k8s dashboard无法登录,从dashboard查到apiserver 再查到etcd 最后是发现是master证书问题,自签证书有效1期年,服务初始由kubeadm搭建
2020-07-16 09:31:21.660802 I | raft: aa548f97cfe05a3f is starting a new election at term 7829
2020-07-16 09:31:21.660842 I | raft: aa548f97cfe05a3f became candidate at term 7830
2020-07-16 09:31:21.660855 I | raft: aa548f97cfe05a3f received MsgVoteResp from aa548f97cfe05a3f at term 7830
2020-07-16 09:31:21.660877 I | raft: aa548f97cfe05a3f [logterm: 7109, index: 66329229] sent MsgVote request to 9585571875104827 at term 7830
2020-07-16 09:31:21.660890 I | raft: aa548f97cfe05a3f [logterm: 7109, index: 66329229] sent MsgVote request to f800f3113703eccb at term 7830
2020-07-16 09:31:21.664434 I | embed: rejected connection from "" (error "tls: failed to verify client's certificate: x509: certificate has expired or is not yet valid", ServerName "")
查看节点
NAME STATUS ROLES AGE VERSION
bj-github-1 Ready master 365d v1.15.0
bj-github-2 Ready master 365d v1.15.0
bj-github-3 Ready master 349d v1.15.0
bj-github-4 Ready master 349d v1.15.0
bj-github-5 Ready master 349d v1.15.0
bj-github-6 Ready master 365d v1.15.0
bj-github-7 Ready master 365d v1.15.0
bj-github-8 Ready master 365d v1.15.0
bj-github-9 Ready master 365d v1.15.0
查看旧证书,果然过期了
https://github.com/kubernetes/kubeadm/issues/581 官方也有类似的issue
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '
Not Before: Jul 17 08:49:08 2019 GMT
Not After : Jul 16 08:49:08 2020 GMT
按操作流程,备份原证书,创建新证书,但,kubeadm alpha phase certs apiserver命令不存在
kubeadm alpha phase certs apiserver --apiserver-advertise-address ${MASTER_API_SERVER_IP}
猜测是kubeadm的版本不一致,一级一级查看命令说明,存在certs子命令
kubeadm alpha --help
kubeadm alpha --help
Kubeadm experimental sub-commands
Usage:
kubeadm alpha [command]
Available Commands:
certs Commands related to handling kubernetes certificates
kubeconfig Kubeconfig file utilities
kubelet Commands related to handling the kubelet
selfhosting Make a kubeadm cluster self-hosted
kubeadm alpha certs --help
kubeadm alpha certs --help
Commands related to handling kubernetes certificates
Usage:
kubeadm alpha certs [command]
Aliases:
certs, certificates
Available Commands:
certificate-key Generate certificate keys
check-expiration Check certificates expiration for a Kubernetes cluster
renew Renew certificates for a Kubernetes cluster
kubeadm alpha certs renew --help
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha certs renew [flags]
kubeadm alpha certs renew [command]
Available Commands:
admin.conf Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
all Renew all available certificates
apiserver Renew the certificate for serving the Kubernetes API
apiserver-etcd-client Renew the certificate the apiserver uses to access etcd
apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
controller-manager.conf Renew the certificate embedded in the kubeconfig file for the controller manager to use
etcd-healthcheck-client Renew the certificate for liveness probes to healthcheck etcd
etcd-peer Renew the certificate for etcd nodes to communicate with each other
etcd-server Renew the certificate for serving etcd
front-proxy-client Renew the certificate for the front proxy client
scheduler.conf Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
执行kubeadm alpha certs renew all 即可
验证新证书
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '
Not Before: Jul 17 08:49:08 2019 GMT
Not After : Jul 16 10:05:36 2021 GMT
end