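Failed to run Kubelet: cannot create certificate signing request: Unauthorized

Time: 2018-05-14 12:30:13

Tags: docker kubernetes ssl-certificate unauthorized

I have a K8s cluster running under an OpenStack cloud provider.

The cluster was set up with the kubeadm tool and consists of a master node and slave nodes.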

I tried to add another worker node with the kubeadm join command. It gave a positive response, reporting that the node had been added successfully, but I cannot find it with the kubectl get nodes command.

I investigated and found that the kubelet on the new slave node shows cannot create certificate signing request: Unauthorized

    -- The start-up result is done.
    May 14 12:15:33 vm1 kubelet[17678]: W0514 12:15:33.715964 17678 cni.go:171] Unable to update cni config: No networks found in /etc/cni/net.d
    May 14 12:15:33 vm1 kubelet[17678]: W0514 12:15:33.738398 17678 hostport_manager.go:68] The binary conntrack is not installed, this can cause failures in network connection cleanup.
    May 14 12:15:33 vm1 kubelet[17678]: I0514 12:15:33.738669 17678 server.go:376] Version: v1.10.1
    May 14 12:15:33 vm1 kubelet[17678]: I0514 12:15:33.738913 17678 feature_gate.go:226] feature gates: &{{} map[]}
    May 14 12:15:33 vm1 kubelet[17678]: I0514 12:15:33.739222 17678 plugins.go:89] No cloud provider specified.
    May 14 12:15:33 vm1 kubelet[17678]: F0514 12:15:33.784257 17678 server.go:233] failed to run Kubelet: cannot create certificate signing request: Unauthorized
    May 14 12:15:33 vm1 systemd[1]: kubelet.service: Main process exited, code=exited, status=255/n/a
    May 14 12:15:33 vm1 systemd[1]: kubelet.service: Unit entered failed state.
    May 14 12:15:33 vm1 systemd[1]: kubelet.service: Failed with result 'exit-code'.

Version on the worker node:

    kubeadm version
    kubeadm version: &version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.1", GitCommit:"d4ab47518836c750f9949b9e0d387f20fb92260b", GitTreeState:"clean", BuildDate:"2018-04-12T14:14:26Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

Version on the master node:

    kubeadm version
    kubeadm version: &version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.1", GitCommit:"d4ab47518836c750f9949b9e0d387f20fb92260b", GitTreeState:"clean", BuildDate:"2018-04-12T14:14:26Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

Commands used to join:

  • Get the token: kubeadm token list | awk '/The default bootstrap token/ { print $1; }'

  • Get the hash: openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'

  • Join command:

Thanks!

2 answers:

Answer 0: (score: 2)

It looks like your token has expired, but you can always generate a new one.

Run the following command on the master:

kubeadm token generate

Then run the next command on the new worker:

kubeadm join --token=<token> <master-ip>

Example:

kubeadm join --token=858698.51d1418b0490485a 192.168.0.13

Answer 1: (score: 1)

I had this problem too, and the solution was to recreate the token, because it expires after 24 hours. So:

On the master:
    kubeadm token create
     <outputs NEWTOKEN>

On the worker:
    kubeadm reset
    kubeadm join --token NEWTOKEN --discovery-token-unsafe-skip-ca-verification MASTER:6443
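
Added example (not part of either answer): a simplified Python model of the checks the API server applies to a bootstrap token, showing why a join attempted after the token's expiration ends in the kubelet's Unauthorized error. The Secret layout follows the Kubernetes bootstrap token format; the token value, timestamps and helper names are constructed for illustration.

```python
import base64
import hmac
import re
from datetime import datetime, timezone

TOKEN_RE = re.compile(r"^([a-z0-9]{6})\.([a-z0-9]{16})$")  # <token-id>.<token-secret>

def field(secret, key):
    """Decode one base64 value from the Secret's .data map ('' if absent)."""
    return base64.b64decode(secret.get("data", {}).get(key, "")).decode()

def check_bootstrap_token(token, secret, now):
    """Return (accepted, reason). `secret` is the parsed JSON of
    `kubectl -n kube-system get secret bootstrap-token-<token-id> -o json`,
    or None when that Secret does not exist."""
    m = TOKEN_RE.match(token)
    if not m:
        return False, "malformed token"
    token_id, token_secret = m.groups()
    if secret is None:  # expired Secrets are normally deleted by the token cleaner
        return False, "no Secret for this token id"
    if secret.get("type") != "bootstrap.kubernetes.io/token":
        return False, "wrong Secret type"
    if field(secret, "token-id") != token_id:
        return False, "token-id mismatch"
    if not hmac.compare_digest(field(secret, "token-secret").encode(), token_secret.encode()):
        return False, "token-secret mismatch"
    expiration = field(secret, "expiration")  # RFC 3339; absent means no expiry
    if expiration and datetime.fromisoformat(expiration.replace("Z", "+00:00")) <= now:
        return False, "expired at " + expiration
    if field(secret, "usage-bootstrap-authentication") != "true":
        return False, "not usable for authentication"
    return True, "accepted as system:bootstrap:" + token_id

def sample_secret(token_id, token_secret, expiration):
    """Constructed sample Secret (not a real credential)."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return {"type": "bootstrap.kubernetes.io/token",
            "data": {"token-id": enc(token_id), "token-secret": enc(token_secret),
                     "expiration": enc(expiration),
                     "usage-bootstrap-authentication": enc("true")}}

if __name__ == "__main__":
    now = datetime(2018, 5, 14, 12, 15, 33, tzinfo=timezone.utc)  # constructed clock
    for exp in ("2018-05-13T12:00:00Z", "2018-05-15T12:00:00Z"):
        secret = sample_secret("abcdef", "0123456789abcdef", exp)
        print(exp, check_bootstrap_token("abcdef.0123456789abcdef", secret, now))
    print(check_bootstrap_token("abcdef.0123456789abcdef", None, now))
```
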