无法运行Kubelet：无法创建证书签名请求：未经授权

Question

I have a K8s cluster running under an OpenStack cloud provider. 我有一个在OpenStack云提供商下运行的K8s集群。

The cluster is set up using kubeadm tool which contains a master node and slave node . 使用kubeadm工具设置群集，该工具包含一个主节点和一个从属节点。

I'm trying to add an other worker node by using the kubeadm join command, the command shows a positive response telling that the node is successfully added, But I can't find it using kubectl get nodes command. 我正在尝试使用kubeadm join命令添加另一个工作程序节点，该命令显示一个肯定的响应，告诉您该节点已成功添加，但是我无法使用kubectl get nodes命令找到它。

I investigated and I've found that kubelet on the new slave node is not running showing cannot create certificate signing request: Unauthorized . 我进行了调查，发现新的从属节点上的kubelet没有运行，显示cannot create certificate signing request: Unauthorized 。

-- The start-up result is done.
May 14 12:15:33 vm1 kubelet[17678]: W0514 12:15:33.715964   17678 cni.go:171] Unable to update cni config: No networks found in /etc/cni/net.d
May 14 12:15:33 vm1 kubelet[17678]: W0514 12:15:33.738398   17678 hostport_manager.go:68] The binary conntrack is not installed, this can cause failures in network connection cleanup.
May 14 12:15:33 vm1 kubelet[17678]: I0514 12:15:33.738669   17678 server.go:376] Version: v1.10.1
May 14 12:15:33 vm1 kubelet[17678]: I0514 12:15:33.738913   17678 feature_gate.go:226] feature gates: &{{} map[]}
May 14 12:15:33 vm1 kubelet[17678]: I0514 12:15:33.739222   17678 plugins.go:89] No cloud provider specified.
May 14 12:15:33 vm1 kubelet[17678]: F0514 12:15:33.784257   17678 server.go:233] failed to run Kubelet: cannot create certificate signing request: Unauthorized
May 14 12:15:33 vm1 systemd[1]: kubelet.service: Main process exited, code=exited, status=255/n/a
May 14 12:15:33 vm1 systemd[1]: kubelet.service: Unit entered failed state.
May 14 12:15:33 vm1 systemd[1]: kubelet.service: Failed with result 'exit-code'.

version on worker node : kubeadm version kubeadm version: &version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.1", GitCommit:"d4ab47518836c750f9949b9e0d387f20fb92260b", GitTreeState:"clean", BuildDate:"2018-04-12T14:14:26Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"} 工作节点上的kubeadm version kubeadm version: &version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.1", GitCommit:"d4ab47518836c750f9949b9e0d387f20fb92260b", GitTreeState:"clean", BuildDate:"2018-04-12T14:14:26Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"} ： kubeadm version kubeadm version: &version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.1", GitCommit:"d4ab47518836c750f9949b9e0d387f20fb92260b", GitTreeState:"clean", BuildDate:"2018-04-12T14:14:26Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

version on master node : 主节点上的版本：

kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"10", 
GitVersion:"v1.10.1", 
GitCommit:"d4ab47518836c750f9949b9e0d387f20fb92260b", 
GitTreeState:"clean", BuildDate:"2018-04-12T14:14:26Z", 
GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

command used to make the join : 用于进行连接的命令：

get the token : kubeadm token list | awk '/The default bootstrap token/ { print $1; }' 获取令牌： kubeadm token list | awk '/The default bootstrap token/ { print $1; }' kubeadm token list | awk '/The default bootstrap token/ { print $1; }'
get the hash : openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //' 获得哈希值： openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //' openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
join command: kubeadm join --skip-preflight-checks --token {{token}} --discovery-token-ca-cert-hash sha256:{{hash}} master_ip:6443 加入命令： kubeadm join --skip-preflight-checks --token {{token}} --discovery-token-ca-cert-hash sha256:{{hash}} master_ip:6443

thanks ! 谢谢！

Answer 1

It looks like your token has expired, but you can always generate a new one. 您的令牌似乎已过期，但是您始终可以生成一个新令牌。

Run the following command on master: 在master上运行以下命令：

kubeadm token generate

Then run the next command on a new worker: 然后在新工作线程上运行下一个命令：

kubeadm join --token=<token> <master-ip>

Example: 例：

kubeadm join --token=858698.51d1418b0490485a 192.168.0.13

Answer 2

I had this problem too and the solution was to to re-create the token, as it expires after 24 hours. 我也遇到了这个问题，解决方案是重新创建令牌，因为令牌会在24小时后失效。 So: 所以：

On master: 在母版上：
kubeadm token create
<outputs NEWTOKEN>

On worker: 在工人上：
kubeadm reset
kubeadm join --token NEWTOKEN --discovery-token-unsafe-skip-ca-verification MASTER:6443

无法运行Kubelet：无法创建证书签名请求：未经授权

问题描述

2 个解决方案

解决方案1
2 已采纳 2018-05-15 10:31:26

解决方案2
1 2018-05-15 11:09:16

无法运行Kubelet：无法创建证书签名请求：未经授权

问题描述

2 个解决方案

解决方案1 2 已采纳 2018-05-15 10:31:26

解决方案2 1 2018-05-15 11:09:16

解决方案1
2 已采纳 2018-05-15 10:31:26

解决方案2
1 2018-05-15 11:09:16