I am trying to secure Kubernetes. I had a master and a minion both working, and then I followed the guide at http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/
I now have the master running and reachable over https, but I got an "Unauthorized" error, so I created a certificate for myself with the same process I used for the minion, created a p12 file and imported it into Firefox. I restarted the browser, was prompted to authenticate with a certificate, chose the one I had just imported, and was presented with:
{
"major": "1",
"minor": "2",
"gitVersion": "v1.2.0",
"gitCommit": "ec7364b6e3b155e78086018aa644057edbe196e5",
"gitTreeState": "clean"
}
So I can now connect through the browser. I then set up the minion and restarted the service, and when I check its status I get
kubelet[1655]: E1019 14:53:26.962906 1655 event.go:202] Unable to write event: 'x509: certificate signed by unknown authority' (may retry after sleeping)
I tried installing the root CA certificate I created into both the master and the minion, but that didn't help, so I thought the certificate might be corrupt. Using the same certificate the minion is using, I ran
curl -k --key /srv/kubernetes/${HOSTNAME}.key --cert /srv/kubernetes/${HOSTNAME}.crt --cacert /srv/kubernetes/ca.crt https://kubernetes.master:6443/version
and got the same
{
"major": "1",
"minor": "2",
"gitVersion": "v1.2.0",
"gitCommit": "ec7364b6e3b155e78086018aa644057edbe196e5",
"gitTreeState": "clean"
}
So the master is evidently rejecting my certificate for some other reason, because using the certificate with curl works fine. I have been doing some googling but so far nothing I have found has solved this. Can anyone point me in the right direction?
My setup is on CentOS minimal, and the commands I used to generate the config file are below:
kubectl config set-cluster my_cluster --server=https://kubernetes.master:6443 --insecure-skip-tls-verify=true
kubectl config unset clusters
kubectl config set-cluster my_cluster --certificate-authority=/srv/kubernetes/ca.crt --embed-certs=true --server=https://kubernetes.master:6443
kubectl config set-credentials minion --client-certificate=/srv/kubernetes/minion.one.crt --client-key=/srv/kubernetes/minion.one.key --embed-certs=true --token=59qbOTrcPcdSEgz1EZ0jOznJQ7uOYEsO
kubectl config set-context service-account-context --cluster=my_cluster --user=minion
kubectl config use-context service-account-context
[Update]
On further inspection it may not even be related to the certificates or the TLS handshake. I ran systemctl status -l kubelet.service and got the following
Oct 19 16:11:58 minion.one kubelet[13120]: I1019 16:11:58.683943 13120 manager.go:123] Starting to sync pod status with apiserver
Oct 19 16:11:58 minion.one kubelet[13120]: I1019 16:11:58.683958 13120 kubelet.go:2372] Starting kubelet main sync loop.
Oct 19 16:11:58 minion.one kubelet[13120]: I1019 16:11:58.683967 13120 kubelet.go:2381] skipping pod synchronization - [container runtime is down]
Oct 19 16:11:58 minion.one kubelet[13120]: E1019 16:11:58.687984 13120 event.go:202] Unable to write event: 'Post https://kubernetes.master:6443/api/v1/namespaces/default/events: x509: certificate signed by unknown authority' (may retry after sleeping)
Oct 19 16:11:58 minion.one kubelet[13120]: I1019 16:11:58.930635 13120 factory.go:233] Registering Docker factory
Oct 19 16:11:58 minion.one kubelet[13120]: I1019 16:11:58.930995 13120 factory.go:97] Registering Raw factory
Oct 19 16:11:59 minion.one kubelet[13120]: I1019 16:11:59.063535 13120 manager.go:1003] Started watching for new ooms in manager
Oct 19 16:11:59 minion.one kubelet[13120]: I1019 16:11:59.063556 13120 oomparser.go:198] OOM parser using kernel log file: "/var/log/messages"
Oct 19 16:11:59 minion.one kubelet[13120]: I1019 16:11:59.063885 13120 manager.go:256] Starting recovery of all containers
Oct 19 16:11:59 minion.one kubelet[13120]: I1019 16:11:59.090785 13120 manager.go:261] Recovery completed
Could the first error,
skipping pod synchronization - [container runtime is down]
be causing the subsequent certificate problem?
I am trying to find out where the error comes from.
Answer 0 (score: 0)
I ended up using a script that installs version 1.4 instead:
rm -f /etc/hostname
rm -f /etc/hosts
rm -f /etc/sysconfig/network
cat <<EOF > /etc/hostname
${HOSTNAME}
EOF
cat <<EOF > /etc/sysconfig/network
HOSTNAME=${HOSTNAME}
EOF
cat <<EOF > /etc/hosts
127.0.0.1 ${HOSTNAME} localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
${KUBERMASTER} kubernetes.vetology.net
EOF
systemctl disable firewalld
systemctl stop firewalld
yum -y update
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://yum.kubernetes.io/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF
setenforce 0
yum install -y docker kubelet kubeadm kubectl kubernetes-cni
systemctl enable docker && systemctl start docker
systemctl enable kubelet && systemctl start kubelet
kubeadm init
Now everything works.