I cannot add a certSAN to a multi-master cluster configuration
Hi. I created a k8s cluster with three master nodes and one worker node, placed on the local network 192.168.1.0/24. The entry point is the virtual IP 192.168.1.42, implemented with keepalived + nginx on each master node. Local worker nodes are added without problems.
Versions:
Ubuntu 18.04.1 LTS
kubeadm 1.13.0-00
kubectl 1.13.0-00
kubelet 1.13.0-00
kubernetes-cni 0.6.0-00
docker-ce 18.06.1~ce~3-0~ubuntu
My initial YAML: http://paste.org.ru/?5fvtpx
I forwarded port 16443 to the master. I tried to add a worker node from AWS and got an error:
ubuntu@ip-172-31-18-25:~$ sudo kubeadm join 92.255.235.100:16443 --token XXX --discovery-token-ca-cert-hash sha256:XXX
[preflight] Running pre-flight checks
[discovery] Trying to connect to API Server "92.255.235.100:16443"
[discovery] Created cluster-info discovery client, requesting info from "https://92.255.235.100:16443"
[discovery] Requesting info from "https://92.255.235.100:16443" again to validate TLS against the pinned public key
[discovery] Failed to request cluster info, will try again: [Get https://92.255.235.100:16443/api/v1/namespaces/kube-public/configmaps/cluster-info: x509: certificate is valid for 10.96.0.1, 192.168.1.42, 192.168.1.42, 192.168.1.44, 192.168.1.46, 192.168.1.47, 192.168.1.42, 127.0.0.1, not 92.255.235.100]
I added another certSAN in the configmap:
kubectl edit -n kube-system configmap
apiVersion: v1
data:
  ClusterConfiguration: |
    apiServer:
      certSANs:
      - master-k8s
      - node1
      - node2
      - 192.168.1.44
      - 192.168.1.46
      - 192.168.1.47
      - 192.168.1.42
      - 92.255.235.100
      - 127.0.0.1
I tried adding the certSAN to the configmap and renewing the certificates:
kubeadm alpha certs renew all
But after renewing the certificates the error persists. All certificates except CA, front-proxy-ca and sa were renewed.
│ apiserver-kubelet-client.crt │ 1099 │ Dec 25 16:48 │
│ apiserver-kubelet-client.key │ 1679 │ Dec 25 16:48 │
│ apiserver.crt                │ 1310 │ Dec 25 16:48 │
│ apiserver.key                │ 1679 │ Dec 25 16:48 │
│ ca.crt                       │ 1025 │ Dec 17 14:10 │
│ ca.key                       │ 1679 │ Dec 17 14:10 │
│ front-proxy-ca.crt           │ 1038 │ Dec 17 14:10 │
│ front-proxy-ca.key           │ 1679 │ Dec 17 14:10 │
│ front-proxy-client.crt       │ 1058 │ Dec 25 16:48 │
│ front-proxy-client.key       │ 1679 │ Dec 25 16:48 │
│ sa.key                       │ 1679 │ Dec 17 14:10 │
│ sa.pub                       │  451 │ Dec 17 14:10 │
I tried to create self-signed certificates with easyrsa3, but Kubernetes does not accept them even after updating the CA, and kubectl is no longer allowed either:
kubectl get pods --all-namespaces
Unable to connect to the server: x509: certificate signed by unknown authority
I have updated the CA certificates:
sudo cp ca.crt /usr/local/share/ca-certificates/kubernetes.crt
sudo update-ca-certificates
But this did not help. I added the certificates to the kubernetes config: http://paste.org.ru/?nqej8o but that did not help either.
On the AWS machine:
sudo kubeadm join 92.255.235.100:16443 --token XXX --discovery-token-ca-cert-hash sha256:XXX
[preflight] Running pre-flight checks
[discovery] Trying to connect to API Server "92.255.235.100:16443"
[discovery] Created cluster-info discovery client, requesting info from "https://92.255.235.100:16443"
[discovery] Requesting info from "https://92.255.235.100:16443" again to validate TLS against the pinned public key
[discovery] Failed to request cluster info, will try again: [Get https://92.255.235.100:16443/api/v1/namespaces/kube-public/configmaps/cluster-info: x509: certificate signed by unknown authority]
On the local master:
root@master-k8s:/root/pki_backup# kubectl get pods --all-namespaces
Unable to connect to the server: x509: certificate signed by unknown authority
In earlier versions of kubernetes there was a command:
kubeadm alpha phase certs selfsign --apiserver-advertise-address=0.0.0.0 --cert-altnames=10.161.233.80 --cert-altnames=114.215.201.87
but not in version 1.13.0. How do I add additional addresses of the master server to the kubernetes certificates?
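An added example, not part of the question above and not kubeadm's own tooling: a small shell script that (a) lists the SANs a serving certificate actually carries and checks whether a given address is among them, which is the first thing to verify after any renewal, (b) regenerates only the API server certificate from a ClusterConfiguration file with `kubeadm init phase certs apiserver --config`, leaving the CA, sa and front-proxy CA untouched, and (c) recomputes the CA public-key hash that `kubeadm join` pins with `--discovery-token-ca-cert-hash`. It assumes kubeadm 1.13 on a control-plane node, the `kubeadm-config` ConfigMap in `kube-system`, the default PKI path `/etc/kubernetes/pki`, Docker as the container runtime and an OpenSSL CLI. The self-signed sample certificate is constructed inside the script so the checks can be exercised without a cluster.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: kubeadm 1.13,
# default PKI directory, Docker runtime, OpenSSL CLI available.
set -e

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"

# Print the SANs of a certificate, one per line, in the form
# "DNS:kubernetes" or "IP Address:192.168.1.42".
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//'
}

# Return 0 if certificate $1 carries $2 as an IP or DNS SAN, 1 otherwise.
# A join to an address that is missing here fails exactly like the
# "certificate is valid for ..., not 92.255.235.100" error in the question.
cert_has_san() {
  cert_sans "$1" | grep -qxF "IP Address:$2" && return 0
  cert_sans "$1" | grep -qxF "DNS:$2"
}

# SHA-256 of the CA's public key, the value kubeadm join pins via
# --discovery-token-ca-cert-hash sha256:<hash>. Replacing the CA changes it,
# and every certificate issued by the old CA stops being trusted.
ca_cert_hash() {
  openssl x509 -pubkey -noout -in "$1" \
    | openssl rsa -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex \
    | sed 's/^.* //'
}

# Regenerate only apiserver.crt/apiserver.key from a ClusterConfiguration
# file (e.g. "kubeadm config view > kubeadm.yaml" with certSANs edited).
# kubeadm keeps an existing certificate instead of overwriting it, so the
# old pair is moved aside first; the static kube-apiserver pod must then be
# restarted so it loads the new files. The CA is deliberately left alone.
regenerate_apiserver_cert() {
  cfg="$1"
  backup="$PKI_DIR/backup-$(date +%Y%m%d%H%M%S)"
  mkdir -p "$backup"
  mv "$PKI_DIR/apiserver.crt" "$PKI_DIR/apiserver.key" "$backup/"
  kubeadm init phase certs apiserver --config "$cfg"
  # Assumption: Docker runtime; removing the container makes kubelet recreate the static pod.
  docker ps -q --filter name=k8s_kube-apiserver | xargs -r docker rm -f
}

# Constructed sample: a throwaway self-signed certificate with two SANs, so
# the checks above can be run without touching a real cluster.
make_sample_cert() {
  dir="$1"
  cat > "$dir/san.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = kube-apiserver
[v3]
subjectAltName = DNS:kubernetes, IP:192.168.1.42
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/sample.key" -out "$dir/sample.crt" \
    -config "$dir/san.cnf" 2>/dev/null
  echo "$dir/sample.crt"
}

# Demo run: ./check-sans.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  crt=$(make_sample_cert "$tmp")
  echo "SANs in $crt:"; cert_sans "$crt"
  cert_has_san "$crt" 192.168.1.42 && echo "192.168.1.42: present"
  cert_has_san "$crt" 92.255.235.100 || echo "92.255.235.100: missing, a join to it would fail TLS"
  echo "pinned hash would be sha256:$(ca_cert_hash "$crt")"
  rm -rf "$tmp"
fi
```

Usage on a real control-plane node: `cert_has_san /etc/kubernetes/pki/apiserver.crt 92.255.235.100` tells you whether the renewal actually picked up the new SAN before you retry the join. The regeneration step touches only the serving certificate, so existing kubeconfigs and the hash already handed out to joining nodes stay valid; swapping the CA itself (as with easyrsa) invalidates every client certificate and the pinned join hash, which is consistent with the "certificate signed by unknown authority" errors that appear in the question after the CA was replaced.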