k8s自签证书过期x509: certificate has expired or is not yet valid报错

问题表现

使用kubelet get node后报错,x509: certificate has expired or is not yet valid,提示证书过期。

[root@master ~]# kubectl get node
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-02-17T09:56:22+08:00 is after 2023-01-12T10:42:07Z

问题排查

集群是由kubeadm创建。但是它创建的apiserver、controller-manager等证书默认只有一年的有效期，同时kubelet 证书也只有一年有效期，一年之后kubernetes将停止服务。

官方文档:
https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/

问题解决

#查看证书到期时间
kubeadm certs check-expiration

#更新自签证书
kubeadm certs renew all

#复制配置
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

#之后重启kubelet,docker（master与node都要重启）
systemctl restart docker
systemctl restart kubelet