Posted by 睿欣飞翔 on 2021-8-19 15:06:00

Kubernetes certificate expiry

<h1 id="kubernetes-证书过期">Kubernetes certificate expiry</h1>
<p>The Kubernetes cluster in question was installed with the kubeadm tool.</p>
<h2 id="证书过期的表现">Symptoms of certificate expiry:</h2>
<ol>
<li>kubectl stops working</li>
<li>The kube-apiserver, kube-controller-manager and kube-scheduler logs show errors containing the keywords <strong>certificate</strong> and <strong>Unauthorized</strong>. The apiserver line is the server rejecting an expired TLS client certificate; the scheduler's <strong>Unauthorized</strong> lines are the 401 responses it gets back because the client certificate embedded in its own kubeconfig (/etc/kubernetes/scheduler.conf) has expired:</li>
</ol>
<pre><code># kubectl logs -n kube-system kube-apiserver-vonedaomaster1 --tail=10 -f
E0819 05:25:16.691962       1 authentication.go:53] Unable to authenticate the request due to an error: x509: certificate has expired or is not yet valid
# kubectl logs -f --tail=100 kube-scheduler-vonedaomaster1 -n kube-system
E0819 05:49:52.909861       1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.PersistentVolume: Unauthorized
E0819 05:49:59.011448       1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.StorageClass: Unauthorized
E0819 05:50:02.003645       1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.PersistentVolumeClaim: Unauthorized
E0819 05:50:02.352984       1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.CSINode: Unauthorized
E0819 05:50:04.750558       1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.Service: Unauthorized
E0819 05:50:11.741815       1 reflector.go:178] k8s.io/kubernetes/cmd/kube-scheduler/app/server.go:233: Failed to list *v1.Pod: Unauthorized
</code></pre>
<h2 id="证书续期步骤">Certificate renewal steps</h2>
<p>This cluster has a single master (not verified on a multi-master cluster; note that every control-plane node keeps its own copy of the certificates under /etc/kubernetes, so each would need the same treatment).<br>
<img src="https://img2020.cnblogs.com/blog/1444147/202108/1444147-20210819151431959-240958591.png"><br>
All steps below are run on the master.</p>
<h3 id="1-备份旧数据">1. Back up the old data</h3>
<p>Whatever you are about to do, take a backup first.</p>
<pre><code># cp -rf /etc/kubernetes /etc/kubernetes.bak
</code></pre>
<h3 id="2-导出kubeadm配置">2. Export the kubeadm configuration</h3>
<pre><code># kubeadm config view &gt; cluster.yaml
</code></pre>
<p>This reads the kubeadm-config ConfigMap through the API server, so it only works with a kubeconfig the server still accepts. The subcommand was deprecated in Kubernetes v1.19 and removed in v1.22; on newer releases, read the kubeadm-config ConfigMap in the kube-system namespace with kubectl instead.</p>
<h3 id="3-重新生成证书">3. Renew the certificates</h3>
<pre><code># kubeadm alpha certs renew all --config cluster.yaml
</code></pre>
<p>This re-signs every kubeadm-managed certificate under /etc/kubernetes/pki and the client certificates embedded in admin.conf, controller-manager.conf and scheduler.conf with the existing CA; the CA itself is not replaced, so nothing else in the cluster has to be re-trusted. kubelet.conf is deliberately left alone, because kubeadm configures the kubelet to rotate its own client certificate. On Kubernetes v1.20 and later the command group is kubeadm certs (without alpha), and its check-expiration subcommand lists the new expiry dates, which is worth running here before going on.</p>
<p><img src="https://img2020.cnblogs.com/blog/1444147/202108/1444147-20210819144938702-1926484581.png"></p>
<h3 id="4-替换kubeconfig">4. Replace ~/.kube/config</h3>
<pre><code># cp -i /etc/kubernetes/admin.conf /root/.kube/config
</code></pre>
<p>The renewal rewrote /etc/kubernetes/admin.conf with a fresh embedded client certificate; the copy under ~/.kube/config still carries the expired one until it is replaced.</p>
<h3 id="5-重启kubelet">5. Restart the kubelet</h3>
<pre><code># systemctl restart kubelet
</code></pre>
<h3 id="6-重启kube-apiserverkube-controller-managerkube-scheduler组件pod">6. Restart the kube-apiserver, kube-controller-manager and kube-scheduler component pods</h3>
<p>The wrong way to restart them: deleting the component pods with <code>kubectl delete pods</code> and letting them come back on their own, as shown here:<br>
<img src="https://img2020.cnblogs.com/blog/1444147/202108/1444147-20210819151609156-164509838.png"><br>
The pods in the red boxes now show the time of the "restart" in the AGE column:<br>
<img src="https://img2020.cnblogs.com/blog/1444147/202108/1444147-20210819151628396-275757309.png"></p>
<p>Checking the logs:<br>
<img src="https://img2020.cnblogs.com/blog/1444147/202108/1444147-20210819145521392-1664245066.png"></p>
<p>Looking at the component containers themselves, however, shows that they were never restarted; they are still the ones started 4 weeks ago:<br>
<img src="https://img2020.cnblogs.com/blog/1444147/202108/1444147-20210819145541162-1896206009.png"></p>
<p>Reason: <strong>these components are static pods that the kubelet runs directly from the manifests in /etc/kubernetes/manifests; what kubectl shows are only their mirror pod objects. <code>kubectl delete pods</code> removes the API object, the kubelet re-creates it (hence the fresh AGE), and the container itself is never restarted, so it keeps running with the expired certificates it loaded at startup.</strong></p>
<blockquote>
<blockquote>
<p>While the components' renewed certificates are not yet in effect, any create action you perform goes nowhere: <code>kubectl get DaemonSet -n ingress-nginx </code> shows zeros in every count column and <code>kubectl get pods -n ingress-nginx </code> shows no pods at all, because the kube-controller-manager cannot authenticate to the API server and therefore creates nothing:<br>
<img src="https://img2020.cnblogs.com/blog/1444147/202108/1444147-20210819150239928-1962410479.png"><br>
<img src="https://img2020.cnblogs.com/blog/1444147/202108/1444147-20210819150248104-1045873812.png"></p>
</blockquote>
</blockquote>
<p><strong>The correct way to restart the kube-apiserver, kube-controller-manager and kube-scheduler containers is through the container runtime</strong>, which is what actually runs static pods. On this cluster that is Docker; a cluster on containerd would use crictl instead, and the runtime-independent approach kubeadm's own documentation recommends is to move the manifests out of /etc/kubernetes/manifests, wait about 20 seconds for the kubelet to stop the pods, and move them back so the kubelet recreates them.</p>
<pre><code># docker ps | grep kube-apiserver | grep -v pause | awk '{print $1}' | xargs -I {} docker restart {}
# docker ps | grep kube-controller-manager | grep -v pause | awk '{print $1}' | xargs -I {} docker restart {}
# docker ps | grep kube-scheduler | grep -v pause | awk '{print $1}' | xargs -I {} docker restart {}
</code></pre>
<p>The kube-apiserver, kube-controller-manager and kube-scheduler logs are back to normal:<br>
<img src="https://img2020.cnblogs.com/blog/1444147/202108/1444147-20210819145807865-1098711825.png"></p><br><br>
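<p>Every step above hinges on knowing which certificates have actually expired, and kubeadm's own check-expiration command first tries to read the cluster configuration through the API, which is exactly what is broken at this point. The following audit script is an added example, not code from the original post or from kubeadm. It assumes kubeadm's default layout (/etc/kubernetes/pki for the PKI, /etc/kubernetes/*.conf for the kubeconfigs), reads each certificate's notAfter straight out of the DER so it needs neither openssl nor third-party Python packages, follows the client-certificate file reference that kubelet.conf uses for its rotated certificate, and flags anything expired or due within a 30-day window (my threshold, not kubeadm's). The synthetic certificate builder at the bottom is a constructed, unsigned skeleton used only so the logic can be exercised offline.</p>

```python
"""Audit notAfter of the certificates a kubeadm cluster depends on, stdlib only.
Added example (not from the original post): reads X.509 validity straight from DER, so it
runs on a control plane where kubectl/kubeadm can no longer reach the API and openssl may
be absent. A constructed, unsigned certificate skeleton is included for offline testing."""
import base64
import datetime as dt
import os
import re
from pathlib import Path

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
EMBEDDED_RE = re.compile(r"client-certificate-data:\s*(\S+)")  # kubeconfig: base64(PEM)
FILE_REF_RE = re.compile(r"client-certificate:\s*(\S+)")       # kubeconfig: path on disk

def utc(year, month, day, hour=0, minute=0, second=0):
    """Aware UTC datetime; Go's x509 (hence kubeadm) writes certificate times in UTC."""
    return dt.datetime(year, month, day, hour, minute, second, tzinfo=dt.timezone.utc)

def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _parse_time(tag, value):
    """X.509 Time: UTCTime 0x17 (YYMMDDHHMMSSZ, YY >= 50 means 19YY) or GeneralizedTime 0x18."""
    text = value.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER X.509 certificate by walking the TBS prefix."""
    _, cert, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE { tbsCertificate, alg, sig }
    _, tbs, _ = _read_tlv(cert, 0)        # TBSCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)       # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)   # serialNumber
    _, _, pos = _read_tlv(tbs, pos)       # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)       # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)  # Validity ::= SEQUENCE { notBefore Time, notAfter Time }
    t1, v1, p = _read_tlv(validity, 0)
    t2, v2, _ = _read_tlv(validity, p)
    return _parse_time(t1, v1), _parse_time(t2, v2)

def pem_to_ders(pem_bytes):
    """Every CERTIFICATE block in a PEM blob (PRIVATE KEY blocks in combined files are ignored)."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bytes)]

def classify(not_after, now, warn_days=30):
    """EXPIRED / EXPIRING / OK plus whole days remaining (negative once notAfter has passed)."""
    days = (not_after - now).days
    return ("EXPIRED" if days < 0 else "EXPIRING" if days <= warn_days else "OK"), days

def audit_pems(named_pems, now=None, warn_days=30):
    """named_pems: iterable of (name, pem_bytes). Returns [(status, days, name)], soonest first."""
    now = now or dt.datetime.now(dt.timezone.utc)
    results = [(*classify(cert_validity(der)[1], now, warn_days), name)
               for name, pem in named_pems for der in pem_to_ders(pem)]
    return sorted(results, key=lambda r: r[1])

def collect_kubeadm_pems(pki_dir="/etc/kubernetes/pki", conf_dir="/etc/kubernetes"):
    """(name, pem_bytes) for pki/**/*.crt (etcd/ included) plus the client certs embedded in or
    referenced by /etc/kubernetes/*.conf. 'kubeadm certs renew all' skips kubelet.conf because
    since v1.17 it references a file the kubelet rotates itself; that reference is followed here."""
    out = [(str(p.relative_to(pki_dir)), p.read_bytes()) for p in sorted(Path(pki_dir).rglob("*.crt"))]
    for conf in sorted(Path(conf_dir).glob("*.conf")):
        text = conf.read_text(encoding="utf-8")
        out += [(f"{conf.name} (embedded)", base64.b64decode(b)) for b in EMBEDDED_RE.findall(text)]
        out += [(f"{conf.name} -> {ref}", Path(ref).read_bytes())
                for ref in FILE_REF_RE.findall(text) if os.path.isfile(ref)]
    return out

def _der(tag, payload):
    """Encode one DER element (short or long-form length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def synthetic_cert_pem(not_before, not_after):
    """CONSTRUCTED stand-in for a kubeadm certificate: real version/serial/validity encoding,
    empty Name/SPKI placeholders, no signature. Only for exercising the audit offline."""
    t = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))   # UTCTime
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                   # version v3
        _der(0x02, b"\x01"),                                               # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSAEncryption
        _der(0x30, b""),                                                   # issuer (empty Name)
        _der(0x30, t(not_before) + t(not_after)),                          # validity
        _der(0x30, b""),                                                   # subject
        _der(0x30, b""),                                                   # subjectPublicKeyInfo
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))         # + signatureAlgorithm, signatureValue
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert) + b"\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for status, days, name in audit_pems(collect_kubeadm_pems()):
        print(f"{status:8s} {days:6d}d  {name}")
```

<p>Run it as root on the master; it prints one line per certificate, soonest expiry first. Run it once before step 3 to see what is actually expired (on a cluster in the state shown above, everything kubeadm issued a year ago) and again afterwards: every entry except the kubelet's own rotated certificate should then show roughly a year of residual time, which is also what kubeadm's check-expiration reports once the API is reachable again.</p>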
Source: https://www.cnblogs.com/zoujiaojiao/p/15161862.html