k8s cluster certificates expired: regenerating the certificates

Re-issuing Kubernetes cluster certificates with kubeadm after they have expired

By default, the certificates of a kubeadm-deployed Kubernetes cluster expire after one year. If they are not renewed in time and expire, the Kubernetes control-plane nodes become unusable, so either upgrade the Kubernetes cluster version or renew the Kubernetes certificates in time to avoid a cluster outage caused by expired certificates.

1. Check the certificate expiry dates

$ kubeadm alpha certs check-expiration

2. Back up the existing certificates

Back up the original certificates

$ cp -r /etc/kubernetes/ /data/k8s/

Back up the etcd certificates

$ cp -r /var/lib/etcd /data/k8s/

3. Renew the certificates

Fetch the cluster configuration; if the retrieved configuration does not match the current cluster, edit it before continuing

$ kubeadm config view > cluster.yaml
$ kubeadm config view
Command "view" is deprecated, This command is deprecated and will be removed in a future release, please use 'kubectl get cm -o yaml -n kube-system kubeadm-config' to get the kubeadm config directly.
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.19.2
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}

Renew the certificates and kubeconfig files using the extracted configuration. Note: with multiple master nodes, either sync the renewed certificates to the other master nodes or run the steps above on every master node.

$ kubeadm alpha certs renew all --config=cluster.yaml
W0705 14:44:06.009866   41023 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Check the expiry dates again

$ kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 05, 2023 06:44 UTC   364d                                    no      
apiserver                  Jul 05, 2023 06:44 UTC   364d            ca                      no      
apiserver-etcd-client      Jul 05, 2023 06:44 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Jul 05, 2023 06:44 UTC   364d            ca                      no      
controller-manager.conf    Jul 05, 2023 06:44 UTC   364d                                    no      
etcd-healthcheck-client    Jul 05, 2023 06:44 UTC   364d            etcd-ca                 no      
etcd-peer                  Jul 05, 2023 06:44 UTC   364d            etcd-ca                 no      
etcd-server                Jul 05, 2023 06:44 UTC   364d            etcd-ca                 no      
front-proxy-client         Jul 05, 2023 06:44 UTC   364d            front-proxy-ca          no      
scheduler.conf             Jul 05, 2023 06:44 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 29, 2031 08:03 UTC   8y              no      
etcd-ca                 Jun 29, 2031 08:03 UTC   8y              no      
front-proxy-ca          Jun 29, 2031 08:03 UTC   8y              no      
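As an added example (not code from the original post), a small Python script that parses `kubeadm alpha certs check-expiration` output in the format shown above and flags certificates that are inside a warning window or already expired, the kind of check to run on a schedule so that expiry is caught before the control plane becomes unavailable. SAMPLE is constructed from the tables above with one row edited to an expired certificate; utc, parse_expirations and expiring_soon are names chosen here.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `kubeadm alpha certs check-expiration` output, modelled on the tables
# in this post; the apiserver-kubelet-client row was edited to an already-expired certificate
# (kubeadm prints "<invalid>" as the residual time in that case).
SAMPLE = """\
[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 05, 2023 06:44 UTC   364d                                    no
apiserver                  Jul 05, 2023 06:44 UTC   364d            ca                      no
apiserver-etcd-client      Jul 05, 2023 06:44 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Jul 05, 2022 06:44 UTC   <invalid>       ca                      no
front-proxy-client         Jul 05, 2023 06:44 UTC   364d            front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 29, 2031 08:03 UTC   8y              no
etcd-ca                 Jun 29, 2031 08:03 UTC   8y              no
front-proxy-ca          Jun 29, 2031 08:03 UTC   8y              no
"""

# A data row is the cert name followed by the EXPIRES column exactly as kubeadm prints it. The
# CERTIFICATE AUTHORITY column may be blank (admin.conf etc.), so key on the date, not on column count.
ROW = re.compile(r"^(\S+)\s+([A-Z][a-z]{2} \d{2}, \d{4} \d{2}:\d{2} UTC)\b")

def utc(day):
    """Parse 'YYYY-MM-DD' into a tz-aware UTC datetime (a fixed 'now' for reproducible checks)."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def parse_expirations(text):
    """Map cert name -> expiry datetime for every row in both tables (leaf certs and CAs)."""
    out = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # banner, blank and header lines carry no date and are skipped
            out[m.group(1)] = datetime.strptime(m.group(2), "%b %d, %Y %H:%M UTC").replace(tzinfo=timezone.utc)
    return out

def expiring_soon(text, now=None, warn_days=30):
    """[(name, whole_days_left)] for certs closer than warn_days to expiry, most urgent first; negative = expired."""
    now = now or datetime.now(timezone.utc)
    hits = []
    for name, exp in parse_expirations(text).items():
        days = int((exp - now).total_seconds() / 86400)  # truncates toward zero
        if days < warn_days:
            hits.append((name, days))
    return sorted(hits, key=lambda h: h[1])
```

Feed the live command's stdout to expiring_soon() instead of SAMPLE and alert on anything it returns; the CA rows are covered too, since a CA expiry cannot be fixed by `certs renew`.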

Update the kubeconfig file (the admin client certificate embedded in admin.conf was renewed above)

$ cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ chown $(id -u):$(id -g) $HOME/.kube/config

4. Restart the apiserver, controller-manager and scheduler Pods in kube-system

$ systemctl restart kubelet.service
posted @ 2022-07-05 14:59  兰嘉轩  views(956)  comments(0)