新建的集群就报证书过期
dotbalo opened this issue · 5 comments
dotbalo commented
您好,我新建的集群,上午还好好的。下午就报
[root@k8s-master01 ~]# kubectl get po
No resources found.
Unable to connect to the server: x509: certificate has expired or is not yet valid
然后我尝试用kubeadm alpha phase certs all --config /root/kubeadm-config.yaml重新生成证书,但是也报错
[root@k8s-master01 ~]# kubeadm alpha phase certs all --config /root/kubeadm-config.yaml
[endpoint] WARNING: port specified in api.controlPlaneEndpoint overrides api.bindPort in the controlplane address
failure loading ca certificate: the certificate is not valid yet
网上说是时间不同步的问题,但是我的时间是同步的。请问您有遇到过么?或者怎么更换证书呢
dotbalo commented
然后我看了一下证书,没有一个过期。。
[root@k8s-master01 pki]# for i in `find . -name "*.crt"`;do cfssl-certinfo -cert $i | grep not_after;done
"not_after": "2028-11-27T11:16:30Z",
"not_after": "2019-11-30T11:16:30Z",
"not_after": "2019-11-30T11:16:31Z",
"not_after": "2028-11-27T11:16:31Z",
"not_after": "2019-11-30T11:16:31Z",
"not_after": "2028-11-27T11:16:32Z",
"not_after": "2019-11-30T11:16:32Z",
"not_after": "2019-11-30T11:16:32Z",
"not_after": "2019-11-30T11:16:33Z",
"not_after": "2019-11-30T11:16:33Z",
cookeem commented
这个感觉是kubectl的客户端证书提示的错误。先检查一下kubelet的日志,看看是集群问题还是客户端证书问题?有没有设置KUBECONFIG环境变量?
dotbalo commented
您好,环境变量有设置的
[root@k8s-master01 ~]# cat .bashrc
# .bashrc
# User specific aliases and functions
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
export KUBECONFIG=/etc/kubernetes/admin.conf
这是今天上午刚搭建的集群,当时好好的,下午就不行了。
这是master的日志
这是node的日志
然后我发现所有的pod都是新启动的,一直是这个状态
cookeem commented
证书有问题,建议你重建一次。
dotbalo commented
好的,非常感谢