1.7.2. 鉴别问题: 重新导入集群失败并显示未知颁发机构错误

在重新导入受管集群后,运行以下命令在 Red Hat Advanced Cluster Management hub 集群上获取导入控制器日志:

kubectl -n multicluster-engine logs -l app=managedcluster-import-controller-v2 -f

如果出现以下错误日志,受管集群 API 服务器证书可能会改变:

ERROR Reconciler error {"controller": "clusterdeployment-controller", "object": {"name":"awscluster1","namespace":"awscluster1"}, "namespace": "awscluster1", "name": "awscluster1", "reconcileID": "a2cccf24-2547-4e26-95fb-f258a6710d80", "error": "Get \"": x509 s/nn/nn/nn-26-95fb-f258a6710d80", "error": "awscluster1", "reconcileID": "a2cccf24-2547-4e26-95fb-f258a6710d80", "error": "awscluster1", "reconcileID": "a2cccf24-2547-4e26-95fb-f258a6710d80", "error": "awscluster1", "awscluster1", "reconcileID": "a2cccf24e26-95fb4e26-95fb-f258a6710d80", "error": "awscluster1", "reconcileID": "a2cccf24-2547-4e26-95fbc6710d80", "error": "awscluster1", "reconcileID": "a2cccf24-

要确定受管集群 API 服务器证书是否已更改,请完成以下步骤:

  1. 运行以下命令,将 your-managed-cluster-name 替换为受管集群的名称来指定受管集群名称:

    cluster_name=<your-managed-cluster-name>
  2. 运行以下命令获取受管集群 kubeconfig secret 名称:

    kubeconfig_secret_name=$(oc -n ${cluster_name} get clusterdeployments ${cluster_name} -ojsonpath='{.spec.clusterMetadata.adminKubeconfigSecretRef.name}')
  3. 运行以下命令,将 kubeconfig 导出到新文件:

    oc -n ${cluster_name} get secret ${kubeconfig_secret_name} -ojsonpath={.data.kubeconfig} | base64 -d > kubeconfig.old
    export KUBECONFIG=kubeconfig.old
  4. 运行以下命令,使用 kubeconfig 从受管集群获取命名空间:

    oc get ns

如果您收到类似以下消息的错误,您的集群 API 服务器符已更改,且 kubeconfig 文件无效。

无法连接到服务器:x509: certificate signed by unknown authority