记一次k8s问题处理 => 6443端口没有监听 => 证书过期处理

原始的问题是这样:

The connection to the server 192.168.122.200:6443 was refused - did you specify the right host or port?

lsof -i :6443

端口没有监听 

master 的kubelet.service 是active的,docker容器api_server是down的

node的 kubelet.service 是 dead, docker容器都是down的

journalctl -xefu kubelet 看到的日志都是连不上6443端口

后面找到容器kube-apiserver查看日志:

 

 

 似乎是证书过期了。。。

以下是解决步骤:

一. 检查证书是否过期。

可以通过下面两种方式检查 Kubernetes 的证书是否过期。

1. kubeadm 命令查看

可以通过 kubeadm alpha certs check-expiration 命令查看相关证书是否过期。

[root@master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 08, 2023 14:11 UTC   364d                                    no      
apiserver                  Jul 08, 2023 14:11 UTC   364d            ca                      no      
apiserver-etcd-client      Jul 08, 2023 14:11 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Jul 08, 2023 14:11 UTC   364d            ca                      no      
controller-manager.conf    Jul 08, 2023 14:11 UTC   364d                                    no      
etcd-healthcheck-client    Jul 08, 2023 14:11 UTC   364d            etcd-ca                 no      
etcd-peer                  Jul 08, 2023 14:11 UTC   364d            etcd-ca                 no      
etcd-server                Jul 08, 2023 14:11 UTC   364d            etcd-ca                 no      
front-proxy-client         Jul 08, 2023 14:11 UTC   364d            front-proxy-ca          no      
scheduler.conf             Jul 08, 2023 14:11 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 02, 2031 14:04 UTC   8y              no      
etcd-ca                 Jul 02, 2031 14:04 UTC   8y              no      
front-proxy-ca          Jul 02, 2031 14:04 UTC   8y              no      

2. openssl 命令查看

版本过低无法使用 kubeadm 命令时,可以通过 openssl 查看对应证书是否过期。

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '
            Not Before: Jul  4 14:04:27 2021 GMT
            Not After : Jul  8 14:11:17 2023 GMT

二. 自动更新证书

Kubenetes 在升级控制面板相关组件时会主动更新证书,因此如果保证 Kubernetes 能够定期(一年以内)升级的话,证书会自动更新。

三. 手动更新证书

1. 证书备份

cp -rp /etc/kubernetes /etc/kubernetes.bak

2. 删除旧的证书

将 /etc/kubernetes/pki 下要重新生成的证书删除

sudo rm -rf /etc/kubernetes/pki/apiserver.key

3. 重新生成证书

主要通过 kubeadm alpha certs renew 命令生成,命令简介如下

kubeadm alpha certs renew                                                                                         
Usage:
  kubeadm alpha certs renew [flags]
  kubeadm alpha certs renew [command]

Available Commands:
  all                      renew all available certificates
  apiserver                Generates the certificate for serving the Kubernetes API
  apiserver-etcd-client    Generates the client apiserver uses to access etcd
  apiserver-kubelet-client Generates the Client certificate for the API server to connect to kubelet
  etcd-healthcheck-client  Generates the client certificate for liveness probes to healtcheck etcd
  etcd-peer                Generates the credentials for etcd nodes to communicate with each other
  etcd-server              Generates the certificate for serving etcd
  front-proxy-client       Generates the client for the front proxy

重新生成所有证书

[root@master ~]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

W0708 11:36:20.404836    6022 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

4. 重新生成配置文件

备份旧的配置

mv /etc/kubernetes/*.conf /tmp/

生成新的配置

主要通过 kubeadm init phase kubeconfig 命令执行:

kubeadm init phase kubeconfig -h                                                                       
Usage:
  kubeadm init phase kubeconfig [flags]
  kubeadm init phase kubeconfig [command]

Available Commands:
  admin              Generates a kubeconfig file for the admin to use and for kubeadm itself
  all                Generates all kubeconfig files
  controller-manager Generates a kubeconfig file for the controller manager to use
  kubelet            Generates a kubeconfig file for the kubelet to use *only* for cluster bootstrapping purposes
  scheduler          Generates a kubeconfig file for the scheduler to use

5. 后续操作

完成证书和配置文件的更新后,需要进行一系列后续操作保证更新生效,主要包括重启 kubelet、更新管理配置。

  • 重启 kubelet
systemctl restart kubelet
  • 更新 admin 配置

将新生成的 admin.conf 文件拷贝,替换 ~/.kube 目录下的 config 文件。

cp /etc/kubernetes/admin.conf ~/.kube/config

至此master节点就恢复好了

 

恢复node节点

关于token失效, 重新生成

master集群初始化后,token24小时后就会失效,如果到了token失效时间,node再加入集群,需要重新生产token:

[root@master ~]# kubeadm token list
[root@master ~]# 

token没有了

重新生产token

[root@master ~]# kubeadm token create
W0708 11:48:22.716513   15630 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
aju641.rs9sumbg24v80hld
获取--discovery-token-ca-cert-hash值
[root@master ~]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | \
openssl dgst -sha256 -hex | sed 's/^.* //'
bb184b9cab8543539620b7736017514058ffe925ea04a8bed4c38465aaa004ae
加入集群命令--在node节点执行

kubeadm join 192.168.122.200:6443 --token gkdzsa.xhh13svso84zie2p \
--discovery-token-ca-cert-hash sha256:bb184b9cab8543539620b7736017514058ffe925ea04a8bed4c38465aaa004ae
重启node的kubelet服务
systemctl restart kubelet

https://blog.csdn.net/a1308422754/article/details/107157009/

https://blog.csdn.net/Ahri_J/article/details/107466921

posted @ 2022-07-09 00:23  风吹过的绿洲  阅读(3385)  评论(0编辑  收藏  举报