Kubelet证书一年过期解决方法

一.第一种解决方法

1.修改/etc/systemd/system/kube-controller-manager.service添加或者修改如下内容
--experimental-cluster-signing-duration=87600h     \

然后执行以下命令重启kube-controller-manager

systemctl daemon-reload
systemctl restart kube-controller-manager

2.执行以下步骤重新生成kubelet证书,xx.xx.xx.xx为k8s apiserver的 IP
mkdir -p /app/k8s
cd /app/k8s

export KUBE_APISERVER="https://xx.xx.xx.xx:6443"
export node_name="kube-node1" 
# 创建 token
export BOOTSTRAP_TOKEN=$(kubeadm token create \
--description kubelet-bootstrap-token \
--groups system:bootstrappers:${node_name} \
--kubeconfig ~/.kube/config)

# 设置集群参数
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/cert/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=kubelet-bootstrap-${node_name}.kubeconfig

# 设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap \
--token=${BOOTSTRAP_TOKEN} \
--kubeconfig=kubelet-bootstrap-${node_name}.kubeconfig

# 设置上下文参数
kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=kubelet-bootstrap-${node_name}.kubeconfig

# 设置默认上下文
kubectl config use-context default --kubeconfig=kubelet-bootstrap-${node_name}.kubeconfig

kubeadm token list --kubeconfig ~/.kube/config

rm -rf /etc/kubernetes/kubelet-bootstrap.kubeconfig
cp kubelet-bootstrap-${node_name}.kubeconfig /etc/kubernetes/kubelet-bootstrap.kubeconfig

rm -rf /etc/kubernetes/cert/kubelet-client*

service kubelet restart
sleep 5
kubectl get csr | awk '{print $1}' | grep -v "NAME"|xargs kubectl certificate approve

 

3.在kulebet服务器执行以下命令验证kubelet证书的有效期，如果是10年代表修改成功

cd /etc/kubernetes/cert/

openssl x509 -in kubelet-client-current.pem -noout -text | grep "Not"

kubectl get no

root@iZbp1dey0fcjb1t6dhtnadZ:[/root]cd /etc/kubernetes/cert/

root@iZbp1dey0fcjb1t6dhtnadZ:[/etc/kubernetes/cert]ls

ca-config.json  kube-controller-manager-key.pem         kubelet-client-2019-12-23-09-28-00.pem  kubelet.key         metrics-server-key.pem

ca-key.pem      kube-controller-manager.pem             kubelet-client-current.pem              kubernetes-key.pem  metrics-server.pem

ca.pem          kubelet-client-2018-12-23-00-19-36.pem  kubelet.crt                             kubernetes.pem

root@iZbp1dey0fcjb1t6dhtnadZ:[/etc/kubernetes/cert]openssl x509 -in kubelet-client-current.pem -noout -text | grep "Not"

            Not Before: Dec 23 01:23:00 2019 GMT

            Not After : Dec 20 01:23:00 2029 GMT

root@iZbp1dey0fcjb1t6dhtnadZ:[/etc/kubernetes/cert]kubectl get no

NAME            STATUS   ROLES    AGE     VERSION

192.168.1.177   Ready    <none>   169d    v1.13.1

192.168.1.178   Ready    <none>   169d    v1.13.1

192.168.1.180   Ready    <none>   169d    v1.13.1

192.168.1.183   Ready    <none>   169d    v1.13.1

192.168.1.184   Ready    <none>   169d    v1.13.1

192.168.1.186   Ready    <none>   2d18h   v1.13.1

 

二.第二种解决方法
1.修改/etc/systemd/system/kubelet.service添加如下内容
--feature-gates=RotateKubeletServerCertificate=true   --feature-gates=RotateKubeletClientCertificate=true    --rotate-certificates  \

2.修改/etc/systemd/system/kube-controller-manager.service添加如下内容
# 证书有效期为10年
--experimental-cluster-signing-duration=87600h0m0s   --feature-gates=RotateKubeletServerCertificate=true   \

3.创建自动批准相关CSR请求的ClusterRole
3.1.vim tls-instructs-csr.yaml

kind: ClusterRole

apiVersion: rbac.authorization.k8s.io/v1

metadata:

  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver

rules:

- apiGroups: ["certificates.k8s.io"]

  resources: ["certificatesigningrequests/selfnodeserver"]

  verbs: ["create"]

3.2.kubectl apply -f tls-instructs-csr.yaml

4.自动批准 kubelet-bootstrap 用户 TLS bootstrapping 首次申请证书的 CSR 请求
kubectl create clusterrolebinding node-client-auto-approve-csr --clusterrole=system:certificates.k8s.io:certificatesigningrequests:nodeclient --user=kubelet-bootstrap

5.自动批准 system:nodes 组用户更新 kubelet 10250 api 端口证书的 CSR 请求
kubectl create clusterrolebinding node-client-auto-renew-crt --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeclient --group=system:nodes

6.重启kube-controller-manager服务

systemctl daemon-reload
systemctl restart kube-controller-manager

7.进入到ssl配置目录，删除 kubelet 证书
cd /etc/kubernetes/cert
rm -f kubelet-client*.pem  kubelet.key kubelet.crt

8.重启kubelet服务
systemctl daemon-reload
systemctl restart kubelet

9.进入到ssl配置目录，查看kubelet-client证书有效期
cd /etc/kubernetes/cert
openssl x509 -in kubelet-client-current.pem -noout -text | grep "Not"
Not Before: May 13 02:36:00 2019 GMT
Not After : May 10 02:36:00 2029 GMT

 

参考:https://blog.csdn.net/qq_24794401/article/details/103245796