kubernetes apiserver systemd service is not activate
Văd mai jos un mesaj de eroare când este pornit serverul kube-apiserver systemd.
nu poate valida certificat pentru 192.168.101.101 deoarece nu conține nici un IP SAN ". Reconectarea ...
Următorii sunt parametrii dați pentru binarul kube-apiserver.
kube_apiserver_params:
- "- admission-control = {{apiserver_admission_controllers | join (',')}}"
- " --advertise-address = 192.168.101.101 "
- " - allow-privileged = true "
- " - anonymous-auth = false "
- " - apiserver-count = 3 "
- " --audit-log-format = json "
- " - audit-log-maxsize = 100 "
- " - audit-log-path = / var / log / audit / kube_apiserver / kube-apiserver-audit .log "
- " - autorizare-mod = Nod, RBAC "
- " - bind-address = 192.168.101.101 "
- " - client-ca-file = / etc / openssl / ca. pem "
- " - enable-bootstrap-token-auth = true "
- " - etcd-cafile = / etc / etcd / ssl / ca.pem "
- " - etcd-certfile = / etc / etcd / ssl / etcd.pem "
- " --etcd-keyfile = / etc / etcd / ssl / etcd-key.pem "
- " --etcd-servers = https: // 192.168.101.101:2379[11101124["
- "--experimental-encryption-provider-config=/etc/kubernetes/ssl/secrets.conf"
- "--insecure-port=0"
- " --kubelet-certificate-Authority = / etc /openssl/ca.pem"
- "--kubelet-client-certificate=/etc/kubernetes/ssl/kubelet-server.pem"
- "--kubelet-client-key=/etc/kubernetes/ssl /kubelet-server-key.pem"
- "--kubelet-https=true"
- "--max-requests-inflight=1000"
- "--proxy-client-cert-file=/ etc / kubernetes / ssl / metrics.crt "
- " - proxy-client-key-file = / etc / kubernetes / ssl / metrics.key "
- " - requestheader-client-ca-file = / etc / openssl / ca.pem "
- " - requestheader-extra-headers-prefix = X-Remote-Extra - "
- " - requestheader-group-headers = X-Remote-Group "
- "--requestheader-username-headers = X-Remote-User"
- "- secure-port = 6443"
- "- service-account-key-file = / etc / kubernetes / ssl / service- account.pem "
- " - service-account-lookup = true "
- " - service-cluster-ip-range = 10.254.0.0 / 16 "
- " - tls-cert-file = /etc/kubernetes/ssl/tls-cert.pem"
- "--tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem"
- "--token-auth- file = token.csv "
Toate certificatele sunt create folosind mai jos openssl co nfigurare.
# cat /etc/openssl/node.conf
[req]
req_extensions = req_ext
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.101.101
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=critical,CA:FALSE
keyUsage=critical,nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth,serverAuth
subjectKeyIdentifier=hash
Ieșirea fișierului apiserver.pem.
