Kubeadm 无法在升级时签署证书
Kubeadm is unable to sign certificate on upgrade
在使用 kubespray 将 Kubernetes 从 1.14 升级到 1.15 期间,我的团队在 "Upgrade first master" 步骤中遇到以下消息的阻塞问题:
[upgrade/apply] FATAL: couldn''t upgrade control plane.
kubeadm has tried to recover everything into the earlier state.
Errors faced: [failed to renew certificates for component "kube-apiserver":
failed to renew certificate apiserver-kubelet-client:
unable to sign certificate:
must specify at least one ExtKeyUsage,
rename /etc/kubernetes/tmp/kubeadm
-backup-manifests-2019-09-19-09-06-27/kube-apiserver.yaml /etc/kubernetes/manifests/kube-apiserver.yaml: no such file or directory]'
尝试隔离任务并手动 运行 kubeadm 命令行导致相同的错误消息:
#/usr/local/bin/kubeadm upgrade apply -y v1.15.3 --config=/etc/kubernetes/kubeadm-config.yaml --ignore-preflight-errors=all --allow-experimental-upgrades --allow-release-candidate-upgrades --etcd-upgrade=false -v 6
甚至尝试手动续订证书:
/etc/kubernetes/pki# kubeadm alpha certs renew apiserver-kubelet-client -v 9
I0919 14:42:11.515503 18597 initconfiguration.go:105] detected and using CRI socket: /var/run/dockershim.sock
I0919 14:42:11.515897 18597 interface.go:384] Looking for default routes with IPv4 addresses
I0919 14:42:11.515916 18597 interface.go:389] Default route transits interface “eth0”
I0919 14:42:11.516284 18597 interface.go:196] Interface eth0 is up
(...)
I0919 14:42:11.516835 18597 feature_gate.go:216] feature gates: &{map[]}
failed to renew certificate apiserver-kubelet-client: unable to sign certificate: must specify at least one ExtKeyUsage
最终找到解决方案并发布在下面。
问题来自 kubeadm,它在必须更新旧证书时使用旧证书。但是当这些初始证书太旧或手动生成时,它们可能不包含一些需要存在的必填字段。
在错误消息中,ExtKeyUsage
指的是 X509v3 Extended Key Usage
字段。
您可以通过查看您的证书来检查:涉及 2 个证书:apiserver-kubelet-client.crt
和 front-proxy-client.crt
它们位于 /etc/kubernetes/pki
的主控主机上。
您可以使用
查看它们
# openssl x509 -in apiserver-kubelet-client.crt -text -noout
如果它们不包含以下内容(接近尾声),那么 kubeadm 将完全无法更新证书
(...)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
TL;DR;
解决方案就是使用以下过程创建全新的证书
######### Backup your certificates (just in case)
master01:/etc/kubernetes/pki# cp -a /etc/kubernetes/pki /root/backup_cert/
######### Delete incomplete certificates
master01:/etc/kubernetes/pki# rm apiserver-kubelet-client.*
master01:/etc/kubernetes/pki# rm front-proxy-client.*
######### Then recreate them
master01:/etc/kubernetes/pki# kubeadm init phase certs apiserver-kubelet-client
master01:/etc/kubernetes/pki# kubeadm init phase certs front-proxy-client
您现在可以重新启动升级程序,这应该没问题。 (注意:如果您的集群处于第一个 master 处于 SchedulingDisabled 状态的状态,那么不要忘记取消对主机的封锁,因为 kubespray playbook 不会解决这个问题)
在使用 kubespray 将 Kubernetes 从 1.14 升级到 1.15 期间,我的团队在 "Upgrade first master" 步骤中遇到以下消息的阻塞问题:
[upgrade/apply] FATAL: couldn''t upgrade control plane.
kubeadm has tried to recover everything into the earlier state.
Errors faced: [failed to renew certificates for component "kube-apiserver":
failed to renew certificate apiserver-kubelet-client:
unable to sign certificate:
must specify at least one ExtKeyUsage,
rename /etc/kubernetes/tmp/kubeadm
-backup-manifests-2019-09-19-09-06-27/kube-apiserver.yaml /etc/kubernetes/manifests/kube-apiserver.yaml: no such file or directory]'
尝试隔离任务并手动 运行 kubeadm 命令行导致相同的错误消息:
#/usr/local/bin/kubeadm upgrade apply -y v1.15.3 --config=/etc/kubernetes/kubeadm-config.yaml --ignore-preflight-errors=all --allow-experimental-upgrades --allow-release-candidate-upgrades --etcd-upgrade=false -v 6
甚至尝试手动续订证书:
/etc/kubernetes/pki# kubeadm alpha certs renew apiserver-kubelet-client -v 9
I0919 14:42:11.515503 18597 initconfiguration.go:105] detected and using CRI socket: /var/run/dockershim.sock
I0919 14:42:11.515897 18597 interface.go:384] Looking for default routes with IPv4 addresses
I0919 14:42:11.515916 18597 interface.go:389] Default route transits interface “eth0”
I0919 14:42:11.516284 18597 interface.go:196] Interface eth0 is up
(...)
I0919 14:42:11.516835 18597 feature_gate.go:216] feature gates: &{map[]}
failed to renew certificate apiserver-kubelet-client: unable to sign certificate: must specify at least one ExtKeyUsage
最终找到解决方案并发布在下面。
问题来自 kubeadm,它在必须更新旧证书时使用旧证书。但是当这些初始证书太旧或手动生成时,它们可能不包含一些需要存在的必填字段。
在错误消息中,ExtKeyUsage
指的是 X509v3 Extended Key Usage
字段。
您可以通过查看您的证书来检查:涉及 2 个证书:apiserver-kubelet-client.crt
和 front-proxy-client.crt
它们位于 /etc/kubernetes/pki
的主控主机上。
您可以使用
查看它们# openssl x509 -in apiserver-kubelet-client.crt -text -noout
如果它们不包含以下内容(接近尾声),那么 kubeadm 将完全无法更新证书
(...)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
TL;DR;
解决方案就是使用以下过程创建全新的证书
######### Backup your certificates (just in case)
master01:/etc/kubernetes/pki# cp -a /etc/kubernetes/pki /root/backup_cert/
######### Delete incomplete certificates
master01:/etc/kubernetes/pki# rm apiserver-kubelet-client.*
master01:/etc/kubernetes/pki# rm front-proxy-client.*
######### Then recreate them
master01:/etc/kubernetes/pki# kubeadm init phase certs apiserver-kubelet-client
master01:/etc/kubernetes/pki# kubeadm init phase certs front-proxy-client
您现在可以重新启动升级程序,这应该没问题。 (注意:如果您的集群处于第一个 master 处于 SchedulingDisabled 状态的状态,那么不要忘记取消对主机的封锁,因为 kubespray playbook 不会解决这个问题)