错误报告:(我认为?)
发生了什么:
我在 Ubuntu 16.04 上运行了以下步骤:
sudo apt-get update
sudo apt-get upgrade
sudo su
kubeadm reset
kubeadm init --token [redacted] --apiserver-advertise-address=192.168.13.1 --pod-network-cidr=10.244.0.0/16
exit
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
kubectl get nodes
这样做后,我收到:
Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
我已经尝试卸载kubectl
、 kubeadm
和kubelet
几次(即使使用--purge
),无论我做什么,它(kubeadm 1.7 ) 不会生成有效的admin.conf
。 但是,我运行以下命令:
curl --cacert /etc/kubernetes/pki/ca.crt --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt --key /etc/kubernetes/pki/apiserver-kubelet-client.key https://192.168.13.1:6443
并得到:
{
"paths": [
"/api",
"/api/v1",
"/apis",
"/apis/",
"/apis/apiextensions.k8s.io",
"/apis/apiextensions.k8s.io/v1beta1",
"/apis/apiregistration.k8s.io",
"/apis/apiregistration.k8s.io/v1beta1",
"/apis/apps",
"/apis/apps/v1beta1",
"/apis/authentication.k8s.io",
"/apis/authentication.k8s.io/v1",
"/apis/authentication.k8s.io/v1beta1",
"/apis/authorization.k8s.io",
"/apis/authorization.k8s.io/v1",
"/apis/authorization.k8s.io/v1beta1",
"/apis/autoscaling",
"/apis/autoscaling/v1",
"/apis/batch",
"/apis/batch/v1",
"/apis/certificates.k8s.io",
"/apis/certificates.k8s.io/v1beta1",
"/apis/extensions",
"/apis/extensions/v1beta1",
"/apis/networking.k8s.io",
"/apis/networking.k8s.io/v1",
"/apis/policy",
"/apis/policy/v1beta1",
"/apis/rbac.authorization.k8s.io",
"/apis/rbac.authorization.k8s.io/v1alpha1",
"/apis/rbac.authorization.k8s.io/v1beta1",
"/apis/settings.k8s.io",
"/apis/settings.k8s.io/v1alpha1",
"/apis/storage.k8s.io",
"/apis/storage.k8s.io/v1",
"/apis/storage.k8s.io/v1beta1",
"/healthz",
"/healthz/autoregister-completion",
"/healthz/ping",
"/healthz/poststarthook/apiservice-registration-controller",
"/healthz/poststarthook/apiservice-status-available-controller",
"/healthz/poststarthook/bootstrap-controller",
"/healthz/poststarthook/ca-registration",
"/healthz/poststarthook/extensions/third-party-resources",
"/healthz/poststarthook/generic-apiserver-start-informers",
"/healthz/poststarthook/kube-apiserver-autoregistration",
"/healthz/poststarthook/rbac/bootstrap-roles",
"/healthz/poststarthook/start-apiextensions-controllers",
"/healthz/poststarthook/start-apiextensions-informers",
"/healthz/poststarthook/start-kube-aggregator-informers",
"/healthz/poststarthook/start-kube-apiserver-informers",
"/logs",
"/metrics",
"/swagger-2.0.0.json",
"/swagger-2.0.0.pb-v1",
"/swagger-2.0.0.pb-v1.gz",
"/swagger.json",
"/swaggerapi",
"/ui",
"/ui/",
"/version"
]
}
你期望发生的事情:
通过kubeadm init
初始化 master 后,我希望能够使用kubectl
安装网络插件; 因为它是x509
的,我不能那样做。
环境:
kubectl version
):1.7uname -a
):Linux radium-control 4.4.0-83-generic #106-Ubuntu SMP Mon Jun 26 17:54:43 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux/sig 集群生命周期
不确定这是否有帮助,但我也有同样的想法,并意识到我正在使用旧的设置指南,将/etc/kubernetes/admin.conf
复制到~/.kube/admin.conf
并设置$KUBECONFIG=$HOME/.kube/admin.conf
。 我清除了环境变量, kubectl
默认返回使用~/.kube/config
。
我也使用 kubeadm v1.7 看到了这一点 - 它阻止节点加入集群
我的安装出现同样的错误。 尝试使用 v1.6.5 和 1.6.7 它工作正常。
同样的问题在这里。
.
( kubeadm init
似乎没问题)
ns2 ~ # kubeadm init
[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[init] Using Kubernetes version: v1.7.3
[init] Using Authorization modes: [Node RBAC]
[preflight] Running pre-flight checks
[preflight] WARNING: docker version is greater than the most recently validated version. Docker version: 17.03.1-ce. Max validated version: 1.12
[preflight] WARNING: no supported init system detected, skipping checking for services
[preflight] WARNING: no supported init system detected, skipping checking for services
[preflight] WARNING: no supported init system detected, skipping checking for services
[preflight] WARNING: socat not found in system path
[preflight] No supported init system detected, won't ensure kubelet is running.
