Kubernetes certificate expiry
The Kubernetes cluster was installed with the kubeadm tool.
Symptoms of certificate expiry:
- kubectl no longer works
- the logs of kube-apiserver, kube-controller-manager and kube-scheduler contain errors with the keywords certificate and Unauthorized:
# kubectl logs -n kube-system kube-apiserver-vonedaomaster1 --tail=10 -f
E0819 05:25:16.691962 1 authentication.go:53] Unable to authenticate the request due to an error: x509: certificate has expired or is not yet valid
# kubectl logs -f --tail=100 kube-scheduler-vonedaomaster1 -n kube-system
E0819 05:49:52.909861 1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.PersistentVolume: Unauthorized
E0819 05:49:59.011448 1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.StorageClass: Unauthorized
E0819 05:50:02.003645 1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.PersistentVolumeClaim: Unauthorized
E0819 05:50:02.352984 1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.CSINode: Unauthorized
E0819 05:50:04.750558 1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.Service: Unauthorized
E0819 05:50:11.741815 1 reflector.go:178] k8s.io/kubernetes/cmd/kube-scheduler/app/server.go:233: Failed to list *v1.Pod: Unauthorized
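The outage above is only visible once the certificates have already expired. The following check script, added here as an example and not part of the original post, reports the remaining lifetime of every certificate kubeadm wrote, including the client certificates embedded in the kubeconfig files, so the renewal below can be scheduled in advance. It assumes the kubeadm file layout (/etc/kubernetes/pki and /etc/kubernetes/*.conf), openssl and GNU date; PKI_DIR, CONF_DIR and WARN_DAYS are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): report how long each kubeadm-managed
# certificate is still valid, so expiry is caught before kubectl stops working.
# Assumes the kubeadm layout (/etc/kubernetes/pki, /etc/kubernetes/*.conf),
# openssl, and GNU date for "date -d". PKI_DIR, CONF_DIR and WARN_DAYS are our own knobs.

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
CONF_DIR="${CONF_DIR:-/etc/kubernetes}"
WARN_DAYS="${WARN_DAYS:-30}"

# parse_enddate 'notAfter=Aug 19 05:25:16 2021 GMT' -> 'Aug 19 05:25:16 2021 GMT'
parse_enddate() {
  printf '%s\n' "$1" | sed 's/^notAfter=//'
}

# classify_remaining SECONDS_LEFT WARN_DAYS -> EXPIRED | WARN | OK
# Compares seconds, not whole days, so a certificate that expired an hour ago
# is reported EXPIRED rather than rounded to "0 days left".
classify_remaining() {
  if [ "$1" -lt 0 ]; then
    echo EXPIRED
  elif [ "$1" -lt $(( $2 * 86400 )) ]; then
    echo WARN
  else
    echo OK
  fi
}

# not_after_epoch: PEM certificate on stdin -> notAfter as epoch seconds
not_after_epoch() {
  enddate=$(openssl x509 -noout -enddate) || return 1
  date -d "$(parse_enddate "$enddate")" +%s
}

# report_cert LABEL: PEM on stdin -> one line "STATUS days_left LABEL"
report_cert() {
  now=$(date +%s)
  expiry=$(not_after_epoch) || { printf '%-8s %5s  %s\n' ERROR - "$1 (unreadable)"; return 0; }
  left=$(( expiry - now ))
  printf '%-8s %5d  %s\n' "$(classify_remaining "$left" "$WARN_DAYS")" $(( left / 86400 )) "$1"
}

check_all() {
  # Server and client certificates written by kubeadm (apiserver.crt, etcd/*.crt, ...)
  for f in "$PKI_DIR"/*.crt "$PKI_DIR"/etcd/*.crt; do
    [ -f "$f" ] || continue
    report_cert "$f" < "$f"
  done
  # Client certificates embedded as base64 in admin.conf, controller-manager.conf, ...
  # (kubelet.conf normally references a file instead, so it is skipped here)
  for f in "$CONF_DIR"/*.conf; do
    [ -f "$f" ] || continue
    data=$(grep 'client-certificate-data:' "$f" | awk '{print $2}')
    [ -n "$data" ] || continue
    printf '%s' "$data" | base64 -d | report_cert "$f (client-certificate-data)"
  done
}

# Only scan when the kubeadm directory exists (lets the functions be sourced elsewhere).
if [ -d "$PKI_DIR" ]; then
  check_all
fi
```

Run it as root on the master (for example from cron) and alert on any line that starts with EXPIRED or WARN; the threshold is deliberately in seconds so that a certificate a few hours past its notAfter is never reported as having zero days left.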
Certificate renewal steps
This cluster has a single master (multiple masters have not been verified).
All steps are executed on the master.
1. Back up the old data
Whatever you are about to do, a backup is mandatory.
# cp /etc/kubernetes /etc/kubernetes.bak -rf
2. Export the kubeadm configuration
# kubeadm config view > cluster.yaml
3. Regenerate the certificates
# kubeadm alpha certs renew all --config cluster.yaml
4. Replace ~/.kube/config
# cp -i /etc/kubernetes/admin.conf /root/.kube/config
5. Restart kubelet
# systemctl restart kubelet
6. Restart the kube-apiserver, kube-controller-manager and kube-scheduler component pods
Wrong way to restart: kubectl delete pods
Delete the component pods and let them start again automatically, as shown in the figure:
The pods in the red box now show a value in the last column, AGE, equal to the time since the restart.
Check the logs:
Inspecting the component containers shows that they were not restarted at all; they were still started 4 weeks ago:
Reason: the certificates have already expired, so the automatic restart of containers managed via kubectl delete pods cannot go ahead.
When the component certificates are not yet in effect and a create action is performed, kubectl get DaemonSet -n ingress-nginx shows 0 everywhere, and kubectl get pods -n ingress-nginx shows no pods at all:
Below is the correct way to restart the kube-apiserver, kube-controller-manager and kube-scheduler component containers:
# docker ps |grep kube-apiserver|grep -v pause|awk '{print $1}'|xargs -i docker restart {}
# docker ps |grep kube-controller-manage|grep -v pause|awk '{print $1}'|xargs -i docker restart {}
# docker ps |grep kube-scheduler|grep -v pause|awk '{print $1}'|xargs -i docker restart {}
Checking the logs of kube-apiserver, kube-controller-manager and kube-scheduler afterwards, they are back to normal:
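The six steps above, collected into one script as an added example (not part of the original post). It keeps the post's commands, adds a timestamped backup, a DRY_RUN mode to preview every command before touching the master, and a final status check that shows the containers' fresh "Up" times so the kubectl-delete failure described above is caught immediately. It assumes a kubeadm release that still has kubeadm alpha certs renew and kubeadm config view (as used in the post), Docker as the runtime with dockershim container names of the form k8s_<container>_<pod>_..., and kubeadm alpha certs check-expiration (kubeadm 1.15 and later); KUBE_DIR, CONFIG_OUT, COMPONENTS and DRY_RUN are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): the six renewal steps above as one
# script, to be run as root on the single master. Assumes a kubeadm release that
# still has "kubeadm alpha certs renew" and "kubeadm config view" (as used above),
# Docker as the container runtime with dockershim naming k8s_<container>_<pod>_...
# (the pause container is k8s_POD_...), and "kubeadm alpha certs check-expiration"
# (kubeadm 1.15+). KUBE_DIR, CONFIG_OUT, COMPONENTS and DRY_RUN are our own knobs.
set -eu

KUBE_DIR="${KUBE_DIR:-/etc/kubernetes}"
CONFIG_OUT="${CONFIG_OUT:-/root/cluster.yaml}"
COMPONENTS="kube-apiserver kube-controller-manager kube-scheduler"

# run CMD...: execute, or only print the command when DRY_RUN=1 (review before applying)
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# Step 1: copy the whole directory, timestamped so repeated runs never overwrite a backup.
backup_kubernetes() {
  run cp -a "$KUBE_DIR" "$KUBE_DIR.bak-$1"
}

# Step 2: export the live kubeadm configuration (redirection cannot go through run).
export_kubeadm_config() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "+ kubeadm config view > $CONFIG_OUT"
  else
    kubeadm config view > "$CONFIG_OUT"
  fi
}

# Step 3: renew every certificate kubeadm manages, including etcd and the kubeconfig files.
renew_all_certs() {
  run kubeadm alpha certs renew all --config "$CONFIG_OUT"
}

# Step 4: the old ~/.kube/config embeds the expired client certificate; replace it.
install_admin_kubeconfig() {
  run mkdir -p /root/.kube
  run cp "$KUBE_DIR/admin.conf" /root/.kube/config
}

# Step 5.
restart_kubelet() {
  run systemctl restart kubelet
}

# Step 6: restart the control-plane containers through the runtime. As the post shows,
# "kubectl delete pods" leaves the static pods' containers running with the old
# certificates loaded. The name filter excludes the k8s_POD_ (pause) containers.
restart_component_containers() {
  for c in $COMPONENTS; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "+ docker restart \$(docker ps -q --filter name=k8s_${c}_)"
      continue
    fi
    ids=$(docker ps -q --filter "name=k8s_${c}_")
    if [ -n "$ids" ]; then
      docker restart $ids
    fi
  done
}

# Verification: fresh "Up ..." times for the control-plane containers, and kubeadm's own
# view of the remaining certificate lifetimes.
show_control_plane_status() {
  run docker ps --filter name=k8s_kube- --format '{{.Names}}\t{{.Status}}'
  run kubeadm alpha certs check-expiration
}

main() {
  stamp=$(date +%Y%m%d-%H%M%S)
  backup_kubernetes "$stamp"
  export_kubeadm_config
  renew_all_certs
  install_admin_kubeconfig
  restart_kubelet
  restart_component_containers
  show_control_plane_status
}

# Runs only when asked, so the file can also be sourced for its functions:
#   DRY_RUN=1 sh renew-kubeadm-certs.sh apply    # preview the commands
#   sh renew-kubeadm-certs.sh apply              # apply
if [ "${1:-}" = "apply" ]; then
  main
fi
```

The status output at the end is the check the post makes by hand: if the kube-apiserver, kube-controller-manager and kube-scheduler containers still show an "Up 4 weeks" style status after the run, the containers did not actually restart and are still serving the old certificates.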