Just set up a cluster with kubespray: 3 master nodes and 3 worker nodes, plus 2 haproxy nodes in front of the master nodes, with keepalived.

Everything works perfectly except for one thing. When I try to update packages inside a pod (alpine, ubuntu):

Ign:1 https://security.debian.org/debian-security buster/updates InRelease          
Ign:2 https://deb.debian.org/debian buster InRelease                                
Err:4 https://security.debian.org/debian-security buster/updates Release                            
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.

Quick debugging showed that I am getting the self-signed Traefik default certificate from a proxy inside K8s:

echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text

Output:

       Issuer: CN = TRAEFIK DEFAULT CERT
        Validity
            Not Before: Jun 15 14:08:39 2020 GMT
            Not After : Jun 15 14:08:39 2021 GMT
        Subject: CN = TRAEFIK DEFAULT CERT

Is there a way to disable SSL termination?

My kubespray installation is a fresh install from the master branch.

Kubernetes version: v1.18.5

1 Answer

Found the problem: the search list in /etc/resolv.conf had a domain that points to the server running traefik. That domain's DNS zone has a *.domain.com record. So that was the problem.

Answered 2020-07-07T02:49:06.253
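
Added example (not part of the original answer): a Python walk-through of why a search-list domain with a wildcard record captures lookups for external hosts such as gnupg.org. It assumes the pod's resolv.conf carries Kubernetes' default ndots:5 and a search list that includes the wildcard domain; the resolv.conf contents, the addresses and the lookup function are constructed for illustration.

```python
# Constructed pod /etc/resolv.conf; "domain.com" stands for the search-list
# domain from the answer, whose zone holds a *.domain.com record.
SAMPLE_RESOLV_CONF = """\
nameserver 10.233.0.3
search default.svc.cluster.local svc.cluster.local cluster.local domain.com
options ndots:5
"""

def parse_resolv_conf(text):
    """Return (search_domains, ndots); the resolver's default ndots is 1."""
    search, ndots = [], 1
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue
        if fields[0] == "search":
            search = fields[1:]              # a later "search" line replaces earlier ones
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots

def candidates(name, search, ndots):
    """Names the stub resolver tries for `name`, in order."""
    if name.endswith("."):
        return [name]                        # trailing dot: search list is skipped
    expanded = [f"{name}.{d.rstrip('.')}." for d in search]
    absolute = [name + "."]
    return expanded + absolute if name.count(".") < ndots else absolute + expanded

def first_answer(name, resolv_conf_text, lookup):
    """(queried_name, address) of the first candidate `lookup` resolves, else (None, None)."""
    for fqdn in candidates(name, *parse_resolv_conf(resolv_conf_text)):
        addr = lookup(fqdn)
        if addr is not None:
            return fqdn, addr
    return None, None

def constructed_lookup(fqdn):
    """Constructed DNS view (assumption): None means the name does not exist."""
    if fqdn.endswith(".domain.com."):
        return "192.0.2.10"                  # wildcard record -> host running Traefik
    if fqdn == "gnupg.org.":
        return "198.51.100.20"               # stand-in for the real site
    return None

if __name__ == "__main__":
    print([first_answer(n, SAMPLE_RESOLV_CONF, constructed_lookup) for n in ("gnupg.org", "gnupg.org.")])
```

With the wildcard domain removed from the search list, or with a trailing dot on the name, the same lookup reaches the real host instead of the Traefik server.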