etcd-ca | A simple certificate manager written in Go | TLS library

The primary difference between htop and ps aux is that htop shows each individual thread belonging to a process rather than the process only - this is similar to ps auxm. Using the htop interactive command H, you can hide threads to get to a list that more closely corresponds to ps aux.

In terms of memory usage, those additional entries representing individual threads do not affect the actual memory usage total because threads share the address space of the associated process.

RSS (resident set size) in general is problematic because it does not adequately represent shared pages (due to shared memory or copy-on-write) for your purpose - the sum can be higher than expected in those cases. You can use smem -t to get a better picture with the PSS (proportional set size) column. Based on the facts you provided, that is not your issue, though.

In your case, it might make sense to dig deeper via smem -tw to get a memory usage breakdown that includes (non-cache) kernel resources. /proc/meminfo provides further details.

In order to make the --kubelet-certificate-authority flag work you first need to make sure you got Kubelet authentication and Kubelet authorization enabled. After that you can follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelet. And finally, you can edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.

So, to sum up the steps to do are:

1. Kubelet authentication:

• start the kubelet with the --anonymous-auth=false flag

• start the kubelet with the --client-ca-file flag, providing a CA bundle to verify client certificates with

• start the apiserver with --kubelet-client-certificate and --kubelet-client-key flags

• ensure the authentication.k8s.io/v1beta1 API group is enabled in the API server

• start the kubelet with the --authentication-token-webhook and --kubeconfig flags

• the kubelet calls the TokenReview API on the configured API server to determine user information from bearer tokens

1. Kubelet authorization:

• ensure the authorization.k8s.io/v1beta1 API group is enabled in the API server

• start the kubelet with the --authorization-mode=Webhook and the --kubeconfig flags

• the kubelet calls the SubjectAccessReview API on the configured API server to determine whether each request is authorized

1. Use the --kubelet-certificate-authority flag to provide the apiserver with a root certificate bundle to use to verify the kubelet's serving certificate.

More details can be found in the linked documentation.

Actually I had extra space added on two places

--requestheader-username-headers=X-Remote-User \ <-- extra space here --proxy-client-cert-file=/var/lib/kubernetes/kube-proxy.crt \ <-- extra space here

Thanks to the reply here https://github.com/kubernetes/kubernetes/issues/94758 found the issue

This context deadline exceeded generally happens because of

1. Using wrong certificates. You could be using peer certificates instead of client certificates. You need to check the Kubernetes API Server parameters which will tell you where are the client certificates located because Kubernetes API Server is a client to ETCD. Then you can use those same certificates in the etcdctl command from the node.

2. The etcd cluster is not operational anymore because peer members are down.

I edited /etc/systemd/system/kubelet.service.d/10-kubeadm.conf - adding the --node-ip flag to KUBELET_CONFIG_ARGS and restarted kubelet with:

Share systemctl status kube-apiserver -l command output, also check /var/log/messages file and post error here.

Because this node I joined the cluster as a node beforeBecause this node I joined the cluster as a node before.Later I reset this with "kubeadm reset " command.After the reset, I joined it as a master role to the cluster. So I get the error in my question above. The error is because the range of the clusterip before I reset is already recorded in the etcd cluster. And "kubeadm reset" command does not clean up the data in the etcd.So the new definition of clusterip conflicts with the original.So the solution is to clean up the data in the etcd and reset it again. (Since the cluster I built is a test cluster, I cleaned the etcd directly. Please be careful in the production environment)

This error

This problem is due to kubernates tls certificates expiry. Rancher version v2.0.8 does not have auto refresh mechanism for ssl/tls certificates. I have upgraded to v2.2.8, and the issue is fixed now. In v2.2.8 they have provided a solution for refreshing of kubernates certificates from the console.