kubectl exec reports x509: certificate is not valid for any names #1225

Closed
surel9 opened this issue Feb 2, 2023 · 14 comments

surel9 commented Feb 2, 2023

Kubeasz Version:3.3.3
Kubernetes Version:1.24.10
ContainerRuntime:containerd 1.6.14
OS To Ubuntu: 20.04.5

Running kubectl exec on the kubeasz node to get into a container reports [Error from server: error dialing backend: x509: certificate is not valid for any names, but wanted to match worker-02]

@surel9 surel9 changed the title from "kubectl exec reports 向09" to "kubectl exec reports x509: certificate is not valid for any names" Feb 2, 2023
@surel9 surel9 closed this as completed Feb 2, 2023
@surel9 surel9 closed this as not planned Won't fix, can't repro, duplicate, stale Feb 2, 2023
@surel9 surel9 reopened this Feb 2, 2023

wxh512 commented Feb 3, 2023

Kubeasz Version:3.4.4
Kubernetes Version:1.25.6
ContainerRuntime:containerd 1.6.14
OS To Centos: 7.9
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
Error from server: error dialing backend: x509: certificate is not valid for any names, but wanted to match worker-01

Collaborator

gjmzj commented Feb 5, 2023

Was there anything unusual about the installation steps? Please post how you installed it, or the steps to reproduce.

Collaborator

gjmzj commented Feb 5, 2023

Was there anything unusual about the installation steps? Please post how you installed it, or the steps to reproduce.


wangxian776 commented Feb 5, 2023

I ran into the same problem. Version information:
Kubeasz Version:3.5.1
Kubernetes Version:1.26.1
ContainerRuntime:containerd 1.6.14
OS Ubuntu: 20.04

I tried modifying the kubelet certificate signing request file for the node:

root@master-01:~# cat /etc/kubeasz/roles/kube-node/templates/kubelet-csr.json.j2
{
  "CN": "system:node:{{ K8S_NODENAME }}",
  "hosts": [
    "127.0.0.1",
    "{{ inventory_hostname }}",
    "{{ K8S_NODENAME }}"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "HangZhou",
      "L": "XS",
      "O": "system:nodes",
      "OU": "System"
    }
  ]
}

Then I cleaned up the previous certificates and redeployed the environment. Now kubectl exec can get into the Pod. Hope this helps.

Collaborator

gjmzj commented Feb 6, 2023

How can it be reproduced? Please post the steps you took.

Collaborator

gjmzj commented Feb 6, 2023

Could you post the steps to reproduce? I have not been able to reproduce it in my own environment.

@wangxian776

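I just followed the normal steps to install it. Here are the installation steps, along with the hosts file and the config.yml file; please take a look.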

 ./ezctl setup cluster-1 01
 ./ezctl setup cluster-1 02
 ./ezctl setup cluster-1 03
 ./ezctl setup cluster-1 04
 ./ezctl setup cluster-1 04
 ./ezctl setup cluster-1 05
 ./ezctl setup cluster-1 06
 ./ezctl setup cluster-1 07

kubectl run client-pod --image=ubuntu:20.04 --command -- sleep 3600
kubectl exec -it pods/client-pod -- bash

config-file.zip

Collaborator

gjmzj commented Feb 6, 2023

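Thanks, I have reproduced the problem myself. The temporary workaround takes two steps: 1. add name resolution entries to /etc/hosts; 2. modify the kubelet certificate signing request file for the node: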

root@master-01:~# cat /etc/kubeasz/roles/kube-node/templates/kubelet-csr.json.j2
{
  "CN": "system:node:{{ K8S_NODENAME }}",
  "hosts": [
    "127.0.0.1",
    "{{ inventory_hostname }}",
    "{{ K8S_NODENAME }}"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "HangZhou",
      "L": "XS",
      "O": "system:nodes",
      "OU": "System"
    }
  ]
}

I will release a fixed version as soon as possible.
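
Added example, not part of the original thread or of kubeasz: a Go sketch of why the error appears and why adding the node name to the CSR "hosts" list clears it. Go's x509 hostname check reports "certificate is not valid for any names" when the certificate carries no DNS SANs at all. The helper name issueAndVerify and the address 192.0.2.12 are constructed for illustration, and that the failing certificate carried only IP SANs is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueAndVerify self-signs a kubelet-style certificate whose SANs come from hosts
// (the CSR "hosts" list) and returns what a Go TLS client gets for nodeName.
func issueAndVerify(hosts []string, nodeName string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "system:node:" + nodeName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	for _, h := range hosts { // IP literals become IP SANs, the rest DNS SANs
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(nodeName) // only SANs are matched, never the CN
}

func main() {
	// Constructed sample values: 192.0.2.12 stands in for the node's inventory IP.
	fmt.Println(issueAndVerify([]string{"127.0.0.1", "192.0.2.12"}, "worker-02"))
	fmt.Println(issueAndVerify([]string{"127.0.0.1", "192.0.2.12", "worker-02"}, "worker-02"))
}
```

The first call returns the same error text quoted in this issue; the second returns nil because the node name is now present as a DNS SAN.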

Collaborator

gjmzj commented Feb 6, 2023

Fixed in a5b012e


wxh512 commented Feb 13, 2023

Kubeasz Version:3.5.2
Kubernetes Version:1.26.1
ContainerRuntime:containerd 1.6.14
OS To Centos: 7.9

-- The start-up result is done.
Feb 08 19:01:25 master-01 sshd[7153]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 08 19:01:28 master-01 kube-apiserver[7146]: W0208 19:01:28.678558 7146 logging.go:59] [core] [Channel #3 SubChannel #5] grpc: addrConn.createTransport failed to connect to {
Feb 08 19:01:28 master-01 kube-apiserver[7146]: "Addr": "192.168.176.130:2379",
Feb 08 19:01:28 master-01 kube-apiserver[7146]: "ServerName": "192.168.176.130",
Feb 08 19:01:28 master-01 kube-apiserver[7146]: "Attributes": null,
Feb 08 19:01:28 master-01 kube-apiserver[7146]: "BalancerAttributes": null,
Feb 08 19:01:28 master-01 kube-apiserver[7146]: "Type": 0,
Feb 08 19:01:28 master-01 kube-apiserver[7146]: "Metadata": null
Feb 08 19:01:28 master-01 kube-apiserver[7146]: }. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time
Feb 08 19:01:28 master-01 etcd[3608]: {"level":"warn","ts":"2023-02-08T19:01:28.678+0800","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"192.168.176.130:5
Feb 08 19:01:29 master-01 kube-apiserver[7146]: W0208 19:01:29.059553 7146 logging.go:59] [core] [Channel #4 SubChannel #6] grpc: addrConn.createTransport failed to connect to {
Feb 08 19:01:29 master-01 kube-apiserver[7146]: "Addr": "192.168.176.130:2379",
Feb 08 19:01:29 master-01 kube-apiserver[7146]: "ServerName": "192.168.176.130",
Feb 08 19:01:29 master-01 kube-apiserver[7146]: "Attributes": null,
Feb 08 19:01:29 master-01 kube-apiserver[7146]: "BalancerAttributes": null,
Feb 08 19:01:29 master-01 kube-apiserver[7146]: "Type": 0,
Feb 08 19:01:29 master-01 kube-apiserver[7146]: "Metadata": null
Feb 08 19:01:29 master-01 kube-apiserver[7146]: }. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time
Feb 08 19:01:29 master-01 etcd[3608]: {"level":"warn","ts":"2023-02-08T19:01:29.059+0800","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"192.168.176.130:5
Feb 08 19:01:30 master-01 etcd[3608]: {"level":"warn","ts":"2023-02-08T19:01:30.163+0800","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"192.168.176.130:5
Feb 08 19:01:30 master-01 kube-apiserver[7146]: W0208 19:01:30.163907 7146 logging.go:59] [core] [Channel #1 SubChannel #2] grpc: addrConn.createTransport failed to connect to {
Feb 08 19:01:30 master-01 kube-apiserver[7146]: "Addr": "192.168.176.130:2379",
Feb 08 19:01:30 master-01 kube-apiserver[7146]: "ServerName": "192.168.176.130",
Feb 08 19:01:30 master-01 kube-apiserver[7146]: "Attributes": null,
Feb 08 19:01:30 master-01 kube-apiserver[7146]: "BalancerAttributes": null,
Feb 08 19:01:30 master-01 kube-apiserver[7146]: "Type": 0,
Feb 08 19:01:30 master-01 kube-apiserver[7146]: "Metadata": null
Feb 08 19:01:30 master-01 kube-apiserver[7146]: }. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time
Feb 08 19:01:32 master-01 kube-apiserver[7146]: E0208 19:01:32.983306 7146 run.go:74] "command failed" err="context deadline exceeded"
Feb 08 19:01:32 master-01 systemd[1]: kube-apiserver.service: main process exited, code=exited, status=1/FAILURE
Feb 08 19:01:33 master-01 systemd[1]: Failed to start Kubernetes API Server.
-- Subject: Unit kube-apiserver.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit kube-apiserver.service has failed.

-- The result is failed.
Feb 08 19:01:33 master-01 systemd[1]: Unit kube-apiserver.service entered failed state.
Feb 08 19:01:33 master-01 systemd[1]: kube-apiserver.service failed.

This problem occurred while installing the master.


wxh512 commented Feb 13, 2023

> Fixed in a5b012e

Please help take a look at this problem; it occurred while installing the master with version 3.5.2.

Collaborator

gjmzj commented Feb 16, 2023

> Feb 08 19:01:30 master-01 kube-apiserver[7146]: }. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time

@wxh512 The message already tells you what the problem is. This is probably because the time is not synchronized between the nodes.

@github-actions

This issue is stale because it has been open for 30 days with no activity.

@github-actions github-actions bot added the stale label Mar 18, 2023
@github-actions

This issue was closed because it has been inactive for 14 days since being marked as stale.
