Renewing certificates in a KubeSphere + Kubernetes cluster

Reproducing the problem

Error message when using Kubernetes

yang@master:~$ kubectl get nodes

Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2022-10-25T09:04:19+08:00 is after 2022-09-25T08:17:20Z

Solution:

I. Check the certificate expiration time

yang@master:~$ sudo kubeadm certs check-expiration
[sudo] password for yang: 
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1027 09:27:32.225497   46147 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 25, 2023 08:17 UTC   363d            ca                      no      
apiserver                  Oct 25, 2023 08:17 UTC   363d            ca                      no      
apiserver-kubelet-client   Oct 25, 2023 08:17 UTC   363d            ca                      no      
controller-manager.conf    Oct 25, 2023 08:17 UTC   363d            ca                      no      
front-proxy-client         Oct 25, 2023 08:17 UTC   363d            front-proxy-ca          no      
scheduler.conf             Oct 25, 2023 08:17 UTC   363d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 22, 2032 08:17 UTC   9y              no      
front-proxy-ca          Oct 22, 2032 08:17 UTC   9y              no      
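
The table above can be turned into an early-warning check so that expiry is caught before kubectl starts failing. This is an added example, not part of the original post: the function names, the 30-day threshold and the sample table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag kubeadm-managed
# certificates that are near expiry, using the text printed by
# `kubeadm certs check-expiration`.

# expiring_certs LIMIT_DAYS   (table on stdin)
# Prints "name residual" for every row with fewer than LIMIT_DAYS days left.
# Data rows are recognised by "UTC" in field 6; the residual time is field 7
# (363d, 9y, 5h, or <invalid> once the certificate has already expired).
expiring_certs() {
    awk -v limit="$1" '
        NF >= 7 && $6 == "UTC" {
            r = $7
            if      (r ~ /^[0-9]+y$/) days = (r + 0) * 365
            else if (r ~ /^[0-9]+d$/) days = r + 0
            else                      days = 0   # hours, minutes, <invalid>
            if (days < limit) print $1, r
        }'
}

# certs_ok LIMIT_DAYS   (table on stdin)
# Exit status 0 when nothing is flagged, 1 otherwise, so it can be called
# from cron or a monitoring probe.
certs_ok() {
    flagged=$(expiring_certs "$1")
    [ -z "$flagged" ] && return 0
    printf 'certificates below %s days:\n%s\n' "$1" "$flagged" >&2
    return 1
}

# Constructed sample in the same layout as the kubeadm output above.
SAMPLE='CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 25, 2023 08:17 UTC   363d            ca                      no
apiserver                  Nov 08, 2022 08:17 UTC   12d             ca                      no
front-proxy-client         Sep 25, 2022 08:17 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 22, 2032 08:17 UTC   9y              no'

# Demo on the constructed sample: list everything with under 30 days left.
printf '%s\n' "$SAMPLE" | expiring_certs 30
```

On a control-plane node the same functions take the real table: `sudo kubeadm certs check-expiration | certs_ok 30`.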

II. Back up the existing certificates and generate new ones

1. Back up the existing certificates

yang@master:~$ ll /etc/kubernetes/
total 292
drwxr-xr-x   5 kube root   4096 Oct 25 16:18 ./
drwxr-xr-x 101 root root   4096 Oct 26 10:38 ../
drwxrwxr-x   2 kube root   4096 Oct 25 16:18 addons/
-rw-------   1 kube root   5659 Oct 25 16:17 admin.conf
-rw-------   1 kube root   5681 Oct 25 16:17 controller-manager.conf
-rw-r--r--   1 kube root    925 Oct 25 16:18 coredns-svc.yaml
-rw-r--r--   1 kube root   2670 Oct 25 16:17 kubeadm-config.yaml
-rw-------   1 kube root   1979 Oct 25 16:18 kubelet.conf
drwxr-xr-x   2 kube root   4096 Oct 25 16:17 manifests/
-rw-r--r--   1 kube root 230001 Oct 25 16:18 network-plugin.yaml
-rw-r--r--   1 kube root   1040 Oct 25 16:18 nodelocaldnsConfigmap.yaml
-rw-r--r--   1 kube root   2775 Oct 25 16:18 nodelocaldns.yaml
drwxr-xr-x   2 kube root   4096 Oct 25 16:17 pki/
-rw-------   1 kube root   5633 Oct 25 16:17 scheduler.conf
yang@master:/home$ sudo mkdir config-back
yang@master:/home$ sudo cp -a /etc/kubernetes/ /home/config-back/
yang@master:~$ ll /home/config-back/kubernetes/
total 292
drwxr-xr-x 5 kube root   4096 Oct 25 16:18 ./
drwxr-xr-x 3 root root   4096 Oct 27 09:29 ../
drwxrwxr-x 2 kube root   4096 Oct 25 16:18 addons/
-rw------- 1 kube root   5659 Oct 25 16:17 admin.conf
-rw------- 1 kube root   5681 Oct 25 16:17 controller-manager.conf
-rw-r--r-- 1 kube root    925 Oct 25 16:18 coredns-svc.yaml
-rw-r--r-- 1 kube root   2670 Oct 25 16:17 kubeadm-config.yaml
-rw------- 1 kube root   1979 Oct 25 16:18 kubelet.conf
drwxr-xr-x 2 kube root   4096 Oct 25 16:17 manifests/
-rw-r--r-- 1 kube root 230001 Oct 25 16:18 network-plugin.yaml
-rw-r--r-- 1 kube root   1040 Oct 25 16:18 nodelocaldnsConfigmap.yaml
-rw-r--r-- 1 kube root   2775 Oct 25 16:18 nodelocaldns.yaml
drwxr-xr-x 2 kube root   4096 Oct 25 16:17 pki/
-rw------- 1 kube root   5633 Oct 25 16:17 scheduler.conf

2. Generate new certificates

yang@master:~$ sudo  kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1027 09:29:53.913902   49108 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

III. Check the certificates' validity period

yang@master:~$ sudo kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1027 09:31:31.191076   51350 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 27, 2023 01:29 UTC   364d            ca                      no      
apiserver                  Oct 27, 2023 01:29 UTC   364d            ca                      no      
apiserver-kubelet-client   Oct 27, 2023 01:29 UTC   364d            ca                      no      
controller-manager.conf    Oct 27, 2023 01:29 UTC   364d            ca                      no      
front-proxy-client         Oct 27, 2023 01:29 UTC   364d            front-proxy-ca          no      
scheduler.conf             Oct 27, 2023 01:29 UTC   364d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 22, 2032 08:17 UTC   9y              no      
front-proxy-ca          Oct 22, 2032 08:17 UTC   9y              no 

IV. Replace the old certificate credentials with the new ones

yang@master:~$ sudo cp -a ~/.kube/config /home/config-back/
yang@master:~$ sudo cp /etc/kubernetes/admin.conf  ~/.kube/config

V. Check the cluster status

yang@master:~$ kubectl  get nodes
NAME     STATUS   ROLES                         AGE   VERSION
master   Ready    control-plane,master,worker   41h   v1.22.10
node     Ready    worker                        39h   v1.22.10

 

posted @ 2022-10-27 09:55  西瓜君~