\nTDH6.x\u548cTOS1.9.x\u7248\u672c\u4e0akubelet\u76ee\u524d\u6ca1\u6709\u914d\u7f6e\u81ea\u52a8\u66f4\u65b0\u8bc1\u4e66\uff0c\u5bfc\u81f4\u4e00\u5e74\u65f6\u95f4\u8bc1\u4e66\u4f1a\u8fc7\u671f\uff0c\u8fdb\u800c\u5bfc\u81f4\u8282\u70b9\u72b6\u6001NotReady\uff08\u6b63\u5e38\u8282\u70b9\u6267\u884c
kubectl get nodes<\/code>\u67e5\u770b\uff09\uff0c\u670d\u52a1\u4e0d\u53ef\u7528\uff1b<\/p>\n![\"file\"](\"\/wp-content\/uploads\/2021\/12\/image-1640079409260.png\")
<\/p>\n
kubelet\u65e5\u5fd7\u62a5\u9519\u4fe1\u606f\uff1a<\/p>\n
12\u6708 19 12:43:15 km4-hcb-compute-01 hyperkube[90772]: E1219 12:43:15.809165 90772 reflector.go:205] k8s.io\/kubernetes\/pkg\/kubelet\/kubelet.go:492: Failed to list *v1.Node: Unauthorized\n12\u6708 19 12:43:15 km4-hcb-compute-01 hyperkube[90772]: I1219 12:43:15.809432 90772 reflector.go:240] Listing and watching *v1.ConfigMap from k8s.io\/kubernetes\/pkg\/kubelet\/kubelet.go:500\n12\u6708 19 12:43:15 km4-hcb-compute-01 hyperkube[90772]: I1219 12:43:15.809937 90772 round_trippers.go:436] GET https:\/\/127.0.0.1:6443\/api\/v1\/pods?fieldSelector=spec.nodeName%3Dkm4-hcb-compute-01&limit=500&resourceVersion=0 401 Unauthorized in 1 milliseconds\n12\u6708 19 12:43:15 km4-hcb-compute-01 hyperkube[90772]: E1219 12:43:15.810063 90772 reflector.go:205] k8s.io\/kubernetes\/pkg\/kubelet\/config\/apiserver.go:47: Failed to list *v1.Pod: Unauthorized\n12\u6708 19 12:43:15 km4-hcb-compute-01 hyperkube[90772]: I1219 12:43:15.810517 90772 reflector.go:240] Listing and watching *v1.Service from k8s.io\/kubernetes\/pkg\/kubelet\/kubelet.go:483\n12\u6708 19 12:43:15 km4-hcb-compute-01 hyperkube[90772]: I1219 12:43:15.810933 90772 round_trippers.go:436] GET https:\/\/127.0.0.1:6443\/api\/v1\/namespaces\/kube-system\/configmaps?limit=500&resourceVersion=0 401 Unauthorized in 1 milliseconds\n12\u6708 19 12:43:15 km4-hcb-compute-01 hyperkube[90772]: E1219 12:43:15.811035 90772 reflector.go:205] k8s.io\/kubernetes\/pkg\/kubelet\/kubelet.go:500: Failed to list *v1.ConfigMap: Unauthorized\n12\u6708 19 12:43:15 km4-hcb-compute-01 hyperkube[90772]: I1219 12:43:15.811850 90772 round_trippers.go:436] GET https:\/\/127.0.0.1:6443\/api\/v1\/services?limit=500&resourceVersion=0 401 Unauthorized in 1 milliseconds\n12\u6708 19 12:43:15 km4-hcb-compute-01 hyperkube[90772]: E1219 12:43:15.812001 90772 reflector.go:205] k8s.io\/kubernetes\/pkg\/kubelet\/kubelet.go:483: Failed to list *v1.Service: Unauthorized\n12\u6708 19 12:43:15 km4-hcb-compute-01 hyperkube[90772]: I1219 12:43:15.822999 90772 volume_host.go:218] using default mounter\/exec for kubernetes.io\/secret<\/code><\/pre>\n![\"file\"](\"\/wp-content\/uploads\/2021\/12\/image-1640079365545.png\")
