巡检时发现部分节点的 kubelet 报以下错误,排查后确认是 kubelet 证书过期:
kubelet: I1107 11:23:12.857909 23311 bootstrap.go:239] Failed to connect to apiserver: the server has asked for the client to provide credentials
1、在证书过期的节点上删除 kubelet 的旧证书和 kubeconfig
# Run on the node whose kubelet certificate expired.
# Drop the kubelet's client kubeconfig and every kubelet.* file in the cert
# directory; -f keeps rm quiet when a file (or the glob) matches nothing.
rm -f /etc/kubernetes/kubelet.kubeconfig /etc/kubernetes/cert/kubelet.*
# The old bootstrap kubeconfig holds a stale token; step 4 copies a fresh
# one to this same path.
rm -rf /etc/kubernetes/kubelet-bootstrap.kubeconfig
2、为节点创建 bootstrap token 和 bootstrap kubeconfig:
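# Nodes whose kubelet certificate has expired and must be re-bootstrapped.
# Plain assignment: bash cannot pass arrays to child processes via export.
NODE_NAMES=(kube-node5)

# KUBE_APISERVER is not defined anywhere in these steps. Refuse to continue
# rather than write a kubeconfig with an empty --server value.
if [[ -z "${KUBE_APISERVER:-}" ]]; then
  echo "KUBE_APISERVER is not set; export the apiserver URL first" >&2
else
  for node_name in "${NODE_NAMES[@]}"; do
    echo ">>> ${node_name}"
    kubeconfig_file="kubelet-bootstrap-${node_name}.kubeconfig"

    # Create a bootstrap token bound to the per-node group
    # system:bootstrappers:<node>. The assignment is kept separate from
    # `export` so a kubeadm failure is not masked, and the token is not
    # exported into the environment of later child processes.
    # kubeadm applies its default TTL (24h) because no --ttl is passed.
    if ! BOOTSTRAP_TOKEN=$(kubeadm token create \
      --description kubelet-bootstrap-token \
      --groups "system:bootstrappers:${node_name}" \
      --kubeconfig ~/.kube/config) || [[ -z "${BOOTSTRAP_TOKEN}" ]]; then
      echo "failed to create bootstrap token for ${node_name}" >&2
      continue
    fi

    # Cluster parameters; the CA certificate is embedded into the file.
    kubectl config set-cluster kubernetes \
      --certificate-authority=/etc/kubernetes/cert/ca.pem \
      --embed-certs=true \
      --server="${KUBE_APISERVER}" \
      --kubeconfig="${kubeconfig_file}" || continue

    # Client credentials. --token places the secret on kubectl's command
    # line, so run this on a trusted admin host. The resulting file is a
    # credential: remove the local copy once step 4 has delivered it.
    kubectl config set-credentials kubelet-bootstrap \
      --token="${BOOTSTRAP_TOKEN}" \
      --kubeconfig="${kubeconfig_file}" || continue

    # Context tying the cluster entry to the bootstrap user.
    kubectl config set-context default \
      --cluster=kubernetes \
      --user=kubelet-bootstrap \
      --kubeconfig="${kubeconfig_file}" || continue

    # Make that context the default one in the generated file.
    kubectl config use-context default \
      --kubeconfig="${kubeconfig_file}" || continue
  done
fi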
3、查看 kubeadm 为各节点创建的 token:
# List the bootstrap tokens known to the cluster, to confirm that the token
# created in step 2 exists and to check its remaining lifetime.
kubeadm token list \
  --kubeconfig ~/.kube/config
4、将 bootstrap kubeconfig 分发到对应的节点上
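# Same node list as in step 2. Plain assignment: bash cannot pass arrays to
# child processes via export.
NODE_NAMES=(kube-node5)
# Expansions are quoted so a node name is never word-split or globbed.
for node_name in "${NODE_NAMES[@]}"; do
  echo ">>> ${node_name}"
  # Copy the per-node bootstrap kubeconfig to the path the kubelet reads.
  # The file carries the bootstrap token, so treat it as a credential.
  # NOTE(review): assumes the k8s account may write to /etc/kubernetes on the
  # node; confirm before running.
  scp "kubelet-bootstrap-${node_name}.kubeconfig" \
    "k8s@${node_name}:/etc/kubernetes/kubelet-bootstrap.kubeconfig"
done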
5、在节点上重新启动 kubelet
# Run on the node. With the old kubeconfig and certificates removed in
# step 1, the kubelet is expected to use the bootstrap kubeconfig from step 4
# to request a new certificate.
# NOTE(review): if CSR auto-approval is not configured in this cluster, the
# request stays pending until it is approved (`kubectl get csr`, then
# `kubectl certificate approve <csr-name>`); confirm for your setup.
systemctl restart kubelet.service
# Check that the unit is active and the credentials error no longer appears.
systemctl status kubelet.service