Kubernetes: expired certificate


Problem description


Our Kubernetes 1.6 cluster had certificates generated when the cluster was built on April 13th, 2017.


On December 13th, 2017, our cluster was upgraded to version 1.8, and new certificates were generated [apparently, an incomplete set of certificates].


On April 13th, 2018, we started seeing this message within our Kubernetes dashboard for api-server:

[authentication.go:64] Unable to authenticate the request due to an error: [x509: certificate has expired or is not yet valid, x509: certificate has expired or is not yet valid]


Tried pointing client-certificate & client-key within /etc/kubernetes/kubelet.conf at the certificates generated on Dec 13th [apiserver-kubelet-client.crt and apiserver-kubelet-client.crt], but continue to see the above error.


Tried pointing client-certificate & client-key within /etc/kubernetes/kubelet.conf at different certificates generated on Dec 13th [apiserver.crt and apiserver.crt] (I honestly don't understand the difference between these 2 sets of certs/keys), but continue to see the above error.


Tried pointing client-certificate & client-key within /etc/kubernetes/kubelet.conf at non-existent files, and none of the kube* services would start, with /var/log/syslog complaining about this:

Apr 17 17:50:08 kuber01 kubelet[2422]: W0417 17:50:08.181326 2422 server.go:381] invalid kubeconfig: invalid configuration: [unable to read client-cert /tmp/this/cert/does/not/exist.crt for system:node:node01 due to open /tmp/this/cert/does/not/exist.crt: no such file or directory, unable to read client-key /tmp/this/key/does/not/exist.key for system:node:node01 due to open /tmp/this/key/does/not/exist.key: no such file or directory]


Any advice on how to overcome this error, or even troubleshoot it at a more granular level? Was considering regenerating certificates for api-server (kubeadm alpha phase certs apiserver), based on instructions within https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-alpha/#cmd-phase-certs ... but not sure if I'd be doing more damage.


Relatively new to Kubernetes, and the gentleman who set this up is not available for consult ... any help is appreciated. Thanks.

Recommended answer


Each node within the Kubernetes cluster contains a config file for running kubelet ... /etc/kubernetes/kubelet.conf ... and this file is auto-generated by kubeadm. During this auto-generation, kubeadm uses /etc/kubernetes/ca.key to create a node-specific file, /etc/kubernetes/kubelet.conf, within which are two very important pieces ... client-certificate-data and client-key-data. My original thought process led me to believe that I needed to find the corresponding certificate file & key file, renew those files, convert both to base64, and use those values within kubelet.conf files across the cluster ... this thinking was not correct.


Instead, the fix was to use kubeadm to regenerate kubectl.conf on all nodes, as well as admin.conf, controller-manager.conf, and scheduler.conf on the cluster's master node. You'll need /etc/kubernetes/pki/ca.key on each node in order for your config files to include valid data for client-certificate-data and client-key-data.


Pro tip: make use of the --apiserver-advertise-address parameter to ensure your new config files contain the correct IP address of the node hosting the kube-apiserver service.
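As a more granular check for the situation described in the question and answer above (an added example; this is not code from the original post or from kubeadm), the following Go program decodes the client-certificate-data embedded in a kubeconfig such as /etc/kubernetes/kubelet.conf and reports each certificate's notAfter date and whether it is valid at a given time. It assumes the flat YAML layout kubeadm writes (the scan is a simple line match, not a YAML parser) and builds its own self-signed sample certificate as constructed input.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"math/big"
	"strings"
	"time"
)

type Finding struct { // validity status of one client-certificate-data entry
	CommonName string
	NotAfter   time.Time
	Expired    bool // true when 'now' lies outside the certificate's validity window
}
// checkKubeconfig decodes each client-certificate-data entry in kubeconfig text
// and checks whether the embedded PEM certificate is valid at 'now'.
func checkKubeconfig(kubeconfig string, now time.Time) ([]Finding, error) {
	var out []Finding
	for _, line := range strings.Split(kubeconfig, "\n") {
		key, val, ok := strings.Cut(strings.TrimSpace(line), ": ")
		if !ok || key != "client-certificate-data" {
			continue
		}
		raw, _ := base64.StdEncoding.DecodeString(val) // bad base64 yields no PEM block below
		block, _ := pem.Decode(raw)
		if block == nil {
			return nil, errors.New("client-certificate-data is not base64-encoded PEM")
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		out = append(out, Finding{cert.Subject.CommonName, cert.NotAfter, now.Before(cert.NotBefore) || now.After(cert.NotAfter)})
	}
	return out, nil
}
// constructedKubeconfig builds a minimal kubeconfig embedding a self-signed client
// certificate for 'cn' valid from notBefore to notAfter. Constructed test input only.
func constructedKubeconfig(cn string, notBefore, notAfter time.Time) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return "users:\n- name: " + cn + "\n  user:\n    client-certificate-data: " + base64.StdEncoding.EncodeToString(certPEM) + "\n"
}
```

The same check applies to admin.conf, controller-manager.conf and scheduler.conf on the master, and a certificate file under /etc/kubernetes/pki can be handed to pem.Decode and x509.ParseCertificate directly.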
