kubernetes apiserver systemd service not active

When the kube-apiserver systemd service starts, I see the following error message.

    cannot validate certificate for 192.168.101.101 because it doesn't contain any IP SANs". Reconnecting...

Here are the arguments passed to the kube-apiserver binary.

    kube_apiserver_params:
      - "--admission-control={{ apiserver_admission_controllers | join(',') }}"
      - "--advertise-address=192.168.101.101"
      - "--allow-privileged=true"
      - "--anonymous-auth=false"
      - "--apiserver-count=3"
      - "--audit-log-format=json"
      - "--audit-log-maxsize=100"
      - "--audit-log-path=/var/log/audit/kube_apiserver/kube-apiserver-audit.log"
      - "--authorization-mode=Node,RBAC"
      - "--bind-address=192.168.101.101"
      - "--client-ca-file=/etc/openssl/ca.pem"
      - "--enable-bootstrap-token-auth=true"
      - "--etcd-cafile=/etc/etcd/ssl/ca.pem"
      - "--etcd-certfile=/etc/etcd/ssl/etcd.pem"
      - "--etcd-keyfile=/etc/etcd/ssl/etcd-key.pem"
      - "--etcd-servers=https://192.168.101.101:2379"
      - "--experimental-encryption-provider-config=/etc/kubernetes/ssl/secrets.conf"
      - "--insecure-port=0"
      - "--kubelet-certificate-authority=/etc/openssl/ca.pem"
      - "--kubelet-client-certificate=/etc/kubernetes/ssl/kubelet-server.pem"
      - "--kubelet-client-key=/etc/kubernetes/ssl/kubelet-server-key.pem"
      - "--kubelet-https=true"
      - "--max-requests-inflight=1000"
      - "--proxy-client-cert-file=/etc/kubernetes/ssl/metrics.crt"
      - "--proxy-client-key-file=/etc/kubernetes/ssl/metrics.key"
      - "--requestheader-client-ca-file=/etc/openssl/ca.pem"
      - "--requestheader-extra-headers-prefix=X-Remote-Extra-"
      - "--requestheader-group-headers=X-Remote-Group"
      - "--requestheader-username-headers=X-Remote-User"
      - "--secure-port=6443"
      - "--service-account-key-file=/etc/kubernetes/ssl/service-account.pem"
      - "--service-account-lookup=true"
      - "--service-cluster-ip-range=10.254.0.0/16"
      - "--tls-cert-file=/etc/kubernetes/ssl/tls-cert.pem"
      - "--tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem"
      - "--token-auth-file=token.csv"

All certificates were created with the following openssl configuration.

    # cat /etc/openssl/node.conf
       [req]
       req_extensions = req_ext
       distinguished_name = req_distinguished_name
       [req_distinguished_name]

       [ req_ext ]
       subjectAltName = @alt_names

       [alt_names]
       IP.1 = 192.168.101.101

       [ v3_ext ]
       authorityKeyIdentifier=keyid,issuer:always
       basicConstraints=critical,CA:FALSE
       keyUsage=critical,nonRepudiation,digitalSignature,keyEncipherment
       extendedKeyUsage=clientAuth,serverAuth
       subjectKeyIdentifier=hash

Output of the apiserver.pem file.

    # openssl x509 -noout -text -in apiserver.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                f0:64:2c:27:6e:24:b1:15
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = IN, ST = KA, L = Bangalore, O = NA, OU = MN, CN = ABCD
            Validity
                Not Before: May  6 21:48:04 2019 GMT
                Not After : May  4 21:48:04 2024 GMT
            Subject: CN = system:apiserver
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:bd:4f:a9:ca:b4:0e:5c:99:d0:9e:8d:94:aa:85:
                        3b:ea:4b:74:2a:41:f1:ea:37:87:a4:1a:6b:89:00:
                        aa:c8:03:c8:cf:34:15:de:21:f6:26:6c:92:b2:5f:
                        5b:d9:0d:4f:f9:1f:67:1d:4b:6e:3d:84:76:60:28:
                        be:0d:33:64:92:3c:0b:ee:bd:4d:bd:3b:9a:1e:3d:
                        87:a8:3d:87:ae:d3:ea:ab:24:dc:46:6c:1d:99:72:
                        fc:4c:ca:89:fb:9d:68:9d:0a:2e:81:4e:b0:d4:c9:
                        47:96:60:22:e4:46:47:5f:f5:78:e0:34:15:b6:9e:
                        cd:b5:e1:4a:fc:5d:1d:2d:0b:b9:c2:cb:5c:71:50:
                        2b:9c:48:53:65:5b:70:af:04:c6:b7:ca:80:f7:f7:
                        b1:ee:ce:dc:ae:c4:28:d9:45:b0:87:2f:aa:92:84:
                        1c:5a:4e:e7:e8:23:c1:b0:63:a0:89:70:67:45:bc:
                        20:1a:8b:8b:8f:81:54:95:ae:8e:b1:4c:95:1c:15:
                        a1:52:c7:d1:a1:63:4a:8c:8e:c3:8d:ea:b6:40:e1:
                        cf:c8:13:90:ca:40:fc:60:f1:20:9e:85:b9:1a:45:
                        f7:08:eb:1a:f9:a6:f4:f9:1c:b3:a5:b3:09:7f:72:
                        73:87:fa:93:03:e3:d2:5d:ec:76:75:d2:95:af:76:
                        95:c1
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Authority Key Identifier:
                    keyid:27:77:CC:16:D1:C3:40:D3:E8:29:49:59:34:30:30:EE:F3:7E:3B:8E
                    DirName:/C=IN/ST=KA/L=Bangalore/O=NA/OU=MN/CN=ABCD
                    serial:3A:1E:45:AB:A4:0E:B9:C0:28:81:AA:77:44:FF:4C:27:3D:63:0E:4F

                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, TLS Web Server Authentication
                X509v3 Subject Key Identifier:
                    4C:8E:91:B4:1F:A2:88:F8:4D:D5:F9:CE:2B:AA:07:7F:5D:95:F9:18
        Signature Algorithm: sha256WithRSAEncryption
             84:86:82:78:53:a7:f2:6a:a1:21:2b:d5:53:26:2d:c7:33:17:
             7a:d4:33:70:be:36:50:42:aa:a0:52:5a:91:1d:0c:c2:31:72:
             11:0b:56:31:27:c5:fa:dc:99:de:9d:db:02:69:5a:37:7c:0c:
             8d:b9:7d:3d:75:c8:69:18:32:db:3a:f4:82:c1:3e:7e:e6:b5:
             fc:0f:3b:bd:e3:0f:1c:b0:e2:33:fe:e4:99:e7:df:9a:1e:68:
             41:8e:b0:16:56:18:8b:7c:14:50:d5:08:ec:96:61:03:55:19:
             51:48:8d:17:a0:b9:90:6e:e3:ca:c7:de:75:b5:22:84:f2:4d:
             0e:e4:c6:fa:4e:25:f5:20:68:03:ae:5c:43:a8:ce:9e:0e:fe:
             e0:c7:ab:16:f1:87:fc:a9:d3:4a:f6:41:90:51:f7:57:01:34:
             6f:aa:8f:a4:5d:9c:4c:1e:8d:97:8f:e7:66:5c:3e:dd:b3:83:
             f0:84:74:26:37:8b:c4:e2:a6:66:89:ef:db:30:8e:1f:4b:85:
             ee:0a:52:46:0c:50:6f:8e:97:68:89:63:60:0e:cc:e6:f2:73:
             e8:f4:16:34:37:c3:3e:63:d2:7d:c7:cb:2d:1f:ae:05:e0:30:
             0d:ea:af:6a:0f:89:35:cc:1f:6a:af:2b:19:5a:eb:45:1b:24:
             b2:ad:fc:71

I don't know much about certificate generation, and this is my first time configuring it. Could someone clarify what I am missing?

Answer 1

Actually, your certificate does not have a subjectAltName extension (under "X509v3 extensions"). What you are quoting is a section from the `v3_req` part of `openssl.cnf`, which may or may not have taken effect, depending on how you generated the certificate. I'd suggest finding a better source of instructions on how to generate a certificate that includes the subjectAltName extension.
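As an added example (not part of the question or the answer above), here is a constructed signing flow modelled on the question's node.conf. `openssl x509 -req` does not carry the CSR's `req_ext` extensions into the signed certificate by default, so the `subjectAltName` line is also placed in the section used at signing time (`v3_ext`); the helper at the end checks that the IP SAN actually landed in the certificate. The throwaway CA, subject and file paths are assumptions for the demo.

```shell
#!/bin/sh
# Constructed example: sign an apiserver certificate so that the IP SAN from the
# question's node.conf really ends up in the certificate, then verify it.
# Assumes the openssl CLI is installed; all files go to a temp directory.
set -e
WORK=$(mktemp -d)

# Config modelled on the question's node.conf. The SAN is repeated in v3_ext
# because 'openssl x509 -req -extensions v3_ext' only emits what that section
# lists; extensions in the CSR (req_ext) are ignored unless explicitly copied.
cat > "$WORK/node.conf" <<'EOF'
[req]
req_extensions = req_ext
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
CN = system:apiserver
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.101.101
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=critical,CA:FALSE
keyUsage=critical,nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth,serverAuth
subjectKeyIdentifier=hash
subjectAltName = @alt_names
EOF

# Throwaway CA (constructed for the demo, not the questioner's CA).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca-key.pem" \
  -out "$WORK/ca.pem" -days 1 -subj "/CN=example-ca" >/dev/null 2>&1

# CSR for the apiserver, then sign it with the v3_ext section that carries the SAN.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/apiserver-key.pem" \
  -out "$WORK/apiserver.csr" -config "$WORK/node.conf" >/dev/null 2>&1
openssl x509 -req -in "$WORK/apiserver.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" \
  -CAcreateserial -out "$WORK/apiserver.pem" -days 1 \
  -extfile "$WORK/node.conf" -extensions v3_ext >/dev/null 2>&1

# cert_has_ip_san CERT IP: exit 0 if CERT lists IP as a subjectAltName, 1 otherwise.
# Run it against the cert in the question and it fails, which is the reported error.
cert_has_ip_san() {
  openssl x509 -noout -text -in "$1" | grep -q "IP Address:$2"
}
```

Running `cert_has_ip_san "$WORK/apiserver.pem" 192.168.101.101` on the freshly signed certificate succeeds, whereas the same check on the certificate from the question fails because the "X509v3 Subject Alternative Name" block is absent.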
