Renewing Kubernetes certificates after they expire

1. Running a command returns an error

[root@k8s-master ~]# kubectl -version
Error: invalid argument "ersion" for "-v, --v" flag: strconv.ParseInt: parsing "ersion": invalid syntax
See 'kubectl --help' for usage.
[root@k8s-master ~]# kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.4", GitCommit:"d360454c9bcd1634cf4cc52d1867af5491dc9c5f", GitTreeState:"clean", BuildDate:"2020-11-11T13:17:17Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"}
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2022-08-10T20:36:58+08:00 is after 2022-03-23T13:56:31Z

2. Check the current certificate expiry dates; every certificate has expired

[root@k8s-master ~]# kubeadm alpha certs check-expiration
[kubelet.config.k8s.io kubeproxy.config.k8s.io]
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 23, 2022 13:56 UTC   <invalid>                               no     
apiserver                  Mar 23, 2022 13:56 UTC   <invalid>       ca                      no     
apiserver-etcd-client      Mar 23, 2022 13:56 UTC   <invalid>       etcd-ca                 no     
apiserver-kubelet-client   Mar 23, 2022 13:56 UTC   <invalid>       ca                      no     
controller-manager.conf    Mar 23, 2022 13:56 UTC   <invalid>                               no     
etcd-healthcheck-client    Mar 23, 2022 13:56 UTC   <invalid>       etcd-ca                 no     
etcd-peer                  Mar 23, 2022 13:56 UTC   <invalid>       etcd-ca                 no     
etcd-server                Mar 23, 2022 13:56 UTC   <invalid>       etcd-ca                 no     
front-proxy-client         Mar 23, 2022 13:56 UTC   <invalid>       front-proxy-ca          no     
scheduler.conf             Mar 23, 2022 13:56 UTC   <invalid>                               no     
 
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 21, 2031 13:56 UTC   8y              no     
etcd-ca                 Mar 21, 2031 13:56 UTC   8y              no     
front-proxy-ca          Mar 21, 2031 13:56 UTC   8y              no     

3. Renew all certificates

[root@k8s-master ~]# kubeadm alpha certs renew all
[root@k8s-master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
 
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 10, 2023 12:39 UTC   364d                                    no     
apiserver                  Aug 10, 2023 12:39 UTC   364d            ca                      no     
apiserver-etcd-client      Aug 10, 2023 12:39 UTC   364d            etcd-ca                 no     
apiserver-kubelet-client   Aug 10, 2023 12:39 UTC   364d            ca                      no     
controller-manager.conf    Aug 10, 2023 12:39 UTC   364d                                    no     
etcd-healthcheck-client    Aug 10, 2023 12:39 UTC   364d            etcd-ca                 no     
etcd-peer                  Aug 10, 2023 12:39 UTC   364d            etcd-ca                 no     
etcd-server                Aug 10, 2023 12:39 UTC   364d            etcd-ca                 no     
front-proxy-client         Aug 10, 2023 12:39 UTC   364d            front-proxy-ca          no     
scheduler.conf             Aug 10, 2023 12:39 UTC   364d                                    no     
 
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 21, 2031 13:56 UTC   8y              no     
etcd-ca                 Mar 21, 2031 13:56 UTC   8y              no     
front-proxy-ca          Mar 21, 2031 13:56 UTC   8y              no     
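
The outage in step 1 can be caught ahead of time by checking expiry on a schedule. The following is an added example, not part of the original post: it scans certificate files and the client certificates embedded in kubeconfig files; the function names and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example: report control-plane certificates that are expired or will
# expire within DAYS days, covering PEM files and kubeconfig-embedded certs.

# _flag NAME SECS: read one PEM certificate on stdin; print "NAME<TAB>notAfter"
# when it is expired, expires within SECS seconds, or cannot be parsed.
_flag() {
    pem=$(cat)
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend "$2" >/dev/null 2>&1; then
        end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%s\t%s\n' "$1" "${end:-unreadable}"
    fi
}

# expiring_certs DIR [DAYS]: prints one line per flagged certificate and
# returns 1 if any were flagged, 0 otherwise. DAYS defaults to 30.
expiring_certs() {
    dir=$1; secs=$(( ${2:-30} * 86400 ))
    flagged=$(
        # Certificates stored as files (apiserver.crt, etcd/server.crt, ...)
        find "$dir" -name '*.crt' | sort | while IFS= read -r f; do
            _flag "${f#"$dir"/}" "$secs" < "$f"
        done
        # kubeconfig files (admin.conf, scheduler.conf, ...) embed the client
        # certificate as base64 in client-certificate-data.
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            b64=$(awk '/client-certificate-data:/ {print $2; exit}' "$f")
            [ -n "$b64" ] || continue
            printf '%s' "$b64" | base64 -d | _flag "${f#"$dir"/}" "$secs"
        done
    )
    [ -z "$flagged" ] && return 0
    printf '%s\n' "$flagged"
    return 1
}
```

On the control-plane node from this post it would be called as `expiring_certs /etc/kubernetes 30`, and the non-zero exit status can drive an alert.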

4. Restart the apiserver, scheduler and controller-manager containers

docker ps | grep apiserver
docker ps | grep scheduler
docker ps | grep controller-manager
 
docker restart containerID

5. Update the kubectl certificate

cp /etc/kubernetes/admin.conf ~/.kube/config

6. Update the kubelet certificate

[root@k8s-master pki]# cd  /var/lib/kubelet/pki/
[root@k8s-master pki]# openssl x509 -in kubelet.crt -text -noout
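[root@k8s-master pki]# openssl genrsa -out kubelet.key 2048
# The session as posted has no step that creates kubelet.csr; the next line fills that gap.
# Its subject assumes the node is registered as k8s-master (the hostname in the prompt).
[root@k8s-master pki]# openssl req -new -key kubelet.key -out kubelet.csr -subj "/O=system:nodes/CN=system:node:k8s-master"
[root@k8s-master pki]# openssl x509 -req -in kubelet.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -out kubelet.crt -days 3600 -CAcreateserial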
[root@k8s-master pki]# cat kubelet.crt > kubelet-client-2021-03-23-21-56-34.pem
[root@k8s-master pki]# cat kubelet.key >> kubelet-client-2021-03-23-21-56-34.pem
[root@k8s-master pki]# cat /etc/kubernetes/pki/ca.crt |base64
[root@k8s-master pki]# vim /etc/kubernetes/kubelet.conf
certificate-authority-data: <base64 output of the previous command, joined into one line>
[root@k8s-master ~]# systemctl restart kubelet
[root@k8s-master ~]# systemctl status kubelet
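
Before restarting kubelet in step 6, the hand-signed bundle can be checked for the three things that most often go wrong: the signing CA, the subject, and the key pairing. This is an added example, not part of the original post; the function name is an assumption, and the node name is passed in by the caller.

```shell
#!/bin/sh
# Added example: sanity-check a hand-signed kubelet client bundle
# (certificate followed by private key in one PEM file).

# verify_kubelet_cert BUNDLE CA_CERT NODE_NAME
# Prints the first failed check and returns 1, or prints "ok" and returns 0.
verify_kubelet_cert() {
    bundle=$1; ca=$2; node=$3

    # 1. The certificate must chain to the cluster CA and be within its validity window.
    if ! openssl verify -CAfile "$ca" "$bundle" >/dev/null 2>&1; then
        echo "FAIL: certificate does not verify against $ca"; return 1
    fi

    # 2. Node authorization expects O=system:nodes and CN=system:node:<nodeName>.
    #    Commas are added at both ends so each component is matched whole.
    subj=",$(openssl x509 -in "$bundle" -noout -subject -nameopt RFC2253 |
             sed 's/^subject= *//'),"
    case $subj in
        *",O=system:nodes,"*) ;;
        *) echo "FAIL: subject lacks O=system:nodes"; return 1 ;;
    esac
    case $subj in
        *",CN=system:node:$node,"*) ;;
        *) echo "FAIL: CN is not system:node:$node"; return 1 ;;
    esac

    # 3. The private key in the bundle must belong to the certificate.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey)
    key_pub=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$bundle" |
              openssl pkey -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate"; return 1
    fi

    echo "ok"
}
```

With `-days 3600` as in step 6, the new certificate's notAfter can fall later than the CA's own expiry shown in step 2 (Mar 21, 2031); the certificate stops verifying once the CA expires.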

  

  

  

  

  

  

Posted by 百衲本