Adding a domain name and a public IP to the k8s apiserver certificate (SANs)
Problem
k8s version: v1.14.3
The production cluster runs on an internal network and the apiserver now has to be reachable from the public internet. Accessing it through a kubeconfig file fails, because the serving certificate's Subject Alternative Name list contains neither the public IP nor the public domain name, and kubectl rejects a certificate that is not valid for the host it connected to:
# kubectl get node
Unable to connect to the server: x509: certificate is valid for k8s-master-01
Analysis
- Inspect the apiserver serving certificate (kubeadm keeps it at /etc/kubernetes/pki/apiserver.crt)
# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text
Look at the "X509v3 Subject Alternative Name" extension: DNS names appear as DNS:..., addresses as IP Address:... . The public IP and domain name are not listed, so they have to be added to the apiserver certificate by hand. Only this certificate is affected; the cluster CA and the client certificates in the kubeconfigs stay as they are.
Solution
- Back up the kubernetes directory
# cp -rf /etc/kubernetes /etc/kubernetes.bak
- Edit kubeadm.conf (the ClusterConfiguration passed to kubeadm init; if the original file is gone, kubeadm config view prints the copy stored in the cluster) and append the public IP and the public domain name to apiServer.certSANs. Keep the existing entries: the service IP, the node names and the in-cluster DNS names are what every other component verifies against, and dropping them breaks in-cluster access.
apiServer:
  timeoutForControlPlane: 4m0s
  certSANs:
  - "k8s-master-01.novalocal"
  - "k8s-master-02.novalocal"
  - "kubernetes"
  - "kubernetes.default"
  - "kubernetes.default.svc"
  - "kubernetes.default.svc.cluster.local"
  - "172.96.0.1"
  - "10.0.3.20"
  - "localhost"
  - "127.0.0.1"
  - "10.0.3.200"
  - "10.0.3.21"
  - "10.0.3.22"
  - "10.0.3.23"
  - "10.0.3.24"
  - "123.144.29.54"      # public IP
  - "kubeapi-sh.aaa.com" # public domain name
- Delete the old certificate and key. kubeadm does not overwrite an existing pair (it just reports that it is using the certificate already on disk), so this step is required:
rm -f /etc/kubernetes/pki/apiserver.crt
rm -f /etc/kubernetes/pki/apiserver.key
- Regenerate the certificate from the certSANs in the edited config. Only apiserver.crt and apiserver.key are created; the CA is untouched, so existing kubeconfigs remain valid:
kubeadm init phase certs apiserver --config=/etc/kubernetes/kubeadm.conf
- Restart the apiserver. kube-apiserver does not treat SIGHUP as a "reload certificates" signal: the signal terminates the process, and the kubelet restarts the static pod container, which reads the new files on start-up. The controller-manager and scheduler do not serve with this certificate, so restarting them is unnecessary but harmless.
sudo kill -s SIGHUP $(pidof kube-apiserver)
sudo kill -s SIGHUP $(pidof kube-controller-manager)
sudo kill -s SIGHUP $(pidof kube-scheduler)
systemctl restart kubelet
Afterwards, confirm the apiserver pod is back and that kubectl succeeds against https://kubeapi-sh.aaa.com:6443 with the external kubeconfig. Note that the certificate change only makes the connection verifiable; it does nothing to limit who can reach the apiserver. An apiserver exposed on a public IP should be restricted to known source addresses at the firewall or NAT, and the kubeadm-config ConfigMap should carry the new certSANs as well, otherwise a later kubeadm upgrade regenerates the certificate without them.
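The check, regeneration and verification steps above as one set of shell functions. This is an added example and not part of the original note; it assumes kubeadm's default layout (certificates in /etc/kubernetes/pki, static-pod manifests in /etc/kubernetes/manifests), that the edited ClusterConfiguration is /etc/kubernetes/kubeadm.conf, and that the v1.14 subcommand kubeadm init phase upload-config kubeadm is available to store the new certSANs in the cluster. The san_covers function goes slightly beyond the note: it also evaluates wildcard DNS SANs the way clients do, and only lets IP Address entries satisfy an IP host, which is why a DNS:10.0.3.99 entry does not help an address.

```shell
#!/bin/sh
# Added example (not from the original note): which hosts does the apiserver serving
# certificate cover, regenerate it from kubeadm.conf, and check what an external
# client actually sees. Assumed paths (override via environment):
PKI_DIR=${PKI_DIR:-/etc/kubernetes/pki}
MANIFESTS=${MANIFESTS:-/etc/kubernetes/manifests}
KUBEADM_CONF=${KUBEADM_CONF:-/etc/kubernetes/kubeadm.conf}

# Read a PEM certificate on stdin and print its SAN entries one per line in
# openssl's notation: "DNS:name" or "IP Address:addr".
parse_sans() {
    openssl x509 -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*//'
}
cert_sans()   { parse_sans < "$1"; }                                              # from a file
served_sans() { printf '' | openssl s_client -connect "$1" 2>/dev/null | parse_sans; }  # from a live host:port

# Return 0 if HOST ($1, an IPv4 literal or a DNS name) is covered by the
# newline-separated SAN list in $2. An IPv4 host only matches "IP Address:" entries,
# as in Go's verifier; a wildcard DNS SAN (*.example.com) covers exactly one label,
# so a.b.example.com and example.com are not covered by it.
san_covers() {
    host=$1
    case $host in
        *[!0-9.]*) want=DNS ;;            # anything but digits and dots: a name
        *)         want='IP Address' ;;   # IPv4 literal
    esac
    printf '%s\n' "$2" | {
        while IFS= read -r entry; do
            kind=${entry%%:*}             # "DNS" or "IP Address"
            value=${entry#*:}             # the name or address itself
            [ "$kind" = "$want" ] || continue
            case $value in
                "$host") exit 0 ;;
                \*.*)
                    suffix=${value#\*}    # ".example.com"
                    case $host in
                        *"$suffix")
                            label=${host%"$suffix"}   # what the "*" would have to match
                            case $label in ""|*.*) ;; *) exit 0 ;; esac ;;
                    esac ;;
            esac
        done
        exit 1                            # nothing matched
    }
}

# Print the hosts (arguments after the certificate path) the certificate does not
# cover; empty output means every host is already a SAN and nothing needs to change.
missing_sans() {
    cert=$1; shift
    sans=$(cert_sans "$cert")
    for h in "$@"; do
        san_covers "$h" "$sans" || echo "$h"
    done
}

# Regenerate apiserver.crt/.key from apiServer.certSANs in kubeadm.conf and restart
# the apiserver static pod. kubeadm keeps an existing pair, so it is removed first;
# the CA is untouched, so existing kubeconfigs keep working.
regenerate_apiserver_cert() {
    cp -a /etc/kubernetes "/etc/kubernetes.bak.$(date +%Y%m%d%H%M%S)"
    rm -f "$PKI_DIR/apiserver.crt" "$PKI_DIR/apiserver.key"
    kubeadm init phase certs apiserver --config="$KUBEADM_CONF"
    # Store the edited ClusterConfiguration in the kubeadm-config ConfigMap as well,
    # otherwise a later kubeadm upgrade regenerates the cert without the new SANs.
    kubeadm init phase upload-config kubeadm --config="$KUBEADM_CONF"
    # Move the manifest out and back: the kubelet stops the pod and re-creates it
    # with the new certificate files, which is cleaner than signalling the process.
    mv "$MANIFESTS/kube-apiserver.yaml" /tmp/kube-apiserver.yaml
    sleep 10
    mv /tmp/kube-apiserver.yaml "$MANIFESTS/kube-apiserver.yaml"
}

# Usage on a control-plane node, after editing certSANs in kubeadm.conf:
#   missing_sans "$PKI_DIR/apiserver.crt" 123.144.29.54 kubeapi-sh.aaa.com
#   regenerate_apiserver_cert
#   served_sans 123.144.29.54:6443     # must now list both the IP and the domain name
```

served_sans shows the certificate the apiserver actually presents on the public endpoint, which is the one kubectl verifies; if the local file has the new SANs but the served certificate does not, the static pod has not been restarted yet.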