Kubernetes

kubeadm token creation fails on a self-signed CA certificate

  • January 14, 2022

I am trying to deploy a k8s cluster with kubespray on an openstack cluster of ubuntu servers. The installation fails when kubeadm tries to initialize the cloud provider by sending a POST request to the keystone endpoint xxx:5000/v3/ to create a bootstrap token. kubelet.service cannot start because the keystone endpoint is signed by a self-signed certificate. See below. I saved the ca certificate from the keystone endpoint and placed it on the master node in /etc/kubernetes/ssl/, where kubelet and kubeadm look for certificates. I also updated /etc/kubernetes/kubeadm-config.yaml according to the documentation here and here, and I have updated the kubeadm join-default configuration to include "unsafeSkipCAVerification: true", but kubelet.service still fails on the self-signed certificate. kubeadm should authenticate with the username/password stored in the /etc/kubernetes/cloud_config file, and I have verified that those values are correct. I am not sure where this behaviour can be changed. Any guidance would be greatly appreciated.

ubuntu:/etc/kubernetes# kubeadm config print join-defaults
apiVersion: kubeadm.k8s.io/v1beta3
caCertPath: /etc/kubernetes/pki/ca.crt
discovery:
  bootstrapToken:
    apiServerEndpoint: kube-apiserver:6443
    token: abcdef.0123456789abcdef
    unsafeSkipCAVerification: true
  timeout: 5m0s
  tlsBootstrapToken: abcdef.0123456789abcdef
kind: JoinConfiguration
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  imagePullPolicy: IfNotPresent
  name: mdap-node-01
  taints: null

kubelet stack trace:

Dec 15 22:19:51 ubuntu kubelet[388780]: E1215 22:19:51.760564  388780 server.go:294] "Failed to run kubelet" err="failed to run Kubelet: could not init cloud provider \"openstack\": Post \"https://XXX.XXX.XXX.132:5000/v3/auth/tokens\": x509: certificate signed by unknown authority"
Dec 15 22:19:51 ubuntu systemd[1]: kubelet.service: Main process exited, code=exited, status=1/FAILURE


FAILED - RETRYING: Create kubeadm token for joining nodes with 24h expiration (default) (4 retries left).Result was: {
"attempts": 2,
"changed": false,
"cmd": [
   "/usr/local/bin/kubeadm",
   "--kubeconfig",
   "/etc/kubernetes/admin.conf",
   "token",
   "create"
],
"delta": "0:01:15.035670",
"end": "2021-12-16 15:03:22.901080",
"invocation": {
   "module_args": {
       "_raw_params": "/usr/local/bin/kubeadm --kubeconfig /etc/kubernetes/admin.conf token create",
       "_uses_shell": false,
       "argv": null,
       "chdir": null,
       "creates": null,
       "executable": null,
       "removes": null,
       "stdin": null
       "stdin_add_newline": true,
       "strip_empty_ends": true,
       "warn": true
   }
},
"msg": "non-zero return code",
"rc": 1,
"retries": 6,
"start": "2021-12-16 15:02:07.865410",
"stderr": "timed out waiting for the condition\nTo see the stack trace of this error execute with --v=5 or higher",
"stderr_lines": [
   "timed out waiting for the condition",
   "To see the stack trace of this error execute with --v=5 or higher"
],
"stdout": "",
"stdout_lines": []

For clarity, I am posting a community wiki answer.

To resolve this issue, you removed the openstack cloud provider setup. After that, the k8s cluster could be installed successfully with kubespray.

To read about certificates - as I mentioned earlier, the documentation on certificate management is under this link. To check whether the certificates are managed externally, you can use the following command:

kubeadm certs check-expiration

Quoted from: https://serverfault.com/questions/1087525
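The "x509: certificate signed by unknown authority" line in the kubelet log is Go's standard certificate-chain verification error, raised by the HTTPS client inside the OpenStack cloud provider when it talks to keystone. Two things in the question are easy to conflate: `caCertPath: /etc/kubernetes/pki/ca.crt` and `unsafeSkipCAVerification` in JoinConfiguration only concern how kubeadm verifies the Kubernetes cluster CA during token-based discovery of the API server, and a CA file copied into /etc/kubernetes/ssl/ changes nothing unless the client opening the keystone connection is told to trust it (the OS trust store, or the cloud provider's own CA setting). The added example below is not from the post or from any of the projects it mentions; it builds a constructed private CA and a keystone-style server certificate in memory with Go's standard `crypto/x509` package, then runs the same chain and hostname checks a Go TLS client applies, showing the unknown-authority failure with an empty trust store, success once the private CA is trusted, and a separate failure when the host name (or IP SAN, since the post's endpoint is an IP address) does not match. The host name `keystone.example.internal` and the address `198.51.100.132` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed names for the demo. The endpoint in the post is an IP address
// on port 5000, which is why the leaf certificate also carries an IP SAN.
const (
	keystoneHost = "keystone.example.internal" // hypothetical
	keystoneIP   = "198.51.100.132"            // hypothetical (TEST-NET-2)
)

// testPKI holds a private CA and a server certificate issued by it.
type testPKI struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// buildTestPKI creates a self-signed CA and a leaf certificate for the
// keystone endpoint, standing in for an OpenStack deployment's private CA.
func buildTestPKI() (*testPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-openstack-private-ca"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(48 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: keystoneHost},
		DNSNames:     []string{keystoneHost},
		IPAddresses:  []net.IP{net.ParseIP(keystoneIP)},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafCert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &testPKI{CA: caCert, Leaf: leafCert}, nil
}

// poolWith builds the trust store a client would be configured with.
// An empty pool models a client that was never told about the private CA.
func poolWith(cas ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range cas {
		pool.AddCert(c)
	}
	return pool
}

// verifyServerCert performs the chain and hostname validation that Go's
// TLS client (and therefore kubelet's cloud provider) applies to a server.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isUnknownAuthority reports whether err is the failure that surfaces as
// "x509: certificate signed by unknown authority" in the kubelet log.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	pki, err := buildTestPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("no CA trusted:   ", verifyServerCert(pki.Leaf, poolWith(), keystoneIP))
	fmt.Println("CA trusted (IP): ", verifyServerCert(pki.Leaf, poolWith(pki.CA), keystoneIP))
	fmt.Println("CA trusted (DNS):", verifyServerCert(pki.Leaf, poolWith(pki.CA), keystoneHost))
	fmt.Println("wrong host name: ", verifyServerCert(pki.Leaf, poolWith(pki.CA), "other.example.internal"))
}
```

The empty `poolWith()` call is the situation in the post: the CA file exists on disk, but the client's trust store does not contain it, so verification fails regardless of any kubeadm discovery setting. Trusting the CA explicitly (rather than disabling verification) keeps the keystone credentials in /etc/kubernetes/cloud_config from being sent to an endpoint that merely claims to be keystone, and the hostname-mismatch case shows why the certificate must name the address that is actually configured.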