x509 certificate signed by unknown authority - Kubernetes

I am configuring a Kubernetes cluster with 2 nodes in CoreOS as described in https://coreos.com/kubernetes/docs/latest/getting-started.html without flannel. Both servers are in the same network.

But I am getting: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-ca") while running kubelet in the worker.

I configured the TLS certificates properly on both the servers as discussed in the doc.

The master node is working fine. And kubectl is able to fire containers and pods in master.

Question 1: How to fix this problem?

Question 2: Is there any way to configure a cluster without TLS certificates?

CoreOS version:
VERSION=899.15.0
VERSION_ID=899.15.0
BUILD_ID=2016-04-05-1035
PRETTY_NAME="CoreOS 899.15.0"

Etcd conf:

$ etcdctl member list
ce2a822cea30bfca: name=78c2c701d4364a8197d3f6ecd04a1d8f peerURLs=http://localhost:2380,http://localhost:7001 clientURLs=http://172.24.0.67:2379

Master: kubelet.service:

[Service]
ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
Environment=KUBELET_VERSION=v1.2.2_coreos.0
ExecStart=/opt/bin/kubelet-wrapper \
  --api-servers=http://127.0.0.1:8080 \
  --register-schedulable=false \
  --allow-privileged=true \
  --config=/etc/kubernetes/manifests \
  --hostname-override=172.24.0.67 \
  --cluster-dns=10.3.0.10 \
  --cluster-domain=cluster.local
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target

Master: kube-controller.yaml

apiVersion: v1
kind: Pod
metadata:
  name: kube-controller-manager
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-controller-manager
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - controller-manager
    - --master=http://127.0.0.1:8080
    - --leader-elect=true 
    - --service-account-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    - --root-ca-file=/etc/kubernetes/ssl/ca.pem
    livenessProbe:
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10252
      initialDelaySeconds: 15
      timeoutSeconds: 1
    volumeMounts:
    - mountPath: /etc/kubernetes/ssl
      name: ssl-certs-kubernetes
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/ssl
    name: ssl-certs-kubernetes
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host

Master: kube-proxy.yaml

apiVersion: v1
kind: Pod
metadata:
  name: kube-proxy
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-proxy
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - proxy
    - --master=http://127.0.0.1:8080
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host

Master: kube-apiserver.yaml

apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-apiserver
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - apiserver
    - --bind-address=0.0.0.0
    - --etcd-servers=http://172.24.0.67:2379
    - --allow-privileged=true
    - --service-cluster-ip-range=10.3.0.0/24
    - --secure-port=443
    - --advertise-address=172.24.0.67
    - --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
    - --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
    - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    - --client-ca-file=/etc/kubernetes/ssl/ca.pem
    - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    ports:
    - containerPort: 443
      hostPort: 443
      name: https
    - containerPort: 8080
      hostPort: 8080
      name: local
    volumeMounts:
    - mountPath: /etc/kubernetes/ssl
      name: ssl-certs-kubernetes
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/ssl
    name: ssl-certs-kubernetes
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host

Master: kube-scheduler.yaml

apiVersion: v1
kind: Pod
metadata:
  name: kube-scheduler
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-scheduler
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - scheduler
    - --master=http://127.0.0.1:8080
    - --leader-elect=true
    livenessProbe:
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10251
      initialDelaySeconds: 15
      timeoutSeconds: 1

Slave: kubelet.service

[Service]
ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests

Environment=KUBELET_VERSION=v1.2.2_coreos.0 
ExecStart=/opt/bin/kubelet-wrapper \
  --api-servers=https://172.24.0.67:443 \
  --register-node=true \
  --allow-privileged=true \
  --config=/etc/kubernetes/manifests \
  --hostname-override=172.24.0.63 \
  --cluster-dns=10.3.0.10 \
  --cluster-domain=cluster.local \
  --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml \
  --tls-cert-file=/etc/kubernetes/ssl/worker.pem \
  --tls-private-key-file=/etc/kubernetes/ssl/worker-key.pem
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target

Slave: kube-proxy.yaml

apiVersion: v1
kind: Pod
metadata:
  name: kube-proxy
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-proxy
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - proxy
    - --master=https://172.24.0.67:443
    - --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml
    - --proxy-mode=iptables
    securityContext:
      privileged: true
    volumeMounts:
      - mountPath: /etc/ssl/certs
        name: "ssl-certs"
      - mountPath: /etc/kubernetes/worker-kubeconfig.yaml
        name: "kubeconfig"
        readOnly: true
      - mountPath: /etc/kubernetes/ssl
        name: "etc-kube-ssl"
        readOnly: true
  volumes:
    - name: "ssl-certs"
      hostPath:
        path: "/usr/share/ca-certificates"
    - name: "kubeconfig"
      hostPath:
        path: "/etc/kubernetes/worker-kubeconfig.yaml"
    - name: "etc-kube-ssl"
      hostPath:
        path: "/etc/kubernetes/ssl"
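The message in the question is the text Go's crypto/x509 package emits when chain building finds a trusted root whose name matches the leaf's issuer ("kube-ca") but whose key cannot verify the leaf's signature. The following Go program, added here as an illustration and not part of the question or of the CoreOS guide, reproduces that condition in memory: it generates two self-signed CAs that are both named "kube-ca", signs an apiserver certificate for 172.24.0.67 (the master address from the question) with one of them, and then verifies the leaf the way a Go TLS client such as the kubelet does, once against the signing CA and once against the other. The keys, certificates, the subject "kube-apiserver" and the function names (newCA, newServerCert, VerifyAsClient, Demo) are constructed for this example. The practical check on a real worker is the same: the ca.pem distributed to the worker must be the CA that actually signed apiserver.pem, and a CA regenerated after a reinstall produces exactly this error even though its name is unchanged.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCA builds a self-signed CA in memory (constructed test data standing in for kube-ca).
func newCA(cn string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newServerCert issues an apiserver leaf certificate for the given IP, signed by ca.
func newServerCert(ca *x509.Certificate, caKey *rsa.PrivateKey, ip net.IP) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "kube-apiserver"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{ip},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAsClient checks leaf as a Go TLS client (e.g. the kubelet) does: chain to the trusted root and match the address.
func VerifyAsClient(leaf, trustedCA *x509.Certificate, addr string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   addr, // Go matches IP SANs when addr parses as an IP
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Demo signs the apiserver cert with one "kube-ca" and verifies it against that CA and against
// a regenerated "kube-ca" with the same name but a different key (the stale-ca.pem case).
func Demo() (withSigningCA, withStaleCA, setupErr error) {
	const apiserverIP = "172.24.0.67" // master address from the question
	signingCA, signingKey, err := newCA("kube-ca")
	if err != nil {
		return nil, nil, err
	}
	staleCA, _, err := newCA("kube-ca") // same name, fresh key, as after a reinstall
	if err != nil {
		return nil, nil, err
	}
	leaf, err := newServerCert(signingCA, signingKey, net.ParseIP(apiserverIP))
	if err != nil {
		return nil, nil, err
	}
	return VerifyAsClient(leaf, signingCA, apiserverIP),
		VerifyAsClient(leaf, staleCA, apiserverIP), nil
}

func main() {
	good, bad, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("worker trusts the signing CA:", good)
	fmt.Println("worker trusts a stale CA:    ", bad)
}
```

Run it with `go run .`: the first line prints `<nil>`, the second prints the same "certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-ca")" text as the kubelet log, because the only candidate root with a matching name fails the signature check. On a cluster, comparing the fingerprint of the worker's ca.pem with the issuer that signed the master's apiserver.pem is the equivalent diagnosis.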

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

From the Kubernetes official site:

  1. Verify that the $HOME/.kube/config file contains a valid certificate, and regenerate a certificate

  2. Unset the KUBECONFIG environment variable using:

    unset KUBECONFIG

    Or set it to the default KUBECONFIG location:

    export KUBECONFIG=/etc/kubernetes/admin.conf

  3. Another workaround is to overwrite the existing kubeconfig for the “admin” user:

     mv $HOME/.kube $HOME/.kube.bak
     mkdir $HOME/.kube
     sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
     sudo chown $(id -u):$(id -g) $HOME/.kube/config

Reference: official site link

Please see this as a reference; maybe it will help you resolve your issue by exporting your certs:

kops export kubecfg "your cluster-name"
export KOPS_STATE_STORE=s3://"paste your S3 store"

Hope that will help.

Well, to answer your first question, I think you have to do a few things to resolve your problem.

First, run the command given in this link: kubernetes.io/docs/setup/independent/create-cluster-kubeadm/…

Complete with those commands:

  • mkdir -p $HOME/.kube
  • sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  • sudo chown $(id -u):$(id -g) $HOME/.kube/config

This admin.conf should be known to kubectl so as to work properly.

The above-mentioned regular method does not work. I have tried to use the complete commands for a successful certificate. Please see the commands as follows.

$ sudo kubeadm reset
$ sudo swapoff -a 

$ sudo kubeadm init --pod-network-cidr=10.244.10.0/16 --kubernetes-version "1.18.3"
$ sudo rm -rf $HOME/.kube

$ mkdir -p $HOME/.kube
$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ sudo chown $(id -u):$(id -g) $HOME/.kube/config

$ sudo systemctl enable docker.service
$ sudo service kubelet restart

$ kubectl get nodes

Notes:

If the port refuses to be connected, please add the following command.

$ export KUBECONFIG=$HOME/admin.conf

I had the problem persist even after:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

In that case, restarting kubelet solved the problem:

systemctl restart kubelet

Create a link file.

ln -s /etc/kubernetes/admin.conf $HOME/.kube/config

I found this error in coredns pods: pod creation failed due to x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-ca"). The issue for me was that I had already installed a k8s cluster before on the same node, and I used the kubeadm reset command to remove the cluster. This command left behind some files in /etc/cni/ that probably caused the issue for me. I deleted this folder and reinstalled the cluster with kubeadm init.

For anyone like me who is facing the same error only in the VS Code Kubernetes extension.

I reinstalled docker/Kubernetes and didn't update the VS Code Kubernetes extension.

You need to make sure you are using the correct kubeconfig, since reinstalling Kubernetes creates a new certificate.

Either use $HOME/.kube/config in the setKubeconfig option, or just copy it to the path you have set the VS Code extension to read the config from, using the following command:

cp $HOME/.kube/config /{{path-for-kubeconfig}}
