Ora*_*bîg 1 kubernetes kubespray
在使用 kubespray 将 Kubernetes 从 1.14 升级到 1.15 期间,我的团队在“升级第一个 master”步骤中遇到了阻塞问题,并显示以下消息:
\n\n[upgrade/apply] FATAL: couldn\'\'t upgrade control plane.\nkubeadm has tried to recover everything into the earlier state.\nErrors faced: [failed to renew certificates for component "kube-apiserver":\nfailed to renew certificate apiserver-kubelet-client:\nunable to sign certificate:\nmust specify at least one ExtKeyUsage,\nrename /etc/kubernetes/tmp/kubeadm\n-backup-manifests-2019-09-19-09-06-27/kube-apiserver.yaml /etc/kubernetes/manifests/kube-apiserver.yaml: no such file or directory]\'\n尝试隔离任务并手动运行 kubeadm 命令行会导致相同的错误消息:
\n\n#/usr/local/bin/kubeadm upgrade apply -y v1.15.3 --config=/etc/kubernetes/kubeadm-config.yaml --ignore-preflight-errors=all --allow-experimental-upgrades --allow-release-candidate-upgrades --etcd-upgrade=false -v 6 \n或者甚至尝试手动更新证书:
\n\n/etc/kubernetes/pki# kubeadm alpha certs renew apiserver-kubelet-client -v 9\nI0919 14:42:11.515503 18597 initconfiguration.go:105] detected and using CRI socket: /var/run/dockershim.sock\nI0919 14:42:11.515897 18597 interface.go:384] Looking for default routes with IPv4 addresses\nI0919 14:42:11.515916 18597 interface.go:389] Default route transits interface \xe2\x80\x9ceth0\xe2\x80\x9d\nI0919 14:42:11.516284 18597 interface.go:196] Interface eth0 is up\n(...)\nI0919 14:42:11.516835 18597 feature_gate.go:216] feature gates: &{map[]}\nfailed to renew certificate apiserver-kubelet-client: unable to sign certificate: must specify at least one ExtKeyUsage\n最终找到了解决方案并发布在下面。
\n该问题来自 kubeadm,它在必须更新证书时使用旧证书。但是,当这些初始证书太旧或手动生成时,它们可能不包含一些需要存在的必填字段。
在错误消息中,ExtKeyUsage引用该X509v3 Extended Key Usage字段。
您可以通过查看您的证书来检查:涉及 2 个证书:apiserver-kubelet-client.crt以及front-proxy-client.crt
它们位于 的主主机上/etc/kubernetes/pki。
你可以用以下命令检查它们
# openssl x509 -in apiserver-kubelet-client.crt -text -noout
如果它们不包含以下内容(接近尾声),那么 kubeadm 将完全无法更新证书
(...)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
TL;博士;
解决方案只是通过以下过程创建全新的证书
######### Backup your certificates (just in case)
master01:/etc/kubernetes/pki# cp -a /etc/kubernetes/pki /root/backup_cert/
######### Delete incomplete certificates
master01:/etc/kubernetes/pki# rm apiserver-kubelet-client.*
master01:/etc/kubernetes/pki# rm front-proxy-client.*
######### Then recreate them
master01:/etc/kubernetes/pki# kubeadm init phase certs apiserver-kubelet-client
master01:/etc/kubernetes/pki# kubeadm init phase certs front-proxy-client
您现在可以重新启动升级过程,应该没问题。(注意:如果您的集群处于第一个主节点具有 SchedulingDisabled 状态的状态,那么不要忘记取消对主机的封锁,因为 kubespray playbook 不会修复该问题)
| 归档时间: |
|
| 查看次数: |
1130 次 |
| 最近记录: |