [install tools](/docs/tasks/tools/#kubectl) |
| 32 | +--> |
| 33 | +* 你需要有一个 Kubernetes 集群。 |
| 34 | +* 你还需要安装好 `kubectl`,参见[安装工具](/zh-cn/docs/tasks/tools/#kubectl)。 |
| 35 | + |
| 36 | +<!-- |
| 37 | +## Verify kubectl setup |
| 38 | +
|
| 39 | +Make sure you have installed and configured `kubectl` correctly on your local machine. |
| 40 | +Check the `kubectl` version to ensure it is up-to-date and compatible with your cluster. |
| 41 | +
|
| 42 | +Check kubectl version: |
| 43 | +--> |
| 44 | +## 验证 kubectl 设置 {#verify-kubectl-setup} |
| 45 | + |
| 46 | +确保你已在本机上正确安装和配置了 `kubectl`。 |
| 47 | +检查 `kubectl` 版本以确保其是最新的,并与你的集群兼容。 |
| 48 | + |
| 49 | +检查 kubectl 版本: |
| 50 | + |
| 51 | +```shell |
| 52 | +kubectl version |
| 53 | +``` |
| 54 | + |
| 55 | +<!-- |
| 56 | +You'll see a similar output: |
| 57 | +--> |
| 58 | +你将看到类似的输出: |
| 59 | + |
| 60 | +```console |
| 61 | +Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.4",GitCommit:"fa3d7990104d7c1f16943a67f11b154b71f6a132", GitTreeState:"clean",BuildDate:"2023-07-19T12:20:54Z", GoVersion:"go1.20.6", Compiler:"gc", Platform:"linux/amd64"} |
| 62 | +Kustomize Version: v5.0.1 |
| 63 | +Server Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.3",GitCommit:"25b4e43193bcda6c7328a6d147b1fb73a33f1598", GitTreeState:"clean",BuildDate:"2023-06-14T09:47:40Z", GoVersion:"go1.20.5", Compiler:"gc", Platform:"linux/amd64"} |
| 64 | +``` |
| 65 | + |
| 66 | +<!-- |
| 67 | +If you see `Unable to connect to the server: dial tcp <server-ip>:8443: i/o timeout`, |
| 68 | +instead of `Server Version`, you need to troubleshoot kubectl connectivity with your cluster. |
| 69 | +
|
| 70 | +Make sure you have installed the kubectl by following the |
| 71 | +[official documentation for installing kubectl](/docs/tasks/tools/#kubectl), and you have |
| 72 | +properly configured the `$PATH` environment variable. |
| 73 | +--> |
| 74 | +如果你看到 `Unable to connect to the server: dial tcp <server-ip>:8443: i/o timeout`, |
| 75 | +而不是 `Server Version`,则需要解决 kubectl 与你集群的连接问题。 |
| 76 | + |
| 77 | +确保按照 [kubectl 官方安装文档](/zh-cn/docs/tasks/tools/#kubectl)安装了 kubectl, |
| 78 | +并正确配置了 `$PATH` 环境变量。 |
| 79 | + |
| 80 | +<!-- |
| 81 | +## Check kubeconfig |
| 82 | +
|
| 83 | +The `kubectl` requires a `kubeconfig` file to connect to a Kubernetes cluster. The |
| 84 | +`kubeconfig` file is usually located under the `~/.kube/config` directory. Make sure |
| 85 | +that you have a valid `kubeconfig` file. If you don't have a `kubeconfig` file, you can |
| 86 | +obtain it from your Kubernetes administrator, or you can copy it from your Kubernetes |
| 87 | +control plane's `/etc/kubernetes/admin.conf` directory. If you have deployed your |
| 88 | +Kubernetes cluster on a cloud platform and lost your `kubeconfig` file, you can |
| 89 | +re-generate it using your cloud provider's tools. Refer the cloud provider's |
| 90 | +documentation for re-generating a `kubeconfig` file. |
| 91 | +--> |
| 92 | +## 检查 kubeconfig {#check-kubeconfig} |
| 93 | + |
| 94 | +`kubectl` 需要一个 `kubeconfig` 文件来连接到 Kubernetes 集群。 |
| 95 | +`kubeconfig` 文件通常位于 `~/.kube/config` 目录下。确保你有一个有效的 `kubeconfig` 文件。 |
| 96 | +如果你没有 `kubeconfig` 文件,可以从 Kubernetes 管理员那里获取,或者可以从 Kubernetes 控制平面的 |
| 97 | +`/etc/kubernetes/admin.conf` 目录复制这个文件。如果你在云平台上部署了 Kubernetes 集群并且丢失了你的 |
| 98 | +`kubeconfig` 文件,则可以使用云厂商的工具重新生成它。参考云厂商的文档以重新生成 `kubeconfig` 文件。 |
| 99 | + |
| 100 | +<!-- |
