查看证书有效期
# Show the validity window of the api-server certificate: the only lines of the
# decoded certificate that contain "Not" are "Not Before" and "Not After".
openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt | grep Not
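#######################################
# Print the validity window of every *.crt below a kubeadm pki directory.
# Replaces the backtick/word-splitting loop: paths come from a NUL-delimited
# find and are quoted everywhere, so names with spaces cannot break the loop.
# Arguments: $1 - pki directory (default /etc/kubernetes/pki)
# Outputs:   one banner line per certificate followed by its
#            "Not Before" / "Not After" lines, on stdout
# Returns:   0, or 1 if the directory does not exist
#######################################
list_cert_validity() {
  local pki_dir=${1:-/etc/kubernetes/pki}
  local tls
  if [[ ! -d "$pki_dir" ]]; then
    printf 'no such directory: %s\n' "$pki_dir" >&2
    return 1
  fi
  while IFS= read -r -d '' tls; do
    printf '===============%s===============\n' "$tls"
    # -noout suppresses the PEM dump; grep keeps only the validity lines
    openssl x509 -in "$tls" -noout -text | grep Not
  done < <(find "$pki_dir" -maxdepth 2 -name '*.crt' -print0)
}

list_cert_validity /etc/kubernetes/pki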
===============/etc/kubernetes/pki/front-proxy-ca.crt===============
Not Before: Aug 7 06:10:58 2020 GMT
Not After : Aug 5 06:10:58 2030 GMT
===============/etc/kubernetes/pki/etcd/server.crt===============
Not Before: Aug 7 06:10:57 2020 GMT
Not After : Mar 10 02:49:33 2022 GMT
===============/etc/kubernetes/pki/etcd/healthcheck-client.crt===============
Not Before: Aug 7 06:10:57 2020 GMT
Not After : Mar 10 02:49:33 2022 GMT
===============/etc/kubernetes/pki/etcd/ca.crt===============
Not Before: Aug 7 06:10:57 2020 GMT
Not After : Aug 5 06:10:57 2030 GMT
===============/etc/kubernetes/pki/etcd/peer.crt===============
Not Before: Aug 7 06:10:57 2020 GMT
Not After : Mar 10 02:49:34 2022 GMT
===============/etc/kubernetes/pki/apiserver-etcd-client.crt===============
Not Before: Aug 7 06:10:57 2020 GMT
Not After : Mar 10 02:49:34 2022 GMT
===============/etc/kubernetes/pki/ca.crt===============
Not Before: Aug 7 06:10:58 2020 GMT
Not After : Aug 5 06:10:58 2030 GMT
===============/etc/kubernetes/pki/apiserver-kubelet-client.crt===============
Not Before: Aug 7 06:10:58 2020 GMT
Not After : Mar 10 02:49:35 2022 GMT
===============/etc/kubernetes/pki/front-proxy-client.crt===============
Not Before: Aug 7 06:10:58 2020 GMT
Not After : Mar 10 02:49:33 2022 GMT
===============/etc/kubernetes/pki/apiserver.crt===============
Not Before: Aug 7 06:10:58 2020 GMT
Not After : Mar 10 02:49:34 2022 GMT
################# master ###################
1、备份已有配置
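# 1. Back up the existing configuration.
# -a (instead of -r) keeps ownership, mode bits and timestamps: pki/ holds the
# CA and component private keys, so the copy must stay as tightly permissioned
# as the original. Refuse to run if the target already exists, otherwise cp
# would silently nest a second copy inside it.
backup=/etc/kubernetes_old
if [[ -e "$backup" ]]; then
  printf 'backup target %s already exists; refusing to overwrite\n' "$backup" >&2
else
  cp -a -- /etc/kubernetes "$backup"
fi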
2、获取集群配置
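# 2. Obtain the cluster configuration.
# If the certificates are about to expire but are still valid, kubeadm can read
# the configuration from the cluster. The shell creates kubeadm-upgrade.yaml
# before kubeadm runs, so a failed command (e.g. certificates already expired)
# would otherwise leave an empty file that the renew step would then consume:
# check the status and remove the empty file on failure.
if kubeadm config view > kubeadm-upgrade.yaml; then
  printf 'cluster config saved to kubeadm-upgrade.yaml\n'
else
  rm -f -- kubeadm-upgrade.yaml
  # If the certificates have already expired, write the configuration by hand.
  # This is the template from the original page; adjust it to the cluster
  # (vim kubeadm-upgrade.yaml) before continuing.
  cat > kubeadm-upgrade.yaml <<'EOF'
apiVersion: kubeadm.k8s.io/v1beta1
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.13.0
EOF
  printf 'kubeadm config view failed; template written to kubeadm-upgrade.yaml, edit it before continuing\n' >&2
fi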
3、更新所有证书
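# 3. Renew all certificates from the configuration file.
# This renews the component (leaf) certificates; the CA certificates keep their
# own validity (the 2030 dates in the listing above). On kubeadm >= 1.20 the
# subcommand is `kubeadm certs renew all`; the page targets v1.13, where it is
# still under `alpha`. Do not continue to the kubeconfig rewrite if this fails.
kubeadm alpha certs renew all --config kubeadm-upgrade.yaml || exit 1
# Check the validity window again.
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep ' Not '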
4、更新集群配置
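# 4. Regenerate the cluster kubeconfig files.
node_name=''    # <节点名称>: must match the name the kubelet registers with (see note below)
cluster_vip=''  # <集群VIP>
: "${node_name:?set node_name (节点名称) first}"
: "${cluster_vip:?set cluster_vip (集群VIP) first}"

# Delete the existing kubeconfigs (step 1 backed them up) -- but only if that
# backup really exists, since nothing else holds these files afterwards.
if [[ ! -d /etc/kubernetes_old ]]; then
  printf 'backup /etc/kubernetes_old is missing; aborting\n' >&2
  exit 1
fi
rm -f -- /etc/kubernetes/*.conf

# Regenerate all kubeconfigs from the configuration file.
kubeadm init phase kubeconfig all --config kubeadm-upgrade.yaml \
  --node-name "$node_name" --apiserver-advertise-address "$cluster_vip"

# Refresh the kubectl config. admin.conf is a cluster-admin credential: give it
# to the invoking user and keep it readable by that user only.
# `command cp` bypasses any `cp -i` alias (what the original `\cp` did).
mkdir -p -- "$HOME/.kube"
command cp -f -- /etc/kubernetes/admin.conf "$HOME/.kube/config"
chown "$(id -u):$(id -g)" "$HOME/.kube/config"
chmod 600 "$HOME/.kube/config"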
5、重启核心组件容器
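# 5. Restart the control-plane containers so they pick up the renewed
# certificates. Docker's name filter replaces the grep/awk pipeline; several
# --filter name= values are OR-ed. xargs -r (GNU) skips the restart when
# nothing matched instead of running a bare `docker restart`.
docker ps -q \
  --filter name=k8s_kube-apiserver \
  --filter name=k8s_kube-controller-manager \
  --filter name=k8s_kube-scheduler \
  --filter name=k8s_etcd_etcd \
  | xargs -r docker restart
systemctl restart kubelet

# Verify that the node and all services are healthy.
kubectl get nodes
kubectl get pods --all-namespaces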
注意:kubelet.conf 中 <nodeName> 的值必须与 kubelet 向 apiserver 注册时提供的节点名称完全匹配。(一种是传递参数 --node-name 指定节点名称,一种是修改 hostname 与 nodeName 一致)
################# node ###################
1、备份kubelet配置
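# 1. Back up the kubelet configuration.
# -p keeps mode, ownership and timestamps: kubelet.conf carries the node's
# client credentials, so the backup must not end up more readable than the
# original. `--` guards against option-looking paths.
cp -p -- /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf_bak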
2、更新kubelet配置
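# 2. Regenerate and install the node's kubelet configuration (run on the master).
node_name=''    # <节点名称>: also used as the ssh/scp host, as on the original page
cluster_vip=''  # <集群VIP>
: "${node_name:?set node_name (节点名称) first}"
: "${cluster_vip:?set cluster_vip (集群VIP) first}"

# Generate into a private, unpredictable directory rather than /tmp/: the
# generated kubelet.conf carries the node's client credentials and /tmp/ is
# world-readable. The trap removes the file once it has been copied.
tmpdir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$tmpdir"' EXIT

# Regenerate the node's kubelet kubeconfig.
kubeadm init phase kubeconfig kubelet --node-name "$node_name" \
  --kubeconfig-dir "$tmpdir" --apiserver-advertise-address "$cluster_vip"

# Copy it to the node (-p keeps the 0600 mode kubeadm set).
scp -p "$tmpdir/kubelet.conf" "root@$node_name:/etc/kubernetes/"

# Restart the kubelet on the node.
ssh "root@$node_name" systemctl restart kubelet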
################# crontab ###################
注意:在首次升级完证书后,证书到期需要手动重启kubelet,否则kubelet无法识别新证书,
并且在到期之前重启是无效的,这将要求我们必须卡在那个到期时间点重启,否则影响集群使用,
此问题目前尚未定位到根因,所以使用临时方案添加定时任务 crontab,注意事项:
1、证书有效期时间时区为+0000,我们设置定时任务需要根据系统时区计算实际时间
2、定时任务时间大于到期时间,最好就是到期后下一分钟
3、定时任务需要设置所有节点,并且核对所有节点系统时间
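# Show the system time and timezone plus the current crontab. The certificate
# dates above are GMT (+0000); convert the expiry to the system's local time
# before scheduling, and verify the clock on every node.
date -R && crontab -l

# Compute the restart time and add it with `crontab -e`. The page's example,
# a restart at 13:42 on 21 May, should read:
#
#   42 13 21 5 * systemctl restart kubelet
#
# Keep the day-of-week field as '*'. The original line ended in '5 5': when
# both day-of-month and day-of-week are restricted, cron runs the job when
# EITHER matches, so kubelet would also have been restarted every Friday at
# 13:42. Even with '*' the entry repeats every year on that date, so remove it
# once it has fired.
crontab -e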
实战日志(以下通过更改系统时间,模拟证书过期)
[root@192 k8s]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep 'Not After'
Not After : Apr 12 07:01:12 2022 GMT
[root@192 k8s]# ls /etc/kubernetes
admin.conf controller-manager.conf kubelet.conf manifests pki scheduler.conf
[root@192 k8s]# date -s "2022-3-12"
Sat Mar 12 00:00:00 PST 2022
[root@192 k8s]# kubectl get pod --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
ingress-nginx nginx-ingress-controller-77b474c665-lh8tt 1/1 Running 0 334d
kube-system coredns-86c58d9df4-7bq94 1/1 Running 0 334d
kube-system coredns-86c58d9df4-dm6jb 1/1 Running 0 334d
kube-system etcd-192.168.73.129 1/1 Running 0 334d
kube-system heapster-7856548f99-2l8fp 1/1 Running 0 334d
kube-system kube-apiserver-192.168.73.129 1/1 Running 0 334d
kube-system kube-controller-manager-192.168.73.129 1/1 Running 0 334d
kube-system kube-flannel-ds-amd64-qcmbq 1/1 Running 0 334d
kube-system kube-proxy-kh7xn 1/1 Running 0 334d
kube-system kube-scheduler-192.168.73.129 1/1 Running 0 334d
kube-system nvidia-device-plugin-daemonset-6xzxj 1/1 Running 0 334d
[root@192 k8s]#
[root@192 k8s]# kubeadm config view > kubeadm-upgrade.yaml
[root@192 k8s]# kubeadm alpha certs renew all --config kubeadm-upgrade.yaml
[root@192 k8s]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep 'Not After'
Not After : Mar 12 08:00:22 2023 GMT
[root@192 k8s]#
[root@192 k8s]# rm -rf /etc/kubernetes/*.conf
[root@192 k8s]# kubeadm init phase kubeconfig all --config kubeadm-upgrade.yaml --node-name 192.168.73.129
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[root@192 k8s]#
[root@192 k8s]# \cp /etc/kubernetes/admin.conf $HOME/.kube/config
[root@192 k8s]# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd'
85a67efc7369 f1ff9b7e3d6e "kube-apiserver --au…" 9 months ago Up 9 months k8s_kube-apiserver_kube-apiserver-......
66a23ae913ac 3cab8e1b9802 "etcd --advertise-cl…" 9 months ago Up 9 months k8s_etcd_etcd-......
f614aae9b68f 9508b7d8008d "kube-scheduler --ad…" 9 months ago Up 9 months k8s_kube-scheduler_kube-scheduler-......
fb9d59c857ee d82530ead066 "kube-controller-man…" 9 months ago Up 9 months k8s_kube-controller-manager_kube-controller-manager-......
[root@192 k8s]# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart
b53d7fb8e1db
c7b6ae222bc1
15707e4219d9
110e23ea3b00
[root@192 k8s]# date -s "2023-2-12" Sun Feb 12 00:00:00 PST 2023
[root@192 k8s]# systemctl restart kubelet
[root@192 k8s]# kubectl get pod --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
ingress-nginx nginx-ingress-controller-77b474c665-lh8tt 1/1 Running 0 671d
kube-system coredns-86c58d9df4-7bq94 1/1 Running 0 671d
kube-system coredns-86c58d9df4-dm6jb 1/1 Running 0 671d
kube-system etcd-192.168.73.129 1/1 Running 0 671d
kube-system heapster-7856548f99-2l8fp 1/1 Running 0 671d
kube-system kube-apiserver-192.168.73.129 1/1 Running 0 671d
kube-system kube-controller-manager-192.168.73.129 1/1 Running 0 671d
kube-system kube-flannel-ds-amd64-qcmbq 1/1 Running 0 671d
kube-system kube-proxy-kh7xn 1/1 Running 0 671d
kube-system kube-scheduler-192.168.73.129 1/1 Running 0 671d
kube-system nvidia-device-plugin-daemonset-6xzxj 1/1 Running 0 671d
[root@192 k8s]# kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.73.129 Ready master 671d v1.13.0
参考>>> https://blog.csdn.net/lihongbao80/article/details/109001639
作者:Leozhanggg
出处:https://www.cnblogs.com/leozhanggg/p/14648636.html
本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接,否则保留追究法律责任的权利。