自建K8S集群认证过期

今天使用kubectl命令查看pod信息时,一直正常运行的k8s集群突然不能访问了,输入任何命令都提示以下报错:
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2025-01-25T11:35:45+08:00 is after 2024-11-22T23:44:48Z

解决方案:

参考官方文档: kubeadm证书管理 使用命令kubeadm alpha certs 来管理证书:

  1. 使用命令kubeadm alpha certs renew all更新证书,返回
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
  1. 使用如下命令拷贝新生成的配置文件
sudo kubeadm alpha kubeconfig user --client-name=admin --org=system:masters > /tmp/admin.conf
sudo cp /tmp/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
  1. 重启kubeletsystemctl restart kubelet 即可正常使用K8S集群
[root@k8smaster k8s]# kubectl get po
NAME READY STATUS RESTARTS AGE
cron-job-test-1732318920-k2g76 0/1 Completed 0 63d
cron-job-test-1732318980-kcr4x 0/1 Completed 0 63d
cron-job-test-1732319040-b88rf 0/1 Completed 0 63d
  1. 再次查看证书到期情况
[root@k8smaster k8s]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jan 25, 2026 05:55 UTC 364d no
apiserver Jan 25, 2026 05:55 UTC 364d ca no
apiserver-etcd-client Jan 25, 2026 05:55 UTC 364d etcd-ca no
apiserver-kubelet-client Jan 25, 2026 05:55 UTC 364d ca no
controller-manager.conf Jan 25, 2026 05:55 UTC 364d no
etcd-healthcheck-client Jan 25, 2026 05:55 UTC 364d etcd-ca no
etcd-peer Jan 25, 2026 05:55 UTC 364d etcd-ca no
etcd-server Jan 25, 2026 05:55 UTC 364d etcd-ca no
front-proxy-client Jan 25, 2026 05:55 UTC 364d front-proxy-ca no
scheduler.conf Jan 25, 2026 05:55 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Nov 20, 2033 23:44 UTC 8y no
etcd-ca Nov 20, 2033 23:44 UTC 8y no
front-proxy-ca Nov 20, 2033 23:44 UTC 8y no

注意事项:

官网上给的命令是kubeadm certs check-expiration,标识的k8s版本是V1.15,直接在本地执行该命令报错:

[root@k8smaster k8s]# kubeadm certs check-expiration
unknown command "certs" for "kubeadm"
To see the stack trace of this error execute with --v=5 or higher

查了下,我本地的k8s版本是1.19,certs命令放在了 kubeadm alpha下,需要将kubeadm certs 替换为 kubeadm aplha certs 执行即可

[root@k8smaster k8sh]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.5", GitCommit:"e338cf2c6d297aa603b50ad3a301f761b4173aa6", GitTreeState:"clean", BuildDate:"2020-12-09T11:16:40Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"}
[root@k8smaster k8s]# kubeadm --help
┌──────────────────────────────────────────────────────────┐
│ KUBEADM │
│ Easily bootstrap a secure Kubernetes cluster │
│ │
│ Please give us feedback at: │
│ https://github.com/kubernetes/kubeadm/issues │
└──────────────────────────────────────────────────────────┘
Example usage:
Create a two-machine cluster with one control-plane node
(which controls the cluster), and one worker node
(where your workloads, like Pods and Deployments run).
┌──────────────────────────────────────────────────────────┐
│ On the first machine: │
├──────────────────────────────────────────────────────────┤
│ control-plane# kubeadm init │
└──────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────┐
│ On the second machine: │
├──────────────────────────────────────────────────────────┤
│ worker# kubeadm join <arguments-returned-from-init> │
└──────────────────────────────────────────────────────────┘
You can then repeat the second step on as many other machines as you like.
Usage:
kubeadm [command]
Available Commands:
alpha Kubeadm experimental sub-commands
completion Output shell completion code for the specified shell (bash or zsh)
config Manage configuration for a kubeadm cluster persisted in a ConfigMap in the cluster
help Help about any command
init Run this command in order to set up the Kubernetes control plane
join Run this on any machine you wish to join an existing cluster
reset Performs a best effort revert of changes made to this host by 'kubeadm init ' or 'kubeadm join'
token Manage bootstrap tokens
upgrade Upgrade your cluster smoothly to a newer version with this command
version Print the version of kubeadm
Flags:
--add-dir-header If true, adds the file directory to the header of the lo g messages
-h, --help help for kubeadm
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesyst em.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm [command] --help" for more information about a command.
[root@k8smaster k8s]# kubectl alpha --help
These commands correspond to alpha features that are not enabled in Kubernetes
clusters by default.
Available Commands:
debug Attach a debug container to a running pod
Use "kubectl <command> --help" for more information about a given command.
[root@k8smaster k8s]# kubeadm alpha --help
Kubeadm experimental sub-commands
Usage:
kubeadm alpha [command]
Available Commands:
certs Commands related to handling kubernetes certificates
kubeconfig Kubeconfig file utilities
selfhosting Make a kubeadm cluster self-hosted
Flags:
-h, --help help for alpha
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Additional help topics:
kubeadm alpha phase Invoke subsets of kubeadm functions separately for a manual install
Use "kubeadm alpha [command] --help" for more information about a command.

posted on   wenha  阅读(19)  评论(0编辑  收藏  举报

相关博文:
阅读排行:
· DeepSeek-R1本地部署如何选择适合你的版本?看这里
· 传国玉玺易主,ai.com竟然跳转到国产AI
· 揭秘 Sdcb Chats 如何解析 DeepSeek-R1 思维链
· 自己如何在本地电脑从零搭建DeepSeek!手把手教学,快来看看! (建议收藏)
· C# 深度学习:对抗生成网络(GAN)训练头像生成模型

导航

< 2025年2月 >
26 27 28 29 30 31 1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 1
2 3 4 5 6 7 8
点击右上角即可分享
微信分享提示