openshift node NotReady & kubelet http: TLS handshake error

文章目录

问题现象

openshift 集群 node 节点 notready

bash 复制代码
$ oc get node
NAME                        STATUS     ROLES                  AGE     VERSION
master1.ocp4.demo.com   Ready      control-plane,master   4d14h   v1.29.7+6abe8a1
master2.ocp4.demo.com   Ready      control-plane,master   4d15h   v1.29.7+6abe8a1
master3.ocp4.demo.com   Ready      control-plane,master   4d14h   v1.29.7+6abe8a1
worker1.ocp4.demo.com   Ready      worker                 4d14h   v1.29.7+6abe8a1
worker2.ocp4.demo.com   NotReady   worker                 4d14h   v1.29.7+6abe8a1
worker3.ocp4.demo.com   Ready      worker                 4d14h   v1.29.7+6abe8a1

登陆worker2.ocp4.demo.com 检查 kubelet 日志

bash 复制代码
$ ssh core@worker2.ocp4.demo.com 
$ journalctl -b -f -u kubelet.service

输出:

bash 复制代码
Aug 27 06:51:56 worker2.ocp4.demo.com kubenswrapper[1562807]: I0827 06:51:56.776626 1562807 kubelet_node_status.go:402] "Setting node annotation to enable volume controller attach/detach"
Aug 27 06:51:56 worker2.ocp4.demo.com kubenswrapper[1562807]: I0827 06:51:56.777600 1562807 kubelet_node_status.go:729] "Recording event message for node" node="worker2.ocp4.demo.com" event="NodeHasSufficientMemory"
Aug 27 06:51:56 worker2.ocp4.demo.com kubenswrapper[1562807]: I0827 06:51:56.777630 1562807 kubelet_node_status.go:729] "Recording event message for node" node="worker2.ocp4.demo.com" event="NodeHasNoDiskPressure"
Aug 27 06:51:56 worker2.ocp4.demo.com kubenswrapper[1562807]: I0827 06:51:56.777640 1562807 kubelet_node_status.go:729] "Recording event message for node" node="worker2.ocp4.demo.com" event="NodeHasSufficientPID"
Aug 27 06:51:57 worker2.ocp4.demo.com kubenswrapper[1562807]: I0827 06:51:57.172065 1562807 log.go:245] http: TLS handshake error from 10.129.2.16:35748: no serving certificate available for the kubelet
Aug 27 06:51:57 worker2.ocp4.demo.com kubenswrapper[1562807]: E0827 06:51:57.734731 1562807 transport.go:123] "No valid client certificate is found but the server is not responsive. A restart may be necessary to retrieve new initial credentials." lastCertificateAvailabilityTime="2024-08-27 05:50:01.73440836 +0000 UTC m=+0.036890907" shutdownThreshold="5m0s"
Aug 27 06:51:57 worker2.ocp4.demo.com kubenswrapper[1562807]: I0827 06:51:57.766598 1562807 csi_plugin.go:880] Failed to contact API server when waiting for CSINode publishing: csinodes.storage.k8s.io "worker2.ocp4.demo.com" is forbidden: User "system:anonymous" cannot get resource "csinodes" in API group "storage.k8s.io" at the cluster scope
Aug 27 06:51:58 worker2.ocp4.demo.com kubenswrapper[1562807]: E0827 06:51:58.735454 1562807 transport.go:123] "No valid client certificate is found but the server is not responsive. A restart may be necessary to retrieve new initial credentials." lastCertificateAvailabilityTime="2024-08-27 05:50:01.73440836 +0000 UTC m=+0.036890907" shutdownThreshold="5m0s


$ oc login -u ocpadmin -p ocpadmin
Login successful.

You have access to 74 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".

$ for i in `oc get nodes -o jsonpath=$'{range .items[*]}{.metadata.name}\n{end}'`; do oc get --raw /api/v1/nodes/$i/proxy/healthz; echo -e "\t$i"; done
ok      master1.ocp4.demo.com
ok      master2.ocp4.demo.com
ok      master3.ocp4.demo.com
ok      worker1.ocp4.demo.com
Error from server (ServiceUnavailable): error trying to reach service: remote error: tls: internal error
        worker2.ocp4.demo.com
ok      worker3.ocp4.demo.com

解决方法

执行证书批准多次,直到所有pending 全部消失。

bash 复制代码
$ oc get csr | grep -i pending
$ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve

参考:

相关推荐
zhao32668575142 分钟前
2025年代理IP三强横评:LoongProxy、神龙海外动态IP代理、全民HTTP怎么选?看完这篇不踩坑
网络协议·tcp/ip·http
on the way 1231 小时前
多线程之HardCodedTarget(type=OssFileClient, name=file, url=http://file)异常
网络·网络协议·http
想睡hhh6 小时前
HTTPS协议——对于HTTP的协议的加密
http·https
福大大架构师每日一题8 小时前
go 1.25.1发布:重点修复net/http跨域保护安全漏洞(CVE-2025-47910)
开发语言·http·golang
Chan169 小时前
消息推送的三种常见方式:轮询、SSE、WebSocket
java·网络·websocket·网络协议·http·sse
司徒小夜1 天前
HTTP与HTTPS杂谈-HTTPS防御了什么
网络·http·https
一只游鱼1 天前
利用keytool实现https协议(生成自签名证书)
网络协议·http·https·keytool
码熔burning1 天前
RPC 和 HTTP 的区别
网络协议·http·rpc
吐个泡泡v1 天前
网络编程基础:一文搞懂 Socket、HTTP、HTTPS、TCP/IP、SSL 的关系
网络·网络协议·http·https·socket·ssl·tcp
liulilittle1 天前
HTTP简易客户端实现
开发语言·网络·c++·网络协议·http·编程语言