4
1

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

Kubernetes(kubelet)でcertificate_managerがCNログを大量に吐き出した話

Posted at

事象

Kubernetesのワーカーノードでjournalctlsystemctl status kubeletでこんな感じのログが大量発生しました。

Current certificate CN (kubelet) does not match requested CN (system:node:xxx)

対処方

CSR名を洗い出し

kubectl get csr | grep Pending

承認する

kubectl certificate approve csr-xxxxx

※PendingのCSRが出なくなるまで繰り返し

原因

多分、kubeletの--rotate-server-certificatesパラメータが原因。
CSR承認しろって書いてあった。

Requires the RotateKubeletServerCertificate feature gate to be enabled, and approval of the submitted CertificateSigningRequest objects.

余談

ApproveしたCSRはしばらくするとkubectl get csrで見られなくなるので、エビデンス求められるなら早めにとった方が良さげ

確認した環境

OKE v1.27.2
デフォルトでは--rotate-server-certificates入っていないが、カスタムして入れました

4
1
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
4
1

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?