Checking certificate expiry in k8s
openssl x509 -in kubernetes.pem -text -noout
openssl x509 -in etcd.pem -text -noout
openssl x509 -in kube-proxy.pem -text -noout
Viewing all certificates
[root@master ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 05, 2023 10:53 UTC   364d            ca                      no
apiserver                  Mar 05, 2023 10:53 UTC   364d            ca                      no
apiserver-etcd-client      Mar 05, 2023 10:53 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Mar 05, 2023 10:53 UTC   364d            ca                      no
controller-manager.conf    Mar 05, 2023 10:53 UTC   364d            ca                      no
etcd-healthcheck-client    Mar 05, 2023 10:53 UTC   364d            etcd-ca                 no
etcd-peer                  Mar 05, 2023 10:53 UTC   364d            etcd-ca                 no
etcd-server                Mar 05, 2023 10:53 UTC   364d            etcd-ca                 no
front-proxy-client         Mar 05, 2023 10:53 UTC   364d            front-proxy-ca          no
scheduler.conf             Mar 05, 2023 10:53 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 02, 2032 10:53 UTC   9y              no
etcd-ca                 Mar 02, 2032 10:53 UTC   9y              no
front-proxy-ca          Mar 02, 2032 10:53 UTC   9y              no
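The table above is easy to read by eye but not to alert on. The following script, added here as an example and not part of the original note, parses the output of `kubeadm certs check-expiration` and prints every certificate or CA whose RESIDUAL TIME is at or below a threshold in days, so it can run from cron on a control-plane node. The sample output embedded in it is constructed to mirror the table above, with apiserver shortened to 20d and etcd-server already expired (kubeadm prints `<invalid>` for an expired certificate); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original note): flag certificates in the
# output of `kubeadm certs check-expiration` whose residual time is at or
# below a threshold. SAMPLE_OUTPUT is constructed for offline use.
SAMPLE_OUTPUT='[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 05, 2023 10:53 UTC   364d            ca                      no
apiserver                  Mar 05, 2023 10:53 UTC   20d             ca                      no
etcd-server                Mar 05, 2023 10:53 UTC   <invalid>       etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 02, 2032 10:53 UTC   9y              no'

# residual_to_days TOKEN: convert a RESIDUAL TIME token into whole days.
# "9y" -> 3285, "364d" -> 364, "23h"/"5m"/"3s" -> 0, "<invalid>" -> -1.
residual_to_days() {
    case "$1" in
        '<invalid>') printf '%d\n' -1 ;;
        *y)          printf '%d\n' "$(( ${1%y} * 365 ))" ;;
        *d)          printf '%d\n' "${1%d}" ;;
        *h|*m|*s)    printf '%d\n' 0 ;;
        *)           printf '%d\n' -1 ;;   # unknown token: treat as needing attention
    esac
}

# expiring_certs THRESHOLD_DAYS: read check-expiration output on stdin and print
# "<name> <days>" for each certificate or CA at or below the threshold.
# Log lines ("[check-expiration] ..."), both table headers and blank lines are skipped.
# The EXPIRES column is five whitespace-separated fields, so the residual token is field 7.
expiring_certs() {
    threshold="$1"
    while read -r name mon day year hhmm tz residual rest; do
        case "$name" in
            ''|CERTIFICATE|\[*) continue ;;
        esac
        days=$(residual_to_days "$residual")
        if [ "$days" -le "$threshold" ]; then
            printf '%s %s\n' "$name" "$days"
        fi
    done
}

# On a live control-plane node: kubeadm certs check-expiration | expiring_certs 30
printf '%s\n' "$SAMPLE_OUTPUT" | expiring_certs 30
```

Run on the embedded sample with a 30-day threshold it reports `apiserver 20` and `etcd-server -1`; the 9-year CAs are left out. An expired entry deliberately sorts as -1 so it always trips the threshold, and any token the parser does not recognise is treated the same way rather than silently ignored.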
Certificate renewal procedure
Manually export the cluster configuration (while the certificates have not yet expired)
kubeadm config print init-defaults > kube-config.yaml
If the certificates have already expired, edit the configuration file kube-config.yaml in the current directory by hand:
apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
kubernetesVersion: v1.19.7
imageRepository: registry.aliyuncs.com/google_containers
Back up the existing certificate files
cp -r /etc/kubernetes/pki /etc/kubernetes/pki_backup
Renew the certificates
kubeadm certs renew all --config=kube-config.yaml
Overwrite the .kube/config file
mv /root/.kube/config /root/.kube/config.old
cp -i /etc/kubernetes/admin.conf /root/.kube/config
Note that kubelet.conf has to be regenerated, otherwise restarting the kubelet will run into problems
mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.old
kubeadm init phase kubeconfig kubelet --kubernetes-version v1.23.4
systemctl restart kubelet
systemctl status kubelet
Restart etcd, scheduler, controller-manager and apiserver
docker restart `docker ps | grep etcd | awk '{print $1}'`
docker restart `docker ps | grep kube-apiserver | awk '{print $1}'`
docker restart `docker ps | grep kube-controller | awk '{print $1}'`
docker restart `docker ps | grep kube-scheduler | awk '{print $1}'`
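The steps from the backup through the restarts are one procedure, and the two places it can go wrong quietly are an earlier backup being overwritten and a renewal that silently replaced (or failed to replace) the wrong files. The script below, added here as an example and not part of the original note, wraps those steps with a backup that refuses to clobber an existing copy and a post-renewal check that the three CA certificates are byte-identical to the backup while the leaf certificates were actually replaced. The paths and the kubeadm, kubelet and docker commands follow this note; PKI_DIR, KUBE_CONFIG, K8S_VERSION and the function names are this example's own assumptions and can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not part of the original note): the renewal steps wrapped in
# one script with a non-clobbering backup and a post-renewal verification.
set -eu

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"        # assumed default, as in the note
KUBE_CONFIG="${KUBE_CONFIG:-kube-config.yaml}"   # the file exported/edited above
K8S_VERSION="${K8S_VERSION:-v1.23.4}"            # version used for kubelet.conf above

# backup_pki SRC DEST: copy the pki directory; never overwrite an existing
# backup, since it may be the only copy of the pre-renewal certificates.
backup_pki() {
    if [ -e "$2" ]; then
        echo "backup $2 already exists, refusing to overwrite" >&2
        return 1
    fi
    cp -r "$1" "$2"
}

# verify_renewal BACKUP NEW: 'kubeadm certs renew all' must leave the CA
# certificates untouched (a changed CA breaks every client) and must replace
# the leaf certificates. Returns 0 when both hold, 1 otherwise, naming each failure.
verify_renewal() {
    backup="$1"; new="$2"; status=0
    for ca in ca.crt etcd/ca.crt front-proxy-ca.crt; do
        if ! cmp -s "$backup/$ca" "$new/$ca"; then
            echo "CA changed or missing: $ca" >&2; status=1
        fi
    done
    for leaf in apiserver.crt apiserver-kubelet-client.crt apiserver-etcd-client.crt \
                front-proxy-client.crt etcd/server.crt etcd/peer.crt; do
        if [ ! -f "$new/$leaf" ] || cmp -s "$backup/$leaf" "$new/$leaf"; then
            echo "not renewed: $leaf" >&2; status=1
        fi
    done
    return "$status"
}

# restart_static_pod NAME: restart the matching containers, as the note does
# with `docker ps | grep`.
restart_static_pod() {
    for id in $(docker ps | grep "$1" | awk '{print $1}'); do
        docker restart "$id"
    done
}

renew_all() {
    backup="$PKI_DIR.$(date +%Y%m%d%H%M%S)"
    backup_pki "$PKI_DIR" "$backup"
    kubeadm certs renew all --config="$KUBE_CONFIG"
    verify_renewal "$backup" "$PKI_DIR"

    mv /root/.kube/config /root/.kube/config.old
    cp /etc/kubernetes/admin.conf /root/.kube/config
    # 'renew all' does not cover kubelet.conf; regenerate it as the note does.
    mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.old
    kubeadm init phase kubeconfig kubelet --kubernetes-version "$K8S_VERSION"
    systemctl restart kubelet

    for pod in etcd kube-apiserver kube-controller kube-scheduler; do
        restart_static_pod "$pod"
    done
}

# The live procedure runs only when asked for explicitly, so the file can be
# sourced for backup_pki/verify_renewal without side effects.
if [ "${1:-}" = "run" ]; then
    renew_all
fi
```

Invoke it as `sh renew.sh run` on the control-plane node. Because `set -e` is on, a refused backup or a failed verification stops the script before the kubeconfig and restart steps, which leaves the cluster in the state the backup describes rather than half-way through.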
Downloading the kubeadm source code
cd /data
git clone https://github.com/kubernetes/kubernetes.git
Modify the certificate renewal policy in the kubeadm source
Update kubeadm
cp /usr/bin/kubeadm /usr/bin/kubeadm.old
Back up the pki directory on every node
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old
Regenerate the certificates
kubeadm alpha certs renew all --config=/usr/local/install-k8s/core/kubeadmin-config.yaml