1、问题现象
- 执行kubectl命令异常报告
[root@k8s-master1 ~]# kubectl get node
The connection to the server 192.168.227.131:6443 was refused - did you specify the right host or port?
[root@k8s-master1 ~]#
- 查看etcd的日志,报错信息如下
{"level":"warn","ts":"2023-09-21T07:50:38.870Z","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"127.0.0.1:49566","server-name":"","error":"tls: failed to verify client certificate: x509: certificate has expired or is not yet valid: current time 2023-09-21T07:50:38Z is after 2023-06-11T16:06:01Z"}
综上:通过异常日志分析应该是证书过期导致的问题。
2、解决方法:
# 备份k8s配置
cp -r /etc/kubernetes /etc/kubernetes_bak20230921
# 检测证书过期
kubeadm certs check-expiration
如上图所示,发现很多证书都是<invalid>的状态,
当前时间是2023-9-21 16:15:52,上图显示证书过期时间是:Jun 08, 2032 16:06 UTC
# 更新证书
kubeadm certs renew all
# 再次检测证书过期
kubeadm certs check-expiration
#执行kubectl命令测试一下效果:
[root@k8s-master1 etc]# kubectl get node
error: You must be logged in to the server (Unauthorized)
发现出现了新的问题,解决方案是
备份配置文件
cp -rp $HOME/.kube/config $HOME/.kube/config.bak
并生成新的配置文件
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
再次,执行kubectl get node查看解决结果
PS备注:以上都操作完毕,建议把kubelet、kube-apiserver、kube-controller-manage、kube-scheduler都重启一下!有条件的话可以重启主机来重启上面的服务,实在不行的就手动命令逐个服务重启接口。
