Kubelet-x509:证书的有效期为10.233.0.1,不适用于< IP> [英] Kubelet - x509: certificate is valid for 10.233.0.1 not for <IP>

查看:423
本文介绍了Kubelet-x509:证书的有效期为10.233.0.1,不适用于< IP>的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我已经使用 kubespray 安装了kubernetes集群(两个节点).现在,我添加了第三个节点.而且我从新节点上的kubelet服务器收到错误:

I've installed my kubernetes cluster (two nodes) with kubespray. Now I have added an third node. And I get the error from kubelet server on the new node:

无法列出* v1.Service:获取 https: //94.130.25.248:6443/api/v1/services?limit=500&resourceVersion=0 :x509:证书的有效期为10.233.0.1、94.130.25.247、94.130.25.247、10.233.0.1、127.0. 0.1,94.130.25.247,144.76.14.131,而不是94.130.25.248

Failed to list *v1.Service: Get https://94.130.25.248:6443/api/v1/services?limit=500&resourceVersion=0: x509: certificate is valid for 10.233.0.1, 94.130.25.247, 94.130.25.247, 10.233.0.1, 127.0.0.1, 94.130.25.247, 144.76.14.131, not 94.130.25.248

IP 94.130.25.248是新节点的ip.

The IP 94.130.25.248 is the ip of new node.

我发现了这篇文章,其中写有关于重新创建尖锐的.但是新版本的kubeadm(v1.13.1)没有此选项.

I've found this post, where was wrote about recreating the apicert. But the new version of kubeadm (v1.13.1) don't have this option.

我也尝试使用以下命令续订证书:

Also I've try to renew the certificates with command:

kubeadm alpha certs renew all --config /etc/kubernetes/kubeadm-config.yaml

此命令重新生成证书,但具有相同的ips和dns.

This command regenerate the certificates, but with the same ips and dns.

我的kubeadmin-config.yml(certSAN):

My kubeadmin-config.yml (certSANs):

  certSANs:
  - kubernetes
  - kubernetes.default
  - kubernetes.default.svc
  - kubernetes.default.svc.cluster.local
  - 10.233.0.1
  - localhost
  - 127.0.0.1
  - heku1
  - heku4
  - heku2
  - 94.130.24.247
  - 144.76.14.131
  - 94.130.24.248

有人可以告诉我如何将IP添加到apicert吗?

Can someone tell me how can I added the ip to apicert?

推荐答案

hm ... 我删除了apiserver.*和apiserver-kubelet-client.*,并使用以下命令重新创建了它:

hm... I've removed the apiserver.* and apiserver-kubelet-client.* and recreated this with command:

kubeadm init phase certs apiserver --config=/etc/kubernetes/kubeadm-config.yaml
kubeadm init phase certs apiserver-kubelet-client --config=/etc/kubernetes/kubeadm-config.yaml
systemctl stop kubelet
delete the docker container with kubelet
systemctl restart kubelet

这篇关于Kubelet-x509:证书的有效期为10.233.0.1,不适用于< IP>的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