Kubernetes kubeadm

Problem: the public IP is not in the certificate's list of trusted IPs

Error message: couldn't validate the identity of the API Server: certificate is valid for 10.96.0.1, 172.17.157.248, not 47.100.195.253

error execution phase preflight: couldn't validate the identity of the API Server: Get "https://47.100.195.253:6443/api/v1/namespaces/kube-public/configmaps/cluster-info?timeout=10s": x509: certificate is valid for 10.96.0.1, 172.17.157.248, not 47.100.195.253

Solution

The public IP was never added to the API server certificate's trusted IPs (its SANs). The master node has to be reset and initialized again, and the public IP must be passed as an extra SAN at init time: --apiserver-cert-extra-sans=120.79.23.226

Problem: fetching the ConfigMap fails

Error message: unable to fetch the kubeadm-config ConfigMap: failed to get config map

error execution phase preflight: unable to fetch the kubeadm-config ConfigMap: failed to get config map: Get "https://172.17.157.248:6443/api/v1/namespaces/kube-system/configmaps/kubeadm-config?timeout=10s": dial tcp 172.17.157.248:6443: connect: no route to host

Solution

Problem: the token has expired

Error message: couldn't validate the identity of the API Server: could not find a JWS signature in the cluster-info ConfigMap for token ID "1t8xr4"

  kubeadm join 47.100.195.253:6443 --token 1t8xr4.eqlezpou8dm8mpcy --discovery-token-ca-cert-hash sha256:9170e19223b6ba70aedef919f2198467278e67e11826f8d92dc4d1cba5b93873
  [preflight] Running pre-flight checks
  error execution phase preflight: couldn't validate the identity of the API Server: could not find a JWS signature in the cluster-info ConfigMap for token ID "1t8xr4"
  To see the stack trace of this error execute with --v=5 or higher


Solution (1)

List the tokens on the master node

  kubeadm token list


Create a new token, then recompute the CA certificate hash used for discovery

  [root@iZuf68qk0bio1l786kylamZ ~]# kubeadm token create
  htpca1.bjmrvnfl2mojtvmc
  [root@iZuf68qk0bio1l786kylamZ ~]# kubeadm token list
  TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
  htpca1.bjmrvnfl2mojtvmc 23h 2021-12-25T09:31:34Z authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
  [root@iZuf68qk0bio1l786kylamZ ~]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
  9170e19223b6ba70aedef919f2198467278e67e11826f8d92dc4d1cba5b93873
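The hash pipeline above and the SAN check behind the first error ("certificate is valid for ..., not ..."), as an added shell example that is not from the original post. It assumes openssl 1.1.1 or newer in PATH and builds a constructed self-signed certificate in a temporary directory in place of the cluster's real ca.crt.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl >= 1.1.1 in PATH;
# every file path below is constructed for the demo.

# SHA-256 over the DER-encoded public key of the CA certificate: the value
# kubeadm expects after "sha256:" in --discovery-token-ca-cert-hash.
ca_cert_hash() {
  openssl x509 -pubkey -in "$1" \
    | openssl rsa -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex | sed 's/^.* //'
}

# Succeeds only when the "sha256:<hex>" value from a join command matches the
# local CA, so a pasted, stale or tampered hash is caught before joining.
verify_join_hash() {
  [ "sha256:$(ca_cert_hash "$1")" = "$2" ]
}

# Succeeds only when $2 is listed verbatim as an IP SAN of certificate $1.
# This is the check behind "certificate is valid for ..., not <public IP>":
# an address missing from the SAN list fails TLS validation during join.
cert_has_san_ip() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text | grep -Eq "IP Address:$esc(,|\$)"
}

# Constructed stand-in for /etc/kubernetes/pki/ca.crt and the API server
# certificate: self-signed, with only the cluster and private-node IPs from
# the error message as SANs. Prints the directory it wrote to.
make_demo_cert() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kubernetes" \
    -keyout "$d/ca.key" -out "$d/ca.crt" \
    -addext "subjectAltName=IP:10.96.0.1,IP:172.17.157.248" 2>/dev/null
  echo "$d"
}

# Stand-alone run: print the discovery hash and test the two IPs from the post.
dir=$(make_demo_cert)
echo "discovery hash: sha256:$(ca_cert_hash "$dir/ca.crt")"
for ip in 172.17.157.248 47.100.195.253; do
  if cert_has_san_ip "$dir/ca.crt" "$ip"; then
    echo "$ip: present in SAN list, a join to this address passes TLS validation"
  else
    echo "$ip: absent from SAN list, a join to this address fails like the error above"
  fi
done
rm -rf "$dir"
```

Run the hash function against the real /etc/kubernetes/pki/ca.crt on the master to get the value for a join command, and the SAN check against /etc/kubernetes/pki/apiserver.crt to confirm an address before pointing workers at it.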


Substitute the new token and the sha256 hash into the join command and run the worker node join again

  # token from "kubeadm token create" above; the CA hash is unchanged
  kubeadm join 172.17.157.248:6443 --token htpca1.bjmrvnfl2mojtvmc \
  --discovery-token-ca-cert-hash sha256:9170e19223b6ba70aedef919f2198467278e67e11826f8d92dc4d1cba5b93873

Solution (2)

  # Generate a new token value (simpler than the steps above)
  $ kubeadm token generate
  # Create that token and print the full join command directly (simpler than the steps above)
  # --ttl=0 makes the token never expire; remove it with "kubeadm token delete <token>" once the node has joined
  $ kubeadm token create <token_generate> --print-join-command --ttl=0