我每 15 分钟收到一次证书签名请求
❯ kubectl get csr -A --sort-by=.metadata.creationTimestamp
csr-r2dwb 3h kubernetes.io/kubelet-serving system:node:host-cluster-control-plane-2hhtt <none> Pending
csr-kcj2m 165m kubernetes.io/kubelet-serving system:node:host-cluster-control-plane-2hhtt <none> Pending
csr-h4k8j 149m kubernetes.io/kubelet-serving system:node:host-cluster-control-plane-2hhtt <none> Pending
csr-rp5k8 134m kubernetes.io/kubelet-serving system:node:host-cluster-control-plane-2hhtt <none> Pending
csr-dpx5w 118m kubernetes.io/kubelet-serving system:node:host-cluster-control-plane-2hhtt <none> Pending
csr-f5zlj 103m kubernetes.io/kubelet-serving system:node:host-cluster-control-plane-2hhtt <none> Pending
csr-vmjrk 87m kubernetes.io/kubelet-serving system:node:host-cluster-control-plane-2hhtt <none> Pending
csr-q6nz7 72m kubernetes.io/kubelet-serving system:node:host-cluster-control-plane-2hhtt <none> Pending
csr-hhnfx 57m kubernetes.io/kubelet-serving system:node:host-cluster-control-plane-2hhtt <none> Pending
csr-bq2dl 41m kubernetes.io/kubelet-serving system:node:host-cluster-control-plane-2hhtt <none> Pending
csr-9cgws 26m kubernetes.io/kubelet-serving system:node:host-cluster-control-plane-2hhtt <none> Pending
csr-xmz2k 10m kubernetes.io/kubelet-serving system:node:host-cluster-control-plane-2hhtt <none> Pending
我已经通过 批准了证书kubectl certificate approve csr-...,但尽管如此,我每 15 分钟就会收到新的 CSR。
如何解决这个问题?
root@host-cluster-control-plane-2hhtt:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Sep 11, 2023 19:57 UTC 334d ca no
apiserver Sep 11, 2023 19:57 UTC 334d ca no
apiserver-etcd-client Sep 11, 2023 19:57 UTC 334d etcd-ca no
apiserver-kubelet-client Sep 11, 2023 19:57 UTC 334d ca no
controller-manager.conf Sep 11, 2023 19:57 UTC 334d ca no
etcd-healthcheck-client Sep 11, 2023 19:57 UTC 334d etcd-ca no
etcd-peer Sep 11, 2023 19:57 UTC 334d etcd-ca no
etcd-server Sep 11, 2023 19:57 UTC 334d etcd-ca no
front-proxy-client Sep 11, 2023 19:57 UTC 334d front-proxy-ca no
scheduler.conf Sep 11, 2023 19:57 UTC 334d ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Sep 08, 2032 19:55 UTC 9y no
etcd-ca Sep 08, 2032 19:55 UTC 9y no
front-proxy-ca Sep 08, 2032 19:55 UTC 9y no
文件/var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
anonymous:
enabled: false
webhook:
cacheTTL: 0s
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
mode: Webhook
webhook:
cacheAuthorizedTTL: 0s
cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
kind: KubeletConfiguration
logging:
flushFrequency: 0
options:
json:
infoBufferSize: "0"
verbosity: 0
memorySwap: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
resolvConf: /run/systemd/resolve/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 0s
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s
批准证书 4 小时后,我一次又一次地收到新的 CSR:
csr-xmz2k 21h kubernetes.io/kubelet-serving system:node:host-cluster-control-plane-2hhtt <none> Pending
csr-d564x 16h kubernetes.io/kubelet-serving system:node:host-
...
...
...
csr-nn9tz 28m kubernetes.io/kubelet-serving system:node:host-cluster-control-plane-2hhtt <none> Pending
csr-h9k7j 12m kubernetes.io/kubelet-serving system:node:host-cluster-control-plane-2hhtt <none> Pending
答案1
我找到了解决方案:我通过 Cluster-API 创建了集群。
创建工作负载集群的管理集群位于我笔记本电脑上的 minikube 中。
工作负载集群运行良好,但我的笔记本电脑已关闭,因此管理集群的自动批准尚未完成。
在minikube内部启动管理集群后,一切又恢复正常。