The TKE cluster node reports an error when executing kubectl
2022-06-24 16:40:00 【Nieweixing】
kubectl is the command-line tool for accessing a k8s cluster. It authenticates to the apiserver using a kubeconfig and then calls the apiserver's API to fetch the requested information. kubectl is installed by default on every node of a TKE cluster, so you can log in to any node and run kubectl commands to access the cluster. However, when you create a new cluster or add new nodes to a cluster, kubectl commands on the new node start to fail after a period of time. The specific errors are as follows:
```
# kubectl get node
error: You must be logged in to the server (Unauthorized)

$ kubectl get node
The connection to the server localhost:8080 was refused - did you specify the right host or port?
```
Why does this error occur? The specific causes and solutions are covered in the documentation at https://cloud.tencent.com/document/product/457/48164 . Here we just describe the operation steps in detail.

In general, kubectl fails because, for node security, the node is no longer issued a permanent kubeconfig for the admin user. Instead, the admin user's certificate and private key are given a validity of 12 hours, which is only meant to ensure that the node can successfully join the cluster. The error is therefore reported because the user certificate and private key in the node's $HOME/.kube/config file have expired, so authentication with the apiserver fails.

We can use the current kubeconfig to check whether the certificate validity period is 12 hours. The output below shows that the client certificate in the kubeconfig is indeed valid for only 12 hours, and that it expired at 19:11:42 on April 16, 2021.
```
# cd $HOME/.kube
# cat config |grep client-certificate-data | awk -F ' ' '{print $2}' |base64 -d > client-cert.pem
# openssl x509 -in client-cert.pem -noout -dates
notBefore=Apr 16 07:11:42 2021 GMT
notAfter=Apr 16 19:11:42 2021 GMT
```
Now that we know the cause, the solution follows: find a kubeconfig whose certificate and private key do not expire. So how do we get one? The basic information of the cluster contains a kubeconfig generated for your sub-account UIN, and the key in this kubeconfig is valid permanently.

But there is another problem. The apiserver address in the kubeconfig for your UIN account is the configured domain name. If you have not enabled intranet or public network access, the domain name cannot be resolved to the corresponding CLB. Both public network and intranet access actually use a CLB to load-balance to the backend apiserver.

Because kubectl on the node accesses the apiserver from inside the cluster, we can directly use the apiserver's ClusterIP-type service to reach the backend apiserver. Many people use managed clusters, where the master components are inaccessible, so how do you get the apiserver's service? In fact, a TKE cluster creates a service named kubernetes in the default namespace, and this service gives direct access to the cluster's apiserver. This means that inside the cluster we can access the apiserver directly through the kubernetes service.

Since the domain name cannot be resolved and we only need to access the apiserver from within the cluster, replace the clusters.cluster.server field in the console's kubeconfig file with the IP of the kubernetes service and port 443. Communication with the apiserver is over HTTPS, so we use port 443 here. The following describes how to configure the node's kubeconfig file.
1. Get the kubeconfig from the console

Log in to the Tencent Cloud console, go to the container service, click the cluster, find the kubeconfig in the basic information, and download or copy the file.

2. Get the IP of the cluster's kubernetes service

In the TKE cluster console, click Services and Routes, click Service, select the default namespace, and record the IP of the kubernetes service.
3. Log in to the node and replace the kubeconfig

```
$ vi $HOME/.kube/config
```

Log in to the CVM node and edit its $HOME/.kube/config file. Replace its contents with the kubeconfig copied from the console, then change the clusters.cluster.server field to the IP of the kubernetes service and port 443, that is, https://service ip:443, as shown in the figure above.

After making the change, press ESC and then :wq to save and exit. kubectl commands can then access the apiserver normally.
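The check and the edit from the steps above can also be scripted. The following is an added example, not part of the original article or of TKE tooling; the function names are hypothetical, and it assumes a single-cluster kubeconfig plus `openssl`, `base64`, `awk` and `sed` on the node.

```shell
#!/bin/sh
# Added example; function names and sample values are hypothetical.

# Print notAfter for the client certificate embedded in a kubeconfig.
# Returns 0 while the certificate is still valid, non-zero once it has
# expired (or if no certificate could be decoded).
client_cert_valid() {
    cfg=$1
    awk '$1 == "client-certificate-data:" { print $2; exit }' "$cfg" |
        base64 -d |
        openssl x509 -noout -enddate -checkend 0
}

# Point clusters.cluster.server at https://<service ip>:443.
# Usage: set_internal_server <kubeconfig> <kubernetes service ClusterIP>
set_internal_server() {
    cfg=$1
    ip=$2
    # Only digits and dots may reach the sed expression below.
    case $ip in
        ''|*[!0-9.]*) echo "invalid service IP" >&2; return 2 ;;
    esac
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "invalid service IP: $ip" >&2
        return 2
    }
    # Refuse files with zero or several server entries rather than guess.
    if [ "$(grep -Ec '^[[:space:]]*server:' "$cfg")" != 1 ]; then
        echo "expected exactly one server: entry in $cfg" >&2
        return 3
    fi
    # Keep a backup, rewrite the one field, and restrict both files to the
    # owner: the console kubeconfig carries a credential that does not expire.
    cp -p "$cfg" "$cfg.bak" &&
        sed -E "s|^([[:space:]]*server:[[:space:]]*).*|\1https://$ip:443|" \
            "$cfg.bak" > "$cfg" &&
        chmod 600 "$cfg" "$cfg.bak"
}
```

Run `client_cert_valid $HOME/.kube/config` to confirm that the node's certificate has expired; after pasting in the console kubeconfig, call `set_internal_server` with that file and the service IP recorded in step 2.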