k8s 证书过期处理
问题
kubeadm 安装的集群默认签发的证书有效期为1年,到期后集群组件之间无法正常通信。控制面组件日志会有报错信息。
证书修复流程
1. 检查当前证书状态
$ kubeadm certs check-expiration [check-expiration] Reading configuration from the cluster... [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml' [check-expiration] Error reading configuration from the Cluster. Falling back to default configuration CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED admin.conf Feb 16, 2024 14:06 UTC <invalid> no apiserver Jul 01, 2024 07:38 UTC 25d ca no apiserver-etcd-client Feb 16, 2024 14:06 UTC <invalid> etcd-ca no apiserver-kubelet-client Feb 16, 2024 14:06 UTC <invalid> ca no controller-manager.conf Feb 16, 2024 14:06 UTC <invalid> no etcd-healthcheck-client Feb 16, 2024 14:06 UTC <invalid> etcd-ca no etcd-peer Feb 16, 2024 14:06 UTC <invalid> etcd-ca no etcd-server Feb 16, 2024 14:06 UTC <invalid> etcd-ca no front-proxy-client Feb 16, 2024 14:06 UTC <invalid> front-proxy-ca no scheduler.conf Feb 16, 2024 14:06 UTC <invalid> no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED ca Feb 13, 2033 14:06 UTC 8y no etcd-ca Feb 13, 2033 14:06 UTC 8y no front-proxy-ca Feb 13, 2033 14:06 UTC 8y no
2. 重新签发证书
$ kubeadm certs renew all [renew] Reading configuration from the cluster... [renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml' [renew] Error reading configuration from the Cluster. Falling back to default configuration certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed certificate for serving the Kubernetes API renewed certificate the apiserver uses to access etcd renewed certificate for the API server to connect to kubelet renewed certificate embedded in the kubeconfig file for the controller manager to use renewed certificate for liveness probes to healthcheck etcd renewed certificate for etcd nodes to communicate with each other renewed certificate for serving etcd renewed certificate for the front proxy client renewed certificate embedded in the kubeconfig file for the scheduler manager to use renewed Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
重新配置kubectl证书:
cp /etc/kubernetes/admin.conf ~/.kube/config -f
3. 重启控制面组件
由于控制面组件是由静态pod方式启动,将 /etc/kubernetes/manifests重命名,一分钟后改回,空静态pod会自动重启。
mv /etc/kubernetes/manifests /tmp/ && sleep 60 && mv /tmp/manifests /etc/kubernetes/
重新检查有效期:
$ kubeadm certs check-expiration [check-expiration] Reading configuration from the cluster... [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml' CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED admin.conf Jun 06, 2025 03:10 UTC 364d no apiserver Jun 06, 2025 03:10 UTC 364d ca no apiserver-etcd-client Jun 06, 2025 03:10 UTC 364d etcd-ca no apiserver-kubelet-client Jun 06, 2025 03:10 UTC 364d ca no controller-manager.conf Jun 06, 2025 03:10 UTC 364d no etcd-healthcheck-client Jun 06, 2025 03:10 UTC 364d etcd-ca no etcd-peer Jun 06, 2025 03:10 UTC 364d etcd-ca no etcd-server Jun 06, 2025 03:10 UTC 364d etcd-ca no front-proxy-client Jun 06, 2025 03:10 UTC 364d front-proxy-ca no scheduler.conf Jun 06, 2025 03:10 UTC 364d no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED ca Feb 13, 2033 14:06 UTC 8y no etcd-ca Feb 13, 2033 14:06 UTC 8y no front-proxy-ca Feb 13, 2033 14:06 UTC 8y no
纸上得来终觉浅,绝知此事要躬行
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
2021-06-06 NGINX配置文件详解
2021-06-06 nginx超时配置