Kubernetes
自簽名 ca 證書上的 kubeadm 令牌創建失敗
我正在嘗試在 ubuntu 伺服器的 openstack 集群上使用 kubespray 部署 k8s 集群。當 kubeadm 嘗試通過向 keystone 端點 xxx:5000/v3/ 送出發布請求以創建引導令牌來初始化雲提供商時,安裝失敗。kubelet.service 無法啟動,因為 keystone 端點是由自簽名證書籤名的。見下文。我從 keystone 端點保存了 ca 證書,並將其放在 /etc/kubernetes/ssl/ 中的主節點上,kubelet 和 kubeadm 會在其中查找證書。我還根據此處和此處的文件更新了 /etc/kubernetes/kubeadm-config.yaml,我已更新 kubeadm join-default 配置以包含“unsafeSkipCAVerification:true”,但 kubelet.service 在自簽名證書上仍然失敗。kubeadm 應該通過儲存在 /etc/kubernetes/cloud_config 文件中的使用者名/密碼進行身份驗證,並且我已經驗證這些值是正確的。我不確定在哪裡可以改變這種行為。任何指導將不勝感激。
ubuntu:/etc/kubernetes# kubeadm config print join-defaults apiVersion: kubeadm.k8s.io/v1beta3 caCertPath: /etc/kubernetes/pki/ca.crt discovery: bootstrapToken: apiServerEndpoint: kube-apiserver:6443 token: abcdef.0123456789abcdef unsafeSkipCAVerification: true timeout: 5m0s tlsBootstrapToken: abcdef.0123456789abcdef kind: JoinConfiguration nodeRegistration: criSocket: /var/run/dockershim.sock imagePullPolicy: IfNotPresent name: mdap-node-01 taints: null
kubelet 堆棧跟踪:
Dec 15 22:19:51 ubuntu kubelet[388780]: E1215 22:19:51.760564 388780 server.go:294] "Failed to run kubelet" err="failed to run Kubelet: could not init cloud provider \"openstack\": Post \"https://XXX.XXX.XXX.132:5000/v3/auth/tokens\": x509: certificate signed by unknown authority" Dec 15 22:19:51 ubuntu systemd[1]: kubelet.service: Main process exited, code=exited, status=1/FAILURE FAILED - RETRYING: Create kubeadm token for joining nodes with 24h expiration (default) (4 retries left).Result was: { "attempts": 2, "changed": false, "cmd": [ "/usr/local/bin/kubeadm", "--kubeconfig", "/etc/kubernetes/admin.conf", "token", "create" ], "delta": "0:01:15.035670", "end": "2021-12-16 15:03:22.901080", "invocation": { "module_args": { "_raw_params": "/usr/local/bin/kubeadm --kubeconfig /etc/kubernetes/admin.conf token create", "_uses_shell": false, "argv": null, "chdir": null, "creates": null, "executable": null, "removes": null, "stdin": null "stdin_add_newline": true, "strip_empty_ends": true, "warn": true } }, "msg": "non-zero return code", "rc": 1, "retries": 6, "start": "2021-12-16 15:02:07.865410", "stderr": "timed out waiting for the condition\nTo see the stack trace of this error execute with --v=5 or higher", "stderr_lines": [ "timed out waiting for the condition", "To see the stack trace of this error execute with --v=5 or higher" ], "stdout": "", "stdout_lines": []
為了澄清我正在發布社區 Wiki 答案。
為了解決這個問題,您刪除了 openstack 雲提供商設置。之後使用 kubespray 就可以成功安裝 k8s 集群了。
要閱讀證書 - 正如我之前提到的有關證書管理的文件位於此連結下。要檢查證書是否由外部管理,您可以使用以下命令:
kubeadm certs check-expiration