A k8s cluster installed with kubeadm reports an error when upgrading to 100-year certificates: Unable to connect to the server: EOF. Looking for a solution.

Posted by 持之以道 on 2023-04-02

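Error message:

When running commands:

Kubelet service error:

The situation: after updating the k8s certificates to 100 years, at the final step of restarting the kubelet service, the service does restart, but kubectl commands cannot be used; they hang for a long time and then report the first error in the image above. I would be grateful if anyone could suggest a solution. I have been searching for several days without finding the cause. Many thanks.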

 

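Below are the steps I followed to update the certificates, for reference:

Steps to update the k8s certificates to 100 years:

Check the kubeadm version: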

[root@k8s-master01 ~]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.17", GitCommit:"953be8927218ec8067e1af2641e540238ffd7576", GitTreeState:"clean", BuildDate:"2023-02-22T13:33:14Z", GoVersion:"go1.19.6", Compiler:"gc", Platform:"linux/amd64"}

 

Sync the K8S repository:

[root@k8s-master01 ~]# git clone https://gitee.com/mirrors/kubernetes.git
Cloning into 'kubernetes'...
remote: Enumerating objects: 1427037, done.
remote: Counting objects: 100% (14341/14341), done.
remote: Compressing objects: 100% (8326/8326), done.
remote: Total 1427037 (delta 9201), reused 8548 (delta 5365), pack-reused 1412696
Receiving objects: 100% (1427037/1427037), 911.55 MiB | 16.42 MiB/s, done.
Resolving deltas: 100% (1039605/1039605), done.
Checking out files: 100% (23746/23746), done.

 

Switch the branch to your own k8s version:

[root@k8s-master01 kubernetes]# git checkout v1.23.17
Checking out files: 100% (17024/17024), done.
Note: checking out 'v1.23.17'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b new_branch_name

HEAD is now at 953be89... Release commit for Kubernetes v1.23.17

Start a container with a Golang environment:

[root@k8s-master01 kubernetes]# docker run -ti --rm -v `pwd`:/go/src/ registry.cn-beijing.aliyuncs.com/dotbalo/golang:kubeadm bash
Unable to find image 'registry.cn-beijing.aliyuncs.com/dotbalo/golang:kubeadm' locally
kubeadm: Pulling from dotbalo/golang
f606d8928ed3: Pull complete 
47db815c6a45: Pull complete 
bf4849400000: Pull complete 
a572f7a256d3: Pull complete 
643043c84a42: Pull complete 
4bbfdffcd51b: Pull complete 
7bacd2cea1ca: Pull complete 
4ca1c8393efa: Pull complete 
Digest: sha256:af620e3fb7f2a8ee5e070c2f5608cc6e1600ec98c94d7dd25778a67f1a0b792a
Status: Downloaded newer image for registry.cn-beijing.aliyuncs.com/dotbalo/golang:kubeadm

Enter the Golang source directory:

root@85165a2f7d91:/go# cd /go/src/
root@85165a2f7d91:/go/src# 

Set up the proxy:

root@85165a2f7d91:/go/src# go env -w GOPROXY=https://goproxy.cn,direct
root@85165a2f7d91:/go/src# go env -w GOSUMDB=off

Filter for the certificate validity period in the configuration file:

root@85165a2f7d91:/go/src# grep "365" cmd/kubeadm/app/constants/constants.go
    CertificateValidity = time.Hour * 24 * 365

Change the certificate validity period in the configuration file:

root@85165a2f7d91:/go/src# sed -i 's#365#365 * 100#g' cmd/kubeadm/app/constants/constants.go

Check whether it was changed:

root@85165a2f7d91:/go/src# grep "365" cmd/kubeadm/app/constants/constants.go
    CertificateValidity = time.Hour * 24 * 365 * 100

Create a directory; after compilation, the binary will be output into it:

root@85165a2f7d91:/go/src# mkdir -p _output/

Change the permissions:

root@85165a2f7d91:/go/src# chmod 777 -R _output/

Compile; this may take a while, so wait patiently:

root@85165a2f7d91:/go/src# make WHAT=cmd/kubeadm

Check the build output directory:

root@5592256d5bb3:/go/src# ls _output/bin/kubeadm 
_output/bin/kubeadm

Copy the file to ./kubeadm:

root@5592256d5bb3:/go/src# cp _output/bin/kubeadm ./kubeadm

Run up to this point, then exit!!!

exit

Copy our certificates:

[root@k8s-master01 kubernetes]# cp kubeadm /opt/

At this point, use kubeadm to renew our certificates:

[root@k8s-master01 kubernetes]# /opt/kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

Here we check our kubeadm version:

[root@k8s-master01 kubernetes]# /opt/kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"23+", GitVersion:"v1.23.17-dirty", GitCommit:"953be8927218ec8067e1af2641e540238ffd7576", GitTreeState:"dirty", BuildDate:"2023-03-30T11:19:36Z", GoVersion:"go1.19.2", Compiler:"gc", Platform:"linux/amd64"}

On all master nodes, check whether the certificates were updated:

[root@k8s-master01 kubernetes]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 06, 2123 13:46 UTC   99y             ca                      no      
apiserver                  Mar 06, 2123 13:46 UTC   99y             ca                      no      
apiserver-etcd-client      Mar 06, 2123 13:46 UTC   99y             etcd-ca                 no      
apiserver-kubelet-client   Mar 06, 2123 13:46 UTC   99y             ca                      no      
controller-manager.conf    Mar 06, 2123 13:46 UTC   99y             ca                      no      
etcd-healthcheck-client    Mar 06, 2123 13:46 UTC   99y             etcd-ca                 no      
etcd-peer                  Mar 06, 2123 13:46 UTC   99y             etcd-ca                 no      
etcd-server                Mar 06, 2123 13:46 UTC   99y             etcd-ca                 no      
front-proxy-client         Mar 06, 2123 13:46 UTC   99y             front-proxy-ca          no      
scheduler.conf             Mar 06, 2123 13:46 UTC   99y             ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 20, 2033 03:14 UTC   9y              no      
etcd-ca                 Mar 20, 2033 03:14 UTC   9y              no      
front-proxy-ca          Mar 20, 2033 03:14 UTC   9y              no      

Restart kubelet on all master nodes:

[root@k8s-master01 kubernetes]# systemctl restart kubelet

 

At this point the error described above was reported. I hope someone can offer a solution, thank you!
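An added example, not part of the original post: the `check-expiration` table above lists leaf certificates expiring in 2123 under CAs that expire in 2033, and a certificate stops validating once its issuing CA has expired. This Python script parses that table and reports leaves that outlive their CA; the function names and the trimmed sample are constructed for illustration.

```python
import sys
from datetime import datetime

# Constructed sample: a few rows taken from the `kubeadm certs check-expiration`
# output shown in the post. Real output can be piped in on stdin instead.
SAMPLE = """\
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 06, 2123 13:46 UTC   99y             ca                      no
apiserver                  Mar 06, 2123 13:46 UTC   99y             ca                      no
etcd-server                Mar 06, 2123 13:46 UTC   99y             etcd-ca                 no
front-proxy-client         Mar 06, 2123 13:46 UTC   99y             front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 20, 2033 03:14 UTC   9y              no
etcd-ca                 Mar 20, 2033 03:14 UTC   9y              no
front-proxy-ca          Mar 20, 2033 03:14 UTC   9y              no
"""

def parse(text):
    """Return (leaves, cas): leaves maps name -> (expiry, CA name), cas maps name -> expiry."""
    leaves, cas, section = {}, {}, None
    for line in text.splitlines():
        f = line.split()
        if not f or line.startswith("["):      # blank lines and [check-expiration] log lines
            continue
        if f[0] == "CERTIFICATE":              # header row selects which table follows
            section = "ca" if f[1] == "AUTHORITY" else "leaf"
            continue
        if section is None or len(f) < (9 if section == "leaf" else 8):
            continue
        try:                                   # fields 1..4 are "Mar 06, 2123 13:46"
            expiry = datetime.strptime(" ".join(f[1:5]), "%b %d, %Y %H:%M")
        except ValueError:
            continue
        if section == "leaf":
            leaves[f[0]] = (expiry, f[7])      # f[7] is the CERTIFICATE AUTHORITY column
        else:
            cas[f[0]] = expiry
    return leaves, cas

def leaves_outliving_ca(text):
    """List (leaf, ca, ca_expiry) for every leaf whose expiry is later than its CA's."""
    leaves, cas = parse(text)
    return [(name, ca, cas[ca]) for name, (expiry, ca) in sorted(leaves.items())
            if ca in cas and expiry > cas[ca]]

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, ca, ca_expiry in leaves_outliving_ca(text):
        print(f"{name}: validates only until {ca} expires on {ca_expiry:%Y-%m-%d}")
```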
