kubeadm token creation fails on a self-signed CA certificate

I am trying to deploy a k8s cluster with kubespray on an openstack cluster of ubuntu servers. The installation fails when kubeadm tries to initialize the cloud provider by creating a bootstrap token through a POST request to the keystone endpoint xxx:5000/v3/. kubelet.service cannot start because the keystone endpoint is signed by a self-signed certificate, see below. I saved the CA certificate of the keystone endpoint and placed it in /etc/kubernetes/ssl/ on the master node, where kubelet and kubeadm look for certificates. I also updated /etc/kubernetes/kubeadm-config.yaml according to the documentation here and here, and I updated the kubeadm join-defaults configuration to include "unsafeSkipCAVerification: true", but kubelet.service still fails on the self-signed certificate. kubeadm should authenticate with the username/password stored in the /etc/kubernetes/cloud_config file, and I have verified that these values are correct. I am not sure where I can change this behaviour. Any guidance would be greatly appreciated.

ubuntu:/etc/kubernetes# kubeadm config print join-defaults
apiVersion: kubeadm.k8s.io/v1beta3
caCertPath: /etc/kubernetes/pki/ca.crt
discovery:
  bootstrapToken:
    apiServerEndpoint: kube-apiserver:6443
    token: abcdef.0123456789abcdef
    unsafeSkipCAVerification: true
  timeout: 5m0s
  tlsBootstrapToken: abcdef.0123456789abcdef
kind: JoinConfiguration
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  imagePullPolicy: IfNotPresent
  name: mdap-node-01
  taints: null

kubelet stack trace:

Dec 15 22:19:51 ubuntu kubelet[388780]: E1215 22:19:51.760564  388780 server.go:294] "Failed to run kubelet" err="failed to run Kubelet: could not init cloud provider \"openstack\": Post \"https://XXX.XXX.XXX.132:5000/v3/auth/tokens\": x509: certificate signed by unknown authority"
Dec 15 22:19:51 ubuntu systemd[1]: kubelet.service: Main process exited, code=exited, status=1/FAILURE


FAILED - RETRYING: Create kubeadm token for joining nodes with 24h expiration (default) (4 retries left).Result was: {
"attempts": 2,
"changed": false,
"cmd": [
    "/usr/local/bin/kubeadm",
    "--kubeconfig",
    "/etc/kubernetes/admin.conf",
    "token",
    "create"
],
"delta": "0:01:15.035670",
"end": "2021-12-16 15:03:22.901080",
"invocation": {
    "module_args": {
        "_raw_params": "/usr/local/bin/kubeadm --kubeconfig /etc/kubernetes/admin.conf token create",
        "_uses_shell": false,
        "argv": null,
        "chdir": null,
        "creates": null,
        "executable": null,
        "removes": null,
        "stdin": null,
        "stdin_add_newline": true,
        "strip_empty_ends": true,
        "warn": true
    }
},
"msg": "non-zero return code",
"rc": 1,
"retries": 6,
"start": "2021-12-16 15:02:07.865410",
"stderr": "timed out waiting for the condition\nTo see the stack trace of this error execute with --v=5 or higher",
"stderr_lines": [
    "timed out waiting for the condition",
    "To see the stack trace of this error execute with --v=5 or higher"
],
"stdout": "",
"stdout_lines": []
}
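
The failure above, reproduced offline as an added example (not code from the question, kubespray or kubeadm): the kubelet's OpenStack provider is a Go HTTP client that trusts only the system root store plus a CA bundle named in the cloud config (`ca-file` under `[Global]`), not files placed in /etc/kubernetes/ssl/, so the useful node-side check is whether a given CA file actually validates the keystone endpoint's leaf certificate. The CA, server certificate and host name below are constructed; `endpoint_chain` needs network access and is not exercised by the demo.

```shell
#!/bin/sh
# Added example: map "x509: certificate signed by unknown authority" to an
# OpenSSL verification against a specific CA file, using a constructed PKI.
set -eu

# chain_status <server-cert.pem> <ca-bundle.pem>
# Prints "trusted" when the certificate chains to the CA bundle, otherwise
# "untrusted: <reason>" (e.g. "unable to get local issuer certificate", the
# OpenSSL wording of Go's "signed by unknown authority"). Matches on output
# rather than exit code so old and new OpenSSL releases behave the same.
chain_status() {
  out=$(openssl verify -CAfile "$2" "$1" 2>&1 || true)
  case "$out" in
    *": OK"*) echo "trusted" ;;
    *) echo "untrusted: $(printf '%s\n' "$out" \
         | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1)" ;;
  esac
}

# endpoint_chain <host:port> <out.pem>
# Saves the leaf certificate presented by a live endpoint (network needed),
# e.g. endpoint_chain keystone.example.invalid:5000 /tmp/keystone-leaf.pem
endpoint_chain() {
  openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$2"
}

# make_test_pki <dir>
# Constructed stand-in for the self-signed keystone PKI: a private CA, a
# server certificate it issued, and an unrelated CA for the negative case.
make_test_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Keystone CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=keystone.example.invalid" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/srv.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

# Offline walk-through: the right bundle validates, the wrong one reproduces the error.
demo() {
  d=$(mktemp -d)
  make_test_pki "$d"
  echo "right CA bundle: $(chain_status "$d/srv.pem" "$d/ca.pem")"
  echo "wrong CA bundle: $(chain_status "$d/srv.pem" "$d/other.pem")"
  rm -rf "$d"
}
demo
```

Run `chain_status` with the leaf saved by `endpoint_chain` and the bundle you intend to reference from the cloud config; an "untrusted" result there means the kubelet will fail the same way regardless of what is in /etc/kubernetes/ssl/.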

Answer 1

For clarity, I am posting a community wiki answer.

To solve this issue, you removed the openstack cloud provider settings. After that, using kubespray, you were able to install the k8s cluster successfully.

To understand the certificates - as I mentioned before, the documentation on certificate management is at this link. To check whether the certificates are externally managed, you can use the following command:

kubeadm certs check-expiration