<\/p>\n
\u5f71\u54cd\u7248\u672c<\/strong><\/p>\nTDH 6.X,TOS 1.9.X<\/p>\n
\u8be6\u7ec6\u8bf4\u660e<\/h3>\nworkround\u65b9\u6848<\/h4>\n
\u91cd\u542fkubelet<\/strong><\/p>\n\u6240\u6709\u8282\u70b9\u6267\u884c systemctl restart kubelet<\/code>\u3002<\/p>\n\u6c38\u4e45\u89e3\u51b3\u65b9\u6848<\/h4>\n\u6ce8\u610f\uff1a \u4ee5\u4e0b\u6b65\u9aa4\u9700\u8981\u5728\u96c6\u7fa4\u4e2d\u6240\u6709\u8282\u70b9\uff08\u6b63\u5e38\u8282\u70b9\u64cd\u4f5c\u662f\u4e3a\u4e86\u9632\u6b62\u540e\u7eed\u51fa\u73b0\u8bc1\u4e66\u8fc7\u671f\u95ee\u9898\uff09\u6267\u884c\u3002<\/code><\/pre>\n\n- \u67e5\u770b\u8d77\u6b62\u65f6\u95f4<\/li>\n<\/ol>\n
[root@jiujiu-tdh-70 ~]# openssl x509 -in \/var\/lib\/kubelet\/pki\/kubelet.crt -noout -text | grep 'Not'\n Not Before: Sep 29 16:36:48 2020 GMT\n Not After : Sep 29 16:36:48 2021 GMT<\/code><\/pre>\n\n- \u505c\u6b62kubelet\uff1b<\/li>\n<\/ol>\n
systemctl stop kubelet<\/code><\/pre>\n\n- \u4fee\u6539 kubelet \u914d\u7f6e\u6587\u4ef6<\/li>\n<\/ol>\n
\u5728\u8282\u70b9\u4e0a\u627e\u5230 \/usr\/lib\/systemd\/system\/kubelet.service <\/code>\u6587\u4ef6\uff0c\u5728\u6587\u4ef6\u91cc\u9762\u52a0\u4e0a--rotate-certificates \\<\/code> \u548c --feature-gates=<\/code> \u540e\u9762\u52a0\u4e0a RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true,<\/code> \uff0c\u4f7f\u4e4b\u53ef\u4ee5\u81ea\u52a8\u66f4\u65b0\u8bc1\u4e66<\/strong>\uff1b
\n\u4fee\u6539\u7684\u5730\u65b9\uff0c\u5982\u4e0b\u56fe
\n![\"file\"](\"\/wp-content\/uploads\/2021\/12\/image-1640081843892.png\")
<\/p>\n\n- \u5907\u4efd\u548c\u5220\u9664
\/var\/lib\/kubelet\/pki<\/code><\/li>\n<\/ol>\n# \u5907\u4efd\u5230tmp\u76ee\u5f55\u4e0b\uff1a\ncp -r \/var\/lib\/kubelet\/pki \/tmp\/<\/code><\/pre>\n# \u5220\u9664\nrm -rf \/var\/lib\/kubelet\/pki<\/code><\/pre>\n\n- \u91cd\u542fkubelet<\/li>\n<\/ol>\n
systemctl daemon-reload && systemctl restart kubelet\uff08\u82e5\u542f\u52a8\u5931\u8d25\uff0c\u8df3\u5230\u6b65\u9aa47\uff09<\/code><\/pre>\n\n- \u9a8c\u8bc1<\/li>\n<\/ol>\n
# \u9a8c\u8bc1\u53c2\u6570\u662f\u5426\u6dfb\u52a0\u6210\u529f\nsystemctl status kubelet -l | grep rotate-certificates<\/code><\/pre>\n![\"file\"](\"\/wp-content\/uploads\/2021\/12\/image-1640142393498.png\")
<\/p>\n
