问题场景:
我是因为虚拟机,挂起了几天,再打开join节点的时候报错:
-
证书过期报错
...其他输出
I0427 15:33:56.626776 93338 token.go:215] [discovery] Failed to request cluster-info, will try again: Get "https://192.168.1.100:6443/api/v1/namespaces/kube-public/configmaps/cluster-info?timeout=10s": x509: certificate has expired or is not yet valid: current time 2024-04-27T15:33:56+08:00 is before 2024-04-27T12:26:15Z
certificate has expired or is not yet valid: current time 就是指的证书过期,而且是master的证书过期。
解决办法:
检查各个证书是否真的过期
[root@master pki]# kubeadm alpha certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Apr 27, 2025 12:59 UTC 364d no
apiserver Apr 27, 2025 13:05 UTC 364d ca no
apiserver-etcd-client Apr 27, 2025 12:26 UTC 364d etcd-ca no
apiserver-kubelet-client Apr 27, 2025 12:59 UTC 364d ca no
controller-manager.conf Apr 27, 2025 12:59 UTC 364d no
etcd-healthcheck-client Apr 27, 2025 12:26 UTC 364d etcd-ca no
etcd-peer Apr 27, 2025 12:26 UTC 364d etcd-ca no
etcd-server Apr 27, 2025 12:26 UTC 364d etcd-ca no
front-proxy-client Apr 27, 2025 12:59 UTC 364d front-proxy-ca no
scheduler.conf Apr 27, 2025 12:59 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Apr 25, 2034 12:26 UTC 9y no
etcd-ca Apr 25, 2034 12:26 UTC 9y no
front-proxy-ca Apr 25, 2034 12:26 UTC 9y no
我这里显示是没有过期的
如果没有过期就同步各个服务器的时间,一般安装k8s都有装ntpdate没有的话自行安装
[root@master pki]# ntpdate time.windows.com
# 或者
[root@master pki]# ntpdate pool.ntp.org
如果过期了,就刷新重新刷新证书(全部)并重启Docker容器内容和K8S
[root@master pki]# kubeadm alpha certs renew all
[root@master pki]# docker ps |grep kube-apiserver|grep -v pause|awk '{print $1}'|xargs -i docker restart {}
[root@master pki]# docker ps |grep kube-controller-manage|grep -v pause|awk '{print $1}'|xargs -i docker restart {}
[root@master pki]# docker ps |grep kube-scheduler|grep -v pause|awk '{print $1}'|xargs -i docker restart {}
[root@master pki]# systemctl restart kubelet