My kubernetes PKI has expired (the API server, to be exact), and I can't find a way to renew it. The error message I get is:
May 27 08:43:51 node1 kubelet[8751]: I0527 08:43:51.922595 8751 server.go:417] Version: v1.14.2
May 27 08:43:51 node1 kubelet[8751]: I0527 08:43:51.922784 8751 plugins.go:103] No cloud provider specified.
May 27 08:43:51 node1 kubelet[8751]: I0527 08:43:51.922800 8751 server.go:754] Client rotation is on, will bootstrap in background
May 27 08:43:51 node1 kubelet[8751]: E0527 08:43:51.925859 8751 bootstrap.go:264] Part of the existing bootstrap client certificate is expired: 2019-05-24 13:24:42 +0000 UTC
May 27 08:43:51 node1 kubelet[8751]: F0527 08:43:51.925894 8751 server.go:265] failed to run Kubelet: unable to load bootstrap kubeconfig: stat /etc/kubernetes/bootstrap-kubelet.conf: no such file or directory
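The documentation at https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/ describes how to renew certificates, but it only works if the API server has not expired. I tried to renew with kubeadm alpha cert renew all, but found that the API server had expired.
I then tried a reboot, but that made the entire cluster fail, so I rolled back to a snapshot (my cluster runs on VMware).
The cluster is running and all containers seem to be working, but I cannot access it via kubectl, so I cannot deploy or query.
My kubernetes version is 1.14.2.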
delete my etcd .crt and .key files from /etc/kubernetes/pki/etcd/, otherwise I get the error “error execution phase certs/etcd-peer: failed to write certificate "etcd-peer": failure loading etcd/peer certificate: failed to load certificate: the certificate has expired”. - yee379

kubeadm init phase certs all --apiserver-advertise-address <public ip> --apiserver-cert-extra-sans=<private ip1>,<private ip2> to replace the third line, and run systemctl restart docker && systemctl restart kubelet instead of reboot. - wizawu