Cannot set up kubernetes with certificates: x509: certificate signed by unknown authority

Time: 2016-10-19 19:12:22

Tags: networking kubernetes x509

I am trying to secure kubernetes. I had one master and one minion working, then I followed the guide http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/

I now have the master running and reachable over https, but I got an "Unauthorized" error, so I created a certificate for myself using the same process I had used for the minion, created a p12 file and imported it into Firefox. I restarted the browser, it prompted me to authenticate with a certificate, I used the one I had just imported and was presented with:

{
  "major": "1",
  "minor": "2",
  "gitVersion": "v1.2.0",
  "gitCommit": "ec7364b6e3b155e78086018aa644057edbe196e5",
  "gitTreeState": "clean"
}

So I can now connect through the browser. I then set up the minion and restarted the services, and when I check the status I get

kubelet[1655]: E1019 14:53:26.962906    1655 event.go:202] Unable to write event: 'x509: certificate signed by unknown authority' (may retry after sleeping)

I tried installing the root CA certificate I had created on both the master and the minion, but that didn't work, so I thought maybe the certificate was corrupt. So, using the same certificates the minion is using, I did

 curl -k --key /srv/kubernetes/${HOSTNAME}.key  --cert /srv/kubernetes/${HOSTNAME}.crt  --cacert /srv/kubernetes/ca.crt https://kubernetes.master:6443/version

and got the same

{
  "major": "1",
  "minor": "2",
  "gitVersion": "v1.2.0",
  "gitCommit": "ec7364b6e3b155e78086018aa644057edbe196e5",
  "gitTreeState": "clean"
}

So the master is evidently rejecting my certificate for some other reason, since using the certificates with curl works fine. I have been doing some Googling but so far haven't been able to solve this with what I've found. Can anyone point me in the right direction?

My setup is on CentOS minimal; the commands used to generate the config file are below:

kubectl config set-cluster my_cluster --server=https://kubernetes.master:6443 --insecure-skip-tls-verify=true
kubectl config unset clusters
kubectl config set-cluster my_cluster --certificate-authority=/srv/kubernetes/ca.crt --embed-certs=true --server=https://kubernetes.master:6443
kubectl config set-credentials minion --client-certificate=/srv/kubernetes/minion.one.crt --client-key=/srv/kubernetes/minion.one.key --embed-certs=true --token=59qbOTrcPcdSEgz1EZ0jOznJQ7uOYEsO
kubectl config set-context service-account-context --cluster=my_cluster --user=minion
kubectl config use-context service-account-context

[Update]

On further inspection, it may not even be related to certificates or the TLS handshake. I ran systemctl status -l kubelet.service and got the following

Oct 19 16:11:58 minion.one kubelet[13120]: I1019 16:11:58.683943   13120 manager.go:123] Starting to sync pod status with apiserver
Oct 19 16:11:58 minion.one kubelet[13120]: I1019 16:11:58.683958   13120 kubelet.go:2372] Starting kubelet main sync loop.
Oct 19 16:11:58 minion.one kubelet[13120]: I1019 16:11:58.683967   13120 kubelet.go:2381] skipping pod synchronization - [container runtime is down]
Oct 19 16:11:58 minion.one kubelet[13120]: E1019 16:11:58.687984   13120 event.go:202] Unable to write event: 'Post https://kubernetes.master:6443/api/v1/namespaces/default/events: x509: certificate signed by unknown authority' (may retry after sleeping)
Oct 19 16:11:58 minion.one kubelet[13120]: I1019 16:11:58.930635   13120 factory.go:233] Registering Docker factory
Oct 19 16:11:58 minion.one kubelet[13120]: I1019 16:11:58.930995   13120 factory.go:97] Registering Raw factory
Oct 19 16:11:59 minion.one kubelet[13120]: I1019 16:11:59.063535   13120 manager.go:1003] Started watching for new ooms in manager
Oct 19 16:11:59 minion.one kubelet[13120]: I1019 16:11:59.063556   13120 oomparser.go:198] OOM parser using kernel log file: "/var/log/messages"
Oct 19 16:11:59 minion.one kubelet[13120]: I1019 16:11:59.063885   13120 manager.go:256] Starting recovery of all containers
Oct 19 16:11:59 minion.one kubelet[13120]: I1019 16:11:59.090785   13120 manager.go:261] Recovery completed

Could the first error

skipping pod synchronization - [container runtime is down]

be causing the subsequent certificate problem?

Trying to find out where the error is coming from.
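The kubelet is a Go program, and "x509: certificate signed by unknown authority" is the exact message Go's TLS client produces when the server certificate it receives does not chain to any CA in the pool it was given. The curl call with --cacert /srv/kubernetes/ca.crt succeeding while the kubelet fails therefore points at the kubelet trusting a different CA bundle (or none) than the one curl was handed, not at the certificate files themselves being corrupt. The following added example (not code from the question or from Kubernetes) reproduces both outcomes offline: it constructs a throwaway cluster CA and a second, unrelated CA, issues a serving certificate for the host name kubernetes.master from the first, and runs the same verification a kubelet does against each CA. All names and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA certificate and key (constructed for this
// example; it stands in for /srv/kubernetes/ca.crt, not a real cluster CA).
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newServerCert issues an apiserver-style serving certificate for dnsName,
// signed by the given CA, with the host name in the SAN extension.
func newServerCert(dnsName string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Diagnose runs the check a Go TLS client such as the kubelet performs on the
// apiserver certificate: chain it to the trusted CA and match the host name.
// It returns a short verdict plus the underlying error for logging.
func Diagnose(server, trustedCA *x509.Certificate, hostname string) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname})
	var unknownAuthority x509.UnknownAuthorityError
	var hostnameErr x509.HostnameError
	switch {
	case err == nil:
		return "ok", nil
	case errors.As(err, &unknownAuthority):
		return "unknown-authority", err // the kubelet's message in the question
	case errors.As(err, &hostnameErr):
		return "hostname-mismatch", err // wrong or missing SAN for the host
	default:
		return "other", err
	}
}

func main() {
	clusterCA, clusterKey, err := newCA("example-cluster-ca", 1)
	if err != nil {
		panic(err)
	}
	staleCA, _, err := newCA("example-unrelated-ca", 2)
	if err != nil {
		panic(err)
	}
	apiserver, err := newServerCert("kubernetes.master", clusterCA, clusterKey)
	if err != nil {
		panic(err)
	}
	// Same certificate, three client-side trust configurations.
	for _, c := range []struct {
		label string
		ca    *x509.Certificate
		host  string
	}{
		{"curl --cacert ca.crt", clusterCA, "kubernetes.master"},
		{"kubelet trusting a different CA", staleCA, "kubernetes.master"},
		{"right CA, wrong host name", clusterCA, "kubernetes.other"},
	} {
		verdict, verr := Diagnose(apiserver, c.ca, c.host)
		fmt.Printf("%-34s -> %s (%v)\n", c.label, verdict, verr)
	}
}
```

The second case prints the same "x509: certificate signed by unknown authority" text seen in the kubelet log, so when curl and the kubelet disagree, the first thing to compare is which CA file each of them was actually given (for the kubelet, the certificate-authority entry in the kubeconfig it was started with) rather than the key and certificate pair.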

1 answer:

Answer 0 (score: 0)

I ended up using a script that installs version 1.4:

rm -f /etc/hostname
rm -f /etc/hosts
rm -f /etc/sysconfig/network
cat <<EOF > /etc/hostname
${HOSTNAME}
EOF
cat <<EOF > /etc/sysconfig/network
HOSTNAME=${HOSTNAME}
EOF
cat <<EOF > /etc/hosts
127.0.0.1   ${HOSTNAME} localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
${KUBERMASTER} kubernetes.vetology.net
EOF
systemctl disable firewalld
systemctl stop firewalld
yum -y update
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://yum.kubernetes.io/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF
setenforce 0
yum install -y docker kubelet kubeadm kubectl kubernetes-cni
systemctl enable docker && systemctl start docker
systemctl enable kubelet && systemctl start kubelet
kubeadm init

Now everything works.