Unable to connect to the server: x509: certificate is valid for 10.96.0.1, xxx, not xxx
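After setting up K8S with kubeadm, the master needs a proxy in front of it. By default, access fails with the following error because the certificate does not match: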
Unable to connect to the server: x509: certificate is valid for xxxx not xxx
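So how do you update the certificate so that it includes this address?
apiServer has a property named certSANs. Run the following command to look at the current configuration first: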
[test@master-01 .kube]$ kubectl -n kube-system get configmap kubeadm-config -o yaml
By default it looks like this:
apiVersion: v1
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        authorization-mode: Node,RBAC
      timeoutForControlPlane: 4m0s
    apiVersion: kubeadm.k8s.io/v1beta3
    certificatesDir: /etc/kubernetes/pki
    clusterName: kubernetes
    controllerManager: {}
    dns: {}
    etcd:
      local:
        dataDir: /var/lib/etcd
    imageRepository: registry.aliyuncs.com/google_containers
If certSANs is not present, add it, and list the addresses you need under that property.
Edit the ConfigMap:
kubectl -n kube-system edit configmap kubeadm-config
apiVersion: v1
data:
  ClusterConfiguration: |
    apiServer:
      certSANs:
      - 10.96.0.1
      - 10.1.2.240
      - 10.1.2.243
      - 10.1.2.245
      - 188.188.150.11
      extraArgs:
        authorization-mode: Node,RBAC
      timeoutForControlPlane: 4m0s
    apiVersion: kubeadm.k8s.io/v1beta3
    certificatesDir: /etc/kubernetes/pki
    clusterName: kubernetes
    controllerManager: {}
    dns: {}
    etcd:
      local:
        dataDir: /var/lib/etcd
    imageRepository: registry.aliyuncs.com/google_containers
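Then back up the apiserver certificate and key. Run this in /etc/kubernetes/pki; moving the files out of the way also lets kubeadm generate a new certificate instead of reusing the existing one: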
mv apiserver.* /tmp
Then run this command to regenerate it:
kubeadm init phase certs apiserver
Check whether the newly generated certificate contains the newly added IPs:
[test@master-01 .kube]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text
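Reading the SAN list by eye is error-prone, so the check above can be scripted. The following is an added example, not part of the original post: the helper names (cert_sans, missing_sans, sample_cert_text) and the embedded certificate excerpt are constructed for illustration. It lists every required address that the certificate text does not contain, using exact matching.

```shell
#!/bin/sh
# Added example (not from the original post): report required SANs that are
# missing from the output of `openssl x509 -text`.

# Constructed excerpt of `openssl x509 -text` output, so the demo runs offline.
sample_cert_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:master-01, IP Address:10.96.0.1, IP Address:10.1.2.240, IP Address:10.1.2.243, IP Address:10.1.2.245
EOF
}

# Read certificate text on stdin; print one SAN value per line with the
# "DNS:" / "IP Address:" type prefix stripped.
cert_sans() {
    awk '
        grab {
            gsub(/^[ \t]+/, "")
            n = split($0, e, /, */)
            for (i = 1; i <= n; i++) {
                sub(/^(DNS|IP Address):/, "", e[i])
                gsub(/[ \t\r]+$/, "", e[i])
                print e[i]
            }
            exit
        }
        /X509v3 Subject Alternative Name/ { grab = 1 }
    '
}

# Print each required SAN (arguments) that the certificate on stdin lacks.
# Whole-line fixed-string matching: 10.1.2.24 must not pass because
# 10.1.2.240 is present, which a plain substring grep would allow.
missing_sans() {
    have=$(cert_sans)
    for want in "$@"; do
        printf '%s\n' "$have" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Demo on the constructed sample. On a control-plane node, pipe the real
# certificate instead:
#   openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | missing_sans 10.1.2.240 188.188.150.11
sample_cert_text | missing_sans 10.96.0.1 10.1.2.24 188.188.150.11
```

Empty output means every listed address is in the certificate; any address printed is still missing and clients connecting through it will keep getting the x509 error.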