Openshift 4.4 -不能'oc日志\exec‘荚运行在工作节点上
Openshift 4.4 -不能'oc日志\exec‘荚运行在工作节点上
提问于 2021-02-28 16:34:07
Openshift 4.4.17集群(3个主服务器和3个工作人员)。
当试图查看在工作节点上运行的那些吊舱上的日志(或exec终端)时出错。Openshift GUI也是如此。在尝试对主节点上运行的荚执行同样的操作时,没有问题。
示例1:在worker上运行的pods
$ oc whoami
kube:admin
$ oc get pod -n lamp
NAME READY STATUS RESTARTS AGE
lamp-lamp-6c7d9f467d-jsn4t 3/3 Running 0 108d
$ oc logs lamp-lamp-6c7d9f467d-jsn4t httpd -n lamp
error: You must be logged in to the server (the server has asked for the client to provide credentials ( pods/log lamp-lamp-6c7d9f467d-jsn4t))示例2:在主节点上运行的
$ oc get pod -n openshift-apiserver
NAME READY STATUS RESTARTS AGE
apiserver-6d64545f-5lmb8 1/1 Running 0 2d19h
apiserver-6d64545f-hktqd 1/1 Running 0 2d19h
apiserver-6d64545f-kb4qt 1/1 Running 0 2d19h
$ oc logs apiserver-6d64545f-5lmb8 -n openshift-apiserver
Copying system trust bundle
I0225 20:41:39.989689 1 requestheader_controller.go:243] (..output omitted..)调查工作节点上的kubelet:
在每个工作节点上,kubelet服务正在运行,但是
journalctl -u kubelet 显示这两行:
Unable to authenticate the request due to an error: x509: certificate signed by unknown authority
logging error output: "Unauthorized"关于工人节点上的kubeconfig的:
查看/etc/kubernetes/kubeconfig文件的内容。
- kubelet connects to api-server --> https://api-int.ocs-cls1.mycompany.lab
- the server passes valid certificate signed by --> kube-apiserver-lb-signer
- certificate-authority-data carries --> kube-apiserver-lb-signer rootCA库比孔图看起来是正确的。
更新:
还注意到这些日志行报告了错误的证书:
$ oc -n openshift-apiserver logs apiserver-6d64545f-5lmb8
log.go:172] http: TLS handshake error from 10.128.0.12:47078: remote error: tls: bad certificate
...UPDATE2:
还检查了apiserver-循环-客户端证书:
$ curl --resolve apiserver-loopback-client:6443:{IP_MASTER} -v -k https://apiserver-loopback-client:6443/healthz
server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: apiserver-loopback-client@1614330374 (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=apiserver-loopback-client@1614330374
* start date: Fri, 26 Feb 2021 08:06:13 GMT
* expire date: Sat, 26 Feb 2022 08:06:13 GMT
* issuer: CN=apiserver-loopback-client-ca@1614330374回答 1
Stack Overflow用户
发布于 2021-06-09 11:46:16
尝尝这个
while :;do
sleep 2
oc get csr -o name | xargs -r oc adm certificate approve
done使用另一个终端,并对任意主节点执行ssh,运行以下命令:
crictl ps -a | awk '/Running/&&/-cert-syncer/{print $1}' | xargs -r crictl stop页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/66411328
复制相关文章
相似问题
腾讯云开发者
