20. Expired k8s certificates

x509: certificate has expired or is not yet valid

After restarting the kubelet on one node of a normally running k8s cluster, the kubelet failed to start with the following error:

E1224 13:55:55.339147   46610 reflector.go:125] k8s.io/kubernetes/pkg/kubelet/config/apiserver.go:47: Failed to list *v1.Pod: Get https://192.168.177.224:6443/api/v1/pods?fieldSelector=spec.nodeName%3Dtest-node1&limit=500&resourceVersion=0: x509: certificate has expired or is not yet valid

Cause

The k8s certificate has expired. The certificate details (note the Validity / Not After field) can be inspected with the following command:

[root@test-node2 k8s]# openssl x509 -in ca.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=192.168.177.224@1544090516
        Validity
            Not Before: Dec  6 10:01:56 2018 GMT
            Not After : Dec  6 10:01:56 2019 GMT
        Subject: CN=192.168.177.224@1544090516
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d3:8e:76:00:74:70:97:10:87:f2:64:b8:8d:46:
                    15:37:e7:0d:9f:64:2c:85:87:40:53:fd:c7:c6:62:
                    03:55:c4:2c:06:df:ca:34:94:a0:ae:d2:5a:0a:7e:
                    6b:6e:fc:a3:92:2c:dd:72:41:60:60:ec:3f:9c:04:
                    ef:26:da:b3:af:68:5d:58:60:7a:60:5a:6d:6b:22:
                    ed:89:4b:af:dd:5e:06:60:6b:93:1a:66:50:b1:26:
                    20:83:46:e0:ff:0b:aa:b9:76:ff:b2:4e:6a:a9:ee:
                    05:e9:d2:82:05:ba:11:9d:6e:f9:93:ae:9a:ef:8a:
                    0e:ae:30:5a:5a:b5:b7:d7:20:33:1c:85:a9:47:02:
                    e4:1e:0e:54:ea:4c:ec:ba:34:1c:75:cf:71:29:dc:
                    b4:43:9d:27:f7:f4:68:21:cb:89:c4:aa:1d:33:28:
                    f2:a9:82:52:36:09:de:8f:75:1e:73:97:76:8c:25:
                    82:90:6a:e7:78:b8:19:32:9a:99:65:4e:4a:e9:11:
                    cd:58:a3:dc:4f:9d:8f:63:63:00:24:06:fd:ce:07:
                    c9:3d:8c:84:55:7b:31:49:81:a0:ca:3e:b2:06:e3:
                    bd:07:4a:f2:b7:c3:4c:d2:92:45:1a:9d:56:38:7e:
                    ab:15:31:16:85:fb:d1:41:3e:89:31:45:cc:d1:80:
                    81:3f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Alternative Name:
                DNS:kubernetes.default.svc, DNS:kubernetes.default, DNS:kubernetes, DNS:localhost, IP Address:192.168.177.224, IP Address:169.169.0.1
    Signature Algorithm: sha256WithRSAEncryption
         99:cd:d4:8a:54:d4:63:69:af:20:7e:1b:dc:03:a9:eb:14:99:
         5a:50:15:6d:e7:6d:42:60:53:7d:41:87:29:a0:7a:34:61:21:
         60:e7:18:f3:25:83:75:f7:53:ba:d9:03:05:f5:1c:93:ec:53:
         76:6d:7c:50:fa:1a:ce:2a:31:f5:26:1d:03:2c:63:2d:9d:e9:
         ab:1d:d1:61:8f:e0:46:f6:5c:cc:8d:93:70:dd:24:ee:fa:90:
         e9:29:cb:88:61:e5:99:0d:87:0b:b5:55:91:cc:6c:aa:d8:e3:
         1b:f2:d3:4e:9a:59:fe:ce:7e:a2:75:e4:73:b8:1f:e5:63:ae:
         55:25:37:82:15:b3:5f:e7:14:f7:37:a4:ed:ca:a8:f7:0c:b7:
         dc:9c:de:a0:6c:00:fa:00:b7:fe:94:14:9d:d8:91:7b:d4:1b:
         50:89:2a:ab:92:9b:1b:3d:b0:cb:83:55:b1:47:ff:ce:5e:a8:
         ef:73:8d:0b:ff:1d:ff:4c:8d:fc:e1:e8:30:27:89:d4:39:78:
         2d:a8:c7:06:68:e0:57:bb:67:3c:c0:6b:55:02:3b:75:c8:2c:
         37:ff:93:08:d1:a5:7b:f1:93:ec:7a:cd:c4:1f:39:cc:4b:65:
         b4:02:3a:ae:ad:06:a3:68:5c:d1:c0:77:89:a3:c1:0b:00:6a:
         bb:ba:99:cb

Solution: renew the certificate

  • Delete the server certificate
rm /var/run/kubernetes/apiserver.crt
rm /var/run/kubernetes/apiserver.key
  • Restart the apiserver
systemctl restart kube-apiserver

After the restart, a new server certificate has been generated and it is valid.

  • Look up the certificate that belongs to the service account (the ca.crt field of its token secret, saved here as ca.source)
kubectl get secret kube-node-token-wz588 -o json
cat ca.source |base64 -d > ca.crt
  • Replace the crt in the kubeconfig

The token stays unchanged.

Starting the kubelet on the node then reports the following error:

[invalid bearer token, [invalid bearer token, crypto/rsa: verification error]]

This problem is caused by a different server.key having been generated on the master node: server.key has to be specified when the apiserver starts, and the service account tokens are verified with its public key, so tokens issued under the old key no longer verify.
After a pod is created, a token, ca.crt and related files are generated by default under /var/run/secrets/kubernetes.io/serviceaccount/.

Solution: recreate the service account, then replace the token and crt files.

Delete the SA and create it again.
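Both failures above can be reproduced offline. The following Go program is an added example, not code from the original note: it builds a constructed self-signed CA with the same one-year validity as the ca.crt shown earlier (only the CN is copied from the openssl output), verifies it at a clock past Not After to get the kubelet's x509 error, and then signs a token with one RSA key and checks it with another to get the "crypto/rsa: verification error" seen after server.key was regenerated.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCA builds a self-signed CA valid for one year, shaped like the note's ca.crt (constructed here).
func makeCA(key *rsa.PrivateKey, notBefore time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "192.168.177.224@1544090516"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(1, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAt checks the chain at a given clock; past NotAfter it returns x509.CertificateInvalidError (Expired).
func verifyAt(cert *x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	return err
}

// verifyToken signs a token with one apiserver key and checks it with another;
// a key mismatch fails with rsa.ErrVerification, the second error in the note.
func verifyToken(signer *rsa.PrivateKey, verifier *rsa.PublicKey, token []byte) error {
	sum := sha256.Sum256(token)
	sig, err := rsa.SignPKCS1v15(rand.Reader, signer, crypto.SHA256, sum[:])
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(verifier, crypto.SHA256, sum[:], sig)
}
```

Running verifyAt against the real ca.crt (parsed with x509.ParseCertificate) with time.Now() before each kubelet restart would have flagged the expiry in advance.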