cookeem / kubeadm-ha

通过kubeadm安装kubernetes高可用集群,使用docker/containerd容器运行时,适用v1.24.x以上版本
MIT License
678 stars 275 forks source link

新建的集群就报证书过期 #44

Closed dotbalo closed 6 years ago

dotbalo commented 6 years ago

您好,我新建的集群,上午还好好的。下午就报

[root@k8s-master01 ~]# kubectl get po
No resources found.
Unable to connect to the server: x509: certificate has expired or is not yet valid

然后我尝试用kubeadm alpha phase certs all --config /root/kubeadm-config.yaml重新生成证书,但是也报错

[root@k8s-master01 ~]# kubeadm alpha phase certs all --config /root/kubeadm-config.yaml
[endpoint] WARNING: port specified in api.controlPlaneEndpoint overrides api.bindPort in the controlplane address
failure loading ca certificate: the certificate is not valid yet

网上说是时间不同步的问题,但是我的时间是同步的。请问您有遇到过么?或者怎么更换证书呢

dotbalo commented 6 years ago

然后我看了一下证书,没有一个过期。。

[root@k8s-master01 pki]# for i in `find . -name "*.crt"`;do  cfssl-certinfo -cert $i |  grep not_after;done
  "not_after": "2028-11-27T11:16:30Z",
  "not_after": "2019-11-30T11:16:30Z",
  "not_after": "2019-11-30T11:16:31Z",
  "not_after": "2028-11-27T11:16:31Z",
  "not_after": "2019-11-30T11:16:31Z",
  "not_after": "2028-11-27T11:16:32Z",
  "not_after": "2019-11-30T11:16:32Z",
  "not_after": "2019-11-30T11:16:32Z",
  "not_after": "2019-11-30T11:16:33Z",
  "not_after": "2019-11-30T11:16:33Z",
cookeem commented 6 years ago

这个感觉是kubectl的客户端证书提示的错误。先检查一下kubelet的日志,看看是集群问题还是客户端证书问题?有没有设置KUBECONFIG环境变量?

dotbalo commented 6 years ago

您好,环境变量有设置的

[root@k8s-master01 ~]# cat .bashrc 
# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi
export KUBECONFIG=/etc/kubernetes/admin.conf

这是今天上午刚搭建的集群,当时好好的,下午就不行了。 这是master的日志 image

这是node的日志 image

然后我发现所有的pod都是新启动的,一直是这个状态 image

cookeem commented 6 years ago

证书有问题,建议你重建一次。

dotbalo commented 6 years ago

好的,非常感谢