OpenShift raised the following alert:
Kubernetes API certificate is expiring in less than 7 days
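It was not clear which expiring certificate triggered the alert. I also looked through some material online (https://github.com/kubernetes/kubernetes/issues/89611).
In the end it was resolved as follows, with reference to (https://docs.openshift.com/container-platform/3.11/install_config/redeploying_certificates.html):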
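- Check whether any CSRs have not been approved; approve all that have not.
    # check whether there are any pending CSRs
    oc get csr | grep Pending
    # bulk-approve all pending CSRs
    oc get csr | grep Pending | awk '{print $1}' | xargs oc adm certificate approve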
- Run the following commands. The results are saved as HTML and JSON files under /root; check whether they show any expired certificates and, if so, renew them by following the link above.
    cd /usr/share/ansible/openshift-ansible
    ansible-playbook -i /etc/ansible/hosts -vv /usr/share/ansible/openshift-ansible/playbooks/openshift-checks/certificate_expiry/easy-mode.yaml
The problem this time was resolved after approving all CSRs, but the alert can also be triggered by an expired client certificate; for details see https://access.redhat.com/support/cases/#/case/02601626
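
The bulk approval in the first step, narrowed so that only Pending CSRs from expected requestors are selected and anything else is listed for manual review. This is an added example, not from the original post; the `oc get csr` column layout (NAME AGE REQUESTOR CONDITION) and the requestor pattern are assumptions to adjust for your cluster.

```shell
#!/bin/sh
# Added example: choose which Pending CSRs to approve instead of approving all.
# Assumed column layout of `oc get csr`: NAME AGE REQUESTOR CONDITION.

# Requestors expected to submit node CSRs (assumption, adjust per cluster):
# node identities and the node bootstrapper service account.
ALLOWED_REQUESTORS='^(system:node:[A-Za-z0-9._-]+|system:serviceaccount:openshift-infra:node-bootstrapper)$'

# Reads `oc get csr` output on stdin; prints names of Pending CSRs
# whose requestor matches the allowlist.
pending_trusted_csrs() {
    awk -v allow="$ALLOWED_REQUESTORS" '
        NR == 1 && $1 == "NAME" { next }            # skip the header row
        $NF == "Pending" && $3 ~ allow { print $1 }
    '
}

# Reads the same input; prints "name requestor" for Pending CSRs from
# any other requestor so they can be reviewed by hand.
pending_untrusted_csrs() {
    awk -v allow="$ALLOWED_REQUESTORS" '
        NR == 1 && $1 == "NAME" { next }
        $NF == "Pending" && $3 !~ allow { print $1 " " $3 }
    '
}

# Constructed sample output (not taken from a real cluster).
SAMPLE_CSRS='NAME        AGE   REQUESTOR                                                 CONDITION
csr-aaaaa   2d    system:node:node1.example.com                             Approved,Issued
csr-bbbbb   5m    system:node:node2.example.com                             Pending
node-csr-c  4m    system:serviceaccount:openshift-infra:node-bootstrapper   Pending
csr-ddddd   3m    system:serviceaccount:default:builder                     Pending'

echo "Would approve:"
printf '%s\n' "$SAMPLE_CSRS" | pending_trusted_csrs
echo "Needs review:"
printf '%s\n' "$SAMPLE_CSRS" | pending_untrusted_csrs
```

On a cluster, feed it live output instead of the sample: `oc get csr | pending_trusted_csrs | xargs oc adm certificate approve`.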
Notes:
- The content of easy-mode.yaml is shown below; it can be obtained from the link above.
    ---
    # This example playbook is great if you're just wanting to try the
    # role out.
    #
    # This example enables HTML and JSON reports
    #
    # All certificates (healthy or not) are included in the results
    - name: Initialize facts
      import_playbook: ../../init/main.yml
      vars:
        l_init_fact_hosts: nodes:masters:etcd
        l_openshift_version_set_hosts: nodes:masters:etcd

    - name: Check cert expirys
      hosts: nodes:masters:etcd
      vars:
        openshift_certificate_expiry_save_json_results: yes
        openshift_certificate_expiry_generate_html_report: yes
        openshift_certificate_expiry_show_all: yes
      roles:
        - role: openshift_certificate_expiry
- Enable automatic CSR approval
    # change into the /etc/ansible directory
    cd /etc/ansible
    # edit the hosts file
    vi hosts
    # add this setting to the hosts file
    openshift_master_bootstrap_auto_approve=true