Not sure how to solve a certificate problem; maybe someone has run into this issue?
Kernel
uname -a
Linux node2 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
OS
cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
kubectl
kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2", GitCommit:"f5743093fd1c663cb0cbc89748f730662345d44d", GitTreeState:"clean", BuildDate:"2020-09-16T13:41:02Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-03-31T09:11:37+03:00 is after 2023-03-25T05:32:30Z
kubeadm
kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2", GitCommit:"f5743093fd1c663cb0cbc89748f730662345d44d", GitTreeState:"clean", BuildDate:"2020-09-16T13:38:53Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
Problem:
When I try to get the nodes:
kubectl get nodes
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-03-31T09:15:30+03:00 is after 2023-03-25T05:32:30Z
Trying to renew:
kubeadm alpha certs renew all
W0331 09:15:52.880115 4475 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
MISSING! certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
Error checking external CA condition for ca certificate authority: failure loading certificate for API server: failed to load certificate: the certificate has expired
To see the stack trace of this error execute with --v=5 or higher
Kubeadm renew:
kubeadm alpha phase certs apiserver --apiserver-advertise-address 10.2.27.11
unknown flag: --apiserver-advertise-address
To see the stack trace of this error execute with --v=5 or higher
[root@node2 pki]#
[root@node2 pki]#
[root@node2 pki]# kubeadm alpha phase certs apiserver --apiserver-advertise-address 10.2.27.11
unknown flag: --apiserver-advertise-address
To see the stack trace of this error execute with --v=5 or higher
[root@node2 pki]# sudo kubeadm alpha certs renew apiserver
sudo: kubeadm: command not found
[root@node2 pki]# kubeadm alpha certs renew apiserver
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
W0404 13:54:08.589075 17136 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
MISSING! certificate for serving the Kubernetes API
kubeadm alpha certs renew apiserver
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
W0404 13:54:26.555686 17270 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
MISSING! certificate for serving the Kubernetes API
[root@node2 pki]# kubeadm alpha certs renew apiserver-etcd-client
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
W0404 13:54:32.885559 17375 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
MISSING! certificate the apiserver uses to access etcd
[root@node2 pki]# kubeadm alpha certs renew apiserver-kubelet-client
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
W0404 13:54:37.895333 17459 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
MISSING! certificate for the API server to connect to kubelet
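Answer 1
The error Unable to connect to the server: x509: certificate has expired or is not yet valid indicates that, on a DX APM OnPrem installation, the Kubernetes system created its own keys/certificates, which are valid for 1 year and then expire.
Resolution:
Try this resolution steps document.
As mentioned in this git link, you need to follow the steps below:
1) Renew the expired certificates using kubeadm.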
sudo kubeadm alpha certs renew apiserver
sudo kubeadm alpha certs renew apiserver-etcd-client
sudo kubeadm alpha certs renew apiserver-kubelet-client
sudo kubeadm alpha certs renew front-proxy-client
2) Generate new kube-configs.
sudo kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin > admin.conf
sudo kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > controller-manager.conf
sudo kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > kubelet.conf
sudo kubeadm alpha kubeconfig user --client-name system:kube-scheduler > scheduler.conf
3) Move the newly generated kube-configs to replace the existing kube-configs.
sudo mv admin.conf /etc/kubernetes/
sudo mv controller-manager.conf /etc/kubernetes/
sudo mv kubelet.conf /etc/kubernetes/
sudo mv scheduler.conf /etc/kubernet
4) Restart the master components.
sudo kill -s SIGHUP $(pidof kube-apiserver)
sudo kill -s SIGHUP $(pidof kube-controller-manager)
sudo kill -s SIGHUP $(pidof kube-scheduler)
Refer to this official documentation for more information about certificate management with kubeadm.
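
A read-only check to run before and after the renewal steps above, added here as an example and not part of the original answer: it reports which certificates under /etc/kubernetes/pki and which client certificates embedded in the kubeconfig files are expired or close to expiry. It assumes `openssl` and GNU `base64` are installed; the function names and the 30-day warning threshold are choices made for this example.

```bash
#!/bin/sh
# Added example: expiry report for kubeadm-managed certificates.
# Function names and the 30-day threshold are assumptions of this example.

# cert_status PEM [WARN_DAYS] -> prints UNREADABLE, EXPIRED, EXPIRING or OK
cert_status() {
    local pem="$1" warn_days="${2:-30}"
    # Reject files that do not parse as X.509 before testing validity
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 2; }
    # -checkend N exits non-zero when notAfter falls within the next N seconds
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$pem" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# kubeconfig_cert KUBECONFIG OUT_PEM -> decode the embedded client certificate;
# fails when the kubeconfig references an external file instead of embedding one
kubeconfig_cert() {
    awk '/client-certificate-data:/ {print $2; exit}' "$1" | base64 -d > "$2" 2>/dev/null
    [ -s "$2" ]
}

# report [ROOT] -> one status line per certificate file and per kubeconfig
report() {
    local root="${1:-/etc/kubernetes}" tmp f
    tmp="$(mktemp)"
    for f in "$root"/pki/*.crt "$root"/pki/etcd/*.crt; do
        [ -f "$f" ] || continue
        printf '%-10s %s\n' "$(cert_status "$f")" "$f"
    done
    for f in "$root"/*.conf; do
        [ -f "$f" ] || continue
        if kubeconfig_cert "$f" "$tmp"; then
            printf '%-10s %s (embedded client cert)\n' "$(cert_status "$tmp")" "$f"
        else
            printf '%-10s %s\n' NO-EMBED "$f"
        fi
    done
    rm -f "$tmp"
}

report "${1:-/etc/kubernetes}"
```

A kubeconfig still listed as EXPIRED after step 1 is one that was not regenerated in steps 2 and 3.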