Can't set up kubernetes using a certificate as x509: certificate signed by unknown authority
I'm trying to secure Kubernetes. I have a master and a minion that both work, and I followed the guide at http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/
I now have the master running and reachable over https, but I was getting an "Unauthorized" error, so I created a certificate for myself with the same procedure I used for the minion, built a p12 file and imported it into Firefox. I restarted the browser, it prompted me to authenticate with a certificate, I used the one I had just imported, and it displayed:
{
"major": "1",
"minor": "2",
"gitVersion": "v1.2.0",
"gitCommit": "ec7364b6e3b155e78086018aa644057edbe196e5",
"gitTreeState": "clean"
}
So now I can connect through the browser. Then I went on to set up the minion and restarted the service, and when I checked its status I got
kubelet[1655]: E1019 14:53:26.962906 1655 event.go:202] Unable to write event: 'x509: certificate signed by unknown authority' (may retry after sleeping)
I tried installing the root CA certificate I created on both the master and the minion, but that didn't help, so I thought the certificate might be corrupted and tried the same certificates the minion uses:
curl -k --key /srv/kubernetes/${HOSTNAME}.key --cert /srv/kubernetes/${HOSTNAME}.crt --cacert /srv/kubernetes/ca.crt https://kubernetes.master:6443/version
and got the same output
{
"major": "1",
"minor": "2",
"gitVersion": "v1.2.0",
"gitCommit": "ec7364b6e3b155e78086018aa644057edbe196e5",
"gitTreeState": "clean"
}
So the master is evidently rejecting my certificate for some other reason, since using the certificates with curl works fine. I've been googling but so far haven't been able to solve this. Can anyone point me in the right direction?
My setup is a minimal OS; the code used to generate the config file is as follows
kubectl config set-cluster my_cluster --server=https://kubernetes.master:6443 --insecure-skip-tls-verify=true
kubectl config unset clusters
kubectl config set-cluster my_cluster --certificate-authority=/srv/kubernetes/ca.crt --embed-certs=true --server=https://kubernetes.master:6443
kubectl config set-credentials minion --client-certificate=/srv/kubernetes/minion.one.crt --client-key=/srv/kubernetes/minion.one.key --embed-certs=true --token=59qbOTrcPcdSEgz1EZ0jOznJQ7uOYEsO
kubectl config set-context service-account-context --cluster=my_cluster --user=minion
kubectl config use-context service-account-context
[Update]
After further inspection, it may not even be related to the certificate or the TLS handshake. I ran
systemctl status -l kubelet.service
and got the following
Oct 19 16:11:58 minion.one kubelet[13120]: I1019 16:11:58.683943 13120 manager.go:123] Starting to sync pod status with apiserver
Oct 19 16:11:58 minion.one kubelet[13120]: I1019 16:11:58.683958 13120 kubelet.go:2372] Starting kubelet main sync loop.
Oct 19 16:11:58 minion.one kubelet[13120]: I1019 16:11:58.683967 13120 kubelet.go:2381] skipping pod synchronization - [container runtime is down]
Oct 19 16:11:58 minion.one kubelet[13120]: E1019 16:11:58.687984 13120 event.go:202] Unable to write event: 'Post https://kubernetes.master:6443/api/v1/namespaces/default/events: x509: certificate signed by unknown authority' (may retry after sleeping)
Oct 19 16:11:58 minion.one kubelet[13120]: I1019 16:11:58.930635 13120 factory.go:233] Registering Docker factory
Oct 19 16:11:58 minion.one kubelet[13120]: I1019 16:11:58.930995 13120 factory.go:97] Registering Raw factory
Oct 19 16:11:59 minion.one kubelet[13120]: I1019 16:11:59.063535 13120 manager.go:1003] Started watching for new ooms in manager
Oct 19 16:11:59 minion.one kubelet[13120]: I1019 16:11:59.063556 13120 oomparser.go:198] OOM parser using kernel log file: "/var/log/messages"
Oct 19 16:11:59 minion.one kubelet[13120]: I1019 16:11:59.063885 13120 manager.go:256] Starting recovery of all containers
Oct 19 16:11:59 minion.one kubelet[13120]: I1019 16:11:59.090785 13120 manager.go:261] Recovery completed
Could the first error
skipping pod synchronization - [container runtime is down]
be what causes the later certificate problem?
Trying to find out where the error comes from
I ended up using this script, which installs version 1.4
rm -f /etc/hostname
rm -f /etc/hosts
rm -f /etc/sysconfig/network
cat <<EOF > /etc/hostname
${HOSTNAME}
EOF
cat <<EOF > /etc/sysconfig/network
HOSTNAME=${HOSTNAME}
EOF
cat <<EOF > /etc/hosts
127.0.0.1 ${HOSTNAME} localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
${KUBERMASTER} kubernetes.vetology.net
EOF
systemctl disable firewalld
systemctl stop firewalld
yum -y update
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://yum.kubernetes.io/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
        https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF
setenforce 0
yum install -y docker kubelet kubeadm kubectl kubernetes-cni
systemctl enable docker && systemctl start docker
systemctl enable kubelet && systemctl start kubelet
kubeadm init
Now everything works.
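The message the kubelet logs above, "x509: certificate signed by unknown authority", is Go's crypto/x509 UnknownAuthorityError: the apiserver's certificate chain does not end at a CA in the client's trusted pool. The program below is an added example, not code from the question or from Kubernetes. It builds a throwaway CA, issues a server certificate for kubernetes.master (the hostname from the post), and verifies it against the correct CA, against a regenerated CA that carries the same name but a different key, and against an empty pool; the last two reproduce the logged error. The CA name "kubernetes-ca", the validity periods and the fingerprint helper are constructed for this example: comparing the SHA-256 of ca.crt on the master with the copy a node trusts tells you whether the two actually hold the same CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// sign creates the certificate described by tmpl, signed by parent (self-signed when
// parent is nil), and parses it back. All material here is constructed test data.
func sign(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA builds a self-signed CA with the given name (constructed, not the cluster's real CA).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cert, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, &key.PublicKey, key)
	return cert, key, err
}

// issueServerCert has ca sign a TLS server certificate for host, as the apiserver's would be.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host}, // verifiers match the SAN; a bare CN is not enough
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &key.PublicKey, caKey)
}

// poolOf returns the trusted roots a client holds, i.e. the contents of its ca.crt.
func poolOf(cas ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range cas {
		pool.AddCert(c)
	}
	return pool
}

// verifyServer checks serverCert for host against roots, the check a Go TLS client
// such as the kubelet performs during the handshake.
func verifyServer(serverCert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// isUnknownAuthority reports whether err is "x509: certificate signed by unknown authority".
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// fingerprint is the SHA-256 of the DER certificate; compare it for the ca.crt on the
// master and on each node to see whether they really hold the same CA.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func main() {
	const host = "kubernetes.master"       // apiserver name from the question
	ca, caKey, _ := newCA("kubernetes-ca") // errors ignored only in this demo
	srv, _ := issueServerCert(ca, caKey, host)
	stale, _, _ := newCA("kubernetes-ca") // same name, new key: a CA regenerated on the master
	fmt.Println("correct CA:    ", verifyServer(srv, poolOf(ca), host))
	fmt.Println("regenerated CA:", verifyServer(srv, poolOf(stale), host))
	fmt.Println("empty pool:    ", verifyServer(srv, poolOf(), host))
	fmt.Println("fingerprints:  ", fingerprint(ca)[:16], "vs", fingerprint(stale)[:16])
}
```

Run it with go run. The same-name case is worth keeping in mind with the kubeconfig shown in the question: --embed-certs=true copies ca.crt into the config as a snapshot, so if the CA on the master is ever regenerated, clients keep verifying against a root that has the right name but the wrong key, and the fingerprints are the quickest way to see that the copies have diverged.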