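Kubernetes nodes cannot join the cluster - TLS handshake error from 10.123.146.55:48344: remote error: bad certificate

I am trying to get a 3-node Kubernetes cluster running on CoreOS and have run into a problem: I cannot join any nodes to the cluster, because the API server keeps throwing errors about TLS certificates.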
I1128 23:08:47.715663 1 logs.go:41] http: TLS handshake error from 10.123.146.55:48344: remote error: bad certificate
I1128 23:08:47.829082 1 logs.go:41] http: TLS handshake error from 10.123.146.55:48346: remote error: bad certificate
I1128 23:08:47.881655 1 logs.go:41] http: TLS handshake error from 10.123.146.54:40896: remote error: bad certificate
I1128 23:08:47.923955 1 logs.go:41] http: TLS handshake error from 10.123.146.54:40898: remote error: bad certificate
The certificates on the workers are valid - verified using
curl --key worker-key.pem -k https://10.123.146.53/api/v1/nodes --cert worker.pem --cacert ca.pem
The only related error I can see is the controller failing to start the certificate controller:
I1128 22:45:12.452293 1 controllermanager.go:462] Starting certificates.k8s.io/v1alpha1 apis
I1128 22:45:12.452989 1 controllermanager.go:464] Starting certificate request controller
E1128 22:45:12.454607 1 controllermanager.go:474] Failed to start certificate controller: open /etc/kubernetes/ca/ca.pem: no such file or directory
From what I can tell, /etc/kubernetes is included from the below:
$ cat /etc/kubernetes/manifests/kube-controller-manager.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-controller-manager
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-controller-manager
    image: quay.io/coreos/hyperkube:v1.4.3_coreos.0
    command:
    - /hyperkube
    - controller-manager
    - --master=http://127.0.0.1:8080
    - --leader-elect=true
    - --service-account-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    - --root-ca-file=/etc/kubernetes/ssl/ca.pem
    livenessProbe:
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10252
      initialDelaySeconds: 15
      timeoutSeconds: 1
    volumeMounts:
    - mountPath: /etc/kubernetes/ssl
      name: ssl-certs-kubernetes
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/ssl
    name: ssl-certs-kubernetes
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host
I think the problem is "open /etc/kubernetes/ca/ca.pem: no such file or directory" – rjdkolb
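
Added example (not part of the original question or comment): a small triage script over the log lines quoted above. In Go's TLS stack a "remote error:" is an alert received from the peer, so these entries mean the connecting workers rejected the certificate the API server presented, which the `curl -k` test cannot reveal because `-k` disables server certificate verification. The function name `triage` and the side labels are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample: log lines copied from the question above.
SAMPLE_LOG = """\
I1128 23:08:47.715663 1 logs.go:41] http: TLS handshake error from 10.123.146.55:48344: remote error: bad certificate
I1128 23:08:47.829082 1 logs.go:41] http: TLS handshake error from 10.123.146.55:48346: remote error: bad certificate
I1128 23:08:47.881655 1 logs.go:41] http: TLS handshake error from 10.123.146.54:40896: remote error: bad certificate
I1128 23:08:47.923955 1 logs.go:41] http: TLS handshake error from 10.123.146.54:40898: remote error: bad certificate
E1128 22:45:12.454607 1 controllermanager.go:474] Failed to start certificate controller: open /etc/kubernetes/ca/ca.pem: no such file or directory
"""

# Log header: severity letter, MMDD, time, pid, source file:line, then the message.
HEADER = re.compile(r"^(?P<sev>[IWEF])\d{4} [\d:.]+\s+\d+ (?P<src>[\w.]+:\d+)\] (?P<msg>.*)$")
HANDSHAKE = re.compile(r"TLS handshake error from (?P<ip>[\d.]+):\d+: (?P<reason>.*)$")
MISSING = re.compile(r"open (?P<path>/\S+): no such file or directory")
REMOTE = "remote error:"


def triage(text):
    """Return (Counter of (client_ip, side, reason), list of (source, missing_path))."""
    handshakes = Counter()
    missing_files = []
    for line in text.splitlines():
        header = HEADER.match(line.strip())
        if not header:
            continue
        msg = header.group("msg")
        hs = HANDSHAKE.search(msg)
        if hs:
            reason = hs.group("reason")
            if reason.startswith(REMOTE):
                # Alert sent by the peer: the client refused the server's certificate.
                side, reason = "client-rejected-server", reason[len(REMOTE):].strip()
            else:
                # Anything else was raised locally by the server during the handshake.
                side = "server-reported"
            handshakes[(hs.group("ip"), side, reason)] += 1
        missing = MISSING.search(msg)
        if missing and header.group("sev") in "EF":
            missing_files.append((header.group("src"), missing.group("path")))
    return handshakes, missing_files


if __name__ == "__main__":
    failures, files = triage(SAMPLE_LOG)
    for (ip, side, reason), count in sorted(failures.items()):
        print(f"{ip}: {count} x {side} ({reason})")
    for src, path in files:
        print(f"{src}: missing file {path}")
```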