k8s 1.18 certificate renewal

1. Certificate expiry

kubeadm issues the control-plane client and serving certificates with a one-year validity (only the three CAs get ten years), so one year after the cluster was installed they expire and every kubectl call fails with an x509 error. kubeadm also renews these certificates during "kubeadm upgrade", so a cluster that is upgraded at least once a year never reaches this state; a cluster that is left alone for a year does.

ubuntu@ip-172-31-25-85:~$ kubectl get pods
Unable to connect to the server: x509: certificate has expired or is not yet valid

 

2. Checking certificate expiry

kubeadm can report the expiry of every certificate it manages. The output below shows that all ten leaf certificates have a residual time of <invalid>, i.e. they have already expired, while the three CAs (ca, etcd-ca, front-proxy-ca) are valid until 2031 and are not touched by the renewal in step 3. The "Error reading configuration from the Cluster" line appears because kubeadm tries to read the kubeadm-config ConfigMap through the expired admin.conf credential and falls back to its defaults; this is harmless here, because renewal takes subject and SANs from the existing certificates rather than from that config.

ubuntu@ip-172-31-25-85:$ sudo kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

W0919 09:47:20.248483   16939 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Sep 16, 2022 06:12 UTC   <invalid>                               no
apiserver                  Sep 16, 2022 06:12 UTC   <invalid>       ca                      no
apiserver-etcd-client      Sep 16, 2022 06:12 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Sep 16, 2022 06:12 UTC   <invalid>       ca                      no
controller-manager.conf    Sep 16, 2022 06:12 UTC   <invalid>                               no
etcd-healthcheck-client    Sep 16, 2022 06:12 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Sep 16, 2022 06:12 UTC   <invalid>       etcd-ca                 no
etcd-server                Sep 16, 2022 06:12 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Sep 16, 2022 06:12 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Sep 16, 2022 06:12 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 14, 2031 06:12 UTC   8y              no
etcd-ca                 Sep 14, 2031 06:12 UTC   8y              no
front-proxy-ca          Sep 14, 2031 06:12 UTC   8y              no

 

 

3. Renewing the certificates

"kubeadm alpha certs renew all" (plain "kubeadm certs renew all" from 1.19 on) re-issues every certificate in the table above from the CA key pairs in /etc/kubernetes/pki, keeping the subject and SANs of the existing certificate, and rewrites the client certificates embedded in admin.conf, controller-manager.conf and scheduler.conf as well. kubelet.conf is not in the list because kubeadm configures the kubelet to rotate its own client certificate automatically. The CA private keys (ca.key, etcd/ca.key, front-proxy-ca.key) have to be present on the node; a cluster whose CAs are kept elsewhere shows "EXTERNALLY MANAGED" = yes and cannot be renewed this way.

ubuntu@ip-172-31-25-85:$ sudo kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

W0919 09:47:28.567846   17005 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

 

 

4. Verifying the new certificates

Running the check again shows that every leaf certificate now expires one year from the time of renewal (Sep 19, 2023, 364 days out) and that the CAs are unchanged. This only proves the files on disk are new; the running control-plane processes still hold the old certificates until step 5.

ubuntu@ip-172-31-25-85:$ sudo kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Sep 19, 2023 09:47 UTC   364d                                    no
apiserver                  Sep 19, 2023 09:47 UTC   364d            ca                      no
apiserver-etcd-client      Sep 19, 2023 09:47 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Sep 19, 2023 09:47 UTC   364d            ca                      no
controller-manager.conf    Sep 19, 2023 09:47 UTC   364d                                    no
etcd-healthcheck-client    Sep 19, 2023 09:47 UTC   364d            etcd-ca                 no
etcd-peer                  Sep 19, 2023 09:47 UTC   364d            etcd-ca                 no
etcd-server                Sep 19, 2023 09:47 UTC   364d            etcd-ca                 no
front-proxy-client         Sep 19, 2023 09:47 UTC   364d            front-proxy-ca          no
scheduler.conf             Sep 19, 2023 09:47 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 14, 2031 06:12 UTC   8y              no
etcd-ca                 Sep 14, 2031 06:12 UTC   8y              no
front-proxy-ca          Sep 14, 2031 06:12 UTC   8y              no

 

5. Restarting the control-plane components

The renewed files are only on disk. Not every component reloads its certificates dynamically, so kube-apiserver, kube-controller-manager, kube-scheduler and etcd have to be restarted to pick them up.

On this k8s 1.18 cluster the container runtime is docker and the control plane runs as static pods, so the four containers can be restarted directly with docker (the k8s_POD_... pause containers do not need touching). Only the first column of "docker ps", the container ID, should be handed to "docker restart":

ubuntu@ip-172-31-25-85:$ sudo docker ps | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk '{print $1}' | xargs -r sudo docker restart

Independently of the container runtime, the same effect can be had by moving the four manifests out of /etc/kubernetes/manifests for about 20 seconds and back again, which makes the kubelet recreate the pods.

The run recorded on this page omitted the awk stage and piped whole "docker ps" lines into xargs, so every column was passed to "docker restart" as a container reference. The container ID and the container name of each matching line are both valid references, so each of the four containers was restarted twice (the four ID/name pairs on stdout), while the image IDs, command fragments and the words of the CREATED and STATUS columns produced the "No such container" and "Multiple IDs found" errors on stderr:

ubuntu@ip-172-31-25-85:$ sudo docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd'|sudo xargs docker restart
3a058c979dfb
k8s_kube-apiserver_kube-apiserver-iz2zeabl8ta0jq1nd850igz_kube-system_91781631bd4116dd829bd7f13c56b009_5
a8ee21edf101
k8s_kube-scheduler_kube-scheduler-iz2zeabl8ta0jq1nd850igz_kube-system_a1a9ab0012f568abd5ff6d13f407098a_4
ce4f2ec2547f
k8s_kube-controller-manager_kube-controller-manager-iz2zeabl8ta0jq1nd850igz_kube-system_d5e6fcb0367b27d18401e3e75f0e3634_4
3f353e38ccb6
k8s_etcd_etcd-iz2zeabl8ta0jq1nd850igz_kube-system_c7f9a92bff37fb94e3d0ab73329c1359_1
Error response from daemon: No such container: 8836b0d760bf
Error response from daemon: No such container: kube-apiserver --ad…
Error response from daemon: No such container: About
Error response from daemon: Multiple IDs found with provided prefix: a
Error response from daemon: No such container: minute
Error response from daemon: No such container: ago
Error response from daemon: No such container: Up
Error response from daemon: No such container: About
Error response from daemon: Multiple IDs found with provided prefix: a
Error response from daemon: No such container: minute
Error response from daemon: No such container: ef5be715de1b
Error response from daemon: No such container: kube-scheduler --au…
Error response from daemon: Multiple IDs found with provided prefix: 3
Error response from daemon: No such container: days
Error response from daemon: No such container: ago
Error response from daemon: No such container: Up
Error response from daemon: Multiple IDs found with provided prefix: 4
Error response from daemon: No such container: minutes
Error response from daemon: No such container: a0f70a7cf739
Error response from daemon: No such container: kube-controller-man…
Error response from daemon: Multiple IDs found with provided prefix: 3
Error response from daemon: No such container: days
Error response from daemon: No such container: ago
Error response from daemon: No such container: Up
Error response from daemon: Multiple IDs found with provided prefix: 4
Error response from daemon: No such container: minutes
Error response from daemon: No such container: 303ce5db0e90
Error response from daemon: No such container: etcd --advertise-cl…
Error response from daemon: Multiple IDs found with provided prefix: 9
Error response from daemon: No such container: months
Error response from daemon: No such container: ago
Error response from daemon: No such container: Up
Error response from daemon: Multiple IDs found with provided prefix: 4
Error response from daemon: No such container: minutes

 

6. Give the current user the renewed kubeconfig

kubectl authenticates with the client certificate embedded in the user's kubeconfig (~/.kube/config). If that file is a copy of /etc/kubernetes/admin.conf made before the renewal, it still carries the expired certificate and kubectl keeps failing with the x509 error even though the control plane is healthy again, so the copy has to be refreshed. Either copy the file again:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

or symlink it:

mkdir -p $HOME/.kube
sudo ln -sf /etc/kubernetes/admin.conf ~/.kube/config

If ~/.kube/config was already a symlink, nothing needs to be done: the renewed admin.conf is picked up automatically. The trade-off: admin.conf is a cluster-admin credential readable only by root, so with the symlink kubectl has to be run with sudo (as in step 7), whereas the chowned copy lets the unprivileged user run kubectl but is a second copy of the admin credential that must be refreshed after every renewal.

7. Check that kubectl works again

ubuntu@ip-172-31-25-85:~$ sudo kubectl get pods
NAME                       READY   STATUS    RESTARTS   AGE
account-67bbddfb47-prqwv   1/1     Running   0          179d
account-67bbddfb47-rsm8z   1/1     Running   0          179d
course-84ffd55765-4gzxv    1/1     Running   0          63d
course-84ffd55765-qxlns    1/1     Running   0          63d
device-84b5b655dd-nqtgv    1/1     Running   0          31d
device-84b5b655dd-p4565    1/1     Running   0          31d
dnsutils                   1/1     Running   3246       368d
file-685bf77b74-5rg9d      1/1     Running   0          179d
file-685bf77b74-66drt      1/1     Running   0          179d
gateway-5595fd66cc-5m5h6   1/1     Running   0          4d8h
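Steps 2 to 7 as one script, added here as an example and not part of the original post. It assumes kubeadm 1.18 (the "kubeadm alpha certs" spelling), docker as the container runtime, the default /etc/kubernetes layout, and a 30-day warning threshold chosen for this example; the script name renew-certs.sh is likewise only illustrative. The two helpers parse the check-expiration table and the "docker ps" listing (the parsing the one-liner in step 5 got wrong); the live steps, including a backup of the old certificates, only run when the script is invoked with --run on a control-plane node.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes kubeadm 1.18 with
# docker as the container runtime and the default /etc/kubernetes layout.
# Usage, as the normal user on a control-plane node (sudo is used inside):
#   sh renew-certs.sh --run
# Without --run only the helper functions are defined.

KUBE_DIR=/etc/kubernetes
WARN_DAYS=${WARN_DAYS:-30}   # arbitrary threshold chosen for this example

# Read "kubeadm alpha certs check-expiration" output on stdin and print
# "<name> <residual>" for every certificate that is already invalid or has
# fewer than WARN_DAYS days left. EXPIRES is "Mon DD, YYYY HH:MM UTC"
# (five fields), so RESIDUAL TIME is always field 7; CA rows look the same.
expiring_certs() {
    awk -v warn="$WARN_DAYS" '
        $1 == "CERTIFICATE" || $1 ~ /^\[/ || $1 ~ /^[WIEF][0-9]/ || NF < 7 { next }
        {
            name = $1; left = $7
            if (left == "<invalid>") { print name, left; next }
            unit = substr(left, length(left))               # y, d, h, m or s
            n    = substr(left, 1, length(left) - 1) + 0
            if (unit == "y" || (unit == "d" && n >= warn)) next
            print name, left                                # few days, hours, ...
        }'
}

# Read "docker ps" output on stdin and print only the container IDs (first
# column) of the four control-plane containers. Matching on the NAMES column
# (last field) skips the k8s_POD_* pause containers, and printing only $1 is
# what the one-liner in step 5 was missing.
control_plane_container_ids() {
    awk '$NF ~ /^k8s_(kube-apiserver|kube-controller-manager|kube-scheduler|etcd)_/ { print $1 }'
}

# Steps 2 to 7 of the post in order, with a backup of the old material first.
renew_control_plane_certs() {
    backup="/root/kubernetes-backup-$(date +%Y%m%d%H%M%S)"
    sudo cp -a "$KUBE_DIR" "$backup"          # pki/ plus the *.conf kubeconfigs
    echo "old certificates and kubeconfigs saved to $backup"

    echo "expired or expiring certificates before renewal:"
    sudo kubeadm alpha certs check-expiration | expiring_certs

    sudo kubeadm alpha certs renew all

    # Verify on disk, independently of kubeadm's own table.
    for crt in apiserver apiserver-kubelet-client front-proxy-client etcd/server; do
        sudo openssl x509 -in "$KUBE_DIR/pki/$crt.crt" -noout -subject -enddate
    done

    # Not every component reloads certificates from disk: restart the four
    # control-plane containers (xargs -r, GNU: do nothing if nothing matched).
    sudo docker ps | control_plane_container_ids | xargs -r sudo docker restart

    # A copied kubeconfig still holds the expired client cert; a symlink does not.
    mkdir -p "$HOME/.kube"
    if [ ! -L "$HOME/.kube/config" ]; then
        sudo cp "$KUBE_DIR/admin.conf" "$HOME/.kube/config"
        sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
    fi

    # Wait for the restarted API server, using admin.conf directly so the
    # check does not depend on the user's kubeconfig.
    tries=0
    until sudo kubectl --kubeconfig "$KUBE_DIR/admin.conf" get --raw=/healthz >/dev/null 2>&1; do
        tries=$((tries + 1))
        [ "$tries" -lt 60 ] || { echo "kube-apiserver not healthy after restart" >&2; return 1; }
        sleep 2
    done
    echo "certificates still expiring after renewal (should print nothing):"
    sudo kubeadm alpha certs check-expiration | expiring_certs

    # Step 7: the user's kubeconfig must work again. A symlink to the root-only
    # admin.conf is not readable by the user, hence sudo in that case.
    if [ -r "$HOME/.kube/config" ]; then
        kubectl get pods
    else
        sudo kubectl --kubeconfig "$HOME/.kube/config" get pods
    fi
}

if [ "${1:-}" = "--run" ]; then
    renew_control_plane_certs
fi
```

Running expiring_certs against the output of step 2 prints all ten leaf certificates with <invalid>; against the output of step 4 it prints nothing, and with WARN_DAYS raised above 364 it lists them all again, which is how it would be used from cron as an early warning rather than after the fact.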

 

That completes the certificate renewal.

posted @ 若-飞 (752 reads, 0 comments)