K8s: fixing the "The connection to the server 192.168.56.120:6443 was refused" error

2024/10/18 10:17:47


  • Background
  • Environment
  • Deployment
  • Reproducing the problem
  • Troubleshooting
    • Basic environment checks
    • Component checks
  • Root cause
  • Solution
    • Install the Go toolchain
    • Download the k8s source
    • Change the CA validity
    • Change the certificate validity
    • Build kubeadm
    • Renew the certificates
    • Verify the result

Background

I have a 3-node k8s cluster deployed with kubeadm on local virtual machines. It had not been used for a long time; today, after logging in, every kubectl command failed with "The connection to the server 192.168.56.120:6443 was refused - did you specify the right host or port?". The whole troubleshooting and fixing process is shared below.

Environment

The operating system and k8s cluster versions are shown below.

[root@k8s-master][/usr/local]
$cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
[root@k8s-master][/usr/local]
$kubectl version
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.0", GitCommit:"ab69524f795c42094a6630298ff53f3c3ebab7f4", GitTreeState:"clean", BuildDate:"2021-12-07T18:16:20Z", GoVersion:"go1.17.3", Compiler:"gc", Platform:"linux/amd64"}

Deployment

No.   IP               Role
1     192.168.56.120   k8s-master
2     192.168.56.121   k8s-node1
3     192.168.56.122   k8s-node2

Reproducing the problem

[root@k8s-master][/usr/local]
$kubectl get node
The connection to the server 192.168.56.120:6443 was refused - did you specify the right host or port?

Troubleshooting

Basic environment checks

#1 Basic environment checks
#1.0 Port check (nothing is listening on 6443 any more)
[root@k8s-master][~]
$ss -antpl |grep 6443
#1.1 Memory check (plenty available)
[root@k8s-master][~]
$free -h
              total        used        free      shared  buff/cache   available
Mem:           4.7G        1.2G        366M         58M        3.1G        3.1G
Swap:            0B          0B          0B
#1.2 Storage check (no problem either)
[root@k8s-master][~]
$df -h
Filesystem               Size  Used Avail Use% Mounted on
devtmpfs                 2.4G     0  2.4G   0% /dev
tmpfs                    2.4G     0  2.4G   0% /dev/shm
tmpfs                    2.4G   58M  2.3G   3% /run
tmpfs                    2.4G     0  2.4G   0% /sys/fs/cgroup
/dev/mapper/centos-root   37G   22G   16G  59% /
#1.3 Firewall check (firewalld is disabled)
[root@k8s-master][~]
$systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

Component checks

#2 Component checks
#2.1 Docker status (no error messages)
[root@k8s-master][~]
$systemctl status docker
#2.2 kubelet status (reports the master node as missing, but without detail)
[root@k8s-master][/usr/local]
$systemctl status kubelet
Jul 17 10:45:45 k8s-master kubelet[14485]: E0717 10:45:45.603977   14485 kubelet.go:2422] "Error getting node" err="node \"k8s-master\" not found"
Jul 17 10:45:45 k8s-master kubelet[14485]: E0717 10:45:45.634017   14485 controller.go:144] failed to ensure lease exists, will retry in 7s, error: Get "https://192.168....ion refused
#3 etcd status
[root@k8s-master][~]
$docker ps |grep k8s_etcd_etcd
# The log below already shows that the certificate has expired; confirm it once more
[root@k8s-master][~]
$docker logs dc2c0e42972e
{"level":"warn","ts":"2024-07-17T02:42:22.385Z","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"127.0.0.1:34074","server-name":"","error":"remote error: tls: bad certificate"}
{"level":"warn","ts":"2024-07-17T02:43:33.346Z","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"127.0.0.1:34428","server-name":"","error":"tls: failed to verify client certificate: x509: certificate has expired or is not yet valid: current time 2024-07-17T02:43:33Z is after 2024-03-14T07:34:55Z"}
#4 Certificate expiry check (the certificates have expired; this is the root cause of the error)
[root@k8s-master][~]
$kubeadm certs check-expiration

Root cause

# The log below shows that the certificates have expired, so the api-server never came up
[root@k8s-master][~]
$docker logs dc2c0e42972e
{"level":"warn","ts":"2024-07-17T02:42:22.385Z","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"127.0.0.1:34074","server-name":"","error":"remote error: tls: bad certificate"}
{"level":"warn","ts":"2024-07-17T02:43:33.346Z","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"127.0.0.1:34428","server-name":"","error":"tls: failed to verify client certificate: x509: certificate has expired or is not yet valid: current time 2024-07-17T02:43:33Z is after 2024-03-14T07:34:55Z"}

Solution

Now that the root cause is identified as expired certificates, the fix targets exactly that.

Install the Go toolchain

# Newer k8s versions need Go 1.19 or later (use the Go version the k8s build was made with where possible; otherwise the build fails with many errors)
[root@k8s-master][~]
$kubectl version
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.0", GitCommit:"ab69524f795c42094a6630298ff53f3c3ebab7f4", GitTreeState:"clean", BuildDate:"2021-12-07T18:16:20Z", GoVersion:"go1.17.3", Compiler:"gc", Platform:"linux/amd64"}
#1 Download the Go tarball
mkdir -p /root/pac
cd /root/pac
wget https://studygolang.com/dl/golang/go1.17.3.linux-amd64.tar.gz
#2 Extract it and configure the environment variables (the tarball name must match the one downloaded above)
tar xf go1.17.3.linux-amd64.tar.gz -C /usr/local
vim /etc/profile
export GOROOT=/usr/local/go
export PATH=$PATH:/usr/local/go/bin
export GOPATH=/go
source /etc/profile
#3 Verify
[root@k8s-master][~]
$go version
go version go1.17.3 linux/amd64

Download the k8s source

#1 Check the k8s version of the current environment
kubectl version
#2 Download the source
cd /root/pac
wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.23.0.tar.gz
#3 Extract it
tar xf v1.23.0.tar.gz

Change the CA validity

#1 Enter the directory
[root@k8s-master][~]
# cd /root/xxx/go/kubernetes-1.23.0/staging/src/k8s.io/client-go/util/cert
#2 Back up cert.go
[root@k8s-master][~/xxx/go/kubernetes-1.23.0/staging/src/k8s.io/client-go/util/cert]
# cp cert.go{,.bak}
#3 Edit cert.go
[root@k8s-master][~/xxx/go/kubernetes-1.23.0/staging/src/k8s.io/client-go/util/cert]
# vim cert.go

// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:              []string{cfg.CommonName},
		NotBefore:             now.UTC(),
		//NotAfter:              now.Add(duration365d * 10).UTC(),
		// changed to 100 years; the default is 10 years
		NotAfter:              now.Add(duration365d * 100).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}
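As an added example (not code from this post or from Kubernetes), the Go program below mirrors two pieces of the page in miniature: a simplified, hypothetical stand-in for client-go's NewSelfSignedCACert that takes the validity as a parameter, and the per-certificate residual-time check that kubeadm certs check-expiration performs in the root-cause section. The issue time and the check time are constructed to match the dates in the etcd log; the function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const duration365d = time.Hour * 24 * 365

// newSelfSignedCA is a hypothetical, simplified stand-in for client-go's NewSelfSignedCACert
// with validity as a parameter; the page's 10-year to 100-year edit is one argument here.
func newSelfSignedCA(cn string, validity time.Duration, now time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, // constructed serial
		NotBefore: now.UTC(), NotAfter: now.Add(validity).UTC(),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true, IsCA: true,
	}
	return x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
}

// residual returns how long a DER certificate stays valid from now (negative once
// expired): the per-certificate check behind kubeadm certs check-expiration.
func residual(der []byte, now time.Time) (time.Duration, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, err
	}
	return cert.NotAfter.Sub(now), nil
}

func main() {
	issued := time.Date(2023, 3, 14, 7, 34, 55, 0, time.UTC) // constructed issue time
	check := time.Date(2024, 7, 17, 2, 43, 33, 0, time.UTC)  // constructed: the etcd log's clock
	for _, v := range []time.Duration{duration365d, duration365d * 100} {
		der, _ := newSelfSignedCA("kubernetes", v, issued)
		r, _ := residual(der, check)
		fmt.Printf("validity %v: residual %v, expired=%t\n", v, r, r < 0)
	}
}
```

With the 1-year validity the certificate is already expired at the log's timestamp, exactly the state etcd reported; with the 100-year validity it has roughly 99 years left, matching the check-expiration table at the end of the post.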

Change the certificate validity

#1 Enter the directory
[root@k8s-master][~/xxx/go/kubernetes-1.23.0/staging/src/k8s.io/client-go/util/cert]
# cd /root/xxx/go/kubernetes-1.23.0/cmd/kubeadm/app/constants
#2 Back up constants.go
[root@k8s-master][~/xxx/go/kubernetes-1.23.0/cmd/kubeadm/app/constants]
# cp constants.go{,.bak}
#3 Edit the file
[root@k8s-master][~/xxx/go/kubernetes-1.23.0/cmd/kubeadm/app/constants]
# vim constants.go

const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"
	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	//CertificateValidity = time.Hour * 24 * 365
	// changed to 100 years; the default is 1 year
	CertificateValidity = time.Hour * 24 * 365 * 100
	// DefaultCertificateDir defines default certificate directory
	DefaultCertificateDir = "pki"
	// CACertAndKeyBaseName defines certificate authority base name
	CACertAndKeyBaseName = "ca"
	// CACertName defines certificate name
	CACertName = "ca.crt"
	// CAKeyName defines certificate name

Build kubeadm

# Install rsync first
yum install rsync -y
#1 Rebuild kubeadm
[root@k8s-master][~/xxx/go/kubernetes-1.23.0]
# pwd
/root/xxx/go/kubernetes-1.23.0
[root@k8s-master][~/xxx/go/kubernetes-1.23.0]
# make all WHAT=cmd/kubeadm GOFLAGS=-v
#2 Replace the original kubeadm
[root@k8s-master][~]
# mv /usr/bin/kubeadm{,.bak}
[root@k8s-master][~/xxx/go/kubernetes-1.23.0]
# pwd
/root/xxx/go/kubernetes-1.23.0
[root@k8s-master][~/xxx/go/kubernetes-1.23.0]
# ll _output/local/bin/linux/amd64/kubeadm
-rwxr-xr-x. 1 root root 43667456 Mar  6 11:26 _output/local/bin/linux/amd64/kubeadm
[root@k8s-master][~/xxx/go/kubernetes-1.23.0]
# cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
[root@k8s-master][~/xxx/go/kubernetes-1.23.0]
# chmod +x /usr/bin/kubeadm

Renew the certificates

#1 Back up the original files
[root@k8s-master][~]
# cp -a /etc/kubernetes{,.bak_20240717}
#2 Renew the certificates
[root@k8s-master][/etc/kubernetes]
# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

As the last line says, the static control-plane pods keep the old certificates loaded until they are restarted, so the renewal only takes effect after that restart.

Verify the result

[root@k8s-master][~]
$kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 23, 2124 02:49 UTC   99y                                     no
apiserver                  Jun 23, 2124 02:49 UTC   99y             ca                      no
apiserver-etcd-client      Jun 23, 2124 02:49 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   Jun 23, 2124 02:49 UTC   99y             ca                      no
controller-manager.conf    Jun 23, 2124 02:49 UTC   99y                                     no
etcd-healthcheck-client    Jun 23, 2124 02:49 UTC   99y             etcd-ca                 no
etcd-peer                  Jun 23, 2124 02:49 UTC   99y             etcd-ca                 no
etcd-server                Jun 23, 2124 02:49 UTC   99y             etcd-ca                 no
front-proxy-client         Jun 23, 2124 02:49 UTC   99y             front-proxy-ca          no
scheduler.conf             Jun 23, 2124 02:49 UTC   99y                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 12, 2033 07:34 UTC   8y              no
etcd-ca                 Mar 12, 2033 07:34 UTC   8y              no
front-proxy-ca          Mar 12, 2033 07:34 UTC   8y              no

The leaf certificates now carry the compiled-in 100-year validity, while the three CAs keep their original 2033 expiry: kubeadm certs renew re-signs the leaf certificates with the existing CAs and does not reissue the CAs themselves, so the cert.go change only applies to CAs that kubeadm creates from scratch.

Run kubectl again to see whether the problem is solved:

[root@k8s-master][~]
$kubectl get node
NAME         STATUS   ROLES                  AGE    VERSION
k8s-master   Ready    control-plane,master   489d   v1.23.0
k8s-node1    Ready    <none>                 489d   v1.23.0
k8s-node2    Ready    <none>                 489d   v1.23.0

With that, the problem is solved.


http://www.ppmy.cn/news/1476837.html
