I can't add a CertSAN to a multi-master k8s cluster configuration

Time: 2018-12-27 10:54:11

Tags: kubernetes kubectl kubeadm self-signed-certificate


Hey. I created a k8s cluster with three master nodes and one worker node, placed on the local network 192.168.1.0/24. The entry point is the virtual IP 192.168.1.42, implemented with keepalived + nginx on each master node. Local worker nodes are added normally.

Versions:
Ubuntu 18.04.1 LTS
kubeadm                               1.13.0-00
kubectl                               1.13.0-00
kubelet                               1.13.0-00
kubernetes-cni                        0.6.0-00
docker-ce                             18.06.1~ce~3-0~ubuntu

My initial YAML: http://paste.org.ru/?5fvtpx

I forwarded port 16443 to the master server. I tried to add a worker node from AWS and got an error:

ubuntu@ip-172-31-18-25:~$ sudo kubeadm join 92.255.235.100:16443 --token XXX --discovery-token-ca-cert-hash sha256:XXX
[preflight] Running pre-flight checks
[discovery] Trying to connect to API Server "92.255.235.100:16443"
[discovery] Created cluster-info discovery client, requesting info from "https://92.255.235.100:16443"
[discovery] Requesting info from "https://92.255.235.100:16443" again to validate TLS against the pinned public key
[discovery] Failed to request cluster info, will try again: [Get https://92.255.235.100:16443/api/v1/namespaces/kube-public/configmaps/cluster-info: x509: certificate is valid for 10.96.0.1, 192.168.1.42, 192.168.1.42, 192.168.1.44, 192.168.1.46, 192.168.1.47, 192.168.1.42, 127.0.0.1, not 92.255.235.100]

I added another CertSAN in the configmap:

kubectl edit -n kube-system configmap

apiVersion: v1
data:
  ClusterConfiguration: |
    apiServer:
      certSANs:
      - master-k8s
      - node1
      - node2
      - 192.168.1.44
      - 192.168.1.46
      - 192.168.1.47
      - 192.168.1.42
      - 92.255.235.100
      - 127.0.0.1

I tried adding the CertSAN to the configmap and renewing the certificates.

 kubeadm alpha certs renew all

But after renewing the certificates the error is still there. All certificates except ca, front-proxy-ca and sa were renewed.

apiserver-kubelet-client.crt   1099  Dec 25 16:48
apiserver-kubelet-client.key   1679  Dec 25 16:48
apiserver.crt                  1310  Dec 25 16:48
apiserver.key                  1679  Dec 25 16:48
ca.crt                         1025  Dec 17 14:10
ca.key                         1679  Dec 17 14:10
front-proxy-ca.crt             1038  Dec 17 14:10
front-proxy-ca.key             1679  Dec 17 14:10
front-proxy-client.crt         1058  Dec 25 16:48
front-proxy-client.key         1679  Dec 25 16:48
sa.key                         1679  Dec 17 14:10
sa.pub                          451  Dec 17 14:10

I tried creating self-signed certificates with easyrsa3, but kubernetes does not accept them even after updating the CA, and kubectl cannot be used either:

 kubectl get pods --all-namespaces

Unable to connect to the server: x509: certificate signed by unknown authority

I updated the CA certificate:

 sudo cp ca.crt /usr/local/share/ca-certificates/kubernetes.crt
 sudo update-ca-certificates

But that didn't help. I added the certificates to the kubernetes config (http://paste.org.ru/?nqej8o), but that didn't help either.

On the AWS machine:

 sudo kubeadm join 92.255.235.100:16443 --token XXX --discovery-token-ca-cert-hash sha256:XXX
[preflight] Running pre-flight checks
[discovery] Trying to connect to API Server "92.255.235.100:16443"
[discovery] Created cluster-info discovery client, requesting info from "https://92.255.235.100:16443"
[discovery] Requesting info from "https://92.255.235.100:16443" again to validate TLS against the pinned public key
[discovery] Failed to request cluster info, will try again: [Get https://92.255.235.100:16443/api/v1/namespaces/kube-public/configmaps/cluster-info: x509: certificate signed by unknown authority]

On the local host:

root@master-k8s:/root/pki_backup# kubectl get pods --all-namespaces
Unable to connect to the server: x509: certificate signed by unknown authority

In earlier versions of kubernetes there was a command:

kubeadm alpha phase certs selfsign --apiserver-advertise-address=0.0.0.0 --cert-altnames=10.161.233.80 --cert-altnames=114.215.201.87

But not in version 1.13.0. How do I add additional addresses of the master server to the kubernetes certificates?
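The first join error above lists exactly which names the API server certificate carries, and that list, not the certSANs entry in the configmap, is what the joining node validates the address it connects to against. The following POSIX shell helper is an added example, not part of the original question, for checking which SANs an apiserver.crt actually contains and which expected addresses are missing. It assumes the openssl CLI is installed; the path /etc/kubernetes/pki/apiserver.crt is the kubeadm default location, and the certificate that make_test_cert generates is constructed for illustration only.

```shell
#!/bin/sh
# Added example (not from the original question): inspect the SANs of a
# kube-apiserver certificate and compare them with the addresses you expect.
# Assumes the openssl CLI is installed. On a kubeadm control-plane node the
# certificate lives at /etc/kubernetes/pki/apiserver.crt (kubeadm default).

# Print the Subject Alternative Name entries of a PEM certificate, one per
# line, e.g. "DNS:master-k8s" or "IP Address:192.168.1.42".
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//'
}

# Succeed (exit 0) if ADDR, given as an IP or a DNS name, is among the SANs.
# Both forms are tried because openssl prints IP entries as "IP Address:".
cert_has_san() {
  cert_sans "$1" | grep -qxF -e "IP Address:$2" -e "DNS:$2"
}

# Print every address in the argument list that the certificate does not
# cover; exit 1 if any is missing. This is the check to run after changing
# certSANs, before attempting a join through a new address.
missing_sans() {
  cert=$1; shift
  rc=0
  for addr in "$@"; do
    if ! cert_has_san "$cert" "$addr"; then
      echo "$addr"
      rc=1
    fi
  done
  return $rc
}

# Generate a constructed self-signed certificate carrying a SAN list like
# the one in the question, so the helpers can be exercised offline.
# Prints the path of the certificate.
make_test_cert() {
  dir=$(mktemp -d)
  cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = kube-apiserver
[v3]
subjectAltName = DNS:master-k8s,IP:10.96.0.1,IP:192.168.1.42,IP:127.0.0.1
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/apiserver.key" -out "$dir/apiserver.crt" \
    -config "$dir/san.cnf" >/dev/null 2>&1
  echo "$dir/apiserver.crt"
}

# Usage on a real control-plane node (path is the kubeadm default):
#   missing_sans /etc/kubernetes/pki/apiserver.crt 192.168.1.42 92.255.235.100
# Demonstration on the constructed certificate:
crt=$(make_test_cert)
echo "SANs in $crt:"
cert_sans "$crt"
missing_sans "$crt" 192.168.1.42 92.255.235.100 \
  || echo "(the addresses above are not covered by the certificate)"
```

Run `missing_sans` against the live apiserver.crt on each master after any certificate change: if the public address is still printed, the joining node will keep reporting the "certificate is valid for ..., not ..." error no matter what the configmap says. Note that the second error in the question, "certificate signed by unknown authority", is a different failure: there the CA pinned via `--discovery-token-ca-cert-hash` (and the CA in the local kubeconfig) no longer matches the CA that signed the serving certificate, so the SAN list is never even reached.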

0 answers:

No answers