Fixing the certificate error when installing coredns on k8s

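I installed a new k8s environment, and after installing the kube-router network plugin I found that coredns would never start. Inspecting the pod with the following command showed an error:
kubectl describe pod -n kube-system coredns-757569d647-qj8ts
Log: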
Failed to create pod sandbox: rpc error: code = Unknown desc = [failed to set up sandbox container "b7ea16c5b21e06069d1418b322e04bd2da482acdf21f863f47c96a80c551eab5" network for pod "coredns-757569d647-qj8ts": networkPlugin cni failed to set up pod "coredns-757569d647-qj8ts_kube-system" network: error getting ClusterInformation: Get https://[10.31.0.1]:443/apis/crd.projectcalico.org/v1/clusterinformations/default: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes"), failed to clean up sandbox container "b7ea16c5b21e06069d1418b322e04bd2da482acdf21f863f47c96a80c551eab5" network for pod "coredns-757569d647-qj8ts": networkPlugin cni failed to teardown pod "coredns-757569d647-qj8ts_kube-system" network: error getting ClusterInformation: Get https://[10.31.0.1]:443/apis/crd.projectcalico.org/v1/clusterinformations/default: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")]
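I tried various ways of comparing the encoded CA data generated for coredns:
kubectl get secrets -n kube-system coredns-token-xc8kc -o yaml
I found that it was identical to the CA data recorded in the /etc/kubernetes/admin.conf file on the host. For some reason it still could not reach the kube-apiserver service.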
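When comparing the CA in admin.conf with the one in the service-account secret as described above, certificate fingerprints are more reliable than the raw base64 text, which changes with line endings. The following is an added example, not code from the original post; the helper names are hypothetical, and the sample kubeconfig, secret and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def field_b64(yaml_text, key):
    """Return the base64 value of `key:` from kubeconfig or Secret YAML text."""
    m = re.search(r"^\s*" + re.escape(key) + r":\s*(\S+)\s*$", yaml_text, re.M)
    if not m:
        raise ValueError(f"{key} not found")
    return m.group(1)

def fingerprints(b64_pem):
    """base64 -> PEM bundle -> set of SHA-256 hex digests, one per DER certificate."""
    pem = base64.b64decode(b64_pem, validate=True).decode("ascii")
    ders = [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem)]
    if not ders:
        raise ValueError("no CERTIFICATE block after decoding")
    return {hashlib.sha256(d).hexdigest() for d in ders}

def same_ca(kubeconfig_text, secret_text):
    """True when both sources carry exactly the same CA certificate(s)."""
    return (fingerprints(field_b64(kubeconfig_text, "certificate-authority-data"))
            == fingerprints(field_b64(secret_text, "ca.crt")))

# --- constructed sample data: placeholder bytes, not a real certificate ---
def make_pem(der, newline="\n"):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return newline.join(["-----BEGIN CERTIFICATE-----", *lines,
                         "-----END CERTIFICATE-----", ""])

DER_A = b"constructed CA bytes A " * 8
DER_B = b"constructed CA bytes B " * 8
KUBECONFIG = ("clusters:\n- cluster:\n    certificate-authority-data: "
              + base64.b64encode(make_pem(DER_A).encode()).decode()
              + "\n    server: https://apiserver.example:6443\n")
# Same certificate stored with CRLF line endings: different base64 text.
SECRET_SAME = ("data:\n  ca.crt: "
               + base64.b64encode(make_pem(DER_A, "\r\n").encode()).decode() + "\n")
SECRET_OTHER = ("data:\n  ca.crt: "
                + base64.b64encode(make_pem(DER_B).encode()).decode() + "\n")

if __name__ == "__main__":
    print(same_ca(KUBECONFIG, SECRET_SAME), same_ca(KUBECONFIG, SECRET_OTHER))
```

Matching fingerprints only show that both files hold the same CA certificate; they do not show that this CA signed the certificate the API server actually presents.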
Checking with the ipvsadm -Ln command did not reveal any problem either.
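The fix in the end was to decode the CA data in admin.conf.
Copy the content after certificate-authority-data: into a text file,
for example ca.txt, then use the command base64 -d ./ca.txt to restore the certificate.
Then save the certificate to /etc/pki/ca-trust/source/anchors/kube.pem.
Modify the mounts of the coredns deployment.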
Add the pki mount:

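        # container level: spec.template.spec.containers[] of the coredns deployment
        volumeMounts:
        - name: config-volume
          mountPath: /etc/coredns
          readOnly: true
        # added: host PKI directory, mounted read-only
        - name: etc-pki
          mountPath: /etc/pki
          readOnly: true
      # pod level: spec.template.spec
      volumes:
      - name: config-volume
        configMap:
          name: coredns
          items:
          - key: Corefile
            path: Corefile
          - key: NodeHosts
            path: NodeHosts
      # added: hostPath volume backing the etc-pki mount above
      - hostPath:
          path: /etc/pki
          type: DirectoryOrCreate
        name: etc-pki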

After saving, you will find that coredns works normally.

If you have a better solution, please leave a comment and share it. Thanks!!
