kube-apiserver 报错 Unable to authenticate the request“ err=“[x509: certificate signed by unknown ...

已于 2022-04-12 13:41:36 修改
阅读量8.2k 收藏 3
点赞数 1
分类专栏: kubernetes 文章标签: kubernetes docker 容器
于 2022-02-11 16:29:51 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/rockstics/article/details/122880590
版权

问题描述:

采用ansible 二进制方式部署kubernetes, 部署完成后kubectl get node 节点状态 NotReady
kubectl get pod -n kube-system 发现 calico 处于 Pending 状态
查看pod日志

kubectl logs -f calico-node-7fw9h -n kube-system

报错为:
Authorization error (user=kubernetes, verb=get, resource=nodes, subresource=proxy)

systemctl status kubelet  -l

发现报错
Feb 11 09:56:48 kubernetesM02 kubelet[20889]: E0211 09:56:48.153429 20889 kubelet_node_status.go:93] “Unable to register node with API server” err=“Unauthorized” node=“kubernetesm02”
Feb 11 09:56:50 kubernetesM02 kubelet[20889]: E0211 09:56:50.097095 20889 reflector.go:138] k8s.io/kubernetes/pkg/kubelet/config/apiserver.go:45: Failed to watch *v1.Pod: failed to list *v1.Pod: Unauthorized

怀疑是kube-apiserver 问题

systemctl status kube-apiserver -l

发现报错

Feb 11 14:34:11 kubernetesM02 kube-apiserver[16692]: E0211 14:34:11.507411 16692 authentication.go:63] “Unable to authenticate the request” err=“[x509: certificate signed by unknown authority (possibly because of “crypto/rsa: verification error” while trying to verify candidate authority certificate “kubernetes”), verifying certificate SN=223578824471382834555747287975620980748, SKID=, AKID=F4:9A:82:54:A9:67:BB:64:A7:F6:E9:33:A4:A0:C2:4B:6A:A8:D0:1B failed: x509: certificate signed by unknown authority (possibly because of “crypto/rsa: verification error” while trying to verify candidate authority certificate “kubernetes”)]”

百度后怀疑是证书问题

解决方法:

删除kubelet 的证书

rm  /etc/kubernetes/ssl/kubelet.*

重启kubelet
如果引入了 bootstrap 机制,会自动重新生成并颁发证书,否则需要手动颁发证书
kubectl get node 再次查看节点状态已正常
手动办法证书方法如下:

kubectl get csr #查看证书请求
NAME                                                   AGE    SIGNERNAME                                    REQUESTOR           CONDITION
node-csr-PJit5dDGv1tO3e3ELjBXu5ORF4NtL8K7qkS2AM2KE7g   3m6s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Approved,Issued

kubectl certificate approve node-csr-PJit5dDGv1tO3e3ELjBXu5ORF4NtL8K7qkS2AM2KE7g  #批准证书请求 
certificatesigningrequest.certificates.k8s.io/node-csr-PJit5dDGv1tO3e3ELjBXu5ORF4NtL8K7qkS2AM2KE7g approved

原因分析:

kubelet bootstrap 引导出错导致kube-apiserve 和 kubelet 之前自动证书审批未完成,导致两者之间未建立连接
删除kubelet证书并重启kubelet 让 kubelet bootstrap 重新引导完成自动证书审批工作 ,问题解决

