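k8s certificate problem

Introduction

I needed to connect from my local machine to a remote k8s cluster, so I copied the config file to the local machine and ran kubectl get pods

It failed immediately with an error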

Unable to connect to the server: x509: certificate is valid for 127.0.0.1, 192.168.1.101, 192.168.1.102, 192.168.1.103, 192.168.1.200, 10.254.0.1, not 199.11.11.11

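This was interesting. A quick Baidu search showed that it was a certificate problem

Steps

Log in to the remote k8s master node

Then, in /etc/kubernetes/ssl/kubernetes-csr.json, add the IP you will use to connect to the k8s cluster remotely; mine, for example, is 199.11.11.11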

{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "192.168.1.101",
    "192.168.1.102",
    "192.168.1.103",
    "192.168.1.200",
    "199.11.11.11",
    "10.254.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ShangHai",
      "L": "ShangHai",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

Next, regenerate the certificate

cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem -ca-key=/etc/kubernetes/ssl/ca-key.pem -config=/etc/kubernetes/ssl/ca-config.json -profile=kubernetes /etc/kubernetes/ssl/kubernetes-csr.json | cfssljson -bare kubernetes

Then restart the apiserver

systemctl restart kube-apiserver

The steps above then have to be repeated on every master node
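
A check worth running between regenerating the certificate and restarting kube-apiserver, as an added example that is not part of the original post: it confirms that the certificate's Subject Alternative Name list contains the address as an exact entry. The function names `san_covers` and `check_san` and the sample SAN text are constructed for illustration; `kubernetes.pem` is the file that `cfssljson -bare kubernetes` writes to the current directory.

```shell
#!/bin/sh
# Added example (not from the original post).
# san_covers ADDRESS
#   Reads `openssl x509 -noout -text` output on stdin. Returns 0 if ADDRESS is
#   an exact IP or DNS entry in the Subject Alternative Name extension.
san_covers() {
    # The SAN values are on the line that follows the extension header.
    awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -Fxq -e "IP Address:$1" -e "DNS:$1"
}

# Constructed sample: SAN section as openssl prints it, using the addresses
# from the error message above (certificate before the fix).
SAN_BEFORE='            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, IP Address:127.0.0.1, IP Address:192.168.1.101, IP Address:192.168.1.102, IP Address:192.168.1.103, IP Address:192.168.1.200, IP Address:10.254.0.1'
# Constructed sample: the same section after 199.11.11.11 is added to "hosts".
SAN_AFTER="$SAN_BEFORE, IP Address:199.11.11.11"

# check_san TEXT ADDRESS: prints "covered" or "missing" for ADDRESS.
check_san() {
    if printf '%s\n' "$1" | san_covers "$2"; then
        echo covered
    else
        echo missing
    fi
}

check_san "$SAN_BEFORE" 199.11.11.11
check_san "$SAN_AFTER"  199.11.11.11
# Exact matching: 192.168.1.10 is not covered just because 192.168.1.101 is.
check_san "$SAN_AFTER"  192.168.1.10

# Against the real file written by `cfssljson -bare kubernetes`:
#   openssl x509 -in kubernetes.pem -noout -text | san_covers 199.11.11.11 && echo ok
```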

You are welcome to follow my blog at www.bboy.app

Have Fun