Problem description
Our Kubernetes 1.6 cluster had certificates generated when the cluster was built on April 13th, 2017.
On December 13th, 2017, our cluster was upgraded to version 1.8, and new certificates were generated [apparently, an incomplete set of certificates].
On April 13th, 2018, we started seeing this message within our Kubernetes dashboard for api-server:
[authentication.go:64] Unable to authenticate the request due to an error: [x509: certificate has expired or is not yet valid, x509: certificate has expired or is not yet valid]
Tried pointing client-certificate & client-key within /etc/kubernetes/kubelet.conf at the certificates generated on Dec 13th [apiserver-kubelet-client.crt and apiserver-kubelet-client.crt], but continue to see the above error.
Tried pointing client-certificate & client-key within /etc/kubernetes/kubelet.conf at different certificates generated on Dec 13th [apiserver.crt and apiserver.crt] (I honestly don't understand the difference between these 2 sets of certs/keys), but continue to see the above error.
Tried pointing client-certificate & client-key within /etc/kubernetes/kubelet.conf at non-existent files, and none of the kube* services would start, with /var/log/syslog complaining about this:
Apr 17 17:50:08 kuber01 kubelet[2422]: W0417 17:50:08.181326 2422 server.go:381] invalid kubeconfig: invalid configuration: [unable to read client-cert /tmp/this/cert/does/not/exist.crt for system:node:node01 due to open /tmp/this/cert/does/not/exist.crt: no such file or directory, unable to read client-key /tmp/this/key/does/not/exist.key for system:node:node01 due to open /tmp/this/key/does/not/exist.key: no such file or directory]
Any advice on how to overcome this error, or even troubleshoot it at a more granular level? Was considering regenerating certificates for api-server (kubeadm alpha phase certs apiserver), based on instructions within https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-alpha/#cmd-phase-certs ... but not sure if I'd be doing more damage.
Relatively new to Kubernetes, and the gentleman who set this up is not available for consult ... any help is appreciated. Thanks.
Recommended answer
Each node within the Kubernetes cluster contains a config file for running kubelet ... /etc/kubernetes/kubelet.conf ... and this file is auto-generated by kubeadm. During this auto-generation, kubeadm uses /etc/kubernetes/ca.key to create a node-specific file, /etc/kubernetes/kubelet.conf, within which are two very important pieces ... client-certificate-data and client-key-data. My original thought process led me to believe that I needed to find the corresponding certificate file & key file, renew those files, convert both to base64, and use those values within kubelet.conf files across the cluster ... this thinking was not correct.
Instead, the fix was to use kubeadm to regenerate kubectl.conf on all nodes, as well as admin.conf, controller-manager.conf, and scheduler.conf on the cluster's master node. You'll need /etc/kubernetes/pki/ca.key on each node in order for your config files to include valid data for client-certificate-data and client-key-data.
Pro tip: make use of the --apiserver-advertise-address parameter to ensure your new config files contain the correct IP address of the node hosting the kube-apiserver service.
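The answer hinges on the fact that kubeadm embeds the node's client certificate directly in the kubeconfig as base64 client-certificate-data, so the first diagnostic step is to decode that field and read its notAfter date rather than guessing which file under /etc/kubernetes/pki it corresponds to. The script below is an added example, not code from the original question or answer: it extracts the embedded certificate from a kubeconfig, prints its expiry, and reports whether it expires within a given number of seconds. The demo kubeconfig, the server address 10.0.0.1:6443 and the node name system:node:demo-node are constructed for the example; on a real node you would point the functions at /etc/kubernetes/kubelet.conf instead.

```shell
#!/bin/sh
# Added example (not from the original Q&A): inspect the client certificate that
# kubeadm embeds as client-certificate-data in a kubeconfig such as
# /etc/kubernetes/kubelet.conf, and report whether it has expired or is about to.
# Needs only a POSIX shell, openssl, base64 and awk.

# Print the PEM client certificate embedded in a kubeconfig (first user entry).
kubeconfig_client_cert() {
  cfg=$1
  b64=$(awk '/client-certificate-data:/ { print $2; exit }' "$cfg")
  [ -n "$b64" ] || { echo "no client-certificate-data in $cfg" >&2; return 2; }
  printf '%s\n' "$b64" | base64 -d
}

# Print the notAfter date of the embedded client certificate,
# e.g. "Apr 13 12:00:00 2018 GMT".
kubeconfig_cert_enddate() {
  kubeconfig_client_cert "$1" | openssl x509 -noout -enddate | cut -d= -f2
}

# Return 0 if the embedded client certificate expires within $2 seconds
# (an already-expired certificate counts as expiring), 1 if it does not,
# 2 if no certificate could be read from the file.
kubeconfig_cert_expiring_within() {
  cfg=$1; window=$2
  pem=$(kubeconfig_client_cert "$cfg") || return 2
  if printf '%s\n' "$pem" | openssl x509 -noout -checkend "$window" >/dev/null 2>&1; then
    return 1   # openssl reports "Certificate will not expire" within the window
  fi
  return 0     # expires (or has already expired) within the window
}

# Build a constructed kubeconfig with a throwaway self-signed node certificate
# valid for $2 days, so the checks above can be exercised without a cluster.
# The server address and node name are placeholders for the example.
make_demo_kubeconfig() {
  out=$1; days=$2
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -subj "/O=system:nodes/CN=system:node:demo-node" \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1
  cert_b64=$(base64 < "$tmp/cert.pem" | tr -d '\n')
  key_b64=$(base64 < "$tmp/key.pem" | tr -d '\n')
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    server: https://10.0.0.1:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:node:demo-node
  name: system:node:demo-node@kubernetes
current-context: system:node:demo-node@kubernetes
users:
- name: system:node:demo-node
  user:
    client-certificate-data: $cert_b64
    client-key-data: $key_b64
EOF
  rm -rf "$tmp"
}

# Demo: a 30-day certificate passes a 60-second check but trips a 31-day one.
demo_dir=$(mktemp -d)
make_demo_kubeconfig "$demo_dir/kubelet.conf" 30
echo "client cert notAfter: $(kubeconfig_cert_enddate "$demo_dir/kubelet.conf")"
if kubeconfig_cert_expiring_within "$demo_dir/kubelet.conf" 2678400; then
  echo "client cert expires within 31 days: regenerate the kubeconfigs with kubeadm"
else
  echo "client cert is good for at least 31 days"
fi
```

On a live node, `kubeconfig_cert_expiring_within /etc/kubernetes/kubelet.conf 2592000` answers the question the asker was stuck on (is the embedded cert, not some file in pki/, the one that expired?), and the same `openssl x509 -noout -enddate` call run directly against /etc/kubernetes/pki/apiserver.crt and apiserver-kubelet-client.crt shows which of the file-based certificates the December upgrade actually renewed. Running the 30-day check from a cron job on every node is a cheap way to get warning before the anniversary of the cluster build rather than after it.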