Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

failed to run Kubelet: cannot create certificate signing request: Unauthorized #809

Closed
imedaouidene opened this issue May 14, 2018 · 3 comments
Closed

failed to run Kubelet: cannot create certificate signing request: Unauthorized #809

imedaouidene opened this issue May 14, 2018 · 3 comments
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/support Categorizes issue or PR as a support question. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.

Comments

@imedaouidene
Copy link

I have a K8s cluster running under an OpenStack cloud provider.

The cluster is set up using kubeadm tool which contains a master node and slave node .

I'm trying to add an other worker node by using the kubeadm join command, the command shows a positive response telling that the node is successfully added, But I can't find it using kubectl get nodes command.

I investigated and I've found that kubelet on the new slave node is not running showing cannot create certificate signing request: Unauthorized.

-- The start-up result is done.
May 14 12:15:33 vm1 kubelet[17678]: W0514 12:15:33.715964   17678 cni.go:171] Unable to update cni config: No networks found in /etc/cni/net.d
May 14 12:15:33 vm1 kubelet[17678]: W0514 12:15:33.738398   17678 hostport_manager.go:68] The binary conntrack is not installed, this can cause failures in network connection cleanup.
May 14 12:15:33 vm1 kubelet[17678]: I0514 12:15:33.738669   17678 server.go:376] Version: v1.10.1
May 14 12:15:33 vm1 kubelet[17678]: I0514 12:15:33.738913   17678 feature_gate.go:226] feature gates: &{{} map[]}
May 14 12:15:33 vm1 kubelet[17678]: I0514 12:15:33.739222   17678 plugins.go:89] No cloud provider specified.
May 14 12:15:33 vm1 kubelet[17678]: F0514 12:15:33.784257   17678 server.go:233] failed to run Kubelet: cannot create certificate signing request: Unauthorized
May 14 12:15:33 vm1 systemd[1]: kubelet.service: Main process exited, code=exited, status=255/n/a
May 14 12:15:33 vm1 systemd[1]: kubelet.service: Unit entered failed state.
May 14 12:15:33 vm1 systemd[1]: kubelet.service: Failed with result 'exit-code'.

version on worker node : kubeadm version kubeadm version: &version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.1", GitCommit:"d4ab47518836c750f9949b9e0d387f20fb92260b", GitTreeState:"clean", BuildDate:"2018-04-12T14:14:26Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

version on master node :

kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"10", 
GitVersion:"v1.10.1", 
GitCommit:"d4ab47518836c750f9949b9e0d387f20fb92260b", 
GitTreeState:"clean", BuildDate:"2018-04-12T14:14:26Z", 
GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

command used to make the join :

  • get the token : kubeadm token list | awk '/The default bootstrap token/ { print $1; }'

  • get the hash : openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'

  • join command: kubeadm join --skip-preflight-checks --token {{token}} --discovery-token-ca-cert-hash sha256:{{hash}} master_ip:6443
@timothysc timothysc added kind/bug Categorizes issue or PR as related to a bug. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. labels May 17, 2018
@qianyong-2005
Copy link

qianyong-2005 commented May 23, 2018
edited

I have same problem,now is ok.

token default life time is 24 hours, need create new token, then kubeadm join
https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-token/

@luxas luxas added kind/support Categorizes issue or PR as a support question. and removed kind/bug Categorizes issue or PR as related to a bug. labels May 23, 2018
@luxas
Copy link
Member

luxas commented May 23, 2018

Yeah, I guess your token just had expired at the point you tried to join. I'm closing this as solved.
If that wasn't the case, please reopen.

@luxas luxas closed this as completed May 23, 2018
@digglife
Copy link

@qianyong-2005

Same problem here. Thanks for the link!

kubeadm token create --print-join-command

@bartjkdp bartjkdp mentioned this issue Oct 17, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/support Categorizes issue or PR as a support question. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@timothysc @digglife @luxas @imedaouidene @qianyong-2005