kubernetes
network_error
ai_generated
true
http: TLS handshake error from 10.0.0.1:54321: remote error: tls: bad certificate
ID: kubernetes/kubelet-http-healthz-failure
Fix rate: 80%
Confidence: 85%
Evidence count: 1
First seen: 2024-03-15
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| kubelet v1.28 | active | — | — | — |
| kubelet v1.29 | active | — | — | — |
| kubelet v1.30 | active | — | — | — |
Root cause analysis
The kubelet's TLS certificate for the healthz endpoint is expired or mismatched, causing the API server to reject the connection.
Official documentation
https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/
Solutions
- Manually renew the kubelet server certificate by running `kubeadm init phase certs kubelet-server`, then restart kubelet.
- Check certificate expiry: `openssl x509 -in /var/lib/kubelet/pki/kubelet-server-current.pem -text -noout | grep -A2 Validity`. If expired, delete the old cert and let kubelet auto-renew via CSR.
- Update the kubelet configuration to use a valid certificate from a trusted CA by setting `--tls-cert-file` and `--tls-private-key-file` in /var/lib/kubelet/config.yaml.
Ineffective attempts
Common but ineffective approaches:
- Restart the kubelet service without checking certificate renewal (90% failure rate). Restarting does not regenerate expired certificates; they must be explicitly renewed or rotated.
- Disable TLS verification in the kubelet config (--tls-cert-file=none) (95% failure rate). Disabling TLS breaks secure communication and is not supported in production.
- Reinstall the kubelet binary from scratch (85% failure rate). Reinstallation does not fix certificate expiration; the certs are stored separately.