未能 运行 Kubelet:无法创建证书签名请求:未经授权
failed to run Kubelet: cannot create certificate signing request: Unauthorized
我在 OpenStack 云提供商下有一个 K8s 集群 运行。
集群是使用kubeadm工具设置的,其中包含主节点和从节点。
我正在尝试使用 kubeadm join 命令添加另一个工作节点,该命令显示一个肯定的响应,告诉我该节点已成功添加,但我无法使用 kubectl get nodes 命令找到它.
我进行了调查,发现新从属节点上的 kubelet 未 运行 显示 cannot create certificate signing request: Unauthorized。
-- The start-up result is done.
May 14 12:15:33 vm1 kubelet[17678]: W0514 12:15:33.715964 17678 cni.go:171] Unable to update cni config: No networks found in /etc/cni/net.d
May 14 12:15:33 vm1 kubelet[17678]: W0514 12:15:33.738398 17678 hostport_manager.go:68] The binary conntrack is not installed, this can cause failures in network connection cleanup.
May 14 12:15:33 vm1 kubelet[17678]: I0514 12:15:33.738669 17678 server.go:376] Version: v1.10.1
May 14 12:15:33 vm1 kubelet[17678]: I0514 12:15:33.738913 17678 feature_gate.go:226] feature gates: &{{} map[]}
May 14 12:15:33 vm1 kubelet[17678]: I0514 12:15:33.739222 17678 plugins.go:89] No cloud provider specified.
May 14 12:15:33 vm1 kubelet[17678]: F0514 12:15:33.784257 17678 server.go:233] failed to run Kubelet: cannot create certificate signing request: Unauthorized
May 14 12:15:33 vm1 systemd[1]: kubelet.service: Main process exited, code=exited, status=255/n/a
May 14 12:15:33 vm1 systemd[1]: kubelet.service: Unit entered failed state.
May 14 12:15:33 vm1 systemd[1]: kubelet.service: Failed with result 'exit-code'.
工作节点上的版本:kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.1", GitCommit:"d4ab47518836c750f9949b9e0d387f20fb92260b", GitTreeState:"clean", BuildDate:"2018-04-12T14:14:26Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
主节点上的版本:
kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"10",
GitVersion:"v1.10.1",
GitCommit:"d4ab47518836c750f9949b9e0d387f20fb92260b",
GitTreeState:"clean", BuildDate:"2018-04-12T14:14:26Z",
GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
用于进行连接的命令:
获取令牌:kubeadm token list | awk '/The default bootstrap token/ { print ; }'
获取哈希:openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
加入命令:kubeadm join --skip-preflight-checks --token {{token}} --discovery-token-ca-cert-hash sha256:{{hash}} master_ip:6443
谢谢!
您的令牌似乎已过期,但您可以随时生成一个新令牌。
运行 在主机上执行以下命令:
kubeadm token generate
然后 运行 对新工人的下一个命令:
kubeadm join --token=<token> <master-ip>
示例:
kubeadm join --token=858698.51d1418b0490485a 192.168.0.13
我也遇到了这个问题,解决方案是重新创建令牌,因为它会在 24 小时后过期。所以:
主人:
kubeadm token create
<outputs NEWTOKEN>
工作人员:
kubeadm reset
kubeadm join --token NEWTOKEN --discovery-token-unsafe-skip-ca-verification MASTER:6443
我在 OpenStack 云提供商下有一个 K8s 集群 运行。
集群是使用kubeadm工具设置的,其中包含主节点和从节点。
我正在尝试使用 kubeadm join 命令添加另一个工作节点,该命令显示一个肯定的响应,告诉我该节点已成功添加,但我无法使用 kubectl get nodes 命令找到它.
我进行了调查,发现新从属节点上的 kubelet 未 运行 显示 cannot create certificate signing request: Unauthorized。
-- The start-up result is done.
May 14 12:15:33 vm1 kubelet[17678]: W0514 12:15:33.715964 17678 cni.go:171] Unable to update cni config: No networks found in /etc/cni/net.d
May 14 12:15:33 vm1 kubelet[17678]: W0514 12:15:33.738398 17678 hostport_manager.go:68] The binary conntrack is not installed, this can cause failures in network connection cleanup.
May 14 12:15:33 vm1 kubelet[17678]: I0514 12:15:33.738669 17678 server.go:376] Version: v1.10.1
May 14 12:15:33 vm1 kubelet[17678]: I0514 12:15:33.738913 17678 feature_gate.go:226] feature gates: &{{} map[]}
May 14 12:15:33 vm1 kubelet[17678]: I0514 12:15:33.739222 17678 plugins.go:89] No cloud provider specified.
May 14 12:15:33 vm1 kubelet[17678]: F0514 12:15:33.784257 17678 server.go:233] failed to run Kubelet: cannot create certificate signing request: Unauthorized
May 14 12:15:33 vm1 systemd[1]: kubelet.service: Main process exited, code=exited, status=255/n/a
May 14 12:15:33 vm1 systemd[1]: kubelet.service: Unit entered failed state.
May 14 12:15:33 vm1 systemd[1]: kubelet.service: Failed with result 'exit-code'.
工作节点上的版本:kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.1", GitCommit:"d4ab47518836c750f9949b9e0d387f20fb92260b", GitTreeState:"clean", BuildDate:"2018-04-12T14:14:26Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
主节点上的版本:
kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"10",
GitVersion:"v1.10.1",
GitCommit:"d4ab47518836c750f9949b9e0d387f20fb92260b",
GitTreeState:"clean", BuildDate:"2018-04-12T14:14:26Z",
GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
用于进行连接的命令:
获取令牌:
kubeadm token list | awk '/The default bootstrap token/ { print ; }'获取哈希:
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'加入命令:
kubeadm join --skip-preflight-checks --token {{token}} --discovery-token-ca-cert-hash sha256:{{hash}} master_ip:6443
谢谢!
您的令牌似乎已过期,但您可以随时生成一个新令牌。
运行 在主机上执行以下命令:
kubeadm token generate
然后 运行 对新工人的下一个命令:
kubeadm join --token=<token> <master-ip>
示例:
kubeadm join --token=858698.51d1418b0490485a 192.168.0.13
我也遇到了这个问题,解决方案是重新创建令牌,因为它会在 24 小时后过期。所以:
主人:
kubeadm token create
<outputs NEWTOKEN>
工作人员:
kubeadm reset
kubeadm join --token NEWTOKEN --discovery-token-unsafe-skip-ca-verification MASTER:6443