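Problem description
While working through the networking chapter of the book "Play with Kubernetes in Five Minutes a Day" (《每天五分鐘玩轉Kubernetes》), one experiment deploys the canal network to demonstrate Network Policy. Because I had originally built the k8s cluster with the Calico network (Calico also supports Network Policy, but I switched anyway to stay consistent with the tutorial), I re-initialized the master here to switch networks.
Following the book's instructions, I carried out the steps below:
1. First, run kubeadm reset on every node of the k8s cluster to destroy the current cluster.
2. On the k8s master, run the following command to re-initialize the master: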
kubeadm init --kubernetes-version=v1.14.0 --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=10.0.0.101
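Following the steps used when the k8s cluster was first installed, after initializing the master I again ran the three commands below on the master to configure kubectl (the book does not mention this step at this point and only says to run init again, so I ran them with some trepidation):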
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
3. Then run the canal deployment commands:
kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/canal.yaml
Running the first command then produced an error:
[root@k8smaster ~]# kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
unable to recognize "https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/rbac.yaml": Get https://10.0.0.101:6443/api?timeout=32s: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
unable to recognize "https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/rbac.yaml": Get https://10.0.0.101:6443/api?timeout=32s: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
unable to recognize "https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/rbac.yaml": Get https://10.0.0.101:6443/api?timeout=32s: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
unable to recognize "https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/rbac.yaml": Get https://10.0.0.101:6443/api?timeout=32s: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
[root@k8smaster ~]#
I tried listing the nodes and got the same error:
[root@k8smaster ~]# kubectl get nodes
Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
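Solution
As a k8s beginner I could not make sense of this error and did not know the cause, so I turned to Google.
An issue on GitHub describing a similar problem has an answer: (link: https://github.com/kubernetes/kubernetes/issues/48378 )
That made me think the old $HOME/.kube directory might conflict with the new one, so I tried deleting the old directory and configuring kubectl again (the linked issue lists some other fixes to try; the one used here is rather blunt):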
[root@k8smaster ~]# rm -rf $HOME/.kube
# Reconfigure kubectl:
[root@k8smaster ~]# mkdir -p $HOME/.kube
[root@k8smaster ~]# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@k8smaster ~]# sudo chown $(id -u):$(id -g) $HOME/.kube/config
After that I ran the canal deployment commands again, and they succeeded:
[root@k8smaster ~]# kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
clusterrole.rbac.authorization.k8s.io/calico created
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/canal-flannel created
clusterrolebinding.rbac.authorization.k8s.io/canal-calico created
[root@k8smaster ~]# kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/canal.yaml
configmap/canal-config created
daemonset.extensions/canal created
serviceaccount/canal created
customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
[root@k8smaster ~]#
The command to list nodes works again too:
[root@k8smaster ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8smaster Ready master 27m v1.14.0
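After the worker node was rejoined to the cluster (one master, one worker), I checked the network again; it had switched to canal successfully: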
[root@k8smaster ~]# kubectl get --namespace=kube-system daemonset canal
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
canal 2 2 2 2 2 beta.kubernetes.io/os=linux 46m
[root@k8smaster ~]#
[root@k8smaster ~]#
[root@k8smaster ~]# kubectl get --namespace=kube-system pod -o wide|grep canal
canal-xwbps 3/3 Running 0 46m 10.0.0.101 k8smaster <none> <none>
canal-zwfqj 3/3 Running 0 2m5s 10.0.0.102 k8snode01 <none> <none>
[root@k8smaster ~]#
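Added example (not part of the original post): kubeadm init generates a new cluster CA, while cp -i asks before overwriting an existing $HOME/.kube/config, so a kubeconfig left over from the previous cluster can keep trusting the old CA and fail with the x509 error shown above. The check below compares the CA embedded in a kubeconfig with a CA file; the function names and the fixture (placeholder files, not real certificates) are constructed for illustration, and it assumes the CA is embedded as certificate-authority-data, as in kubeadm's admin.conf.

```shell
#!/bin/sh
# Added example: detect a kubeconfig that still embeds the CA of a cluster
# that "kubeadm reset" destroyed. Assumes the kubeconfig carries the CA as
# certificate-authority-data (base64 of the CA file's bytes).

# Print the decoded CA embedded in a kubeconfig (first cluster entry only).
kubeconfig_ca() {
    sed -n 's/^[[:space:]]*certificate-authority-data:[[:space:]]*//p' "$1" |
        head -n 1 | tr -d '\r' | base64 -d
}

digest() { sha256sum | cut -d' ' -f1; }

# Prints match | stale | no-embedded-ca | unreadable; returns 0 only on match.
check_kubeconfig_ca() {
    cfg=$1 ca=$2
    [ -r "$cfg" ] && [ -r "$ca" ] || { echo unreadable; return 2; }
    grep -q 'certificate-authority-data:' "$cfg" || { echo no-embedded-ca; return 3; }
    if [ "$(kubeconfig_ca "$cfg" | digest)" = "$(digest < "$ca")" ]; then
        echo match
    else
        echo stale; return 1
    fi
}

# write_kubeconfig CA_FILE OUT_FILE: minimal kubeconfig embedding CA_FILE.
write_kubeconfig() {
    printf 'apiVersion: v1\nclusters:\n- cluster:\n    certificate-authority-data: %s\n    server: https://10.0.0.101:6443\n  name: kubernetes\n' \
        "$(base64 < "$1" | tr -d '\n')" > "$2"
}

# Constructed fixture: placeholder "CA" files stand in for the cluster CA
# before and after kubeadm init was run again. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    printf 'constructed CA of the old cluster\n' > "$dir/old-ca.crt"
    printf 'constructed CA of the new cluster\n' > "$dir/ca.crt"
    write_kubeconfig "$dir/old-ca.crt" "$dir/stale-config"
    write_kubeconfig "$dir/ca.crt" "$dir/fresh-config"
    echo "$dir"
}

fixture=$(make_fixture)
check_kubeconfig_ca "$fixture/stale-config" "$fixture/ca.crt" || true
check_kubeconfig_ca "$fixture/fresh-config" "$fixture/ca.crt"
rm -rf "$fixture"
```

On a kubeadm master the same check would be check_kubeconfig_ca "$HOME/.kube/config" /etc/kubernetes/pki/ca.crt, where /etc/kubernetes/pki/ca.crt is kubeadm's default CA location.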