I receive a certificate signing request every 15 minutes (Kubernetes)

I receive a certificate signing request every 15 minutes:

❯ kubectl get csr -A --sort-by=.metadata.creationTimestamp

csr-r2dwb   3h      kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-kcj2m   165m    kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-h4k8j   149m    kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-rp5k8   134m    kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-dpx5w   118m    kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-f5zlj   103m    kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-vmjrk   87m     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-q6nz7   72m     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-hhnfx   57m     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-bq2dl   41m     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-9cgws   26m     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-xmz2k   10m     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending

I have already approved the certificates with kubectl certificate approve csr-..., but I still get a new CSR every 15 minutes.

How can I fix this?

root@host-cluster-control-plane-2hhtt:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Sep 11, 2023 19:57 UTC   334d            ca                      no      
apiserver                  Sep 11, 2023 19:57 UTC   334d            ca                      no      
apiserver-etcd-client      Sep 11, 2023 19:57 UTC   334d            etcd-ca                 no      
apiserver-kubelet-client   Sep 11, 2023 19:57 UTC   334d            ca                      no      
controller-manager.conf    Sep 11, 2023 19:57 UTC   334d            ca                      no      
etcd-healthcheck-client    Sep 11, 2023 19:57 UTC   334d            etcd-ca                 no      
etcd-peer                  Sep 11, 2023 19:57 UTC   334d            etcd-ca                 no      
etcd-server                Sep 11, 2023 19:57 UTC   334d            etcd-ca                 no      
front-proxy-client         Sep 11, 2023 19:57 UTC   334d            front-proxy-ca          no      
scheduler.conf             Sep 11, 2023 19:57 UTC   334d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 08, 2032 19:55 UTC   9y              no      
etcd-ca                 Sep 08, 2032 19:55 UTC   9y              no      
front-proxy-ca          Sep 08, 2032 19:55 UTC   9y              no      

The file /var/lib/kubelet/config.yaml:

apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
kind: KubeletConfiguration
logging:
  flushFrequency: 0
  options:
    json:
      infoBufferSize: "0"
  verbosity: 0
memorySwap: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
resolvConf: /run/systemd/resolve/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 0s
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s

4 hours after approving the certificates, I keep getting new CSRs again and again:

csr-xmz2k   21h     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-d564x   16h     kubernetes.io/kubelet-serving   system:node:host-
...
...
...
csr-nn9tz   28m     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-h9k7j   12m     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending

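Answer 1

I found the solution: I created the cluster via Cluster-API.

The management cluster that created the workload cluster runs in minikube on my laptop.

The workload cluster was running fine, but my laptop was turned off, so the management cluster's auto-approval was not being done.

After starting the management cluster inside minikube, everything went back to normal.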
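
An added example, not part of the original post: before hand-approving a backlog of pending kubelet-serving CSRs like the one in the question, the requester fields recorded by the API server can be checked first. It parses `kubectl get csr -o json` output; the sample objects and names are constructed, and the DNS/IP SANs inside each request still need separate review.

```python
import json
from collections import defaultdict

SERVING = "kubernetes.io/kubelet-serving"
BASE_USAGES = {"digital signature", "server auth"}  # key encipherment is optional on top
ALLOWED_USAGES = (BASE_USAGES, BASE_USAGES | {"key encipherment"})

def is_pending(csr):
    """Pending means neither an Approved nor a Denied condition is set."""
    conds = csr.get("status", {}).get("conditions") or []
    return not any(c.get("type") in ("Approved", "Denied") for c in conds)

def requester_problems(csr):
    """Check the requester recorded by the API server (not the request's SANs)."""
    spec, problems = csr["spec"], []
    if not spec.get("username", "").startswith("system:node:"):
        problems.append("requester is not a node identity")
    if "system:nodes" not in spec.get("groups", []):
        problems.append("requester not in group system:nodes")
    if set(spec.get("usages", [])) not in ALLOWED_USAGES:
        problems.append("unexpected key usages")
    return problems

def triage(csr_list_json):
    """Group pending kubelet-serving CSRs per requester into 'ok' and 'suspect'."""
    report = defaultdict(lambda: {"ok": [], "suspect": {}})
    for csr in json.loads(csr_list_json)["items"]:
        if csr["spec"].get("signerName") != SERVING or not is_pending(csr):
            continue
        entry, name = report[csr["spec"].get("username", "")], csr["metadata"]["name"]
        problems = requester_problems(csr)
        if problems:
            entry["suspect"][name] = problems
        else:
            entry["ok"].append(name)
    return dict(report)

# Constructed sample shaped like `kubectl get csr -o json`; all names are hypothetical.
def _csr(name, user, groups, usages, conditions=None):
    return {"metadata": {"name": name},
            "spec": {"signerName": SERVING, "username": user, "groups": groups, "usages": usages},
            "status": {"conditions": conditions} if conditions else {}}
NODE, GROUPS = "system:node:example-control-plane", ["system:nodes", "system:authenticated"]
USAGES = ["digital signature", "key encipherment", "server auth"]
SAMPLE = json.dumps({"items": [
    _csr("csr-aaaaa", NODE, GROUPS, USAGES),
    _csr("csr-bbbbb", NODE, GROUPS, USAGES, [{"type": "Approved", "status": "True"}]),
    _csr("csr-ccccc", "alice", ["system:authenticated"], USAGES + ["client auth"])]})
print(json.dumps(triage(SAMPLE), indent=2))
```

Many "ok" entries for the same node, as in the question, point to a missing approver rather than a faulty kubelet.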
