
ssl - Kubernetes CSR in Pending state

Repost. Author: 行者123. Updated: 2023-12-04 22:40:00

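For a few days now, without any changes in the environment, one of the clusters running Kubernetes 1.19.9 on-prem has been showing some errors regarding the kubelet certificates.
Nodes are in NON-READY state due to the expired certs. Investigating a bit, I found that the CSRs are in Pending state. I can approve them manually, but they are not issued at all.
I tried to rejoin those nodes to the cluster, but I face the same situation after the CSR approval.
Example: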

NAME        AGE     SIGNERNAME                                    REQUESTOR                        CONDITION
csr-4dc9x   3m28s   kubernetes.io/kube-apiserver-client-kubelet   system:node:vm-k8s-ctrl-prod-1   Pending
csr-4xljn   18m     kubernetes.io/kube-apiserver-client-kubelet   system:node:vm-k8s-wk-stage-9    Pending
csr-6jdmg   3m19s   kubernetes.io/kube-apiserver-client-kubelet   system:node:vm-k8s-wk-stage-6    Pending
csr-9lr8n   18m     kubernetes.io/kube-apiserver-client-kubelet   system:node:vm-k8s-wk-stage-6    Pending
csr-g2pjt   3m35s   kubernetes.io/kube-apiserver-client-kubelet   system:node:vm-k8s-ctrl-prod-2   Pending

CSR example:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  creationTimestamp: "2021-08-08T10:10:19Z"
  generateName: csr-
  managedFields:
  - apiVersion: certificates.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:generateName: {}
      f:spec:
        f:request: {}
        f:signerName: {}
        f:usages: {}
    manager: kubelet
    operation: Update
    time: "2021-08-08T10:10:19Z"
  name: csr-4dc9x
  resourceVersion: "775314577"
  selfLink: /apis/certificates.k8s.io/v1/certificatesigningrequests/csr-4dc9x
  uid: 8c51be15-4ec4-4dc7-8a7a-486e27c74607
spec:
  groups:
  - system:nodes
  - system:authenticated
  request: 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
  signerName: kubernetes.io/kube-apiserver-client-kubelet
  usages:
  - digital signature
  - key encipherment
  - client auth
  username: system:node:vm-k8s-ctrl-prod-1
status: {}

Has anyone faced the same situation? I checked all the certificates in the cluster, and everything looks fine to me.

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 10, 2022 22:17 UTC   306d                                    no
apiserver                  Jun 10, 2022 22:16 UTC   306d            ca                      no
apiserver-kubelet-client   Jun 10, 2022 22:16 UTC   306d            ca                      no
controller-manager.conf    Jun 10, 2022 22:17 UTC   306d                                    no
front-proxy-client         Jun 10, 2022 22:16 UTC   306d            front-proxy-ca          no
scheduler.conf             Jun 10, 2022 22:17 UTC   306d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 07, 2029 17:39 UTC   7y              no
front-proxy-ca          Apr 07, 2029 17:39 UTC   7y              no

Thanks in advance.

Best answer

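Just in case someone else faces this situation: the problem was an old kubelet configuration on the master nodes.
https://serverfault.com/questions/1065444/how-can-i-find-which-kubernetes-certificate-has-expired
Manually reconfiguring kubelet.conf on the controllers and restarting the control plane resolved the issue.
Thanks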
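
An added example, not part of the original post or of any Kubernetes tool: a shell check of which client certificate a kubelet kubeconfig actually uses and whether it has expired. It assumes the stale configuration is a kubelet.conf that embeds client-certificate-data instead of referencing the kubelet's rotated certificate file, which the answer does not spell out; the function names are hypothetical and /etc/kubernetes/kubelet.conf is the kubeadm default path.

```shell
# Added example. Pass the kubeconfig to inspect as $1, e.g. the kubeadm
# default /etc/kubernetes/kubelet.conf (an assumption, not from the post).

# Print how the kubeconfig supplies the client certificate:
#   embedded -> client-certificate-data (static copy in the file, never rotated)
#   file     -> client-certificate: <path> (e.g. the kubelet's rotated PEM)
#   none     -> neither key present
kubelet_cred_mode() {
    if grep -Eq '^[[:space:]]*client-certificate-data:' "$1"; then
        echo embedded
    elif grep -Eq '^[[:space:]]*client-certificate:' "$1"; then
        echo file
    else
        echo none
    fi
}

# Write the PEM client certificate the kubeconfig refers to on stdout.
kubelet_client_pem() {
    case "$(kubelet_cred_mode "$1")" in
        embedded)
            sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$1" |
                head -n 1 | base64 -d ;;
        file)
            cat "$(sed -n 's/^[[:space:]]*client-certificate:[[:space:]]*//p' "$1" |
                head -n 1)" ;;
        *) return 1 ;;
    esac
}

# Report mode, subject, notAfter and expiry state.
# Returns 0 if valid, 1 if expired, 2 if no certificate is configured.
kubelet_cred_report() {
    kcr_pem=$(kubelet_client_pem "$1") || { echo "no client certificate in $1"; return 2; }
    echo "mode: $(kubelet_cred_mode "$1")"
    printf '%s\n' "$kcr_pem" | openssl x509 -noout -subject -enddate
    if printf '%s\n' "$kcr_pem" | openssl x509 -noout -checkend 0 >/dev/null; then
        echo "status: valid"
    else
        echo "status: EXPIRED"
        return 1
    fi
}

if [ -n "${1:-}" ]; then
    kubelet_cred_report "$1"
fi
```

The kubeadm expiry table shown in the question does not list kubelet.conf, so a kubeconfig reported here as "embedded" and "EXPIRED" can coexist with that table showing 306 days left everywhere.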

Regarding ssl - Kubernetes CSR in Pending state, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/68699835/