rockstics
关注
专栏目录
Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of
qq_46654855的博客
08-01 6038
kubeadm安装完k8s后,使用kubectl命令,报错
kubernetes 坑人的错误!!!Unable to connect to the server: x509: certificate signed by unknown authority
江晓龙的博客
01-02 2927
1.问题说明 搭建完k8s集群,k8s-master节点一开始还可以正常使用kubelet命令,过会后就不能正常使用率,真是气人 前一秒还能用,下一秒就不行 2.问题解决方式 在网上找遍了解决问题的博客,依然无法解决问题,写的一塌糊涂,都是抄袭,真的很狗 2.1.问题复现 在正常的k8s集群的master节点执行以下几个命令: mkdir -p $HOME/.kube cp -i /etc/kubernetes/admin.conf $HOME/.kube/config chown $(id
IOS证书:this certificate was signed by an unknown authority
小太阳GO
03-19 2512
iOS: this certificate was signed by an unknown authority  在 iOS开发中,使用证书时,会出现一些莫名其妙的问题。分明是一个有效的证书,导入到 Key Chain 后, 出现: this certificate was signed by an unknown authority。  如下图。
成功解决docker从本地私库push或pull镜像时报x509: certificate signed by unknown authority
weixin_44410358的博客
12-01 6067
成功解决docker从本地私库push或pull镜像时报x509: certificate signed by unknown authorityDockerQ:docker登录私库时提示 x509: certificate signed by unknown authorityA:解决办法Docker的配置文件 daemon.json 详解(当需要配置多个镜像地址怎么写的问题) Docker Q:docker登录私库时提示 x509: certificate signed by unknown autho
Kube-apiserver出现“Unable to authenticate the request”错误的解决方案
最新发布
总想试试,万一成了呢??
10-21 319
之前使用工具一键部署K8S集群,并在集群部署一些服务。某天突然发现服务无法访问。
kubeadm reset后安装遇到的错误:Unable to connect to the server: x509: certificate signed by unknown authority
qq_35448165的博客
01-30 1785
前面通过kubeadm reset重置k8s环境之后,执行了kubeadm init命令 [root@m ~]# kubeadm init --kubernetes-version=1.14.0 --apiserver-advertise-address=192.168.56.51 --pod-network-cidr=10.244.0.0/16 初始化完成后按照出现的提示执行了如下命令: ...
kubectl get node运行时出现:Unable to connect to the server: x509: certificate signed by unknown authority
koooooooo5的博客
04-15 1625
kubectl get nodes运行时出现:Unable to connect to the server: x509: certificate signed by unknown authority 原因:我们在运行kubeadm reset时,没有删除原先的$HOME/.kube文件导致新建的kubelet报错。实际上在kubeadm reset执行后,系统已经提示我们需要手动删除这个配置文件。 解决方法:在运行kubeadm reset之后,接着输入rm -rf $HOME/.kube删除原配置文
k8s.gcr.io/kube-apiserver:v1.17.3镜像包
03-06
kubernetes的k8s.gcr.io/kube-apiserver:v1.17.3镜像包,版本为v1.17.3。文件是kube-controller-manager_v_1_17.3.tar
Rancher入门到精通-2.0 Unable to connect to the server: x509: certificate is valid for ingress.local, not
隔壁老瓦的专栏
10-28 1万+
kubectl apply -f https://rancher.test.cn/v3/import/xlxwdf6fz6jtgrfcmscs79msn8dkmjbs87p42npgcktjkx2q7shpx5.yaml Unable to connect to the server: x509: certificate is valid for ingress.local, not ranch...
Unable to register node “xxx“ with API server: Unauthorized
以梦为马|越骑越傻
12-23 1万+
k8s二进制部署环境出现kubelet认证不了节点 出现这个情况的时候,第一个反应是先看apiserver证书是不是过期了 # 查看apiserver的service文件存储路径 systemctl status kube-apiserver | grep load # 查找apiserver的启动参数,查看ca证书的存储路径 cat /usr/lib/systemd/system/kube-apiserver.service # 查看EnviromentFile,或者直接可以看到启动参数,以实际的为准.
Tanzu:x509: certificate signed by unknown authority
随笔记录-分享&记忆
06-24 608
x509: certificate signed by unknown authority ERRO[0000] Error occurred during HTTP request: Get https://192.16.6.1/wcp/loginbanner: x509: certificate signed by unknown authority There was an error when trying to connect to the server 解决办法: 如果出于任何原因无法添加证书
Harbor/Docker: x509: certificate signed by unknown authority
热门推荐
tom_fans的博客
07-27 2万+
完成Harbor安装之后,我们使用docker login/push/pull去与Harbor打交道,上传下载镜像等。 但是发现出现x509: certificate signed by unknown authority之类的错误。 [root@test01 harbor.dev]# docker login harbor.dev Authenticating with existing credentials... Login did not succeed, error: Error respon
x509: certificate signed by unknown authority (harbor)
xiunai78的专栏
03-19 2万+
最近在做Docker相关的东西,发现只要一pull镜像,就出现如下的ERROR x509: certificate signed by unknown authority. 调查后发现,是公司IT把https证书换成了公司的证书(目的大家自己猜)。 解决思路: 把替换后的证书直接用openssl拉下来,然后加入到系统(我是Ubuntu)系统证书中,然后使用update-ca-certificate...
x509: certificate signed by unknown authority (possibly because of “crypto/rsa: verification error
johnhuster的专栏
10-29 7270
执行下面命令初始化k8s集群时 kubeadm init --pod-network-cidr 10.21.0.0/16 \ --image-repository registry.cn-hangzhou.aliyuncs.com/google_containers 通过 kubectl get pods -n kube-system 查看pods状态 发现coredns对应的pod状态为ContainerCreating, 通过kubectl describe pods -n kube-
certificate signed by unknown authority (possibly because of “crypto/rsa: verification error“ while
标准都是留给不爱的人,爱的本质是自由意志的沉沦
04-29 922
向集群添加新的工作节点报错certificate signed by unknown authority (possibly because of “crypto/rsa: verification error” while trying to verify candidate authority certificatekubernetes”)1、删除这个路径下的文件。
docker login 时报x509: certificate signed by unknown authority
qq_42325147的博客
03-21 797
docker login 时报x509: certificate signed by unknown authority
go get x509:certificate signed by unknown authority
qq_38189542的博客
03-14 1787
在arm设备上构建golang 1.22的Docker镜像,用来做程序的编译镜像,直接安装用ubuntu作为基础镜像,构建好的镜像,在编译的时候执行go get的时候,会报下面错误。
x509: certificate signed by unknown authority (golang http请求报错
D1124615130的博客
04-14 2374
client初始化时加上t.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
Unable to connect to the server: x509: certificate signed by unknown authority
06-10
当您在使用 kubectl 连接 Kubernetes API Server 时,如果遇到 "Unable to connect to the server: x509: certificate signed by unknown authority" 错误,这意味着您的客户端未能验证 Kubernetes API Server 的证书。 要解决此问题,您可以尝试以下几个步骤: 1. 确认您的 kubeconfig 文件是否正确配置。kubeconfig 文件包含用于连接 Kubernetes 集群的详细信息,包括证书。您可以通过运行以下命令来查看当前配置的集群、用户和上下文: ``` kubectl config view ``` 如果 kubeconfig 文件未正确配置,则需要更新文件以包含正确的集群、用户和上下文信息。 2. 如果您使用的是自签名证书,请将证书添加到系统的信任存储中。在 Linux 系统上,您可以将证书复制到 /usr/local/share/ca-certificates/ 目录中,并运行以下命令更新证书: ``` sudo update-ca-certificates ``` 在 Windows 系统上,您可以使用 certmgr.msc 程序来导入证书。 3. 如果您使用的是由第三方颁发的证书,请确保您的客户端已经信任该证书。 4. 如果以上步骤均未解决问题,请联系您的 Kubernetes 集群管理员,以确保证书签名机构(CA)已正确配置,并已在 kubeconfig 文件中配置正确的 CA 证书。
评论 2
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值