Question
I've installed my Kubernetes cluster (two nodes) with kubespray. Now I have added a third node, and I get this error from the kubelet server on the new node:
Failed to list *v1.Service: Get https://94.130.25.248:6443/api/v1/services?limit=500&resourceVersion=0: x509: certificate is valid for 10.233.0.1, 94.130.25.247, 94.130.25.247, 10.233.0.1, 127.0.0.1, 94.130.25.247, 144.76.14.131, not 94.130.25.248
The IP 94.130.25.248 is the IP of the new node.
I've found this post, which wrote about recreating the apicert. But the new version of kubeadm (v1.13.1) doesn't have this option.
Also, I've tried to renew the certificates with the command:
kubeadm alpha certs renew all --config /etc/kubernetes/kubeadm-config.yaml
This command regenerates the certificates, but with the same IPs and DNS names.
My kubeadmin-config.yml (certSANs):
certSANs:
- kubernetes
- kubernetes.default
- kubernetes.default.svc
- kubernetes.default.svc.cluster.local
- 10.233.0.1
- localhost
- 127.0.0.1
- heku1
- heku4
- heku2
- 94.130.24.247
- 144.76.14.131
- 94.130.24.248
Can someone tell me how I can add the IP to the apicert?
Answer 1:
Hm... I've removed the apiserver.* and apiserver-kubelet-client.* files and recreated them with the commands:
kubeadm init phase certs apiserver --config=/etc/kubernetes/kubeadm-config.yaml
kubeadm init phase certs apiserver-kubelet-client --config=/etc/kubernetes/kubeadm-config.yaml
systemctl stop kubelet
delete the docker container with kubelet
systemctl restart kubelet
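A diagnostic sketch added here, not part of the original question or answer: it parses the kubelet's x509 error and compares the IPs the API server certificate actually carries with the certSANs list from the question. The function names are assumptions made for this example; the error line and the SAN list are copied from the question.

```python
import ipaddress
import re

# Error line and certSANs entries copied verbatim from the question above.
KUBELET_ERROR = (
    "Failed to list *v1.Service: Get https://94.130.25.248:6443/api/v1/services"
    "?limit=500&resourceVersion=0: x509: certificate is valid for 10.233.0.1, "
    "94.130.25.247, 94.130.25.247, 10.233.0.1, 127.0.0.1, 94.130.25.247, "
    "144.76.14.131, not 94.130.25.248"
)
CERT_SANS = [
    "kubernetes", "kubernetes.default", "kubernetes.default.svc",
    "kubernetes.default.svc.cluster.local", "10.233.0.1", "localhost",
    "127.0.0.1", "heku1", "heku4", "heku2",
    "94.130.24.247", "144.76.14.131", "94.130.24.248",
]
# Go's crypto/x509 reports a mismatch as "certificate is valid for <list>, not <host>".
X509_RE = re.compile(r"x509: certificate is valid for (?P<sans>.+), not (?P<host>\S+)")

def parse_x509_error(line):
    """Return (de-duplicated SANs in the served certificate, host that was rejected)."""
    m = X509_RE.search(line)
    if m is None:
        raise ValueError("not an x509 SAN mismatch message")
    served = list(dict.fromkeys(m.group("sans").split(", ")))
    return served, m.group("host")

def is_ip(value):
    try:
        return bool(ipaddress.ip_address(value))
    except ValueError:
        return False

def diagnose(line, cert_sans):
    """Compare what the certificate serves with what the kubeadm config asks for."""
    served, host = parse_x509_error(line)
    return {
        "rejected_host": host,
        "host_in_config": host in cert_sans,
        # In the certificate but absent from certSANs: config and cert have drifted.
        "served_not_in_config": [s for s in served if s not in cert_sans],
        # Configured IPs the certificate lacks: it was not reissued from this list.
        "config_ips_not_served": [s for s in cert_sans if is_ip(s) and s not in served],
    }

if __name__ == "__main__":
    for key, value in diagnose(KUBELET_ERROR, CERT_SANS).items():
        print(f"{key}: {value}")
```

On the data from the question it reports 94.130.25.247 as served but not configured, and 94.130.24.247 and 94.130.24.248 as configured but not served, so the certSANs list is worth checking against the node addresses before the certificate is regenerated.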
Source: https://stackoverflow.com/questions/54303469/kubelet-x509-certificate-is-valid-for-10-233-0-1-not-for-ip