[certificates] Generated CA certificate and key.
[certificates] Generated API server certificate and key.
[certificates] API Server serving cert is signed for DNS names [ns2 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 ip_of_my_server]
[certificates] Generated API server kubelet client certificate and key.
[certificates] Generated service account token signing key and public key.
[certificates] Generated front-proxy CA certificate and key.
[certificates] Generated front-proxy client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
[apiclient] Created API client, waiting for the control plane to become ready
[apiclient] All control plane components are healthy after 36.004283 seconds
[token] Using token: 62af23.9fba33a48799d425
[apiconfig] Created RBAC rules
[addons] Applied essential addon: kube-proxy
[addons] Applied essential addon: kube-dns
Your Kubernetes master has initialized successfully!
To start using your cluster, you need to run (as a regular user):
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
http://kubernetes.io/docs/admin/addons/
You can now join any number of machines by running the following on each node
as root:
kubeadm join --token [some string] [ip_of_my_server]:6443
( kubeadm join
似乎也不错)
h1 ~ # kubeadm join --token [some string] [ip_of_my_server]:6443 --skip-preflight-checks
[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[preflight] Skipping pre-flight checks
[discovery] Trying to connect to API Server "192.168.0.254:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://192.168.0.254:6443"
[discovery] Cluster info signature and contents are valid, will use API Server "https://192.168.0.254:6443"
[discovery] Successfully established connection with API Server "192.168.0.254:6443"
[bootstrap] Detected server version: v1.7.3
[bootstrap] The server supports the Certificates API (certificates.k8s.io/v1beta1)
[csr] Created API client to obtain unique certificate for this node, generating keys and certificate signing request
[csr] Received signed certificate from the API server, generating KubeConfig...
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
Node join complete:
* Certificate signing request sent to master and response
received.
* Kubelet informed of new secure connection details.
Run 'kubectl get nodes' on the master to see this machine join.
(但kubectl get nodes
失败)
byungnam2<strong i="17">@ns2</strong> ~ $ kubectl get nodes
Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
你有$KUBECONFIG
指向/etc/kubernetes/kubelet.conf
吗?
export KUBECONFIG=/etc/kubernetes/kubelet.conf
kubectl get nodes
@liggitt在我将$KUBECONFIG
为/etc/kubernetes/kubelet.conf
,现在它给了我一个超时错误。
ns2 ~ # ./kubernetes/kubernetes/server/bin/kubectl get nodes
Error from server (ServerTimeout): the server cannot complete the requested operation at this time, try again later (get nodes)
现在我想知道$KUBECONFIG
来源,因为我引用的手册中没有这样的声明。
从节点加入命令的输出:
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
在玩 kubeadm 时遇到了同样的问题。
在kubeadm init
和kubeadm reset
几次之后,kubelet 将无法与 apiserver 通信,因为certificate signed by unknown authority
(在 kubelet 日志中)。 并且永远kubeadm init
块。
手动删除/run/kubernetes/
,一切都回来了。 也许在运行kubeadm reset
时存在清理证书的问题?
