Kubernetes (kubeadm): public certificates missing in container for outgoing connections

Time: 2017-07-17 16:37:49

Tags: ssl kubernetes

I set up a kubernetes cluster on my contabo (provider) server. So far everything worked fine, until I wanted to access an external SSL domain from a container.

I was able to reproduce this with the following steps:

  1. Set up a new server
  2. Run kubeadm init on it
  3. Run kubectl run -i --tty test --image=tutum/curl --restart=Never -- sh
  4. Run (inside the container)

    root@test:/# curl https://acme-v01.api.letsencrypt.org/directory -v

    * Hostname was NOT found in DNS cache
    *   Trying 91.194.91.220...
    * Connected to acme-v01.api.letsencrypt.org (91.194.91.220) port 443 (#0)
    * successfully set certificate verify locations:
    *   CAfile: none
      CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server key exchange (12):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using ECDHE-RSA-AES256-GCM-SHA384
    * Server certificate:
    *        subject: CN=contabo.at
    *        start date: 2017-06-13 03:21:00 GMT
    *        expire date: 2017-09-11 03:21:00 GMT
    *        subjectAltName does not match acme-v01.api.letsencrypt.org
    * SSL: no alternative certificate subject name matches target host name 'acme-v01.api.letsencrypt.org'
    * Closing connection 0
    * SSLv3, TLS alert, Client hello (1):
    curl: (51) SSL: no alternative certificate subject name matches target host name 'acme-v01.api.letsencrypt.org'
  5. If I run the same thing in a plain docker container like docker run -it --rm tutum/curl /bin/bash (also on the server), everything works fine.

So this must be a problem with kubernetes.

Can someone help me add the public SSL certificates to my kubernetes setup?

Thanks & regards, Dominik

//Edit 1

After some further investigation I edited my /etc/resolv.conf so that it only contains the Google name servers.

But that was not the problem.

Everything works until I join another node to the network, like: kubeadm join --token db8341.36b4c997b2681683 1.2.3.4:6443

Then it stops working. I'm using weave net / calico, same problem.

//Edit 2

I added a full example of my tests:

        root@sh0k:~# kubectl get nodes -o wide
        NAME         STATUS    AGE       VERSION   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION
        c1.sh0k.de   Ready     1m        v1.7.1    <none>        Ubuntu 16.04.2 LTS   4.4.0-83-generic
        sh0k.de      Ready     9m        v1.7.1    <none>        Ubuntu 16.04.2 LTS   4.4.0-83-generic
        root@sh0k:~# kubectl get pods --all-namespaces -o wide
        NAMESPACE     NAME                              READY     STATUS    RESTARTS   AGE       IP              NODE
        kube-system   etcd-sh0k.de                      1/1       Running   1          8m        5.189.140.74    sh0k.de
        kube-system   kube-apiserver-sh0k.de            1/1       Running   1          8m        5.189.140.74    sh0k.de
        kube-system   kube-controller-manager-sh0k.de   1/1       Running   1          8m        5.189.140.74    sh0k.de
        kube-system   kube-dns-2425271678-n3cgv         3/3       Running   3          9m        10.40.0.22      sh0k.de
        kube-system   kube-proxy-fw41z                  1/1       Running   0          1m        213.136.88.53   c1.sh0k.de
        kube-system   kube-proxy-wtd7l                  1/1       Running   1          9m        5.189.140.74    sh0k.de
        kube-system   kube-scheduler-sh0k.de            1/1       Running   1          8m        5.189.140.74    sh0k.de
        kube-system   weave-net-8tts6                   2/2       Running   1          1m        213.136.88.53   c1.sh0k.de
        kube-system   weave-net-smfpn                   2/2       Running   3          5m        5.189.140.74    sh0k.de
        (reverse-i-search)`': ^C
        root@sh0k:~# kubectl run -i --tty test --image=tutum/curl --restart=Never -- sh
        If you don't see a command prompt, try pressing enter.
    
        # curl -v https://www.google.com
        * Rebuilt URL to: https://www.google.com/
        * Hostname was NOT found in DNS cache
        * Could not resolve host: www.google.com
        * Closing connection 0
        curl: (6) Could not resolve host: www.google.com
        # exit
        root@sh0k:~# kubectl -n kube-system logs kube-dns-2425271678-n3cgv kubedns   
        I0719 05:36:25.156505       7 dns.go:48] version: 1.14.3-4-gee838f6
        I0719 05:36:25.174462       7 server.go:70] Using configuration read from directory: /kube-dns-config with period 10s
        I0719 05:36:25.175247       7 server.go:113] FLAG: --alsologtostderr="false"
        I0719 05:36:25.175810       7 server.go:113] FLAG: --config-dir="/kube-dns-config"
        I0719 05:36:25.176361       7 server.go:113] FLAG: --config-map=""
        I0719 05:36:25.176918       7 server.go:113] FLAG: --config-map-namespace="kube-system"
        I0719 05:36:25.177459       7 server.go:113] FLAG: --config-period="10s"
        I0719 05:36:25.177509       7 server.go:113] FLAG: --dns-bind-address="0.0.0.0"
        I0719 05:36:25.177555       7 server.go:113] FLAG: --dns-port="10053"
        I0719 05:36:25.177593       7 server.go:113] FLAG: --domain="cluster.local."
        I0719 05:36:25.177643       7 server.go:113] FLAG: --federations=""
        I0719 05:36:25.177674       7 server.go:113] FLAG: --healthz-port="8081"
        I0719 05:36:25.177702       7 server.go:113] FLAG: --initial-sync-timeout="1m0s"
        I0719 05:36:25.177748       7 server.go:113] FLAG: --kube-master-url=""
        I0719 05:36:25.177779       7 server.go:113] FLAG: --kubecfg-file=""
        I0719 05:36:25.177806       7 server.go:113] FLAG: --log-backtrace-at=":0"
        I0719 05:36:25.177858       7 server.go:113] FLAG: --log-dir=""
        I0719 05:36:25.177887       7 server.go:113] FLAG: --log-flush-frequency="5s"
        I0719 05:36:25.177933       7 server.go:113] FLAG: --logtostderr="true"
        I0719 05:36:25.177961       7 server.go:113] FLAG: --nameservers=""
        I0719 05:36:25.177988       7 server.go:113] FLAG: --stderrthreshold="2"
        I0719 05:36:25.178017       7 server.go:113] FLAG: --v="2"
        I0719 05:36:25.178057       7 server.go:113] FLAG: --version="false"
        I0719 05:36:25.178086       7 server.go:113] FLAG: --vmodule=""
        I0719 05:36:25.178447       7 server.go:176] Starting SkyDNS server (0.0.0.0:10053)
        I0719 05:36:25.179197       7 server.go:198] Skydns metrics enabled (/metrics:10055)
        I0719 05:36:25.179209       7 dns.go:147] Starting endpointsController
        I0719 05:36:25.179215       7 dns.go:150] Starting serviceController
        I0719 05:36:25.179327       7 logs.go:41] skydns: ready for queries on cluster.local. for tcp://0.0.0.0:10053 [rcache 0]
        I0719 05:36:25.179347       7 logs.go:41] skydns: ready for queries on cluster.local. for udp://0.0.0.0:10053 [rcache 0]
        I0719 05:36:25.679413       7 dns.go:171] Initialized services and endpoints from apiserver
        I0719 05:36:25.679440       7 server.go:129] Setting up Healthz Handler (/readiness)
        I0719 05:36:25.679451       7 server.go:134] Setting up cache handler (/cache)
        I0719 05:36:25.679460       7 server.go:120] Status HTTP port 8081
    
        root@sh0k:~# kubectl -n kube-system logs kube-dns-2425271678-n3cgv dnsmasq
        I0719 05:36:25.672456      20 main.go:76] opts: {{/usr/sbin/dnsmasq [-k --cache-size=1000 --log-facility=- --server=/cluster.local/127.0.0.1#10053 --server=/in-addr.arpa/127.0.0.1#10053 --server=/ip6.arpa/127.0.0.1#10053] true} /etc/k8s/dns/dnsmasq-nanny 10000000000}
        I0719 05:36:25.672682      20 nanny.go:86] Starting dnsmasq [-k --cache-size=1000 --log-facility=- --server=/cluster.local/127.0.0.1#10053 --server=/in-addr.arpa/127.0.0.1#10053 --server=/ip6.arpa/127.0.0.1#10053]
        I0719 05:36:25.889812      20 nanny.go:111] 
        W0719 05:36:25.889917      20 nanny.go:112] Got EOF from stdout
        I0719 05:36:25.890205      20 nanny.go:108] dnsmasq[51]: started, version 2.76 cachesize 1000
        I0719 05:36:25.890251      20 nanny.go:108] dnsmasq[51]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
        I0719 05:36:25.890274      20 nanny.go:108] dnsmasq[51]: using nameserver 127.0.0.1#10053 for domain ip6.arpa 
        I0719 05:36:25.890287      20 nanny.go:108] dnsmasq[51]: using nameserver 127.0.0.1#10053 for domain in-addr.arpa 
        I0719 05:36:25.890294      20 nanny.go:108] dnsmasq[51]: using nameserver 127.0.0.1#10053 for domain cluster.local 
        I0719 05:36:25.890687      20 nanny.go:108] dnsmasq[51]: reading /etc/resolv.conf
        I0719 05:36:25.890706      20 nanny.go:108] dnsmasq[51]: using nameserver 127.0.0.1#10053 for domain ip6.arpa 
        I0719 05:36:25.890715      20 nanny.go:108] dnsmasq[51]: using nameserver 127.0.0.1#10053 for domain in-addr.arpa 
        I0719 05:36:25.890722      20 nanny.go:108] dnsmasq[51]: using nameserver 127.0.0.1#10053 for domain cluster.local 
        I0719 05:36:25.890730      20 nanny.go:108] dnsmasq[51]: using nameserver 8.8.8.8#53
        I0719 05:36:25.890740      20 nanny.go:108] dnsmasq[51]: using nameserver 8.8.4.4#53
        I0719 05:36:25.891436      20 nanny.go:108] dnsmasq[51]: read /etc/hosts - 7 addresses
    

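As an added example (not from the question or either answer): a small Python triage helper that tells the three failure modes seen in this thread apart from curl's own output. DNS failure (exit 6) and a missing CA bundle (exit 60) are different problems from exit 51 in the question, where the pod reached a server presenting a certificate for contabo.at rather than the name it asked for, which points at DNS or routing inside the cluster, not at certificates. The sample outputs are constructed from the lines shown above; the `name_matches` helper is an assumption of how a hostname check is done, not curl's code.

```python
import re

# Constructed samples: the relevant lines from the curl -v runs in the question,
# plus a constructed exit-60 line for the "CA bundle really is missing" case.
SAMPLE_MISMATCH = (
    "* Connected to acme-v01.api.letsencrypt.org (91.194.91.220) port 443 (#0)\n"
    "* Server certificate:\n"
    "* \t subject: CN=contabo.at\n"
    "* \t subjectAltName does not match acme-v01.api.letsencrypt.org\n"
    "curl: (51) SSL: no alternative certificate subject name matches target host name "
    "'acme-v01.api.letsencrypt.org'\n"
)
SAMPLE_DNS = "* Could not resolve host: www.google.com\ncurl: (6) Could not resolve host: www.google.com\n"
SAMPLE_CA = "curl: (60) SSL certificate problem: unable to get local issuer certificate\n"

# curl exit codes that often get lumped together as "certificate problems".
CAUSES = {
    6: ("dns_failure", "the resolver inside the pod is not answering; check kube-dns and /etc/resolv.conf"),
    51: ("wrong_endpoint", "TLS reached a host whose certificate is for another name; check which IP the pod "
         "resolved and where its traffic is routed, and keep verification enabled"),
    60: ("missing_ca", "the CA bundle is missing or stale; install or refresh ca-certificates in the image"),
}

def name_matches(cert_name, host):
    """Hostname check in the style of RFC 6125: exact match, or one leftmost '*' label."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        c_labels, h_labels = cert_name.split(".")[1:], host.split(".")
        return len(h_labels) == len(c_labels) + 1 and h_labels[1:] == c_labels
    return False

def triage(curl_output):
    """Classify a failed curl -v run and pull out the facts needed to act on it."""
    m = re.search(r"^curl: \((\d+)\)", curl_output, re.M)
    code = int(m.group(1)) if m else 0
    conn = re.search(r"Connected to (\S+) \((\S+)\) port", curl_output)
    cn = re.search(r"subject: .*?CN=([^,\s]+)", curl_output)
    cause, advice = CAUSES.get(code, ("unknown", "inspect the full curl -v output"))
    result = {"code": code, "cause": cause, "advice": advice}
    if conn:
        result["host"], result["ip"] = conn.group(1), conn.group(2)
    if cn:
        result["cert_cn"] = cn.group(1)
        if conn:  # does the certificate's CN actually cover the host curl asked for?
            result["cn_matches_host"] = name_matches(cn.group(1), conn.group(1))
    return result
```
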
2 answers:

Answer 0 (score: 1)

You are not getting the correct IP address for the acme-v01.api.letsencrypt.org DNS hostname.

You can update /etc/resolv.conf with the IP of an external DNS server and test curl

e.g. Google's DNS server.

    nameserver 8.8.8.8

Answer 1 (score: 0)

Solved the problem by executing the following command:

    kubectl -n kube-system get ds -l 'k8s-app=kube-proxy' -o json | jq '.items[0].spec.template.spec.containers[0].command |= .+ ["--proxy-mode=userspace"]' | kubectl apply -f - && kubectl -n kube-system delete pods -l 'k8s-app=kube-proxy'