Invalid x509 certificate for kubernetes master

Problem description

I am trying to reach my k8s master from my workstation. I can access the master from the LAN fine but not from my workstation. The error message is:

% kubectl --context=employee-context get pods
Unable to connect to the server: x509: certificate is valid for 10.96.0.1, 10.161.233.80, not 114.215.201.87

What can I do to add 114.215.201.87 to the certificate? Do I need to remove my old cluster ca.crt, recreate it, restart the whole cluster and then re-sign the client certificate? I have deployed my cluster with kubeadm and I am not sure how to do these steps manually.

Recommended answer

One option is to tell kubectl that you don't want the certificate to be validated. Obviously this brings up security issues but I guess you are only testing so here you go:

kubectl --insecure-skip-tls-verify --context=employee-context get pods

The better option is to fix the certificate. Easiest if you reinitialize the cluster by running kubeadm reset on all nodes including the master and then do

kubeadm init --apiserver-cert-extra-sans=114.215.201.87

It's also possible to fix that certificate without wiping everything, but that's a bit more tricky. Execute something like this on the master as root:

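# remove the old API server certificate and key
rm /etc/kubernetes/pki/apiserver.*
# regenerate them with the extra address among the SANs
kubeadm alpha phase certs selfsign --apiserver-advertise-address=0.0.0.0 --cert-altnames=10.161.233.80 --cert-altnames=114.215.201.87
# force-remove the running kube-apiserver container (plain "docker rm" refuses to remove a running container)
docker rm -f $(docker ps -q -f 'name=k8s_kube-apiserver*')
systemctl restart kubelet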
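
Added example, not part of the original answer: kubectl is a Go program, and the error in the question is the message Go's crypto/x509 hostname check returns when the dialed address is not among the certificate's IP SANs. The sketch below reproduces that check against constructed throwaway certificates, first with the two SANs from the error message and then with 114.215.201.87 added; newServingCert is a hypothetical helper, and no real cluster certificate is involved.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newServingCert returns a throwaway self-signed cert (constructed sample) with exactly the given IP SANs.
func newServingCert(ips ...string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("invalid IP SAN %q", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	base := []string{"10.96.0.1", "10.161.233.80"}
	for _, sans := range [][]string{base, append(base, "114.215.201.87")} {
		cert, err := newServingCert(sans...)
		if err != nil {
			panic(err)
		}
		// VerifyHostname is the SAN check a Go TLS client applies to the address it dialed; nil means covered.
		fmt.Println(sans, "->", cert.VerifyHostname("114.215.201.87"))
	}
}
```

The same VerifyHostname call can be pointed at the parsed contents of the regenerated apiserver.crt to confirm the new address is covered before dropping --insecure-skip-tls-verify from the client.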
