Notes on renewing expired k8s certificates

root@master01:~# kubectl get nodes 
E0828 10:29:54.481489   47445 memcache.go:265] couldn't get current server API group list: Get "https://192.168.91.150:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-08-28T10:29:54+08:00 is after 2024-08-09T06:16:19Z
E0828 10:29:54.490936   47445 memcache.go:265] couldn't get current server API group list: Get "https://192.168.91.150:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-08-28T10:29:54+08:00 is after 2024-08-09T06:16:19Z
E0828 10:29:54.504782   47445 memcache.go:265] couldn't get current server API group list: Get "https://192.168.91.150:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-08-28T10:29:54+08:00 is after 2024-08-09T06:16:19Z
E0828 10:29:54.521207   47445 memcache.go:265] couldn't get current server API group list: Get "https://192.168.91.150:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-08-28T10:29:54+08:00 is after 2024-08-09T06:16:19Z
E0828 10:29:54.530188   47445 memcache.go:265] couldn't get current server API group list: Get "https://192.168.91.150:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-08-28T10:29:54+08:00 is after 2024-08-09T06:16:19Z
Unable to connect to the server: tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-08-28T10:29:54+08:00 is after 2024-08-09T06:16:19Z

Running kubectl get nodes on the master01 node returns the following:

E0828 10:29:54.481489   47445 memcache.go:265] couldn't get current server API group list: Get "https://192.168.91.150:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-08-28T10:29:54+08:00 is after 2024-08-09T06:16:19Z

The message means the error is caused by the certificate having expired or not yet being valid: the current time is 28 Aug 2024 10:15:16, while the certificate's validity ended on 9 Aug 2024 06:16:19.

Check certificate expiration

root@master01:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 09, 2024 06:16 UTC   <invalid>       ca                      no      
apiserver                  Aug 09, 2024 06:16 UTC   <invalid>       ca                      no      
apiserver-etcd-client      Aug 09, 2024 06:16 UTC   <invalid>       etcd-ca                 no      
apiserver-kubelet-client   Aug 09, 2024 06:16 UTC   <invalid>       ca                      no      
controller-manager.conf    Aug 09, 2024 06:16 UTC   <invalid>       ca                      no      
etcd-healthcheck-client    Aug 09, 2024 06:16 UTC   <invalid>       etcd-ca                 no      
etcd-peer                  Aug 09, 2024 06:16 UTC   <invalid>       etcd-ca                 no      
etcd-server                Aug 09, 2024 06:16 UTC   <invalid>       etcd-ca                 no      
front-proxy-client         Aug 09, 2024 06:16 UTC   <invalid>       front-proxy-ca          no      
scheduler.conf             Aug 09, 2024 06:16 UTC   <invalid>       ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 07, 2033 06:16 UTC   8y              no      
etcd-ca                 Aug 07, 2033 06:16 UTC   8y              no      
front-proxy-ca          Aug 07, 2033 06:16 UTC   8y              no    

Explanation:
1. Certificate list: lists the various certificates used in the Kubernetes cluster, including the admin certificate (admin.conf), the API server certificate (apiserver), the certificate used to talk to etcd (apiserver-etcd-client), the certificate the API server uses to talk to the kubelet (apiserver-kubelet-client), and so on.
2. Expiry time: each certificate has an expected expiry time. For example, the apiserver certificate expires at Aug 09, 2024 06:16 UTC.
3. Residual time: shows the remaining validity of each certificate; here it is shown as <invalid>, which may mean the certificate has already expired or that a problem was encountered during the check.
4. Certificate authority (CA): shows which CA signed the certificate. For example, the apiserver certificate is signed by ca.
5. Externally managed: indicates whether the certificate is managed by an external system. Here no means these certificates are not managed externally.
6. Certificate authority (CA) list: shows the CA certificates in the cluster, including the main CA (ca), the etcd CA (etcd-ca) and the front-proxy CA (front-proxy-ca), along with their expiry times and remaining validity.
7. Error message: at the start of the check there is an error saying the configuration could not be read from the cluster (expected here, since kubeadm reaches the API server with the now-expired admin.conf credentials), but the command falls back to the default configuration.
8. Configuration hint: if you need to view or modify the cluster's kubeadm configuration, you can use kubectl to view or edit the kubeadm-config ConfigMap in the kube-system namespace.
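
As an added example (not from the original post), a small Python check that parses the output of kubeadm certs check-expiration shown above and flags certificates that are already expired or within a configurable number of days of expiry, so a cron job can alert before the cluster locks you out as it did here. The sample output and the frozen timestamp are constructed from the tables and error message on this page.

```python
"""Parse `kubeadm certs check-expiration` output and flag certificates that are
expired or close to expiry; meant for a cron job that alerts before renewal is urgent."""
from datetime import datetime, timedelta, timezone

# Sample output constructed from the tables shown on this page (not captured live).
SAMPLE_OUTPUT = """\
[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 09, 2024 06:16 UTC   <invalid>       ca                      no
apiserver                  Aug 09, 2024 06:16 UTC   <invalid>       ca                      no
etcd-server                Aug 28, 2025 03:15 UTC   364d            etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 07, 2033 06:16 UTC   8y              no
"""
# Constructed "now": 2024-08-28 10:29:54+08:00 from the kubectl error above, in UTC.
FROZEN_NOW = datetime(2024, 8, 28, 2, 29, 54, tzinfo=timezone.utc)
DATE_FMT = "%b %d, %Y %H:%M UTC"  # format of kubeadm's EXPIRES column

def parse_expirations(output):
    """Return {certificate name: expiry datetime in UTC} from both tables."""
    result = {}
    for line in output.splitlines():
        fields = line.split()
        # Skip blank lines, [check-expiration] log lines and the two table headers.
        if len(fields) < 7 or fields[0].startswith("[") or fields[0] == "CERTIFICATE":
            continue
        try:  # fields 1-5 are e.g. "Aug 09, 2024 06:16 UTC"
            expires = datetime.strptime(" ".join(fields[1:6]), DATE_FMT)
        except ValueError:
            continue  # not a certificate row
        result[fields[0]] = expires.replace(tzinfo=timezone.utc)
    return result

def expiring_within(output, now, days=30):
    """Certs expired or expiring within `days` of `now`, mapped to residual whole days (negative = expired)."""
    deadline = now + timedelta(days=days)
    return {name: (expires - now).days
            for name, expires in parse_expirations(output).items()
            if expires <= deadline}

if __name__ == "__main__":  # run against the real cluster; non-zero exit lets cron alert
    import subprocess, sys
    live = subprocess.run(["kubeadm", "certs", "check-expiration"],
                          capture_output=True, text=True, check=True).stdout
    flagged = expiring_within(live, datetime.now(timezone.utc))
    print("\n".join(f"{n}: {d}d left" for n, d in sorted(flagged.items())))
    sys.exit(1 if flagged else 0)
```
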
Enter maintenance mode

kubectl cordon master01
kubectl drain master01 --ignore-daemonsets

Renew the certificates
1. Back up the certificates

cp -r /etc/kubernetes/ /etc/kubernetes.old

2. Renew the certificates

# Automatically renew all self-signed certificates in the Kubernetes cluster
kubeadm certs renew all
# Renew only the certificate of a specified component, e.g. the API server
kubeadm certs renew apiserver

All of my certificates had expired here, so I renewed them all.

root@master01:~# kubeadm certs renew all 
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

Update the ~/.kube/config file
The ~/.kube/config file is the client configuration file for the Kubernetes cluster. It stores the cluster's access information, including the API server address, the context in use and the authentication data (such as certificates), and it is what lets a user interact with the cluster through the kubectl command-line tool.

root@master01:~# mv /root/.kube/config /root/.kube/config.old 
root@master01:~# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
root@master01:~# chown $(id -u):$(id -g) $HOME/.kube/config
root@master01:~# sudo chmod 644 $HOME/.kube/config

Restart the affected components

# If your cluster's services are managed by systemd
sudo systemctl restart kubelet
# For a standalone etcd, use the following command
sudo systemctl restart etcd

Verify

root@master01:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 28, 2025 03:15 UTC   364d            ca                      no      
apiserver                  Aug 28, 2025 03:15 UTC   364d            ca                      no      
apiserver-etcd-client      Aug 28, 2025 03:15 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Aug 28, 2025 03:15 UTC   364d            ca                      no      
controller-manager.conf    Aug 28, 2025 03:15 UTC   364d            ca                      no      
etcd-healthcheck-client    Aug 28, 2025 03:15 UTC   364d            etcd-ca                 no      
etcd-peer                  Aug 28, 2025 03:15 UTC   364d            etcd-ca                 no      
etcd-server                Aug 28, 2025 03:15 UTC   364d            etcd-ca                 no      
front-proxy-client         Aug 28, 2025 03:15 UTC   364d            front-proxy-ca          no      
scheduler.conf             Aug 28, 2025 03:15 UTC   364d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 07, 2033 06:16 UTC   8y              no      
etcd-ca                 Aug 07, 2033 06:16 UTC   8y              no      
front-proxy-ca          Aug 07, 2033 06:16 UTC   8y              no   
root@master01:~# kubectl get nodes
NAME       STATUS   ROLES           AGE    VERSION
master01   Ready    control-plane   383d   v1.27.0
node01     Ready    <none>          383d   v1.27.0
node02     Ready    <none>          383d   v1.27.0
root@master01:~# kubectl get pods --all-namespaces
NAMESPACE              NAME                                         READY   STATUS    RESTARTS   AGE
kube-system            calico-kube-controllers-5585f6d55d-qcpmb     1/1     Running   0          383d
kube-system            calico-node-b65lt                            1/1     Running   0          383d
kube-system            calico-node-c9bmn                            1/1     Running   0          383d
kube-system            calico-node-zzqj2                            1/1     Running   0          383d
kube-system            coredns-65dcc469f7-2pzxw                     1/1     Running   0          383d
kube-system            coredns-65dcc469f7-g8dbx                     1/1     Running   0          383d
kube-system            etcd-master01                                1/1     Running   0          383d
kube-system            kube-apiserver-master01                      1/1     Running   0          383d
kube-system            kube-controller-manager-master01             1/1     Running   0          383d
kube-system            kube-proxy-9z8c2                             1/1     Running   0          383d
kube-system            kube-proxy-l6pfq                             1/1     Running   0          383d
kube-system            kube-proxy-tw46c                             1/1     Running   0          383d
kube-system            kube-scheduler-master01                      1/1     Running   0          383d
kube-system            metrics-server-f4d79949f-4sfdj               1/1     Running   0          383d
kubernetes-dashboard   dashboard-metrics-scraper-7b87d6575b-qmh78   1/1     Running   0          383d
kubernetes-dashboard   kubernetes-dashboard-555d8dbffd-7xsbz        1/1     Running   0          383d

Exit maintenance mode

kubectl uncordon master01