kubeSphere+kubernetes 集群更新证书
模拟问题点
使用kubernetes时错误提示
yang@master:~$ kubectl get nodes
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2022-10-25T09:04:19+08:00 is after 2022-09-25T08:17:20Z
解决办法:
一、查看证书过期时间
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | yang@master:~$ sudo kubeadm certs check-expiration[sudo] password for yang: [check-expiration] Reading configuration from the cluster...[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'W1027 09:27:32.225497 46147 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGEDadmin.conf Oct 25, 2023 08:17 UTC 363d ca no apiserver Oct 25, 2023 08:17 UTC 363d ca no apiserver-kubelet-client Oct 25, 2023 08:17 UTC 363d ca no controller-manager.conf Oct 25, 2023 08:17 UTC 363d ca no front-proxy-client Oct 25, 2023 08:17 UTC 363d front-proxy-ca no scheduler.conf Oct 25, 2023 08:17 UTC 363d ca no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGEDca Oct 22, 2032 08:17 UTC 9y no front-proxy-ca Oct 22, 2032 08:17 UTC 9y no |
二、备份现有证书和重新生成新证书
1.备份现有证书
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 | yang@master:~$ ll /etc/kubernetes/total 292drwxr-xr-x 5 kube root 4096 Oct 25 16:18 ./drwxr-xr-x 101 root root 4096 Oct 26 10:38 ../drwxrwxr-x 2 kube root 4096 Oct 25 16:18 addons/-rw------- 1 kube root 5659 Oct 25 16:17 admin.conf-rw------- 1 kube root 5681 Oct 25 16:17 controller-manager.conf-rw-r--r-- 1 kube root 925 Oct 25 16:18 coredns-svc.yaml-rw-r--r-- 1 kube root 2670 Oct 25 16:17 kubeadm-config.yaml-rw------- 1 kube root 1979 Oct 25 16:18 kubelet.confdrwxr-xr-x 2 kube root 4096 Oct 25 16:17 manifests/-rw-r--r-- 1 kube root 230001 Oct 25 16:18 network-plugin.yaml-rw-r--r-- 1 kube root 1040 Oct 25 16:18 nodelocaldnsConfigmap.yaml-rw-r--r-- 1 kube root 2775 Oct 25 16:18 nodelocaldns.yamldrwxr-xr-x 2 kube root 4096 Oct 25 16:17 pki/-rw------- 1 kube root 5633 Oct 25 16:17 scheduler.confyang@master:/home$ sudo mkdir config-backyang@master:/home$ sudo cp -a /etc/kubenetes/ /home/config-back/yang@master:~$ ll /home/config-back/kubernetes/total 292drwxr-xr-x 5 kube root 4096 Oct 25 16:18 ./drwxr-xr-x 3 root root 4096 Oct 27 09:29 ../drwxrwxr-x 2 kube root 4096 Oct 25 16:18 addons/-rw------- 1 kube root 5659 Oct 25 16:17 admin.conf-rw------- 1 kube root 5681 Oct 25 16:17 controller-manager.conf-rw-r--r-- 1 kube root 925 Oct 25 16:18 coredns-svc.yaml-rw-r--r-- 1 kube root 2670 Oct 25 16:17 kubeadm-config.yaml-rw------- 1 kube root 1979 Oct 25 16:18 kubelet.confdrwxr-xr-x 2 kube root 4096 Oct 25 16:17 manifests/-rw-r--r-- 1 kube root 230001 Oct 25 16:18 network-plugin.yaml-rw-r--r-- 1 kube root 1040 Oct 25 16:18 nodelocaldnsConfigmap.yaml-rw-r--r-- 1 kube root 2775 Oct 25 16:18 nodelocaldns.yamldrwxr-xr-x 2 kube root 4096 Oct 25 16:17 pki/-rw------- 1 kube root 5633 Oct 25 16:17 scheduler.conf |
2.生成新证书
1 2 3 4 5 6 7 8 9 10 11 12 13 | yang@master:~$ sudo kubeadm certs renew all[renew] Reading configuration from the cluster...[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'W1027 09:29:53.913902 49108 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewedcertificate for serving the Kubernetes API renewedcertificate for the API server to connect to kubelet renewedcertificate embedded in the kubeconfig file for the controller manager to use renewedcertificate for the front proxy client renewedcertificate embedded in the kubeconfig file for the scheduler manager to use renewedDone renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates. |
三、查看证书有效期
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | yang@master:~$ sudo kubeadm certs check-expiration[check-expiration] Reading configuration from the cluster...[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'W1027 09:31:31.191076 51350 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGEDadmin.conf Oct 27, 2023 01:29 UTC 364d ca no apiserver Oct 27, 2023 01:29 UTC 364d ca no apiserver-kubelet-client Oct 27, 2023 01:29 UTC 364d ca no controller-manager.conf Oct 27, 2023 01:29 UTC 364d ca no front-proxy-client Oct 27, 2023 01:29 UTC 364d front-proxy-ca no scheduler.conf Oct 27, 2023 01:29 UTC 364d ca no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGEDca Oct 22, 2032 08:17 UTC 9y no front-proxy-ca Oct 22, 2032 08:17 UTC 9y no |
四、新证书替换老的证书凭证
1 2 | yang@master:~$ sudo cp -a ~/.kube/config /home/config-back/yang@master:~$ sudo cp /etc/kubernetes/admin.conf ~/.kube/config |
五、查看集群状态
1 2 3 4 | yang@master:~$ kubectl get nodesNAME STATUS ROLES AGE VERSIONmaster Ready control-plane,master,worker 41h v1.22.10node Ready worker 39h v1.22.10 |
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· TypeScript + Deepseek 打造卜卦网站:技术与玄学的结合
· Manus的开源复刻OpenManus初探
· .NET Core 中如何实现缓存的预热?
· 阿里巴巴 QwQ-32B真的超越了 DeepSeek R-1吗?
· 如何调用 DeepSeek 的自然语言处理 API 接口并集成到在线客服系统