Fixing "Unable to connect to the server: x509: certificate is valid for ..."
This article was last updated on 2024-07-21; its content may be out of date.
Cause:
The cluster's kube-apiserver has to be reachable from the public internet so that Alibaba Cloud's hosted Yunxiao (云效) CI/CD can use it. When the cluster was deployed, the certificates were issued with apiserver-advertise-address=172.16.10.185, the node's internal address. By default the cluster CA created by kubeadm issues an apiserver serving certificate whose Subject Alternative Names cover only the internal IP, the service cluster IP, and the names kubernetes, kubernetes.default, kubernetes.default.svc and kubernetes.default.svc.cluster.local; the machine's public IP is not included. kubectl verifies the server certificate against the address it connected to, so admin.conf cannot be used through the NAT-mapped public address: the connection fails with Unable to connect to the server: x509: certificate is valid for XX.XX.XX.XX (the error goes on to list the SANs the certificate does contain and the address that is missing).
Solution:
First list every address that is written into the certificate's Subject Alternative Name (SAN) extension:
```
cd /etc/kubernetes/pki
openssl x509 -noout -text -in apiserver.crt
```
```
[root@master pki]# openssl x509 -noout -text -in apiserver.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1783001947581901794 (0x18be7ed31772ebe2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: Apr 30 06:31:34 2024 GMT
            Not After : Apr 30 07:49:47 2025 GMT
        Subject: CN = kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c2:4b:42:1a:2f:96:84:c2:c2:c0:5d:2d:b6:11:
                    10:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:F0:DC:B1:59:35:FE:D9:6A:B6:FC:D9:2C:6B:F9:09:46:C0:11:88:02
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:master, IP Address:10.96.0.1, IP Address:172.16.10.185
    Signature Algorithm: sha256WithRSAEncryption
         a1:a3:b0:41:97:cf:cd:4a:4f:45:16:6b:29:46:a9:f5:8b:ec:
         a3:6a:af:45:ba:16:57:6d:ce:ea:85:c4:92:e0:82:c6:cf:5e:
         d6:79:93:c8:ed:e4:3d:10:9f:34:a0:07:a4:90:2a:f9:bd:d3:
         ba:ea:98:3d:4e:46:2d:e2:ba:28:da:98:36:a5:dd:57:85:4f:
         0a:e3:fb:06:bc:19:c6:e4:63:83:a0:aa:74:7d:c4:b1:a6:6b:
         1b:e5:fa:99:25:09:c2:2b:e4:b8:ad:f7:95:08:9e:d6:c6:9b:
         14:97:a3:6d:a1:61:90:40:3f:53:26:c2:39:52:7a:9a:1c:46:
         2a:9a:af:a6
```
The X509v3 Subject Alternative Name line is the one that matters: the public IP is not in it.
Delete the current apiserver certificate and key (copy them somewhere safe first so the step can be undone):
```
rm /etc/kubernetes/pki/apiserver.*
```
Generate a new apiserver certificate and key. Keep --apiserver-advertise-address at the original internal IP, so that the addresses the cluster already uses stay in the certificate, and pass the public IP (and any DNS name) as extra SANs. Note that --apiserver-cert-extra-sans takes a comma-separated list, not space-separated values:
```
kubeadm init phase certs apiserver --apiserver-advertise-address ${original advertise IP} \
  --apiserver-cert-extra-sans ${master public IP}
```
:::tips
Adding a new IP and a domain name at the same time:
--apiserver-cert-extra-sans 222.222.222.1,k8s.srebro.cn
:::
```
kubeadm init phase certs apiserver --apiserver-advertise-address 172.16.10.185 \
  --apiserver-cert-extra-sans 222.222.222.1,k8s.srebro.cn
```
Caveat: the SANs given this way live only in the certificate. kubeadm recommends keeping certificate attributes and the ClusterConfiguration in the kubeadm-config ConfigMap (kube-system namespace) in sync, so add the same addresses to apiServer.certSANs there as well; otherwise anything that issues the serving certificate from that configuration (for example a control-plane node that joins later) will not include them and the error will come back.
Refresh admin.conf:
```
kubeadm alpha certs renew admin.conf
```
On kubeadm 1.20 and later the command is kubeadm certs renew admin.conf (the alpha alias was deprecated and later removed). Strictly speaking this step is optional here: the cluster CA did not change, so the client certificate embedded in admin.conf still works against the new serving certificate. What access from outside does need is a kubeconfig whose server: URL uses the public IP or DNS name just added, and that exposed port should be restricted by security group or firewall to the Yunxiao egress addresses rather than left open to the whole internet.
Restart the apiserver (docker restart <container id>); the running static pod does not reload the certificate files on its own:
```
[root@master kubernetes]# docker ps | grep kube-apiserver
48d0dd6c9b37 2b5e9c96248f "kube-apiserver --ad…" 4 hours ago Up 4 hours k8s_kube-apiserver_kube-apiserver-master_kube-system_4a6f3f9b4b82ec73b37c8aea4a24e017_1
[root@master kubernetes]# docker restart 48d0dd6c9b37
```
If the node runs containerd instead of Docker, find the container with crictl ps | grep kube-apiserver and stop it with crictl stop <id>; the kubelet recreates the static pod's container, which then reads the new certificate. Afterwards, run the openssl command from above again and confirm that the public address now appears in the Subject Alternative Name list.
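The whole procedure above, as an added example that is not code from the original post: a script that parses the SAN list out of the openssl output, checks whether a given IP or DNS name is covered (type-aware, the way x509 verification actually matches, so a DNS entry never satisfies an IP connection), and only then regenerates the certificate with kubeadm and bounces the static pod. It generalizes the post slightly by backing the old files up instead of deleting them and by supporting either Docker or containerd. The PKI directory, the use of docker or crictl on the node, and the sample certificate text embedded for testing are assumptions of this example, not details from the post.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes a kubeadm cluster
# with certificates in /etc/kubernetes/pki and docker or crictl on the node.
set -eu

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"

# san_entries: read `openssl x509 -noout -text` output on stdin and print each
# Subject Alternative Name entry on its own line, e.g. "DNS:kubernetes" or
# "IP Address:172.16.10.185". Prints nothing if the certificate has no SANs.
san_entries() {
  awk '
    found { sub(/^[ \t]+/, ""); n = split($0, a, /, */); for (i = 1; i <= n; i++) print a[i]; exit }
    /X509v3 Subject Alternative Name/ { found = 1 }
  '
}

# san_type ADDRESS: "IP" for an IPv4/IPv6 literal, "DNS" otherwise. The type
# matters: a DNS:1.2.3.4 entry does not satisfy a client that connected to 1.2.3.4.
san_type() {
  case "$1" in
    *:*)       echo IP ;;   # IPv6 literal
    *[!0-9.]*) echo DNS ;;  # anything besides digits and dots is a host name
    *)         echo IP ;;   # IPv4 literal
  esac
}

# cert_covers ADDRESS: exit 0 if ADDRESS appears, with the matching type, among
# the SAN entries read from stdin. Matching is exact, as in x509 verification.
cert_covers() {
  local want="$1" type entry
  type="$(san_type "$want")"
  while IFS= read -r entry; do
    case "$type:$entry" in
      "IP:IP Address:$want" | "DNS:DNS:$want") return 0 ;;
    esac
  done
  return 1
}

# regen_apiserver_cert ADVERTISE_IP SAN...: back up the current cert and key,
# reissue the serving cert with kubeadm (extra SANs are comma-separated), then
# restart the static kube-apiserver container so it loads the new files.
regen_apiserver_cert() {
  local advertise="$1"; shift
  local extra backup
  extra="$(IFS=,; printf '%s' "$*")"
  backup="$PKI_DIR/backup-$(date +%Y%m%d%H%M%S)"
  mkdir -p "$backup"
  mv "$PKI_DIR"/apiserver.crt "$PKI_DIR"/apiserver.key "$backup"/
  kubeadm init phase certs apiserver \
    --apiserver-advertise-address "$advertise" \
    --apiserver-cert-extra-sans "$extra"
  if command -v crictl >/dev/null 2>&1; then
    # the kubelet recreates the static pod's container once it is stopped
    crictl stop "$(crictl ps --name kube-apiserver -q)"
  else
    docker restart "$(docker ps -q --filter name=k8s_kube-apiserver)"
  fi
  # show the resulting SAN list so the operator can confirm the new address
  openssl x509 -noout -text -in "$PKI_DIR/apiserver.crt" | san_entries
}

# Constructed sample (not a real certificate) of the relevant part of
# `openssl x509 -text` output, mirroring the SAN list shown in the post, so the
# parser can be exercised without a cluster.
SAMPLE_CERT_TEXT='            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:master, IP Address:10.96.0.1, IP Address:172.16.10.185
    Signature Algorithm: sha256WithRSAEncryption'

# Usage:  ./apiserver-sans.sh check 222.222.222.1 k8s.srebro.cn
#         ./apiserver-sans.sh regen 172.16.10.185 222.222.222.1 k8s.srebro.cn
case "${1:-}" in
  check)
    shift
    for addr in "$@"; do
      if openssl x509 -noout -text -in "$PKI_DIR/apiserver.crt" | san_entries | cert_covers "$addr"; then
        echo "ok       $addr"
      else
        echo "MISSING  $addr"
      fi
    done ;;
  regen) shift; regen_apiserver_cert "$@" ;;
esac
```

Run check first with every address the CI system will connect to; only run regen when something is reported MISSING, and remember to mirror the same addresses into apiServer.certSANs of the kubeadm ClusterConfiguration so later re-issues keep them.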
This is an original article published under the CC BY-NC-ND 4.0 license; when reposting it in full, credit 运维小弟.