When the kube-apiserver systemd service starts, I see the following error message.
"cannot validate certificate for 192.168.101.101 because it doesn't contain any IP SANs". Reconnecting...
Below are the parameters passed to the kube-apiserver binary.
kube_apiserver_params:
- "--admission-control={{ apiserver_admission_controllers | join(',') }}"
- "--advertise-address=192.168.101.101"
- "--allow-privileged=true"
- "--anonymous-auth=false"
- "--apiserver-count=3"
- "--audit-log-format=json"
- "--audit-log-maxsize=100"
- "--audit-log-path=/var/log/audit/kube_apiserver/kube-apiserver-audit.log"
- "--authorization-mode=Node,RBAC"
- "--bind-address=192.168.101.101"
- "--client-ca-file=/etc/openssl/ca.pem"
- "--enable-bootstrap-token-auth=true"
- "--etcd-cafile=/etc/etcd/ssl/ca.pem"
- "--etcd-certfile=/etc/etcd/ssl/etcd.pem"
- "--etcd-keyfile=/etc/etcd/ssl/etcd-key.pem"
- "--etcd-servers=https://192.168.101.101:2379"
- "--experimental-encryption-provider-config=/etc/kubernetes/ssl/secrets.conf"
- "--insecure-port=0"
- "--kubelet-certificate-authority=/etc/openssl/ca.pem"
- "--kubelet-client-certificate=/etc/kubernetes/ssl/kubelet-server.pem"
- "--kubelet-client-key=/etc/kubernetes/ssl/kubelet-server-key.pem"
- "--kubelet-https=true"
- "--max-requests-inflight=1000"
- "--proxy-client-cert-file=/etc/kubernetes/ssl/metrics.crt"
- "--proxy-client-key-file=/etc/kubernetes/ssl/metrics.key"
- "--requestheader-client-ca-file=/etc/openssl/ca.pem"
- "--requestheader-extra-headers-prefix=X-Remote-Extra-"
- "--requestheader-group-headers=X-Remote-Group"
- "--requestheader-username-headers=X-Remote-User"
- "--secure-port=6443"
- "--service-account-key-file=/etc/kubernetes/ssl/service-account.pem"
- "--service-account-lookup=true"
- "--service-cluster-ip-range=10.254.0.0/16"
- "--tls-cert-file=/etc/kubernetes/ssl/tls-cert.pem"
- "--tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem"
- "--token-auth-file=token.csv"
All certificates were created with the following openssl configuration.
# cat /etc/openssl/node.conf
[req]
req_extensions = req_ext
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.101.101
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=critical,CA:FALSE
keyUsage=critical,nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth,serverAuth
subjectKeyIdentifier=hash
Output for the apiserver.pem file.
# openssl x509 -noout -text -in apiserver.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f0:64:2c:27:6e:24:b1:15
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IN, ST = KA, L = Bangalore, O = NA, OU = MN, CN = ABCD
Validity
Not Before: May 6 21:48:04 2019 GMT
Not After : May 4 21:48:04 2024 GMT
Subject: CN = system:apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bd:4f:a9:ca:b4:0e:5c:99:d0:9e:8d:94:aa:85:
3b:ea:4b:74:2a:41:f1:ea:37:87:a4:1a:6b:89:00:
aa:c8:03:c8:cf:34:15:de:21:f6:26:6c:92:b2:5f:
5b:d9:0d:4f:f9:1f:67:1d:4b:6e:3d:84:76:60:28:
be:0d:33:64:92:3c:0b:ee:bd:4d:bd:3b:9a:1e:3d:
87:a8:3d:87:ae:d3:ea:ab:24:dc:46:6c:1d:99:72:
fc:4c:ca:89:fb:9d:68:9d:0a:2e:81:4e:b0:d4:c9:
47:96:60:22:e4:46:47:5f:f5:78:e0:34:15:b6:9e:
cd:b5:e1:4a:fc:5d:1d:2d:0b:b9:c2:cb:5c:71:50:
2b:9c:48:53:65:5b:70:af:04:c6:b7:ca:80:f7:f7:
b1:ee:ce:dc:ae:c4:28:d9:45:b0:87:2f:aa:92:84:
1c:5a:4e:e7:e8:23:c1:b0:63:a0:89:70:67:45:bc:
20:1a:8b:8b:8f:81:54:95:ae:8e:b1:4c:95:1c:15:
a1:52:c7:d1:a1:63:4a:8c:8e:c3:8d:ea:b6:40:e1:
cf:c8:13:90:ca:40:fc:60:f1:20:9e:85:b9:1a:45:
f7:08:eb:1a:f9:a6:f4:f9:1c:b3:a5:b3:09:7f:72:
73:87:fa:93:03:e3:d2:5d:ec:76:75:d2:95:af:76:
95:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:27:77:CC:16:D1:C3:40:D3:E8:29:49:59:34:30:30:EE:F3:7E:3B:8E
DirName:/C=IN/ST=KA/L=Bangalore/O=NA/OU=MN/CN=ABCD
serial:3A:1E:45:AB:A4:0E:B9:C0:28:81:AA:77:44:FF:4C:27:3D:63:0E:4F
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
4C:8E:91:B4:1F:A2:88:F8:4D:D5:F9:CE:2B:AA:07:7F:5D:95:F9:18
Signature Algorithm: sha256WithRSAEncryption
84:86:82:78:53:a7:f2:6a:a1:21:2b:d5:53:26:2d:c7:33:17:
7a:d4:33:70:be:36:50:42:aa:a0:52:5a:91:1d:0c:c2:31:72:
11:0b:56:31:27:c5:fa:dc:99:de:9d:db:02:69:5a:37:7c:0c:
8d:b9:7d:3d:75:c8:69:18:32:db:3a:f4:82:c1:3e:7e:e6:b5:
fc:0f:3b:bd:e3:0f:1c:b0:e2:33:fe:e4:99:e7:df:9a:1e:68:
41:8e:b0:16:56:18:8b:7c:14:50:d5:08:ec:96:61:03:55:19:
51:48:8d:17:a0:b9:90:6e:e3:ca:c7:de:75:b5:22:84:f2:4d:
0e:e4:c6:fa:4e:25:f5:20:68:03:ae:5c:43:a8:ce:9e:0e:fe:
e0:c7:ab:16:f1:87:fc:a9:d3:4a:f6:41:90:51:f7:57:01:34:
6f:aa:8f:a4:5d:9c:4c:1e:8d:97:8f:e7:66:5c:3e:dd:b3:83:
f0:84:74:26:37:8b:c4:e2:a6:66:89:ef:db:30:8e:1f:4b:85:
ee:0a:52:46:0c:50:6f:8e:97:68:89:63:60:0e:cc:e6:f2:73:
e8:f4:16:34:37:c3:3e:63:d2:7d:c7:cb:2d:1f:ae:05:e0:30:
0d:ea:af:6a:0f:89:35:cc:1f:6a:af:2b:19:5a:eb:45:1b:24:
b2:ad:fc:71
I don't know much about certificate generation, and this is my first time configuring it. Could someone clarify what I'm missing?
Answer 1
Actually, your certificate has no subjectAltName extension (under "X509v3 extensions"). You are referencing the alt_names section from a v3_req section of openssl.cnf, which may or may not be applied depending on how you generated the certificate. I suggest finding a better source of instructions on how to generate a certificate that contains the subjectAltName extension.
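The check behind the error in the question, as an added example that is not part of the question or the answer: kube-apiserver's etcd client is Go's TLS client, and when it connects to an IP address, crypto/x509 compares that IP only against the certificate's IP SAN entries and ignores the CN. The block below builds two self-signed certificates for CN=system:apiserver (the key type, validity and key usages are assumptions chosen for the demo), one without any SAN, like the apiserver.pem shown above, and one with the IP SAN 192.168.101.101, and runs VerifyHostname on both.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a minimal self-signed certificate for CN=system:apiserver.
// withIPSAN decides whether 192.168.101.101 goes into the Subject Alternative
// Name extension; the certificate in the question was generated without it.
func selfSigned(withIPSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "system:apiserver"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withIPSAN {
		tmpl.IPAddresses = []net.IP{net.ParseIP("192.168.101.101")}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkHost applies the same host check Go's TLS client uses when it connects
// to an IP address: only IP SAN entries are consulted, the CN is ignored.
// Without an IP SAN it returns an x509.HostnameError whose text is the
// "cannot validate certificate for ... IP SANs" message from the question.
func checkHost(cert *x509.Certificate, addr string) error {
	return cert.VerifyHostname(addr)
}
```

Calling checkHost(cert, "192.168.101.101") on the SAN-less certificate returns the IP SAN error; on the certificate with the IP SAN it returns nil.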