x509 certificate signed by unknown authority - Kubernetes
I am configuring a Kubernetes cluster with 2 nodes in CoreOS as described in https://coreos.com/kubernetes/docs/latest/getting-started.html without flannel. Both servers are in the same network.
But I am getting: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-ca") while running kubelet in the worker.
I configured the TLS certificates properly on both servers as discussed in the doc.
The master node is working fine, and kubectl is able to fire containers and pods in the master.
Question 1: How to fix this problem?
Question 2: Is there any way to configure a cluster without TLS certificates?
CoreOS version:
VERSION=899.15.0
VERSION_ID=899.15.0
BUILD_ID=2016-04-05-1035
PRETTY_NAME="CoreOS 899.15.0"
Etcd conf:
$ etcdctl member list
ce2a822cea30bfca: name=78c2c701d4364a8197d3f6ecd04a1d8f peerURLs=http://localhost:2380,http://localhost:7001 clientURLs=http://172.24.0.67:2379
Master: kubelet.service:
[Service]
ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
Environment=KUBELET_VERSION=v1.2.2_coreos.0
ExecStart=/opt/bin/kubelet-wrapper \
--api-servers=http://127.0.0.1:8080 \
--register-schedulable=false \
--allow-privileged=true \
--config=/etc/kubernetes/manifests \
--hostname-override=172.24.0.67 \
--cluster-dns=10.3.0.10 \
--cluster-domain=cluster.local
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
Master: kube-controller.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-controller-manager
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-controller-manager
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - controller-manager
    - --master=http://127.0.0.1:8080
    - --leader-elect=true
    - --service-account-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    - --root-ca-file=/etc/kubernetes/ssl/ca.pem
    livenessProbe:
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10252
      initialDelaySeconds: 15
      timeoutSeconds: 1
    volumeMounts:
    - mountPath: /etc/kubernetes/ssl
      name: ssl-certs-kubernetes
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/ssl
    name: ssl-certs-kubernetes
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host
Master: kube-proxy.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-proxy
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-proxy
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - proxy
    - --master=http://127.0.0.1:8080
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host
Master: kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-apiserver
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - apiserver
    - --bind-address=0.0.0.0
    - --etcd-servers=http://172.24.0.67:2379
    - --allow-privileged=true
    - --service-cluster-ip-range=10.3.0.0/24
    - --secure-port=443
    - --advertise-address=172.24.0.67
    - --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
    - --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
    - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    - --client-ca-file=/etc/kubernetes/ssl/ca.pem
    - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    ports:
    - containerPort: 443
      hostPort: 443
      name: https
    - containerPort: 8080
      hostPort: 8080
      name: local
    volumeMounts:
    - mountPath: /etc/kubernetes/ssl
      name: ssl-certs-kubernetes
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/ssl
    name: ssl-certs-kubernetes
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host
Master: kube-scheduler.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-scheduler
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-scheduler
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - scheduler
    - --master=http://127.0.0.1:8080
    - --leader-elect=true
    livenessProbe:
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10251
      initialDelaySeconds: 15
      timeoutSeconds: 1
Slave: kubelet.service
[Service]
ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
Environment=KUBELET_VERSION=v1.2.2_coreos.0
ExecStart=/opt/bin/kubelet-wrapper \
--api-servers=https://172.24.0.67:443 \
--register-node=true \
--allow-privileged=true \
--config=/etc/kubernetes/manifests \
--hostname-override=172.24.0.63 \
--cluster-dns=10.3.0.10 \
--cluster-domain=cluster.local \
--kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml \
--tls-cert-file=/etc/kubernetes/ssl/worker.pem \
--tls-private-key-file=/etc/kubernetes/ssl/worker-key.pem
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
Slave: kube-proxy.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-proxy
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-proxy
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - proxy
    - --master=https://172.24.0.67:443
    - --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml
    - --proxy-mode=iptables
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: "ssl-certs"
    - mountPath: /etc/kubernetes/worker-kubeconfig.yaml
      name: "kubeconfig"
      readOnly: true
    - mountPath: /etc/kubernetes/ssl
      name: "etc-kube-ssl"
      readOnly: true
  volumes:
  - name: "ssl-certs"
    hostPath:
      path: "/usr/share/ca-certificates"
  - name: "kubeconfig"
    hostPath:
      path: "/etc/kubernetes/worker-kubeconfig.yaml"
  - name: "etc-kube-ssl"
    hostPath:
      path: "/etc/kubernetes/ssl"
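As an added diagnostic (not part of the question or of any answer), the following shell script reproduces the check the worker kubelet performs when it connects to https://172.24.0.67:443. It builds a throwaway CA in the role of kube-ca, a second unrelated CA standing in for a certificate set left over from an earlier run of the guide's openssl steps, and an API server certificate, then uses openssl to tell "the server certificate does not chain to the CA the worker trusts" apart from "the CA is right but the address is not in the certificate's SAN list". Every key, certificate and file name, and the use of 172.24.0.67 and 172.24.0.63 as addresses, is constructed here for the demo; on a real worker the inputs would be /etc/kubernetes/ssl/ca.pem and the certificate the apiserver presents (captured with openssl s_client -connect 172.24.0.67:443 -showcerts).

```shell
#!/bin/sh
# Added diagnostic, not from the question or any answer: classify why a worker
# would reject an apiserver certificate. Everything is constructed in a temp
# directory; nothing under /etc/kubernetes is read or written.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name>: self-signed CA at $WORK/<name>.pem, the role "kube-ca" plays
# in the CoreOS guide (constructed; not the cluster's real CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1-key.pem" -out "$WORK/$1.pem" 2>/dev/null
}

# make_server_cert <ca-name> <cert-name> <ip>: apiserver certificate signed by
# the named CA, with the advertise address in the SAN list (the kubelet
# connects by IP, so the IP must be there).
make_server_cert() {
  ca=$1; name=$2; ip=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kube-apiserver" \
    -keyout "$WORK/$name-key.pem" -out "$WORK/$name.csr" 2>/dev/null
  printf 'subjectAltName=IP:%s\n' "$ip" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.pem" \
    -CAkey "$WORK/$ca-key.pem" -CAcreateserial -days 1 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# chain_ok <ca.pem> <cert.pem>: exit 0 when the certificate chains to the CA.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# san_has_ip <cert.pem> <ip>: exit 0 when the SAN list contains that IP.
san_has_ip() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "IP Address:$2(,|\$)"
}

# diagnose <ca.pem> <cert.pem> <ip>: one word per failure class, in the order
# Go's TLS client reports them (chain first, then host name / IP).
diagnose() {
  if ! chain_ok "$1" "$2"; then
    echo "unknown-authority"   # x509: certificate signed by unknown authority
  elif ! san_has_ip "$2" "$3"; then
    echo "ip-not-in-san"       # x509: certificate is valid for ..., not <ip>
  else
    echo "ok"
  fi
}

main() {
  make_ca kube-ca
  make_ca stale-ca     # a CA with the same role but a different key
  make_server_cert kube-ca apiserver 172.24.0.67
  echo "worker trusts kube-ca, apiserver signed by kube-ca: $(diagnose "$WORK/kube-ca.pem" "$WORK/apiserver.pem" 172.24.0.67)"
  echo "worker trusts stale-ca instead:                    $(diagnose "$WORK/stale-ca.pem" "$WORK/apiserver.pem" 172.24.0.67)"
  echo "connecting to an address missing from the SAN:     $(diagnose "$WORK/kube-ca.pem" "$WORK/apiserver.pem" 172.24.0.63)"
}
main
```

The first failure class is the one in the question. If openssl verify -CAfile /etc/kubernetes/ssl/ca.pem fails on the worker against the certificate the apiserver actually serves, the ca.pem copied to the worker is not the CA that signed apiserver.pem: a wrong file, or a CA regenerated after the server certificate was issued. The "crypto/rsa: verification error" hint in the kubelet message is Go saying it did find a trusted certificate whose subject matches the issuer name "kube-ca", but that certificate's key did not verify the signature, which is exactly what two CAs with the same CN but different keys produce. The second class is worth checking at the same time, because the guide's apiserver certificate only covers the addresses written into its SAN list.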
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
From the Kubernetes official site:
Verify that the $HOME/.kube/config file contains a valid certificate, and regenerate a certificate.
Unset the KUBECONFIG environment variable using:
unset KUBECONFIG
Or set it to the default KUBECONFIG location:
export KUBECONFIG=/etc/kubernetes/admin.conf
Another workaround is to overwrite the existing kubeconfig for the "admin" user:
mv $HOME/.kube $HOME/.kube.bak
mkdir $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Reference: official site link reference
Please see this as a reference; it may help you resolve your issue by exporting your certs:
kops export kubecfg "your cluster-name"
export KOPS_STATE_STORE=s3://"paste your S3 store"
Hope that will help.
Well, to answer your first question, I think you have to do a few things to resolve your problem.
First, run the command given in this link: kubernetes.io/docs/setup/independent/create-cluster-kubeadm/…
Complete with those commands:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
This admin.conf should be known to kubectl so as to work properly.
The above mentioned regular method does not work. I have tried to use the complete commands for a successful certificate. Please see the commands as follows.
$ sudo kubeadm reset
$ sudo swapoff -a
$ sudo kubeadm init --pod-network-cidr=10.244.10.0/16 --kubernetes-version "1.18.3"
$ sudo rm -rf $HOME/.kube
$ mkdir -p $HOME/.kube
$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ sudo chown $(id -u):$(id -g) $HOME/.kube/config
$ sudo systemctl enable docker.service
$ sudo service kubelet restart
$ kubectl get nodes
Notes:
If the port refuses to be connected, please add the following command.
$ export KUBECONFIG=$HOME/admin.conf
I had the problem persist even after:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
In that case, restarting kubelet solved the problem:
systemctl restart kubelet
Create a link file.
ln -s /etc/kubernetes/admin.conf $HOME/.kube/config
I found this error in coredns pods: pod creation failed due to x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-ca"). The issue for me was that I had already installed a k8s cluster before on the same node, and I used the kubeadm reset command to remove the cluster. This command left behind some files in /etc/cni/ that probably caused the issue for me. I deleted this folder and reinstalled the cluster with kubeadm init.
For anyone like me who is facing the same error only in the VS Code Kubernetes extension: I reinstalled docker/Kubernetes and didn't update the VS Code Kubernetes extension.
You need to make sure you are using the correct kubeconfig, since reinstalling Kubernetes creates a new certificate.
Either use $HOME/.kube/config in the setKubeconfig option, or just copy it to the path where you have set the VS Code extension to read the config from, using the following command:
cp $HOME/.kube/config /{{path-for-kubeconfig}}
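Several of the answers above (copying admin.conf into $HOME/.kube, rerunning kubeadm reset and kubeadm init, pointing the VS Code extension at the right file) come down to one condition: the kubeconfig in use embeds a CA that is no longer the cluster's CA, because a reinstall regenerated the PKI. This added shell script (not from any answer) shows how to check for that before copying files around: it pulls certificate-authority-data out of a kubeconfig, decodes it, and compares its SHA-256 fingerprint with the CA certificate on disk. The two CAs, the two kubeconfig files and the temp-directory paths are constructed for the demo; on a real kubeadm node the inputs would be $HOME/.kube/config or /etc/kubernetes/admin.conf on one side and /etc/kubernetes/pki/ca.crt on the other (for the CoreOS setup in the question, /etc/kubernetes/ssl/ca.pem).

```shell
#!/bin/sh
# Added check, not from any answer: does the CA embedded in a kubeconfig match
# the CA file the cluster is actually running with? All inputs are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_ca <name>: self-signed CA at $WORK/<name>.pem (constructed stand-in for
# the ca.crt kubeadm init generates; each run of init makes a fresh one).
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1-key.pem" -out "$WORK/$1.pem" 2>/dev/null
}

# write_kubeconfig <out> <ca.pem>: minimal kubeconfig embedding the CA the way
# admin.conf does (certificate-authority-data, base64 on one line).
write_kubeconfig() {
  cadata=$(base64 < "$2" | tr -d '\n')
  cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: https://172.24.0.67:443
    certificate-authority-data: $cadata
EOF
}

# fingerprint <cert.pem>: SHA-256 fingerprint of a PEM certificate file.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# kubeconfig_ca_fingerprint <kubeconfig>: fingerprint of the embedded CA.
# base64 -d is the GNU/busybox spelling; macOS also accepts it on recent
# versions (older ones want -D).
kubeconfig_ca_fingerprint() {
  sed -n 's/^ *certificate-authority-data: *//p' "$1" | head -n 1 | base64 -d \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# ca_matches <kubeconfig> <ca.pem>: prints "match" or "mismatch".
ca_matches() {
  if [ "$(kubeconfig_ca_fingerprint "$1")" = "$(fingerprint "$2")" ]; then
    echo match
  else
    echo mismatch
  fi
}

main() {
  new_ca old-ca    # CA from the first install
  new_ca new-ca    # CA generated by the fresh kubeadm init
  write_kubeconfig "$WORK/stale.conf" "$WORK/old-ca.pem"   # old $HOME/.kube/config
  write_kubeconfig "$WORK/fresh.conf" "$WORK/new-ca.pem"   # new /etc/kubernetes/admin.conf
  echo "stale kubeconfig vs current CA: $(ca_matches "$WORK/stale.conf" "$WORK/new-ca.pem")"
  echo "fresh kubeconfig vs current CA: $(ca_matches "$WORK/fresh.conf" "$WORK/new-ca.pem")"
}
main
```

A "mismatch" result is the situation the answers above fix by copying the new admin.conf over the old $HOME/.kube/config; a "match" result means the CA is not the problem and the kubeconfig copying steps will not change anything. The script only handles the inline certificate-authority-data form; a kubeconfig that references the CA by path (certificate-authority: /some/file) can be checked by running the fingerprint function on both files directly.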