kubernetes集群证书更新

天际边 發表於 2020-1-21 15:55:00

kubeadm 默认证书为一年，一年过期后，会导致api service不可用，使用过程中会出现：x509: certificate has expired or is not yet valid.
<h3 id="方案一-通过修改kubeadm-调整证书过期时间">方案一通过修改kubeadm 调整证书过期时间</h3>
<h4 id="修改代码，调整过期时间">修改代码，调整过期时间</h4>
<h3>方案二　通过自动轮换证书默认开启</h3>
<h1>以下方案通过第二种方法模拟集群证书过期</h1>
<h1>准备</h1>
本次集群版本1.15
备份集群证书（略)
cd /etc/kubernetes
tar czvf kubernetes.tar.gz kubernetes
<h1>Master节点：</h1>
<div class="cnblogs_code">
<pre># hwclock --show

2020年01月21日星期二 15时16分34秒-0.856601 秒

# kubectl get nodes

NAME STATUS ROLES AGE VERSION

k8s-master Ready master 167d v1.15.0

k8s-node1 Ready node 166d v1.15.0

# kubeadm alpha certs check-expiration

CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED

admin.conf Jan 20, 2021 07:09 UTC 364d no

apiserver Jan 20, 2021 07:09 UTC 364d no

apiserver-etcd-client Jan 20, 2021 07:09 UTC 364d no

apiserver-kubelet-client Jan 20, 2021 07:09 UTC 364d no

controller-manager.conf Jan 20, 2021 07:09 UTC 364d no

etcd-healthcheck-client Jan 20, 2021 07:09 UTC 364d no

etcd-peer Jan 20, 2021 07:09 UTC 364d no

etcd-server Jan 20, 2021 07:09 UTC 364d no

front-proxy-client Jan 20, 2021 07:09 UTC 364d no

scheduler.conf Jan 20, 2021 07:09 UTC 364d no

#</pre>
</div>
 
<h1>先生成集群配置文件</h1>
kubeadm config view > /root/kubeadm.yaml　
要提前备份一下集群配置文件,当集群证书过期后　此命令也不能执行了
 
<h1>修改时间让集群过期</h1>
<div class="cnblogs_code">
<pre># date -s "2021-08-08"

2021年 08月 08日星期日 00:00:00 CST

# date

2021年 08月 08日星期日 00:00:02 CST

# kubectl get nodes

Unable to connect to the server: x509: certificate has expired or is not yet valid

#</pre>
</div>
 
 
<h1>更新证书</h1>
<div class="cnblogs_code">
<pre># kubeadm alpha certs renew all --config=/root/kubeadm.yaml

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed

certificate for serving the Kubernetes API renewed

certificate the apiserver uses to access etcd renewed

certificate for the API server to connect to kubelet renewed

certificate embedded in the kubeconfig file for the controller manager to use renewed

certificate for liveness probes to healtcheck etcd renewed

certificate for etcd nodes to communicate with each other renewed

certificate for serving etcd renewed

certificate for the front proxy client renewed

certificate embedded in the kubeconfig file for the scheduler manager to use renewed

# kubeadm alpha certs check-expiration

CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED

admin.conf Aug 07, 2022 16:02 UTC 364d no

apiserver Aug 07, 2022 16:02 UTC 364d no

apiserver-etcd-client Aug 07, 2022 16:02 UTC 364d no

apiserver-kubelet-client Aug 07, 2022 16:02 UTC 364d no

controller-manager.conf Aug 07, 2022 16:02 UTC 364d no

etcd-healthcheck-client Aug 07, 2022 16:02 UTC 364d no

etcd-peer Aug 07, 2022 16:02 UTC 364d no

etcd-server Aug 07, 2022 16:02 UTC 364d no

front-proxy-client Aug 07, 2022 16:02 UTC 364d no

scheduler.conf Aug 07, 2022 16:02 UTC 364d no</pre>
</div>
 
 
<h3>重启master节点三个容器：</h3>
<div class="cnblogs_code">
<pre># docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd'|xargs docker restart

98257170f1fb

k8s_kube-apiserver_kube-apiserver-k8s-master_kube-system_db9cf46161351d3a7f76537093caa0b8_10

82c07f5d9b6f

k8s_etcd_etcd-k8s-master_kube-system_2da345f314df09b06ba8257f5457dbed_6

Error response from daemon: No such container: 201c7a840312

Error response from daemon: No such container: kube-apiserver --ad…

Error response from daemon: No such container: 18

Error response from daemon: No such container: months

Error response from daemon: No such container: ago

Error response from daemon: No such container: Up

Error response from daemon: No such container: 18

Error response from daemon: No such container: months

Error response from daemon: No such container: 2c4adeb21b4f

Error response from daemon: No such container: etcd --advertise-cl…

Error response from daemon: No such container: 18

Error response from daemon: No such container: months

Error response from daemon: No such container: ago

Error response from daemon: No such container: Up

Error response from daemon: No such container: 18

Error response from daemon: No such container: months

# kubectl get nodes

NAME STATUS ROLES AGE VERSION

k8s-master Ready master 2y1d v1.15.0

k8s-node1 Ready node 2y1d v1.15.0

# date

2021年 08月 08日星期日 00:04:33 CST

#</pre>
</div>
 
 
<h1>注意同步配置文件：</h1>
cp /etc/kubernetes/admin.conf /root/.kube/config
删除.kube下的缓存目录
 
<h1>总结</h1>
<h2>当集群证书过期时操作步骤：</h2>
1.提前备份集群配置文件
　kubeadm config view > /root/kubeadm.yaml
2.更新集群证书
  kubeadm alpha certs renew all --config=/root/kubeadm.yaml
3.同步配置文件，清除.kube下缓存
  cp /etc/kubernetes/admin.conf /root/.kube/config  
来源：https://www.cnblogs.com/xuliang666/p/12221973.html

頁: [1]

琼殿技术论坛's Archiver

kubernetes集群证书更新