kubeadm更新ca证书
转载是谁的,已经忘记
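# Check when the cluster certificates expire.
# NOTE(review): newer kubeadm releases expose these subcommands without the
# `alpha` prefix (`kubeadm certs ...`, `kubeadm kubeconfig ...`); check
# `kubeadm --help` on the installed version.
kubeadm alpha certs check-expiration
# Or inspect a single certificate directly with openssl.
openssl x509 -in ca.crt -noout -dates

# Method 1: let kubeadm rotate the certificates as part of a cluster upgrade.
kubeadm upgrade apply --certificate-renewal v1.15.2

# Method 2: regenerate and replace the certificates manually with kubeadm.
# Back up the old certificates and kubeconfigs first.
# The backup holds private keys (pki/*.key, including the CA key) and the
# admin credential, so the directory is created root-only and `cp -a` keeps
# the original modes and ownership. If mkdir fails because the directory
# already exists, move the earlier backup aside instead of overwriting it.
mkdir -m 700 /etc/kubernetes.bak
cp -a /etc/kubernetes/pki/ /etc/kubernetes.bak
cp -a /etc/kubernetes/*.conf /etc/kubernetes.bak

# Reissue the certificates.
# `renew` reissues the certificates signed by the cluster CAs; it does not
# replace the CA certificate (ca.crt) itself, so check the CA expiry
# separately with the openssl command above.
kubeadm alpha certs renew all --config kubeadm.yaml

# Regenerate the kubeconfig files.
# This first form only prints a kubeconfig for client name `admin` to stdout.
# The output embeds a client private key, so do not run it where the terminal
# is logged or shared.
kubeadm alpha kubeconfig user --client-name=admin

# Each file is written to a sibling *.new file and moved into place only when
# kubeadm succeeds. Redirecting straight onto the live file would truncate it
# before kubeadm runs and leave an empty kubeconfig on failure.
# umask 077 keeps the new files readable by root only.
umask 077

# admin.conf carries O=system:masters, i.e. unrestricted cluster-admin.
# Treat every copy of it (including the backup) as a secret.
kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin > /etc/kubernetes/admin.conf.new &&
  mv /etc/kubernetes/admin.conf.new /etc/kubernetes/admin.conf

kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf.new &&
  mv /etc/kubernetes/controller-manager.conf.new /etc/kubernetes/controller-manager.conf

# The client name must match the registered node name.
# NOTE(review): $(hostname) is only correct if the node was registered under
# its hostname; kubeadm-managed kubelets normally rotate their own client
# certificate, so confirm kubelet.conf really needs rewriting.
kubeadm alpha kubeconfig user --org system:nodes --client-name "system:node:$(hostname)" > /etc/kubernetes/kubelet.conf.new &&
  mv /etc/kubernetes/kubelet.conf.new /etc/kubernetes/kubelet.conf

kubeadm alpha kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf.new &&
  mv /etc/kubernetes/scheduler.conf.new /etc/kubernetes/scheduler.conf

# Alternative way to regenerate the kubeconfigs:
# kubeadm init phase kubeconfig all --config kubeadm.yaml

# Step 4): Copy certs/kubeconfigs and restart Kubernetes services.
# Afterwards re-run `kubeadm alpha certs check-expiration` to confirm the new
# dates, and remove or lock away /etc/kubernetes.bak once it is not needed.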
补充
# Show help for the certificate subcommands.
kubeadm alpha certs --help
# Show certificate expiry dates. Verified: on v1.17.3 the default CA
# certificate is valid for 10 years.
kubeadm alpha certs check-expiration
# Show help for the renew command.
kubeadm alpha certs renew --help
# Renew all certificates (back up /etc/kubernetes first; the control-plane
# components have to be restarted before they use the new files).
kubeadm alpha certs renew all
# Read the validity dates straight from a certificate file.
openssl x509 -noout -dates -in ca.crt