If yes, you should use our troubleshooting guide and community support channels; see http://kubernetes.io/docs/troubleshooting/.
If no, delete this section and continue on.
If you found a duplicate, you should instead reply there and close this page.
If you have not found any duplicates, delete this section and continue on.
Choose one of BUG REPORT or FEATURE REQUEST
kubeadm version (kubeadm version): 1.7.5
Environment:
(kubectl version): 1.7.5
(uname -a):

@zalmanzhao did you manage to solve this problem?

I created a kubeadm v1.9.3 cluster about a year ago and it has been working fine all this time. Today I went to update one deployment and realised I was locked out of the API because the certificate had expired. I can't even run kubeadm alpha phase certs apiserver, because I get failure loading apiserver certificate: the certificate has expired (the kubeadm version is currently 1.10.6, since I have upgraded).
Adding insecure-skip-tls-verify: true to ~/.kube/config → clusters[0].cluster does not help either - I see You must be logged in to the server (Unauthorized) when trying to kubectl get pods (https://github.com/kubernetes/kubernetes/issues/39767).
The cluster is working, but it lives its own life until it self-destroys or until things get fixed.
Unfortunately, I could not find a solution for my situation in #206 and am wondering how to get out of it. The only relevant material I could dig out was a blog post ('… kubernetes cluster'), which looked promising at first glance. However, it did not fit in the end because my master machine did not have the /etc/kubernetes/ssl/ folder (only /etc/kubernetes/pki/) - either I have a different k8s version or I simply deleted that folder without noticing.
@errordeveloper could you please recommend something? I'd love to fix things without kubeadm reset and re-creating the payload.

@kachkaev did you have any luck renewing the certificates without resetting kubeadm?
If so, please share; I'm having the same issue here with k8s 1.7.4. And I can't seem to upgrade ($ kubeadm upgrade plan) because the error pops up again, telling me that the certificate has expired and that it cannot list the masters in my cluster:
[ERROR APIServerHealth]: the API Server is unhealthy; /healthz didn't return "ok"
[ERROR MasterNodesReady]: couldn't list masters in cluster: Get https://172.31.18.88:6443/api/v1/nodes?labelSelector=node-role.kubernetes.io%2Fmaster%3D: x509: certificate has expired or is not yet valid

Unfortunately, I gave up in the end. The solution was to create a new cluster, restore all the payload on it, switch DNS records and finally delete the original cluster. At least there was no downtime, because I was able to have healthy pods on the old k8s during the transition.

Thanks for replying.
If I find something I'll be sure to post it here...

If you are using a version of kubeadm prior to 1.8, where I understand certificate rotation #206 was put into place (as a beta feature), or your certs have already expired, then you will need to manually update your certs (or recreate your cluster, which it appears some (not just @kachkaev) end up resorting to).
You will need to SSH into your master node. If you are using kubeadm >= 1.8, skip to 2.

1. Update Kubeadm, if needed. I was on 1.7 previously.
$ sudo curl -sSL https://dl.k8s.io/release/v1.8.15/bin/linux/amd64/kubeadm > ./kubeadm.1.8.15
$ chmod a+rx kubeadm.1.8.15
$ sudo mv /usr/bin/kubeadm /usr/bin/kubeadm.1.7
$ sudo mv kubeadm.1.8.15 /usr/bin/kubeadm

2. Backup old apiserver, apiserver-kubelet-client, and front-proxy-client certs and keys.
$ sudo mv /etc/kubernetes/pki/apiserver.key /etc/kubernetes/pki/apiserver.key.old
$ sudo mv /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.crt.old
$ sudo mv /etc/kubernetes/pki/apiserver-kubelet-client.crt /etc/kubernetes/pki/apiserver-kubelet-client.crt.old
$ sudo mv /etc/kubernetes/pki/apiserver-kubelet-client.key /etc/kubernetes/pki/apiserver-kubelet-client.key.old
$ sudo mv /etc/kubernetes/pki/front-proxy-client.crt /etc/kubernetes/pki/front-proxy-client.crt.old
$ sudo mv /etc/kubernetes/pki/front-proxy-client.key /etc/kubernetes/pki/front-proxy-client.key.old

3. Generate new apiserver, apiserver-kubelet-client, and front-proxy-client certs and keys.
$ sudo kubeadm alpha phase certs apiserver --apiserver-advertise-address <IP address of your master server>
$ sudo kubeadm alpha phase certs apiserver-kubelet-client
$ sudo kubeadm alpha phase certs front-proxy-client

4. Backup old configuration files
$ sudo mv /etc/kubernetes/admin.conf /etc/kubernetes/admin.conf.old
$ sudo mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.old
$ sudo mv /etc/kubernetes/controller-manager.conf /etc/kubernetes/controller-manager.conf.old
$ sudo mv /etc/kubernetes/scheduler.conf /etc/kubernetes/scheduler.conf.old

5. Generate new configuration files.
You need to take an important note here. If you are on AWS, you will need to explicitly pass the --node-name parameter in this request. Otherwise you will get an error like: Unable to register node "ip-10-0-8-141.ec2.internal" with API server: nodes "ip-10-0-8-141.ec2.internal" is forbidden: node ip-10-0-8-141 cannot modify node ip-10-0-8-141.ec2.internal in your logs (sudo journalctl -u kubelet --all | tail), and the master node will report that it is Not Ready when you run kubectl get nodes.
Be sure to replace the values passed in --apiserver-advertise-address and --node-name with the correct values for your environment.
$ sudo kubeadm alpha phase kubeconfig all --apiserver-advertise-address 10.0.8.141 --node-name ip-10-0-8-141.ec2.internal
[kubeconfig] Wrote KubeConfig file to disk: "admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "scheduler.conf"

6. Ensure that your kubectl is looking in the right place for your config files.
$ mv .kube/config .kube/config.old
$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ sudo chown $(id -u):$(id -g) $HOME/.kube/config
# owner-only: this file holds cluster-admin credentials
$ sudo chmod 600 $HOME/.kube/config
$ export KUBECONFIG=$HOME/.kube/config

7. Reboot your master node
$ sudo /sbin/shutdown -r now

8. Reconnect to your master node and grab your token, and verify that your Master Node is "Ready". Copy the token to your clipboard. You will need it in the next step.
$ kubectl get nodes
$ kubeadm token list
If you do not have a valid token, you can create one with:
$ kubeadm token create
The token should look something like 6dihyb.d09sbgae8ph2atjw

9. SSH into each of the slave nodes and reconnect them to the master
$ sudo curl -sSL https://dl.k8s.io/release/v1.8.15/bin/linux/amd64/kubeadm > ./kubeadm.1.8.15
$ chmod a+rx kubeadm.1.8.15
$ sudo mv /usr/bin/kubeadm /usr/bin/kubeadm.1.7
$ sudo mv kubeadm.1.8.15 /usr/bin/kubeadm
$ sudo kubeadm join --token=<token from step 8> <ip of master node>:<port used 6443 is the default> --node-name <should be the same one as from step 5>

10. Repeat Step 9 for each connecting node. From the master node, you can verify that all slave nodes have connected and are ready with:
$ kubectl get nodes

Hopefully this gets you where you need to be, @davidcomeyne.

Thanks a bunch @danroliver!
I will definitely try that and post my findings here.

@danroliver Thanks! I just tried it on an old single-node cluster, so I did the steps up to 7. It worked.

@danroliver Worked for me. Thank you very much.

It did not work for me; I had to set up a new cluster. But glad it helped others!

Thank you @danroliver. It works for me;
my kubeadm version is 1.8.5

Thanks @danroliver for putting the steps together. I had to make small additions to your steps. My cluster is running v1.9.3 and it is in a private datacenter off the Internet.

Prepare a config.yml:
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
api:
  advertiseAddress: <master-ip>
kubernetesVersion: 1.9.3

# archive the old kubeconfig files
cd /etc/kubernetes
mkdir ~/conf-archive/
for f in `ls *.conf`;do mv $f ~/conf-archive/$f.old;done
# archive the old certificates and keys
cd /etc/kubernetes/pki
mkdir ~/pki-archive
for f in `ls apiserver* front-*client*`;do mv $f ~/pki-archive/$f.old;done

With --config config.yml, like:
kubeadm alpha phase certs apiserver --config ./config.yml
kubeadm alpha phase certs apiserver-kubelet-client --config ./config.yml
kubeadm alpha phase certs front-proxy-client --config ./config.yml
kubeadm alpha phase kubeconfig all --config ./config.yml --node-name <master-node>
reboot

I had to move:
mv /etc/kubernetes/pki/ca.crt ~/archive/
mv /etc/kubernetes/kubelet.conf ~/archive/
systemctl stop kubelet
kubeadm join --token=eeefff.55550009999b3333 --discovery-token-unsafe-skip-ca-verification <master-ip>:6443

Thanks @danroliver! On my single-node cluster it was enough to follow steps 1-6 (no reboot) and then send a SIGHUP to kube-apiserver. I just found the container id with docker ps and sent the signal with docker kill -s HUP <container id>.

Thank you so much @danroliver! On our single-master/multi-worker cluster, doing steps 1 to 7 was enough; we did not have to reconnect every worker node to the master (which was the most painful part).

Thanks for this great step-by-step, @danroliver! I'm wondering how this process might be applied to a multi-master cluster (bare metal, currently running 1.11.1), preferably without downtime. My certs are not yet expired, but I am trying to learn how to regenerate/renew them before that happens.

@kcronin
please take a look at this new document:
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/
Hope that helps.

@danroliver: Thank you very much, it's working.
It's not necessary to reboot the servers.
It's enough to recreate the kube-system pods (apiserver, scheduler, etc.) with these two commands:
systemctl restart kubelet
for i in $(docker ps | egrep 'admin|controller|scheduler|api|fron|proxy' | rev | awk '{print $1}' | rev); do docker stop $i; done
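
I had to deal with this also on a 1.13 cluster; in my case the certificates were about to expire, so slightly different.
Also dealing with a single master/control instance on premise, so did not have to worry about a HA setup or AWS specifics.
Have not included the back-up steps, as others have included them above.
Since the certs had not expired, the cluster already had workloads which I wanted to keep working.
Did not have to deal with etcd certs at this time either, so have omitted them.
So at a high level I had to:
* On the master
  * Generate new certificates on the master
  * Generate new kubeconfigs with embedded certificates
  * Generate new kubelet certificates - client and server
  * Generate a new token for the worker node kubelets
* For each worker
  * Drain the worker first on the master
  * ssh to the worker, stop the kubelet, remove files and restart the kubelet
  * Uncordon the worker on the master
* On master at the end
  * Delete token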
# On master - See https://kubernetes.io/docs/setup/certificates/#all-certificates
# Generate the new certificates - you may have to deal with AWS - see above re extra certificate SANs
sudo kubeadm alpha certs renew apiserver
sudo kubeadm alpha certs renew apiserver-etcd-client
sudo kubeadm alpha certs renew apiserver-kubelet-client
sudo kubeadm alpha certs renew front-proxy-client
# Generate new kube-configs with embedded certificates - Again you may need extra AWS specific content - see above
sudo kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin > admin.conf
sudo kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > controller-manager.conf
sudo kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > kubelet.conf
sudo kubeadm alpha kubeconfig user --client-name system:kube-scheduler > scheduler.conf
# chown and chmod so they match existing files
sudo chown root:root {admin,controller-manager,kubelet,scheduler}.conf
sudo chmod 600 {admin,controller-manager,kubelet,scheduler}.conf
# Move to replace existing kubeconfigs
sudo mv admin.conf /etc/kubernetes/
sudo mv controller-manager.conf /etc/kubernetes/
sudo mv kubelet.conf /etc/kubernetes/
sudo mv scheduler.conf /etc/kubernetes/
# Restart the master components
sudo kill -s SIGHUP $(pidof kube-apiserver)
sudo kill -s SIGHUP $(pidof kube-controller-manager)
sudo kill -s SIGHUP $(pidof kube-scheduler)
# Verify master component certificates - should all be 1 year in the future
# Cert from api-server
echo -n | openssl s_client -connect localhost:6443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout | grep Not
# Cert from controller manager
echo -n | openssl s_client -connect localhost:10257 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout | grep Not
# Cert from scheduler
echo -n | openssl s_client -connect localhost:10259 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout | grep Not
# Generate kubelet.conf
sudo kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > kubelet.conf
sudo chown root:root kubelet.conf
sudo chmod 600 kubelet.conf
# Drain
kubectl drain --ignore-daemonsets $(hostname)
# Stop kubelet
sudo systemctl stop kubelet
# Delete files
sudo rm /var/lib/kubelet/pki/*
# Copy file
sudo mv kubelet.conf /etc/kubernetes/
# Restart
sudo systemctl start kubelet
# Uncordon
kubectl uncordon $(hostname)
# Check kubelet
echo -n | openssl s_client -connect localhost:10250 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout | grep Not
Let's create a new token for nodes re-joining the cluster (after kubelet restart)
# On master
sudo kubeadm token create
Now for each worker - one at a time
kubectl drain --ignore-daemonsets --delete-local-data WORKER-NODE-NAME
ssh to the worker node
# Stop kubelet
sudo systemctl stop kubelet
# Delete files
sudo rm /etc/kubernetes/kubelet.conf
sudo rm /var/lib/kubelet/pki/*
# Alter the bootstrap token
new_token=TOKEN-FROM-CREATION-ON-MASTER
sudo sed -i "s/token: .*/token: $new_token/" /etc/kubernetes/bootstrap-kubelet.conf
# Start kubelet
sudo systemctl start kubelet
# Check kubelet certificate
echo -n | openssl s_client -connect localhost:10250 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout | grep Not
sudo openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -text -noout | grep Not
sudo openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -text -noout | grep Not
Back to master and uncordon the worker
kubectl uncordon WORKER-NODE-NAME
After all workers have been updated - remove the token - it will expire in 24h, but let's get rid of it
# On master
sudo kubeadm token delete TOKEN-FROM-CREATION-ON-MASTER

@pmcgrath Thanks for posting those steps. I managed to follow them and renew my certificates, and get a working cluster.

This is what I need, only for 1.14.2 .. any hints on how to?

I know this issue is closed, but I have the same problem on 1.14.2, and the guide gives no errors, but I cannot connect to the cluster and reissue the token (I get auth failed).

A k8s cluster created using kubeadm v1.9.x experienced the same issue (apiserver-kubelet-client.crt expired on 2 July) at the age of v1.14.1.
I had to refer to 4 different sources to renew the certificates, regenerate the configuration files and bring the simple 3-node cluster back.
@danroliver gave very good and structured instructions, very close to the below guide from IBM.
[Renewing Kubernetes cluster certificates] from IBM WoW! (https://www.ibm.com/support/knowledgecenter/en/SSCKRH_1.1.0/platform/t_certificate_renewal.html)
NOTE: IBM Financial Crimes Insight with Watson private is powered by k8s, never knew that.
Problem with step 3 and step 5
Step 3 should NOT have the phase in the command:
$ sudo kubeadm alpha certs renew apiserver
$ sudo kubeadm alpha certs renew apiserver-kubelet-client
$ sudo kubeadm alpha certs renew front-proxy-client
Step 5 should use the below; kubeadm alpha does not have kubeconfig all, that is a kubeadm init phase instead:
# kubeadm init phase kubeconfig all
I0705 12:42:24.056152 32618 version.go:240] remote version is much newer: v1.15.0; falling back to: stable-1.14
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file

In 1.15 we have added better documentation for certificate renewal:
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/
Also, after 1.15 kubeadm upgrade will automatically renew the certificates for you!

> A k8s cluster created using kubeadm v1.9.x experienced the same issue (apiserver-kubelet-client.crt expired on 2 July) at the age of v1.14.1.

Versions older than 1.13 are already unsupported.
We strongly encourage users to keep up with this fast-moving project.
Currently there are discussions going on by the LongTermSupport Working Group to have versions of kubernetes supported for longer periods of time, but establishing the process might take a while.

Thanks @pmorie.
Works for kube version 1.13.6

Just a comment and feature request: this cert expiration hit us in production on our Kubernetes 1.11.x cluster this morning. We tried everything above (and the links), but hit numerous errors, and gave up after a few hours, getting completely stuck with a large hosed cluster. Fortunately, we were about 2 weeks away from upgrading to Kubernetes 1.15 (and building a new cluster), so we ended up just creating a new 1.15 cluster from scratch and copying over all our user data.
I very much wish there had been some warning before this happened. We just went from "incredibly stable cluster" to "completely broken hellish nightmare" without any warning, and had probably our worst downtime ever. Fortunately, it was a west-coast Friday afternoon, so relatively minimally impactful.
Of everything discussed above and in all the linked tickets, the one thing that would have made a massive difference for us isn't mentioned: start displaying a warning when certs are going to expire soon. (E.g., if you use kubectl and the cert is going to expire within a few weeks, please tell me!)

Sorry for your troubles. Normally it is the responsibility of the operator to monitor the certs on disk for expiration. But I do agree that the lack of easy monitoring can cause trouble. That is one of the reasons we added a command to check cert expiration in kubeadm. See
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/
Also, please note that after 1.15 kubeadm will auto-renew certificates on upgrade, which encourages users to upgrade more often too.

@neolit123 Thanks; we will add something to our own monitoring infrastructure to periodically check for upcoming cert issues, as explained in your comment.
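
The monitoring asked for in the comments above (a warning before the certificates expire, checked on disk by the operator), sketched as an added example that is not part of the thread or of kubeadm. It assumes Linux nodes with GNU date, openssl and base64; the function names and the 30-day WARN_DAYS threshold are constructed for illustration, and the file paths are the kubeadm ones that appear in this thread.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes GNU date, openssl and base64.
# WARN_DAYS is a constructed threshold; override it from the environment.
WARN_DAYS="${WARN_DAYS:-30}"

# Pull the expiry date out of openssl output read on stdin. Accepts both
# "notAfter=..." (x509 -enddate) and "Not After : ..." (x509 -text | grep Not,
# the form used by the verification commands in this thread).
extract_not_after() {
    sed -n -e 's/^notAfter=//p' \
           -e 's/^[[:space:]]*Not After[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# status_for "<notAfter>" [now_epoch] -> "OK|WARN|EXPIRED <days>" or "UNPARSEABLE"
status_for() {
    sf_now="${2:-$(date +%s)}"
    # GNU date treats an empty string as "today", so reject it explicitly.
    [ -n "$1" ] || { echo "UNPARSEABLE"; return 2; }
    sf_end=$(date -u -d "$1" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 2; }
    sf_secs=$(( sf_end - sf_now ))
    if [ "$sf_secs" -le 0 ]; then
        echo "EXPIRED $(( sf_secs / 86400 ))"
    elif [ "$sf_secs" -le $(( WARN_DAYS * 86400 )) ]; then
        echo "WARN $(( sf_secs / 86400 ))"
    else
        echo "OK $(( sf_secs / 86400 ))"
    fi
}

# Expiry of the first certificate in a PEM file.
cert_end() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | extract_not_after
}

# Expiry of the client certificate embedded in a kubeconfig (admin.conf etc.).
# Prints nothing when the kubeconfig points at a certificate file instead.
kubeconfig_end() {
    awk '$1 == "client-certificate-data:" { print $2; exit }' "$1" |
        base64 -d 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null | extract_not_after
}

# Check the files this thread had to regenerate. Returns 1 if anything is
# expired, unreadable as a certificate, or inside the warning window, so the
# exit status can drive a cron or monitoring alert.
check_node() {
    cn_rc=0
    for cn_f in /etc/kubernetes/pki/*.crt /etc/kubernetes/pki/etcd/*.crt \
                /var/lib/kubelet/pki/kubelet-client-current.pem \
                /var/lib/kubelet/pki/kubelet.crt; do
        [ -r "$cn_f" ] || continue
        cn_st=$(status_for "$(cert_end "$cn_f")")
        echo "$cn_st $cn_f"
        case "$cn_st" in OK*) ;; *) cn_rc=1 ;; esac
    done
    for cn_n in admin controller-manager scheduler kubelet; do
        cn_f="/etc/kubernetes/$cn_n.conf"
        [ -r "$cn_f" ] || continue
        cn_end=$(kubeconfig_end "$cn_f")
        [ -n "$cn_end" ] || continue
        cn_st=$(status_for "$cn_end")
        echo "$cn_st $cn_f (embedded client cert)"
        case "$cn_st" in OK*) ;; *) cn_rc=1 ;; esac
    done
    return "$cn_rc"
}

# Run on a node as root:  sh certwatch.sh check
if [ "${1:-}" = "check" ]; then
    check_node
    exit $?
fi
```

The kubeconfig check matters because, as the steps in this thread show, admin.conf, controller-manager.conf and scheduler.conf carry their own embedded client certificates, which expire independently of the files under /etc/kubernetes/pki.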

@danroliver Thx a lot for your reply. It saved lots of time for me.
One point worth mentioning is the "etcd" related certificates, which should be renewed in the same way. There is no need to reload the configuration, since it is used in the metadata YAML files as references.

For Kubernetes v1.14 I find this procedure proposed by @desdic the most helpful:
$ cd /etc/kubernetes/pki/
$ mv {apiserver.crt,apiserver-etcd-client.key,apiserver-kubelet-client.crt,front-proxy-ca.crt,front-proxy-client.crt,front-proxy-client.key,front-proxy-ca.key,apiserver-kubelet-client.key,apiserver.key,apiserver-etcd-client.crt} ~/
$ kubeadm init phase certs all --apiserver-advertise-address <IP>
$ cd /etc/kubernetes/
$ mv {admin.conf,controller-manager.conf,kubelet.conf,scheduler.conf} ~/
$ kubeadm init phase kubeconfig all
$ reboot
Copy admin.conf:
$ cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

> For Kubernetes v1.14 I find this procedure the most helpful:
> * https://stackoverflow.com/a/56334732/1147487

I created the fix once I had my own cluster fixed; hoped that someone else could use it.

> @danroliver gave very good and structured instructions, very close to the below guide from IBM.
> [Renewing Kubernetes cluster certificates] from IBM WoW! (https://www.ibm.com/support/knowledgecenter/en/SSCKRH_1.1.0/platform/t_certificate_renewal.html)

Nice! I wonder when this was published. I certainly would have found this helpful when I was going through this.

In K8s 1.13.x (possibly other K8s versions too), if you've ended up re-generating your CA certificate (/etc/kubernetes/pki/ca.crt), your tokens (see kubectl -n kube-system get secret | grep token) might have the old CA, and will have to be regenerated. Troubled tokens included kube-proxy-token and coredns-token in my case (and others), which caused cluster-critical services to be unable to authenticate with the K8s API.
To regenerate tokens, delete the old ones, and they will be recreated.
Same goes for any services talking to the K8s API, such as PV provisioner, ingress controllers, cert-manager, etc.

> Thanks for this great step-by-step, @danroliver! I'm wondering how this process might be applied to a multi-master cluster (bare metal, currently running 1.11.1), preferably without downtime. My certs are not yet expired, but I am trying to learn how to regenerate/renew them before that happens.

Hi @kcronin, how did you solve it with a multi-master config? I don't know how to proceed with --apiserver-advertise-address.
Thanks

@pmcgrath In case I have 3 masters, should I repeat the steps on each master? Or what is the case?

@SuleimanWA, you can copy admin.conf over, as well as the CA file, if the CA was regenerated.
For everything else, you should repeat the steps to regenerate certs (for etcd, kubelet, scheduler, etc.) on every master.

@anapsix
I'm running a 1.13.x cluster, and apiserver is reporting Unable to authenticate the request due to an error: [x509: certificate has expired or is not yet valid, x509: certificate has expired or is not yet valid] after I renewed the certs by running kubeadm alpha certs renew all.

> To regenerate tokens, delete the old ones, and they will be recreated.

Which token are you referring to in this case? Is it the one generated by kubeadm, or how can I delete the token?
-----UPDATE-----
I figured out it's the secret itself. In my case the kube-controller was not up, so the secret was not auto-generated.

High version use:
kubeadm alpha certs renew all

When the first master node's kubelet is down (systemctl stop kubelet), other master nodes can't contact the CA on the first master node. This results in the following message until kubelet on the original master node is brought back online:
kubectl get nodes
Error from server (InternalError): an error on the server ("") has prevented the request from succeeding (get nodes)
Is there a way to have the CA role transfer to the other master nodes while the kubelet on the original CA node is down?

Hi, I have done this task, but not on the 1.13 version. May I ask a few things, if you have done this already?
So basically I will be doing:
kubeadm alpha certs renew all (which updates the control plane certs under the pki/ folder on masters).
kubeadm init phase kubeconfig to update the kube config files (on masters and workers).
Restart kubelet on all nodes.
Do I still need to create a token and run join on worker nodes? If possible, can you share the steps you performed?