What causes the Kubernetes API server to be unable to write the client CA configmap?
I'm experiencing that the Kubernetes API server fails to start during cluster bootstrapping with the following error log, apparently due to being unable to initialize its "client CA configmap":
E1029 14:35:56.211083 5 client_ca_hook.go:78] Timeout: request did not complete within allowed duration
F1029 14:35:56.211121 5 hooks.go:126] PostStartHook “ca-registration” failed: unable to initialize client CA configmap: timed out waiting for the condition
It seems to happen here in the Kubernetes source code. What might cause this error?
See the full log here.
Update: It seems that my etcd cluster isn't accessible from master nodes, even though the same command works from etcd member machines:
$ sudo ETCDCTL_API=3 etcdctl --cacert=/opt/tectonic/tls/etcd-client-ca.crt \
--cert=/opt/tectonic/tls/etcd-client.crt --key=/opt/tectonic/tls/etcd-client.key \
--endpoints=https://coreos-testing-etcd-0.socialfoodie.club:2379 \
endpoint health
https://coreos-testing-etcd-0.socialfoodie.club:2379 is unhealthy: failed to connect: grpc: timed out when dialing
Error: unhealthy cluster
I found out that despite the cryptic error message in the API server, the cause is that it can't write to the etcd cluster. The reason was that the API server was configured with a different client certificate authority than what the etcd cluster was using, due to a timing issue wrt. copying certificates in my Terraform cluster setup. I figured out that the CA was the problem by using curl to contact the etcd cluster instead of etcdctl, as it gave a clear error message.
Thanks to @johnharris85 for suggesting etcd connectivity being an issue!
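The CA mismatch described in the answer can be checked offline before the API server is started. The following is an added example, not part of the original post: it assumes the `openssl` CLI is installed, and the directory layout, file names and the `etcd-ca` subject are constructed for illustration. It also shows why comparing issuer names is not enough: a regenerated CA can carry the same subject and still reject certificates issued by its predecessor.

```bash
#!/usr/bin/env bash
# Added example: check that a client certificate chains to the CA a server
# trusts. All names and paths below are constructed, not from the post.

# Succeeds only if cert_file is cryptographically signed by the CA in ca_file.
cert_matches_ca() {
  local ca_file=$1 cert_file=$2
  openssl verify -CAfile "$ca_file" "$cert_file" 2>/dev/null | grep -q ': OK$'
}

# Create a throwaway CA (ca.crt) and one client cert signed by it (client.crt).
# Every CA gets the same subject, as happens when a CA is regenerated.
make_ca_and_client() {
  local dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=etcd-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=etcd-client" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -days 1 \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/client.crt" 2>/dev/null
}

# Demo: a client cert issued by the first CA, tested against both CAs.
work=$(mktemp -d) && mkdir "$work/first" "$work/second"
make_ca_and_client "$work/first"
make_ca_and_client "$work/second"
for ca in first second; do
  if cert_matches_ca "$work/$ca/ca.crt" "$work/first/client.crt"; then
    echo "first/client.crt verifies against $ca/ca.crt"
  else
    echo "first/client.crt does NOT verify against $ca/ca.crt"
  fi
done
rm -rf "$work"
```

Running `cert_matches_ca` with the CA file the etcd members trust and the client certificate the API server presents gives a yes/no answer without needing network access to the cluster.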