# openssl x509 -noout -text -in apiserver.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f0:64:2c:27:6e:24:b1:15
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IN, ST = KA, L = Bangalore, O = NA, OU = MN, CN = ABCD
Validity
Not Before: May 6 21:48:04 2019 GMT
Not After : May 4 21:48:04 2024 GMT
Subject: CN = system:apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bd:4f:a9:ca:b4:0e:5c:99:d0:9e:8d:94:aa:85:
3b:ea:4b:74:2a:41:f1:ea:37:87:a4:1a:6b:89:00:
aa:c8:03:c8:cf:34:15:de:21:f6:26:6c:92:b2:5f:
5b:d9:0d:4f:f9:1f:67:1d:4b:6e:3d:84:76:60:28:
be:0d:33:64:92:3c:0b:ee:bd:4d:bd:3b:9a:1e:3d:
87:a8:3d:87:ae:d3:ea:ab:24:dc:46:6c:1d:99:72:
fc:4c:ca:89:fb:9d:68:9d:0a:2e:81:4e:b0:d4:c9:
47:96:60:22:e4:46:47:5f:f5:78:e0:34:15:b6:9e:
cd:b5:e1:4a:fc:5d:1d:2d:0b:b9:c2:cb:5c:71:50:
2b:9c:48:53:65:5b:70:af:04:c6:b7:ca:80:f7:f7:
b1:ee:ce:dc:ae:c4:28:d9:45:b0:87:2f:aa:92:84:
1c:5a:4e:e7:e8:23:c1:b0:63:a0:89:70:67:45:bc:
20:1a:8b:8b:8f:81:54:95:ae:8e:b1:4c:95:1c:15:
a1:52:c7:d1:a1:63:4a:8c:8e:c3:8d:ea:b6:40:e1:
cf:c8:13:90:ca:40:fc:60:f1:20:9e:85:b9:1a:45:
f7:08:eb:1a:f9:a6:f4:f9:1c:b3:a5:b3:09:7f:72:
73:87:fa:93:03:e3:d2:5d:ec:76:75:d2:95:af:76:
95:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:27:77:CC:16:D1:C3:40:D3:E8:29:49:59:34:30:30:EE:F3:7E:3B:8E
DirName:/C=IN/ST=KA/L=Bangalore/O=NA/OU=MN/CN=ABCD
serial:3A:1E:45:AB:A4:0E:B9:C0:28:81:AA:77:44:FF:4C:27:3D:63:0E:4F
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
4C:8E:91:B4:1F:A2:88:F8:4D:D5:F9:CE:2B:AA:07:7F:5D:95:F9:18
Signature Algorithm: sha256WithRSAEncryption
84:86:82:78:53:a7:f2:6a:a1:21:2b:d5:53:26:2d:c7:33:17:
7a:d4:33:70:be:36:50:42:aa:a0:52:5a:91:1d:0c:c2:31:72:
11:0b:56:31:27:c5:fa:dc:99:de:9d:db:02:69:5a:37:7c:0c:
8d:b9:7d:3d:75:c8:69:18:32:db:3a:f4:82:c1:3e:7e:e6:b5:
fc:0f:3b:bd:e3:0f:1c:b0:e2:33:fe:e4:99:e7:df:9a:1e:68:
41:8e:b0:16:56:18:8b:7c:14:50:d5:08:ec:96:61:03:55:19:
51:48:8d:17:a0:b9:90:6e:e3:ca:c7:de:75:b5:22:84:f2:4d:
0e:e4:c6:fa:4e:25:f5:20:68:03:ae:5c:43:a8:ce:9e:0e:fe:
e0:c7:ab:16:f1:87:fc:a9:d3:4a:f6:41:90:51:f7:57:01:34:
6f:aa:8f:a4:5d:9c:4c:1e:8d:97:8f:e7:66:5c:3e:dd:b3:83:
f0:84:74:26:37:8b:c4:e2:a6:66:89:ef:db:30:8e:1f:4b:85:
ee:0a:52:46:0c:50:6f:8e:97:68:89:63:60:0e:cc:e6:f2:73:
e8:f4:16:34:37:c3:3e:63:d2:7d:c7:cb:2d:1f:ae:05:e0:30:
0d:ea:af:6a:0f:89:35:cc:1f:6a:af:2b:19:5a:eb:45:1b:24:
b2:ad:fc:71
Nu am multe cunoștințe despre generarea certificatelor și este prima dată când configurez, Ar putea cineva să clarifice ce îmi lipsește?
0
задан sandeep nagendra
14 October 2019 в 22:57
Ссылка
1 ответ
Фактически, ваш сертификат не имеет расширения subjectAltName (в разделе «Расширения X509v3»). Вы ссылаетесь на раздел alt_names в разделе v3_req в openssl.cnf , который может или не может быть эффективным, в зависимости от того, как вы создавали сертификат. . Я бы посоветовал найти лучший источник инструкций по созданию сертификата, содержащего расширение subjectAltName.
0