节点状态正常,kubelet正常,证书未到期,master节点重启过,
执行kubectl create -f deployment.yaml
报错:
x509: certificate has expired or is not yet valid: current time 2022-06-11T17:02:00+08:00 is before 2022-06-11T14:55:41Z
kube-apiserver日志报错
[root@localhost tmp]# systemctl status kube-apiserver -l
● kube-apiserver.service - Kubernetes API Server
Loaded: loaded (/usr/lib/systemd/system/kube-apiserver.service; enabled; vendor preset: disabled)
Active: active (running) since Sa 2022-06-11 16:26:21 CST; 40min ago
Docs: https://github.com/kubernetes/kubernetes
Main PID: 773 (kube-apiserver)
Tasks: 9
Memory: 474.4M
CGroup: /system.slice/kube-apiserver.service
└─773 /opt/kubernetes/bin/kube-apiserver --logtostderr=false --v=2 --log-dir=/opt/kubernetes/logs --etcd-servers=https://192.100.30.164:2379,https://192.100.30.165:2379,https://192.100.30.166:2379 --bind-address=192.100.30.164 --secure-port=6443 --advertise-address=192.100.30.164 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NodeRestriction --authorization-mode=RBAC,Node --enable-bootstrap-token-auth=true --token-auth-file=/opt/kubernetes/cfg/token.csv --service-node-port-range=30000-32767 --kubelet-client-certificate=/opt/kubernetes/ssl/server.pem --kubelet-client-key=/opt/kubernetes/ssl/server-key.pem --tls-cert-file=/opt/kubernetes/ssl/server.pem --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem --client-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem --etcd-cafile=/opt/kubernetes/ssl/etcd/ca.pem --etcd-certfile=/opt/kubernetes/ssl/etcd/server.pem --etcd-keyfile=/opt/kubernetes/ssl/etcd/server-key.pem --service-account-issuer=api --service-account-signing-key-file=/opt/kubernetes/ssl/ca-key.pem --requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem --proxy-client-cert-file=/opt/kubernetes/ssl/server.pem --proxy-client-key-file=/opt/kubernetes/ssl/server-key.pem --requestheader-allowed-names=kubernetes --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --enable-aggregator-routing=true --audit-log-maxage=30 --audit-log-maxbackup=3 --audit-log-maxsize=100 --audit-log-path=/opt/kubernetes/logs/k8s-audit.log
Jun 11 17:07:08 kubernetesM01 kube-apiserver[773]: E0611 17:07:08.383843 773 reflector.go:138] k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.RuntimeClass: failed to list *v1.RuntimeClass: Get "https://192.100.30.164:6443/apis/node.k8s.io/v1/runtimeclasses?resourceVersion=20397493": x509: certificate has expired or is not yet valid: current time 2022-06-11T17:07:08+08:00 is before 2022-06-11T14:55:41Z
Jun 11 17:07:08 kubernetesM01 kube-apiserver[773]: E0611 17:07:08.828235 773 reflector.go:138] k8s.io/client-go/informers/factory.go:134: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: Get "https://192.100.30.164:6443/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas?resourceVersion=20397493": x509: certificate has expired or is not yet valid: current time 2022-06-11T17:07:08+08:00 is before 2022-06-11T14:55:41Z
Jun 11 17:07:09 kubernetesM01 kube-apiserver[773]: E0611 17:07:09.813265 773 reflector.go:138] k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.Role: failed to list *v1.Role: Get "https://192.100.30.164:6443/apis/rbac.authorization.k8s.io/v1/roles?resourceVersion=20397493": x509: certificate has expired or is not yet valid: current time 2022-06-11T17:07:09+08:00 is before 2022-06-11T14:55:41Z
Jun 11 17:07:10 kubernetesM01 kube-apiserver[773]: E0611 17:07:10.452480 773 reflector.go:138] k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.PriorityClass: failed to list *v1.PriorityClass: Get "https://192.100.30.164:6443/apis/scheduling.k8s.io/v1/priorityclasses?resourceVersion=20397493": x509: certificate has expired or is not yet valid: current time 2022-06-11T17:07:10+08:00 is before 2022-06-11T14:55:41Z
Jun 11 17:07:10 kubernetesM01 kube-apiserver[773]: E0611 17:07:10.826251 773 reflector.go:138] k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.ServiceAccount: failed to list *v1.ServiceAccount: Get "https://192.100.30.164:6443/api/v1/serviceaccounts?resourceVersion=20397493": x509: certificate has expired or is not yet valid: current time 2022-06-11T17:07:10+08:00 is before 2022-06-11T14:55:41Z
Jun 11 17:07:11 kubernetesM01 kube-apiserver[773]: E0611 17:07:11.185799 773 reflector.go:138] k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.ClusterRole: failed to list *v1.ClusterRole: Get "https://192.100.30.164:6443/apis/rbac.authorization.k8s.io/v1/clusterroles?resourceVersion=20397493": x509: certificate has expired or is not yet valid: current time 2022-06-11T17:07:11+08:00 is before 2022-06-11T14:55:41Z
Jun 11 17:07:12 kubernetesM01 kube-apiserver[773]: E0611 17:07:12.178550 773 reflector.go:138] k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.MutatingWebhookConfiguration: failed to list *v1.MutatingWebhookConfiguration: Get "https://192.100.30.164:6443/apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations?resourceVersion=20397493": x509: certificate has expired or is not yet valid: current time 2022-06-11T17:07:12+08:00 is before 2022-06-11T14:55:41Z
Jun 11 17:07:14 kubernetesM01 kube-apiserver[773]: E0611 17:07:14.647991 773 controller.go:223] unable to sync kubernetes service: Post "https://192.100.30.164:6443/api/v1/namespaces": x509: certificate has expired or is not yet valid: current time 2022-06-11T17:07:14+08:00 is before 2022-06-11T14:55:41Z
Jun 11 17:07:17 kubernetesM01 kube-apiserver[773]: E0611 17:07:17.375322 773 reflector.go:138] k8s.io/kubernetes/pkg/controlplane/controller/clusterauthenticationtrust/cluster_authentication_trust_controller.go:444: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: Get "https://192.100.30.164:6443/api/v1/namespaces/kube-system/configmaps?resourceVersion=20397493": x509: certificate has expired or is not yet valid: current time 2022-06-11T17:07:17+08:00 is before 2022-06-11T14:55:41Z
Jun 11 17:07:17 kubernetesM01 kube-apiserver[773]: E0611 17:07:17.516529 773 reflector.go:138] k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.ClusterRoleBinding: failed to list *v1.ClusterRoleBinding: Get "https://192.100.30.164:6443/apis/rbac.authorization.k8s.io/v1/clusterrolebindings?resourceVersion=20397493": x509: certificate has expired or is not yet valid: current time 2022-06-11T17:07:17+08:00 is before 2022-06-11T14:55:41Z
解决: 重启kube-apiserver
systemctl restart kube-apiserver