# \u5728\u672a\u4fee\u6539\u7684\u8282\u70b9\u6267\u884c\u4e0b\u9762\u547d\u4ee4\uff0c\u67e5\u770b\u4fee\u6539\u7684\u8282\u70b9\u72b6\u6001\u662f\u5426\u6b63\u5e38\uff08\u662f\u5426\u4e3aready\uff0c\u5982\u679c\u4e0d\u662f\u5219\u770b\u6b65\u9aa47\uff09\nkubectl get nodes -owide<\/code><\/pre>\n# \u662f\u5426\u53ef\u4ee5\u67e5\u770b\u8bc1\u4e66\u8d77\u6b62\u65f6\u95f4\uff08\u5982\u679c\u62a5\u9519\uff0c\u8bf7\u53c2\u89c1\u540e\u9762\u6b65\u9aa47\uff09\nopenssl x509 -in \/var\/lib\/kubelet\/pki\/kubelet.crt -noout -text | grep 'Not'<\/code><\/pre>\n\n- \u5176\u4ed6\u60c5\u51b5<\/li>\n<\/ol>\n
\u5982\u679c\u8282\u70b9not ready \u5e76\u4e14\u4f7f\u7528\u6b65\u9aa41\u7684\u67e5\u770b\u8bc1\u4e66\u547d\u4ee4\u62a5\u9519 No such file or directory<\/code>
\n\u4f8b\u5982\uff0c \u4fee\u6539\u4e86 jiujiu-tdh-72\u7684\u914d\u7f6e\uff0c\u5728\u6b63\u5e38\u7684jiujiu-tdh-70\u8282\u70b9\u6267\u884c kubectl get nodes<\/code>\u547d\u4ee4\u770b\u5230 72\u8282\u70b9 not ready\uff0c\u6267\u884c\u67e5\u770b\u8bc1\u4e66\u7684\u8d77\u6b62\u65f6\u95f4\u7684\u547d\u4ee4\uff0c\u62a5\u9519\u5982\u4e0b\u56fe\u3002
\n![\"file\"](\"\/wp-content\/uploads\/2021\/12\/image-1640153123871.png\")
<\/p>\n![\"file\"](\"\/wp-content\/uploads\/2021\/12\/image-1640153086389.png\")
<\/p>\n
\u6b64\u95ee\u9898\u89e3\u51b3\u65b9\u6848\uff1a<\/p>\n
\n- \n
\u5728\u6545\u969c\u8282\u70b9\u83b7\u53d6Pending<\/strong>\u72b6\u6001\u7684csr name<\/p>\nkubectl get csr<\/code><\/pre>\n![\"file\"](\"\/wp-content\/uploads\/2021\/12\/image-1640153383617.png\")
<\/p>\n<\/li>\n
- \n
\u624b\u52a8 approve CSR \u8bf7\u6c42<\/p>\n
kubectl certificate approve <\/code><\/pre>\n![\"file\"](\"\/wp-content\/uploads\/2021\/12\/image-1640154031852.png\")
<\/p>\n<\/li>\n
- \n
\u83b7\u53d6node\u7684\u72b6\u6001<\/p>\n
kubectl get nodes<\/code><\/pre>\n<\/li>\n- \n
approve \u540e \u67e5\u770b\u8bc1\u4e66\u65f6\u95f4\uff08\u4e0e\u6b65\u9aa46\u7684\u4e0d\u540c\uff09<\/p>\n
openssl x509 -in \/var\/lib\/kubelet\/pki\/kubelet-server-current.pem -noout -text | grep 'Not'<\/code><\/pre>\n<\/li>\n<\/ol>\n\u5176\u4ed6\u95ee\u9898\u8bf4\u660e<\/h3>\n
\n\u4e00. \u90e8\u5206TOS\u7248\u672c\u8fd8\u4f1a\u4e00\u76f4\u4ea7\u751fpending\u72b6\u6001\u7684csr<\/h4>\n
![\"file\"](\"\/wp-content\/uploads\/2021\/12\/image-1640157804062.png\")
<\/p>\n
\u95ee\u9898\u539f\u56e0<\/strong> <\/p>\n\u5927\u6982\u7387\u662f\u96c6\u7fa4\u7684rcba\u6743\u9650\u7f3a\u5931\u5bfc\u81f4\u7684\u3002<\/p>\n
\u89e3\u51b3\u65b9\u6848<\/strong><\/p>\n
![\"file\"](\"\/wp-content\/uploads\/2021\/12\/image-1640158008148.png\")
<\/p>\n<\/li>\n