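【Posted】: 2021-10-12 10:12:46
【Question】:
For a few days now, without any change in the environment, one of our clusters running Kubernetes 1.19.9 on-prem has been showing errors about kubelet certificates.
The nodes are in NON-READY state because the certificates have expired. Investigating, I found that the CSRs are in Pending state. I can approve them manually, but they are not issued at all.
I tried rejoining those nodes to the cluster, but I face the same situation after the CSR is approved.
Example: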
NAME        AGE     SIGNERNAME                                    REQUESTOR                        CONDITION
csr-4dc9x   3m28s   kubernetes.io/kube-apiserver-client-kubelet   system:node:vm-k8s-ctrl-prod-1   Pending
csr-4xljn   18m     kubernetes.io/kube-apiserver-client-kubelet   system:node:vm-k8s-wk-stage-9    Pending
csr-6jdmg   3m19s   kubernetes.io/kube-apiserver-client-kubelet   system:node:vm-k8s-wk-stage-6    Pending
csr-9lr8n   18m     kubernetes.io/kube-apiserver-client-kubelet   system:node:vm-k8s-wk-stage-6    Pending
csr-g2pjt   3m35s   kubernetes.io/kube-apiserver-client-kubelet   system:node:vm-k8s-ctrl-prod-2   Pending
CSR example:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  creationTimestamp: "2021-08-08T10:10:19Z"
  generateName: csr-
  managedFields:
  - apiVersion: certificates.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:generateName: {}
      f:spec:
        f:request: {}
        f:signerName: {}
        f:usages: {}
    manager: kubelet
    operation: Update
    time: "2021-08-08T10:10:19Z"
  name: csr-4dc9x
  resourceVersion: "775314577"
  selfLink: /apis/certificates.k8s.io/v1/certificatesigningrequests/csr-4dc9x
  uid: 8c51be15-4ec4-4dc7-8a7a-486e27c74607
spec:
  groups:
  - system:nodes
  - system:authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlIN01JR2lBZ0VBTUVBeEZUQVRCZ05WQkFvVERITjVjM1JsYlRwdWIyUmxjekVuTUNVR0ExVUVBeE1lYzNsegpkR1Z0T201dlpHVTZkbTB0YXpoekxXTjBjbXd0Y0hKdlpDMHhNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBECkFRY0RRZ0FFazNESFh2cTloVkZxZzB3bW5VeWd6Z3VGdmFRdDZFUkFCcHcrUmhRNHFCRlRqdkxTSGo3ZUxVK1oKT3JGaThaOGpYUjZqRE5nekVpUkxRQTloS1pxR0c2QUFNQW9HQ0NxR1NNNDlCQU1DQTBnQU1FVUNJUURObFJBcAphT0hFZWRteENDajZiK2tLMWJrNjVYVDc0aC9Nd1VCenVDSnBrUUlnU2F0U0Z3Rkp5ekNQaWtFZTRKQys0QStqClVtVUVWUzhlOWZRbkdXdjROTms9Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
  signerName: kubernetes.io/kube-apiserver-client-kubelet
  usages:
  - digital signature
  - key encipherment
  - client auth
  username: system:node:vm-k8s-ctrl-prod-1
status: {}
Has anyone run into the same situation? I checked all the certificates in the cluster and everything looks fine to me.
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 10, 2022 22:17 UTC   306d                                    no
apiserver                  Jun 10, 2022 22:16 UTC   306d            ca                      no
apiserver-kubelet-client   Jun 10, 2022 22:16 UTC   306d            ca                      no
controller-manager.conf    Jun 10, 2022 22:17 UTC   306d                                    no
front-proxy-client         Jun 10, 2022 22:16 UTC   306d            front-proxy-ca          no
scheduler.conf             Jun 10, 2022 22:17 UTC   306d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 07, 2029 17:39 UTC   7y              no
front-proxy-ca          Apr 07, 2029 17:39 UTC   7y              no
Thanks in advance
【Discussion】:
-
Hello @trookam. To be clear, manually approving the CSRs did not help?
-
No, it still doesn't work.
Tags: ssl kubernetes certificate kubelet