| 101 | +Check if the `$KUBECONFIG` environment variable is configured correctly. You can set |
| 102 | +`$KUBECONFIG`environment variable or use the `--kubeconfig` parameter with the kubectl |
| 103 | +to specify the directory of a `kubeconfig` file. |
| 104 | +
|
| 105 | +## Check VPN connectivity |
| 106 | +
|
| 107 | +If you are using a Virtual Private Network (VPN) to access your Kubernetes cluster, |
| 108 | +make sure that your VPN connection is active and stable. Sometimes, VPN disconnections |
| 109 | +can lead to connection issues with the cluster. Reconnect to the VPN and try accessing |
| 110 | +the cluster again. |
| 111 | +--> |
| 112 | +检查 `$KUBECONFIG` 环境变量是否配置正确。你可以设置 `$KUBECONFIG` 环境变量,或者在 |
| 113 | +kubectl 中使用 `--kubeconfig` 参数来指定 `kubeconfig` 文件的目录。 |
| 114 | + |
| 115 | +## 检查 VPN 连接 {#check-vpn-connectivity} |
| 116 | + |
| 117 | +如果你正在使用虚拟专用网络(VPN)访问 Kubernetes 集群,请确保你的 VPN 连接是可用且稳定的。 |
| 118 | +有时,VPN 断开连接可能会导致与集群的连接问题。重新连接到 VPN,并尝试再次访问集群。 |
| 119 | + |
| 120 | +<!-- |
| 121 | +## Authentication and authorization |
| 122 | +
|
| 123 | +If you are using the token based authentication and the kubectl is returning an error |
| 124 | +regarding the authentication token or authentication server address, validate the |
| 125 | +Kubernetes authentication token and the authentication server address are configured |
| 126 | +properly. |
| 127 | +
|
| 128 | +If kubectl is returning an error regarding the authorization, make sure that you are |
| 129 | +using the valid user credentials. And you have the permission to access the resource |
| 130 | +that you have requested. |
| 131 | +--> |
| 132 | +## 身份认证和鉴权 {#authentication-and-authorization} |
| 133 | + |
| 134 | +如果你正在使用基于令牌的身份认证,并且 kubectl 返回有关身份认证令牌或身份认证服务器地址的错误, |
| 135 | +校验 Kubernetes 身份认证令牌和身份认证服务器地址是否被配置正确。 |
| 136 | + |
| 137 | +如果 kubectl 返回有关鉴权的错误,确保你正在使用有效的用户凭据,并且你具有访问所请求资源的权限。 |
| 138 | + |
| 139 | +<!-- |
| 140 | +## Verify contexts |
| 141 | +
|
| 142 | +Kubernetes supports [multiple clusters and contexts](/docs/tasks/access-application-cluster/configure-access-multiple-clusters/). |
| 143 | +Ensure that you are using the correct context to interact with your cluster. |
| 144 | +
|
| 145 | +List available contexts: |
| 146 | +--> |
| 147 | +## 验证上下文 {#verify-contexts} |
| 148 | + |
| 149 | +Kubernetes 支持[多个集群和上下文](/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)。 |
| 150 | +确保你正在使用正确的上下文与集群进行交互。 |
| 151 | + |
| 152 | +列出可用的上下文: |
| 153 | + |
| 154 | +```shell |
| 155 | +kubectl config get-contexts |
| 156 | +``` |
| 157 | + |
| 158 | +<!-- |
| 159 | +Switch to the appropriate context: |
| 160 | +--> |
| 161 | +切换到合适的上下文: |
| 162 | + |
| 163 | +```shell |
| 164 | +kubectl config use-context <context-name> |
| 165 | +``` |
| 166 | + |
| 167 | +<!-- |
| 168 | +## API server and load balancer |
| 169 | +
|
| 170 | +The {{<glossary_tooltip text="kube-apiserver" term_id="kube-apiserver">}} server is the |
| 171 | +central component of a Kubernetes cluster. If the API server or the load balancer that |
| 172 | +runs in front of your API servers is not reachable or not responding, you won't be able |
| 173 | +to interact with the cluster. |
| 174 | +--> |
| 175 | +## API 服务器和负载均衡器 {#api-server-and-load-balancer} |
| 176 | + |
| 177 | +{{<glossary_tooltip text="kube-apiserver" term_id="kube-apiserver">}} 服务器是 Kubernetes |
| 178 | +集群的核心组件。如果 API 服务器或运行在 API 服务器前面的负载均衡器不可达或没有响应,你将无法与集群进行交互。 |
| 179 | + |
