k8s集群更新证书(kubeadm方式部署的集群)
# 特别注意:证书到期前替换!!!
1. 先查看有哪些证书即将过期
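# List the "Not Before"/"Not After" lines of every certificate under the kubeadm PKI
# directory (-maxdepth 2 also covers pki/etcd/), then the expiry of the client
# certificate embedded in each kubeconfig. Run as root on a control-plane node.
# NUL-delimited find + read -r instead of an unquoted `find` substitution, so a path
# is never word-split or globbed; the original had lost the `$` on $item as well.
while IFS= read -r -d '' item; do
  openssl x509 -in "$item" -text -noout | grep Not
  echo "======================${item}==============="
done < <(find /etc/kubernetes/pki -maxdepth 2 -name '*.crt' -print0)
# Brace expansion instead of parsing `ls`; skip files this node does not have.
for f in /etc/kubernetes/{admin,controller-manager,scheduler,kubelet}.conf; do
  [[ -f "$f" ]] || continue
  echo "$f"
  # --raw keeps client-certificate-data, which `config view` otherwise redacts.
  # openssl x509 parses only the first PEM block, so only the first user's
  # certificate is reported if a kubeconfig ever holds several users.
  kubectl --kubeconfig "$f" config view --raw \
    -o jsonpath='{range .users[*]}{.user.client-certificate-data}{end}' \
    | base64 -d | openssl x509 -enddate -noout
done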
2. 备份
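# Back up everything the renewal overwrites. /etc/kubernetes/pki holds the CA and
# service-account private keys: -a (recursive + preserve) keeps their 0600 modes and
# ownership, so the backup is no more readable than the originals. The date suffix
# had lost its `$(...)`; if a same-day backup already exists, cp nests into it.
cp -a /etc/kubernetes "/etc/kubernetes$(date "+%Y%m%d")"
# A file copy of a running etcd's data directory is not a consistent snapshot;
# `etcdctl snapshot save` is the supported way to take one. Kept as the page has it.
cp -a /var/lib/etcd /var/lib/etcd.bak
# Keep the previously rendered cluster config, if any, before regenerating it.
if [[ -f /application/kube-ops/cluster.yaml ]]; then
  cp -a /application/kube-ops/cluster.yaml "/application/kube-ops/cluster.yaml.$(date +%Y%m%d)"
fi
# `kubeadm config view` is deprecated in newer kubeadm releases; the same data is
# stored in the kubeadm-config ConfigMap in kube-system if the sub-command is gone.
kubeadm config view > /application/kube-ops/cluster.yaml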
3. 更新证书
# 三台master都要执行
# 生成证书
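# Run on every control-plane node (all three masters): each node has its own copies.
# Renew all kubeadm-managed certificates in /etc/kubernetes/pki from the saved config.
# On kubeadm 1.20+ the sub-command has graduated to `kubeadm certs renew all`.
kubeadm alpha certs renew all --config=/application/kube-ops/cluster.yaml
# Move the old kubeconfigs aside: `init phase kubeconfig` reuses an existing file it
# considers valid rather than overwriting it, so they must be out of the way.
# NOTE: the admin backup name is admin.bak (not admin.conf.bak like the others);
# kept as-is so a restore following this page finds the same file.
mv /etc/kubernetes/admin.conf /etc/kubernetes/admin.bak
mv /etc/kubernetes/controller-manager.conf /etc/kubernetes/controller-manager.conf.bak
mv /etc/kubernetes/scheduler.conf /etc/kubernetes/scheduler.conf.bak
mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.bak
# Regenerate all kubeconfig files with client certs signed by the renewed PKI.
kubeadm init phase kubeconfig all --config=/application/kube-ops/cluster.yaml
# Alternative when only the kubelet kubeconfig needs regenerating:
####kubeadm init phase kubeconfig kubelet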
4. 重启服务
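# Restart the static-pod control-plane containers so they pick up the renewed
# certificates. Assumes the docker runtime; a containerd-based node would need crictl.
# The awk field had lost its `$`; `-F ' '` is awk's default and was dropped.
# xargs -r (GNU) avoids running `docker restart` with no arguments if nothing matches.
docker ps \
  | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' \
  | awk '{print $1}' \
  | xargs -r docker restart
# Restart the kubelet on each node so it reloads its kubeconfig.
systemctl restart kubelet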
更新 kubectl 配置
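# Refresh the local kubectl credentials from the regenerated admin.conf (the `$` on
# $HOME had been lost). -i prompts before overwriting an existing config. admin.conf
# embeds a cluster-admin client certificate and key, so the copy should stay
# readable by this user only.
cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"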
5. 查看证书时间
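# Re-check after renewal: "Not Before"/"Not After" of every certificate under the
# kubeadm PKI directory (-maxdepth 2 covers pki/etcd/), then the expiry of the client
# certificate embedded in each regenerated kubeconfig. Run as root on a control-plane node.
# NUL-delimited find + read -r instead of an unquoted `find` substitution, so a path
# is never word-split or globbed; the original had lost the `$` on $item as well.
while IFS= read -r -d '' item; do
  openssl x509 -in "$item" -text -noout | grep Not
  echo "======================${item}==============="
done < <(find /etc/kubernetes/pki -maxdepth 2 -name '*.crt' -print0)
# Brace expansion instead of parsing `ls`; skip files this node does not have.
for f in /etc/kubernetes/{admin,controller-manager,scheduler,kubelet}.conf; do
  [[ -f "$f" ]] || continue
  echo "$f"
  # --raw keeps client-certificate-data, which `config view` otherwise redacts.
  # openssl x509 parses only the first PEM block, so only the first user's
  # certificate is reported if a kubeconfig ever holds several users.
  kubectl --kubeconfig "$f" config view --raw \
    -o jsonpath='{range .users[*]}{.user.client-certificate-data}{end}' \
    | base64 -d | openssl x509 -enddate -noout
done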