I am working with my Kubernetes cluster and getting the error
must specify at least one ExtKeyUsage
when using the command
kubeadm certs renew all
like this:
{Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
I1227 11:55:26.654811 77170 kubelet.go:74] attempting to download the KubeletConfiguration from ConfigMap "kubelet-config"
W1227 11:55:26.666806 77170 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
I1227 11:55:26.669988 77170 certs.go:344] Overriding the cluster certificate directory with the value from command line flag --cert-dir: /etc/kubernetes/pki
I1227 11:55:26.670118 77170 certs.go:522] validating certificate period for CA certificate
I1227 11:55:26.670639 77170 certs.go:522] validating certificate period for ca certificate
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
must specify at least one ExtKeyUsage
k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil.NewCertAndKey
cmd/kubeadm/app/util/pkiutil/pki_helpers.go:103
k8s.io/kubernetes/cmd/kubeadm/app/phases/certs/renewal.(*FileRenewer).Renew
cmd/kubeadm/app/phases/certs/renewal/filerenewer.go:42
k8s.io/kubernetes/cmd/kubeadm/app/phases/certs/renewal.(*Manager).RenewUsingLocalCA
cmd/kubeadm/app/phases/certs/renewal/manager.go:241
k8s.io/kubernetes/cmd/kubeadm/app/cmd.renewCert
cmd/kubeadm/app/cmd/certs.go:319
k8s.io/kubernetes/cmd/kubeadm/app/cmd.getRenewSubCommands.func3
cmd/kubeadm/app/cmd/certs.go:284
github.com/spf13/cobra.(*Command).execute
vendor/github.com/spf13/cobra/command.go:856
github.com/spf13/cobra.(*Command).ExecuteC
vendor/github.com/spf13/cobra/command.go:974
github.com/spf13/cobra.(*Command).Execute
vendor/github.com/spf13/cobra/command.go:902
k8s.io/kubernetes/cmd/kubeadm/app.Run
cmd/kubeadm/app/kubeadm.go:50
main.main
cmd/kubeadm/kubeadm.go:25
runtime.main
/usr/local/go/src/runtime/proc.go:250
runtime.goexit
/usr/local/go/src/runtime/asm_amd64.s:1594
failed to renew certificate apiserver
k8s.io/kubernetes/cmd/kubeadm/app/phases/certs/renewal.(*Manager).RenewUsingLocalCA
cmd/kubeadm/app/phases/certs/renewal/manager.go:243
k8s.io/kubernetes/cmd/kubeadm/app/cmd.renewCert
cmd/kubeadm/app/cmd/certs.go:319
k8s.io/kubernetes/cmd/kubeadm/app/cmd.getRenewSubCommands.func3
cmd/kubeadm/app/cmd/certs.go:284
github.com/spf13/cobra.(*Command).execute
vendor/github.com/spf13/cobra/command.go:856
github.com/spf13/cobra.(*Command).ExecuteC
vendor/github.com/spf13/cobra/command.go:974
github.com/spf13/cobra.(*Command).Execute
vendor/github.com/spf13/cobra/command.go:902
k8s.io/kubernetes/cmd/kubeadm/app.Run
cmd/kubeadm/app/kubeadm.go:50
main.main
cmd/kubeadm/kubeadm.go:25
runtime.main
/usr/local/go/src/runtime/proc.go:250
runtime.goexit
/usr/local/go/src/runtime/asm_amd64.s:1594
}
Currently I am using kubectl version
Thanks for your help.
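The error is encountered when failing to renew the certificate for the component "kube-apiserver"; the problem lies in ExtKeyUsage.
Check the PKI certificates. ExtKeyUsage refers to the X509v3 Extended Key Usage field; the certificates are located in /etc/kubernetes/pki on the master host. At least one ExtKeyUsage must be specified.
Use the following command to make sure the certificate has the necessary ExtKeyUsage field: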
root@kube-master:~# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout
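If the ExtKeyUsage field is missing, you need to update the certificate configuration. You can use openssl to generate a new certificate with the required key usage. From the Kubernetes documentation: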
openssl req -new -key /etc/kubernetes/pki/apiserver.key -out /etc/kubernetes/pki/apiserver.csr -subj "/CN=kubernetes"
openssl x509 -req -in /etc/kubernetes/pki/apiserver.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out /etc/kubernetes/pki/apiserver.crt -days 365 -extfile <(printf "extendedKeyUsage=serverAuth") -extensions extendedKeyUsage
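After updating the certificate configuration, restart the Kubernetes components with the command sudo systemctl restart kubelet to apply the changes.
Run the kubeadm certs renew all command again to verify that the certificates are renewed successfully.
Note: After updating the certificates, the k8s master server on which the configuration is installed must be restarted. Try restarting the master server; after that and a kubelet restart, everything works fine.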