| 180 | +<!-- |
| 181 | +Check the if the API server's host is reachable by using `ping` command. Check cluster's |
| 182 | +network connectivity and firewall. If your are using a cloud provider for deploying |
| 183 | +the cluster, check your cloud provider's health check status for the cluster's |
| 184 | +API server. |
| 185 | +
|
| 186 | +Verify the status of the load balancer (if used) to ensure it is healthy and forwarding |
| 187 | +traffic to the API server. |
| 188 | +--> |
| 189 | +通过使用 `ping` 命令检查 API 服务器的主机是否可达。检查集群的网络连接和防火墙。 |
| 190 | +如果你使用云厂商部署集群,请检查云厂商对集群的 API 服务器的健康检查状态。 |
| 191 | + |
| 192 | +验证负载均衡器(如果使用)的状态,确保其健康且转发流量到 API 服务器。 |
| 193 | + |
| 194 | +<!-- |
| 195 | +## TLS problems |
| 196 | +
|
| 197 | +The Kubernetes API server only serves HTTPS requests by default. In that case TLS problems |
| 198 | +may occur due to various reasons, such as certificate expiry or chain of trust validity. |
| 199 | +--> |
| 200 | +## TLS 问题 {#tls-problems} |
| 201 | + |
| 202 | +Kubernetes API 服务器默认只为 HTTPS 请求提供服务。在这种情况下, |
| 203 | +TLS 问题可能会因各种原因而出现,例如证书过期或信任链有效性。 |
| 204 | + |
| 205 | +<!-- |
| 206 | +You can find the TLS certificate in the kubeconfig file, located in the `~/.kube/config` |
| 207 | +directory. The `certificate-authority` attribute contains the CA certificate and the |
| 208 | +`client-certificate` attribute contains the client certificate. |
| 209 | +
|
| 210 | +Verify the expiry of these certificates: |
| 211 | +--> |
| 212 | +你可以在 kubeconfig 文件中找到 TLS 证书,此文件位于 `~/.kube/config` 目录下。 |
| 213 | +`certificate-authority` 属性包含 CA 证书,而 `client-certificate` 属性则包含客户端证书。 |
| 214 | + |
| 215 | +验证这些证书的到期时间: |
| 216 | + |
| 217 | +```shell |
| 218 | +openssl x509 -noout -dates -in $(kubectl config view --minify --output 'jsonpath={.clusters[0].cluster.certificate-authority}') |
| 219 | +``` |
| 220 | + |
| 221 | +<!-- |
| 222 | +output: |
| 223 | +--> |
| 224 | +输出为: |
| 225 | + |
| 226 | +```console |
| 227 | +notBefore=Sep 2 08:34:12 2023 GMT |
| 228 | +notAfter=Aug 31 08:34:12 2033 GMT |
| 229 | +``` |
| 230 | + |
| 231 | +```shell |
| 232 | +openssl x509 -noout -dates -in $(kubectl config view --minify --output 'jsonpath={.users[0].user.client-certificate}') |
| 233 | +``` |
| 234 | + |
| 235 | +<!-- |
| 236 | +output: |
| 237 | +--> |
| 238 | +输出为: |
| 239 | + |
| 240 | +```console |
| 241 | +notBefore=Sep 2 08:34:12 2023 GMT |
| 242 | +notAfter=Sep 2 08:34:12 2026 GMT |
| 243 | +``` |
| 244 | + |
| 245 | +<!-- |
| 246 | +## Verify kubectl helpers |
| 247 | +
|
| 248 | +Some kubectl authentication helpers provide easy access to Kubernetes clusters. If you |
| 249 | +have used such helpers and are facing connectivity issues, ensure that the necessary |
| 250 | +configurations are still present. |
| 251 | +
|
| 252 | +Check kubectl configuration for authentication details: |
| 253 | +--> |
| 254 | +## 验证 kubectl 助手 {#verify-kubectl-helpers} |
| 255 | + |
| 256 | +某些 kubectl 身份认证助手提供了便捷访问 Kubernetes 集群的方式。 |
| 257 | +如果你使用了这些助手并且遇到连接问题,确保必要的配置仍然存在。 |
| 258 | + |
| 259 | +查看 kubectl 配置以了解身份认证细节: |
| 260 | + |
| 261 | +```shell |
| 262 | +kubectl config view |
| 263 | +``` |
| 264 | + |
| 265 | +<!-- |
| 266 | +If you previously used a helper tool (for example, `kubectl-oidc-login`), ensure that it is still |
| 267 | +installed and configured correctly. |
| 268 | +--> |
| 269 | +如果你之前使用了辅助工具(例如 `kubectl-oidc-login`),确保它仍然安装和配置正确。 |
0 commit comments