报错详情:Internal error occurred: failed calling webhook “rancherauth.cattle.io”: Post https://rancher-webhook.cattle-system.svc:443/v1/webhook/validation?timeout=10s: x509: certificate has expired or is not yet valid 其他:k8s集群证书前段时间才通过界面轮换过,然后使用正常,这几天需要新加用户和角色,添加不了,一直报上面错误
这个问题是因为bug 导致 webhook 证书没有自动轮转,导致webhook证书过期。
只要操作RBAC相关的功能就会报错
详细的解决方案参考:https://github.com/rancher/rancher/issues/35068#issuecomment-949053479
错误信息:
Internal error occurred: failed calling webhook “rancherauth.cattle.io”: Post “https://rancher-webhook.cattle-system.svc:443/v1/webhook/validation?timeout=10s”: dial tcp 10.43.65.217:443: connect: connection refused
组件版本:
组件 版本
Rancher v2.5.15
用户界面 v2.5.14
Helm v2.16.8-rancher1
主机 v0.15.0-rancher55
参考文档:
kubectl delete secret -n cattle-system cattle-webhook-tls
kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io --ignore-not-found=true rancher.cattle.io
kubectl delete pod -n cattle-system -l app=rancher-webhook
查询结果:
[root@prd04:~]# kubectl get secrets -n cattle-system cattle-webhook-tls
Error from server (NotFound): secrets “cattle-webhook-tls” not found
[root@prd04:~]# kubectl get secrets -n cattle-system
NAME TYPE DATA AGE
cattle-credentials-b314a94 Opaque 3 424d
cattle-private-registry kubernetes.io/dockerconfigjson 1 424d
cattle-token-stb7h kubernetes.io/service-account-token 3 424d
default-token-j4wm5 kubernetes.io/service-account-token 3 424d
kontainer-engine-token-2lkc5 kubernetes.io/service-account-token 3 424d
[root@prd04:~]# kubectl get pods -n cattle-system
NAME READY STATUS RESTARTS AGE
cattle-cluster-agent-648d8fdc8-j6v62 1/1 Running 0 424d
cattle-node-agent-4dktq 1/1 Running 6 424d
cattle-node-agent-5zmxg 1/1 Running 0 424d
cattle-node-agent-9ptjt 1/1 Running 0 424d
cattle-node-agent-chx2r 1/1 Running 0 424d
kube-api-auth-5v49n 1/1 Running 0 424d
kube-api-auth-8qjdk 1/1 Running 0 424d
kube-api-auth-szjcv 1/1 Running 0 424d
问题:
没有查询到文档中的cattle-webhook-tls,需要怎么进一步操作。谢谢!