/area kubeadm
我在 kubeadm 1.8 上,这个问题仍然存在。
ubuntu@ip-172-31-9-157:~$ kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.0", GitCommit:"6e937839ac04a38cac63e6a7a306c5d035fe7b0a", GitTreeState:"clean", BuildDate:"2017-09-28T22:46:41Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
ubuntu@ip-172-31-9-157:~$
ubuntu@ip-172-31-9-157:~$
ubuntu@ip-172-31-9-157:~$ kubectl get nodes
Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
ubuntu@ip-172-31-9-157:~$
ubuntu@ip-172-31-9-157:~$
ubuntu@ip-172-31-9-157:~$
我手动检查了/var/run/kubernetes
。 当我运行kubeadm reset
时它被清理
注意:“要开始使用您的集群,您需要运行(作为普通用户)”
[ root@master1 ~]# kubectl 获取节点
无法连接到服务器:x509:由未知机构签名的证书(可能是因为在尝试验证候选机构证书“kubernetes”时出现“crypto/rsa:验证错误”)
[ root@master1 ~]# su
[ regular_user@master1 ~]$ mkdir -p $HOME/.kube
[ regular_user@master1 ~]$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[ regular_user@master1 ~]$ sudo chown $(id -u):$(id -g) $HOME/.kube/config
[ regular_user@master1 ~]$ kubectl 获取节点
姓名 状态 角色 年龄 版本
master1.virti.corp NotReady master 6m v1.8.1
master2.virti.corp 未就绪
@jeffbr13谢谢。 有用。
请使用此解决方法更新文档
如果您 kubeadm reset 然后再次 kubeadm init,并且如果您曾经以 root 身份运行以下命令,则需要再次(以 root 身份)运行它以获取新配置:
mkdir -p $HOME/.kube
须藤cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
须藤 chown $(id -u):$(id -g) $HOME/.kube/config
然后你仍然可以以root身份运行。
如果发现如果您要运行“sudo kubeadm reset”,则需要删除 .kube 目录以清除缓存的目录。
之后你可以关注@petersonwsantos
哦,请务必将 KUBECONFIG 设置为您(重新)命名您的配置文件的任何名称,例如 $HOME/.kube/config
坦克朋友 ints 是真的。
配置为以下几行,_$kubectl get nodes_ 工作:
_root:~/k8s# cat 04-config.sh
mkdir -p $HOME/.kube
须藤cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
须藤 chown $(id -u):$(id -g) $HOME/.kube/config
须藤 chmod 777 $HOME/.kube/config
导出 KUBECONFIG=/etc/kubernetes/kubelet.conf
导出 KUBECONFIG=/home/ubuntu/.kube/config
kubectl 获取节点
这可能是因为您有一个多母版设置并且在每个母版上都生成了/etc/kubernetes/pki/ca.*
。 而不是将它们从第一个主人复制到其余的。
我在 kubernetes 文档中找到了解决方案
在遵循文档时不要忘记使用此命令创建 .kube 目录mkdir -p $HOME/.kube
因为当你需要这个命令时,它会移动 .kube 目录mv $HOME/.kube $HOME/.kube.bak
https://kubernetes.io/docs/setup/independent/troubleshooting-kubeadm/
对于可能有此问题的其他人,可能想要尝试将 /root/.kube 文件夹移动到备份位置(如果它存在)并重试。 很可能正在使用不再有效的缓存根版本,因为您将以 sudo 身份运行 kubeadm。
我的问题是我在 KubeEdge 入门指南中创建了自定义证书。 没有搞乱 ssl 和 kubeedge 使它工作。
注意:“要开始使用您的集群,您需要运行(作为普通用户)”
[ root@master1 ~]# kubectl 获取节点
无法连接到服务器:x509:由未知机构签名的证书(可能是因为在尝试验证候选机构证书“kubernetes”时出现“crypto/rsa:验证错误”)[ root@master1 ~]# su
[ regular_user@master1 ~]$ mkdir -p $HOME/.kube
[ regular_user@master1 ~]$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[ regular_user@master1 ~]$ sudo chown $(id -u):$(id -g) $HOME/.kube/config
这有效。 除了我不得不再次设置我的 KUBECONFIG 因为它被改变了
导出 KUBECONFIG=$HOME/.kube/config
[ regular_user@master1 ~]$ kubectl 获取节点
姓名 状态 角色 年龄 版本
master1.virti.corp NotReady master 6m v1.8.1
master2.virti.corp 未就绪 4m v1.8.1
你有
$KUBECONFIG
指向/etc/kubernetes/kubelet.conf
吗?export KUBECONFIG=/etc/kubernetes/kubelet.conf kubectl get nodes
这对我有用,非常感谢。
导出 KUBECONFIG=/etc/kubernetes/kubelet.conf
kubectl 获取节点
是我的工作
注意:“要开始使用您的集群,您需要运行(作为普通用户)”
[ root@master1 ~]# kubectl 获取节点
无法连接到服务器:x509:由未知机构签名的证书(可能是因为在尝试验证候选机构证书“kubernetes”时出现“crypto/rsa:验证错误”)[ root@master1 ~]# su
[ regular_user@master1 ~]$ mkdir -p $HOME/.kube
[ regular_user@master1 ~]$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[ regular_user@master1 ~]$ sudo chown $(id -u):$(id -g) $HOME/.kube/config[ regular_user@master1 ~]$ kubectl 获取节点
姓名 状态 角色 年龄 版本
master1.virti.corp NotReady master 6m v1.8.1
master2.virti.corp 未就绪 4m v1.8.1
这有效!
在kubeadm init
您必须删除 $HOME/.kube 文件夹并创建新文件夹:
mkdir -p $HOME/.kube
须藤cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
须藤 chown $(id -u):$(id -g) $HOME/.kube/config
最有用的评论
你有
$KUBECONFIG
指向/etc/kubernetes/kubelet.conf
吗?