Worker node unable to join master node in kubernetes
My master node has two network interfaces -
192.168.56.118
10.0.3.15
When I ran kubeadm init on the master node, I got the following command to add worker nodes:
kubeadm join --token qr1czu.5lh1nt34ldiauc1u 192.168.56.118:6443 --discovery-token-ca-cert-hash sha256:e5d90dfa0fff67589551559c443762dac3f1e5c7a5d2b4a630e4c0156ad0e16c
As you can see, it shows the 192.168.56.118 IP to connect to from the worker.
But when I run the same command on the worker node, I get the following error.
[root@k8s-worker ~]# kubeadm join --token qr1czu.5lh1nt34ldiauc1u 192.168.56.118:6443 --discovery-token-ca-cert-hash sha256:e5d90dfa0fff67589551559c443762dac3f1e5c7a5d2b4a630e4c0156ad0e16c
[preflight] Running pre-flight checks
[discovery] Trying to connect to API Server "192.168.56.118:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://192.168.56.118:6443"
[discovery] Requesting info from "https://192.168.56.118:6443" again to validate TLS against the pinned public key
[discovery] Failed to request cluster info, will try again: [Get https://192.168.56.118:6443/api/v1/namespaces/kube-public/configmaps/cluster-info: x509: certificate is valid for 10.96.0.1, 10.0.3.15, not 192.168.56.118]
I tried the other IP, 10.0.3.15. But it returns a connection refused error, even though the firewall is disabled on the master.
[root@k8s-worker ~]# kubeadm join --token qr1czu.5lh1nt34ldiauc1u 10.0.3.15:6443 --discovery-token-ca-cert-hash sha256:e5d90dfa0fff67589551559c443762dac3f1e5c7a5d2b4a630e4c0156ad0e16c
[preflight] Running pre-flight checks
[WARNING Service-Kubelet]: kubelet service is not enabled, please run 'systemctl enable kubelet.service'
[discovery] Trying to connect to API Server "10.0.3.15:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://10.0.3.15:6443"
[discovery] Failed to request cluster info, will try again: [Get https://10.0.3.15:6443/api/v1/namespaces/kube-public/configmaps/cluster-info: dial tcp 10.0.3.15:6443: connect: connection refused]
How can I force the certificate to be valid for 192.168.56.118? Or any idea how I can resolve this issue?
You need to provide an extra API server certificate SAN (--apiserver-cert-extra-sans <ip_address>) and the API server advertise address (--apiserver-advertise-address) when initializing the cluster. Your kubeadm init command will look like this:
kubeadm init --apiserver-cert-extra-sans 192.168.56.118 --apiserver-advertise-address 192.168.56.118
Once you initialize the cluster with the above command, you will not face the certificate issue when joining the cluster.