Question about etcd cluster with kubeadm in 1.11


#1

I’m trying to deploy an etcd cluster using this procedure:

https://kubernetes.io/docs/tasks/administer-cluster/setup-ha-etcd-with-kubeadm/

The procedure appears to work; however, I notice that all the etcd nodes are only listening on localhost.

The procedure says to verify cluster health using the IP address of HOST0, which fails because it’s not listening on the public address. If I replace HOST0 with localhost the health check completes and shows the cluster is healthy.

So is this procedure bugged? How would a kubernetes cluster communicate with this etcd cluster only listening on localhost?


#2

Same problem here. And since I’ve implemented the described procedure, the page https://kubernetes.io/docs/tasks/administer-cluster/setup-ha-etcd-with-kubeadm/ has gone missing (404 :frowning:).

Could it be because we should use a config file using “--endpoints” instead of “--advertise-client-urls”, “--listen-peer-urls”, etc., like in the following example?

apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
api:
  advertiseAddress: 10.10.40.90
etcd:
  endpoints:


#3

Later edit: if you check the etcd.yaml file generated in /etc/kubernetes/manifests/ using the command: root@HOST0 kubeadm alpha phase etcd local --config=/tmp/{HOST0}/kubeadmcfg.yaml, it says nothing about ${HOST0} (a.k.a. 192.168.1.16 in my case :wink:). I am trying editing the file and testing it by rebooting the machine (or deleting the etcd pod/docker containers; there are 2).

Yup, it partially works if you add the external IP everywhere in etcd.yaml except line 39.
Result:

myname@etcd1:/etc/kubernetes/manifests$ sudo docker run --rm -it --net host -v /etc/kubernetes:/etc/kubernetes quay.io/coreos/etcd:v3.2.18 etcdctl --cert-file /etc/kubernetes/pki/etcd/peer.crt --key-file /etc/kubernetes/pki/etcd/peer.key --ca-file /etc/kubernetes/pki/etcd/ca.crt --endpoints https://192.168.1.16:2379 cluster-health

cluster may be unhealthy: failed to list members
Error: client: etcd cluster is unavailable or misconfigured; error #0: x509: certificate is valid for 127.0.0.1, ::1, not 192.168.1.16

error #0: x509: certificate is valid for 127.0.0.1, ::1, not 192.168.1.16
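
Added example, not part of the thread or the kubeadm documentation: a Python check that cross-references the URL flags in an etcd static-pod manifest with the IP SANs of its certificate, which is the mismatch behind the x509 error in post #3. The manifest text and SAN line are constructed samples (the SAN line follows the format printed by `openssl x509 -noout -text`), and the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: URL flags of a localhost-only etcd static-pod manifest.
MANIFEST = """\
    - --listen-client-urls=https://127.0.0.1:2379
    - --advertise-client-urls=https://127.0.0.1:2379
    - --listen-peer-urls=https://127.0.0.1:2380
    - --initial-advertise-peer-urls=https://127.0.0.1:2380
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
"""
# Constructed sample: SAN line as printed by `openssl x509 -noout -text`.
SAN_LINE = "DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1"

URL_FLAGS = ("listen-client-urls", "advertise-client-urls",
             "listen-peer-urls", "initial-advertise-peer-urls")


def to_ip(text):
    """Parse an IP literal; return None for DNS names or empty values."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def san_ips(san_line):
    """IP SANs found in an openssl-style subjectAltName line."""
    found = re.findall(r"IP Address:([0-9A-Fa-f:.]+)", san_line)
    return {to_ip(f) for f in found} - {None}


def url_hosts(manifest):
    """Map each etcd URL flag to the IP hosts named in its value."""
    hosts = {}
    for flag, value in re.findall(r"--([a-z-]+)=(\S+)", manifest):
        if flag in URL_FLAGS:
            hosts[flag] = {to_ip(urlsplit(u).hostname or "") for u in value.split(",")} - {None}
    return hosts


def audit(manifest, san_line, node_ip):
    """List reasons why clients or peers cannot reach etcd via node_ip over TLS."""
    node, findings = ipaddress.ip_address(node_ip), []
    for flag, ips in url_hosts(manifest).items():
        wildcard = flag.startswith("listen") and any(ip.is_unspecified for ip in ips)
        if node not in ips and not wildcard:
            findings.append(f"{flag} does not include {node}")
    if node not in san_ips(san_line):
        findings.append(f"certificate has no IP SAN for {node}")
    return findings
```

Calling `audit(MANIFEST.replace("127.0.0.1", "192.168.1.16"), SAN_LINE, "192.168.1.16")` models the state in post #3: the manifest was edited to the external IP but the certificate was not reissued, so only the SAN finding remains.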