x509 certificate signed by unknown authority - Kubernetes

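I have configured a Kubernetes cluster with 2 nodes on CoreOS as described in https://coreos.com/kubernetes/docs/latest/getting-started.html. Both servers are in the same network.

But I get the following while running kubelet on the worker: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-ca")

I configured the TLS certificates properly on both servers, as discussed in the doc.

The master node is working fine, and kubectl is able to launch containers and pods on the master.

Question 1: How can I fix this problem?

Question 2: Is there any way to configure a cluster without TLS certificates?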

CoreOS version:

    VERSION=899.15.0
    VERSION_ID=899.15.0
    BUILD_ID=2016-04-05-1035
    PRETTY_NAME="CoreOS 899.15.0"

Etcd conf:

    $ etcdctl member list
    ce2a822cea30bfca: name=78c2c701d4364a8197d3f6ecd04a1d8f peerURLs=http://localhost:2380,http://localhost:7001 clientURLs=http://172.24.0.67:2379

Master: kubelet.service:

    [Service]
    ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
    Environment=KUBELET_VERSION=v1.2.2_coreos.0
    ExecStart=/opt/bin/kubelet-wrapper \
      --api-servers=http://127.0.0.1:8080 \
      --register-schedulable=false \
      --allow-privileged=true \
      --config=/etc/kubernetes/manifests \
      --hostname-override=172.24.0.67 \
      --cluster-dns=10.3.0.10 \
      --cluster-domain=cluster.local
    Restart=always
    RestartSec=10
    [Install]
    WantedBy=multi-user.target

Master: kube-controller.yaml

    apiVersion: v1
    kind: Pod
    metadata:
      name: kube-controller-manager
      namespace: kube-system
    spec:
      hostNetwork: true
      containers:
      - name: kube-controller-manager
        image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
        command:
        - /hyperkube
        - controller-manager
        - --master=http://127.0.0.1:8080
        - --leader-elect=true
        - --service-account-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
        - --root-ca-file=/etc/kubernetes/ssl/ca.pem
        livenessProbe:
          httpGet:
            host: 127.0.0.1
            path: /healthz
            port: 10252
          initialDelaySeconds: 15
          timeoutSeconds: 1
        volumeMounts:
        - mountPath: /etc/kubernetes/ssl
          name: ssl-certs-kubernetes
          readOnly: true
        - mountPath: /etc/ssl/certs
          name: ssl-certs-host
          readOnly: true
      volumes:
      - hostPath:
          path: /etc/kubernetes/ssl
        name: ssl-certs-kubernetes
      - hostPath:
          path: /usr/share/ca-certificates
        name: ssl-certs-host

Master: kube-proxy.yaml

    apiVersion: v1
    kind: Pod
    metadata:
      name: kube-proxy
      namespace: kube-system
    spec:
      hostNetwork: true
      containers:
      - name: kube-proxy
        image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
        command:
        - /hyperkube
        - proxy
        - --master=http://127.0.0.1:8080
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /etc/ssl/certs
          name: ssl-certs-host
          readOnly: true
      volumes:
      - hostPath:
          path: /usr/share/ca-certificates
        name: ssl-certs-host

Master: kube-apiserver.yaml

    apiVersion: v1
    kind: Pod
    metadata:
      name: kube-apiserver
      namespace: kube-system
    spec:
      hostNetwork: true
      containers:
      - name: kube-apiserver
        image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
        command:
        - /hyperkube
        - apiserver
        - --bind-address=0.0.0.0
        - --etcd-servers=http://172.24.0.67:2379
        - --allow-privileged=true
        - --service-cluster-ip-range=10.3.0.0/24
        - --secure-port=443
        - --advertise-address=172.24.0.67
        - --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
        - --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
        - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
        - --client-ca-file=/etc/kubernetes/ssl/ca.pem
        - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
        ports:
        - containerPort: 443
          hostPort: 443
          name: https
        - containerPort: 8080
          hostPort: 8080
          name: local
        volumeMounts:
        - mountPath: /etc/kubernetes/ssl
          name: ssl-certs-kubernetes
          readOnly: true
        - mountPath: /etc/ssl/certs
          name: ssl-certs-host
          readOnly: true
      volumes:
      - hostPath:
          path: /etc/kubernetes/ssl
        name: ssl-certs-kubernetes
      - hostPath:
          path: /usr/share/ca-certificates
        name: ssl-certs-host

Master: kube-scheduler.yaml

    apiVersion: v1
    kind: Pod
    metadata:
      name: kube-scheduler
      namespace: kube-system
    spec:
      hostNetwork: true
      containers:
      - name: kube-scheduler
        image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
        command:
        - /hyperkube
        - scheduler
        - --master=http://127.0.0.1:8080
        - --leader-elect=true
        livenessProbe:
          httpGet:
            host: 127.0.0.1
            path: /healthz
            port: 10251
          initialDelaySeconds: 15
          timeoutSeconds: 1

Slave: kubelet.service

    [Service]
    ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
    Environment=KUBELET_VERSION=v1.2.2_coreos.0
    ExecStart=/opt/bin/kubelet-wrapper \
      --api-servers=https://172.24.0.67:443 \
      --register-node=true \
      --allow-privileged=true \
      --config=/etc/kubernetes/manifests \
      --hostname-override=172.24.0.63 \
      --cluster-dns=10.3.0.10 \
      --cluster-domain=cluster.local \
      --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml \
      --tls-cert-file=/etc/kubernetes/ssl/worker.pem \
      --tls-private-key-file=/etc/kubernetes/ssl/worker-key.pem
    Restart=always
    RestartSec=10
    [Install]
    WantedBy=multi-user.target

Slave: kube-proxy.yaml

    apiVersion: v1
    kind: Pod
    metadata:
      name: kube-proxy
      namespace: kube-system
    spec:
      hostNetwork: true
      containers:
      - name: kube-proxy
        image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
        command:
        - /hyperkube
        - proxy
        - --master=https://172.24.0.67:443
        - --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml
        - --proxy-mode=iptables
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /etc/ssl/certs
          name: "ssl-certs"
        - mountPath: /etc/kubernetes/worker-kubeconfig.yaml
          name: "kubeconfig"
          readOnly: true
        - mountPath: /etc/kubernetes/ssl
          name: "etc-kube-ssl"
          readOnly: true
      volumes:
      - name: "ssl-certs"
        hostPath:
          path: "/usr/share/ca-certificates"
      - name: "kubeconfig"
        hostPath:
          path: "/etc/kubernetes/worker-kubeconfig.yaml"
      - name: "etc-kube-ssl"
        hostPath:
          path: "/etc/kubernetes/ssl"

Well, to answer your first question, I think you have to do a few things to resolve your problem. First run the command given in this link (kubernetes.io/docs/setup/independent/create-cluster-kubeadm/…), and then a few commands: 1) mkdir -p $HOME/.kube 2) sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config 3) sudo chown $(id -u):$(id -g) $HOME/.kube/config. This admin.conf should be known to kubectl for it to work properly.