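k8s certificate renewal

1. Background

Monitoring showed that the k8s certificates would expire in one month, so I decided to renew them during off-peak hours, with downtime.

k8s version: 1.19

2. Procedure

1. Check whether the certificates have expired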
kubeadm alpha certs check-expiration

[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 28, 2025 05:45 UTC   364d                                    no      
apiserver                  Aug 28, 2025 03:59 UTC   364d            ca                      no      
apiserver-etcd-client      Aug 28, 2025 03:59 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Aug 28, 2025 04:00 UTC   364d            ca                      no      
controller-manager.conf    Aug 28, 2025 05:48 UTC   364d                                    no      
etcd-healthcheck-client    Aug 28, 2025 03:59 UTC   364d            etcd-ca                 no      
etcd-peer                  Aug 28, 2025 03:59 UTC   364d            etcd-ca                 no      
etcd-server                Aug 28, 2025 03:59 UTC   364d            etcd-ca                 no      
front-proxy-client         Aug 28, 2025 03:59 UTC   364d            front-proxy-ca          no      
scheduler.conf             Aug 28, 2025 05:51 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 11, 2033 07:06 UTC   8y              no      
etcd-ca                 Aug 11, 2033 07:06 UTC   8y              no      
front-proxy-ca          Aug 11, 2033 07:06 UTC   8y              no      
[root@k8s-master kubernetes]# kubectl get nodes
error: You must be logged in to the server (Unauthorized)

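An expired certificate is flagged in the RESIDUAL TIME column; the output from that time was not recorded here.

2. Renew the certificates (renew whichever ones have expired)

2.1 Back up first
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.bak

2.2 Renew the certificates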
kubeadm alpha certs renew apiserver
kubeadm alpha certs renew apiserver-etcd-client
kubeadm alpha certs renew apiserver-kubelet-client
kubeadm alpha certs renew etcd-healthcheck-client
kubeadm alpha certs renew etcd-peer
kubeadm alpha certs renew etcd-server
kubeadm alpha certs renew front-proxy-client

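Back up the certificate files ending in .conf (admin.conf, controller-manager.conf, scheduler.conf). Note that a new file cannot be created while the original still exists, so move the originals aside first.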
cd /etc/kubernetes/
mv controller-manager.conf controller-manager.conf.bak20240828
mv admin.conf admin.conf.bak20240828
mv scheduler.conf scheduler.conf.bak20240828
kubeadm init phase kubeconfig controller-manager
kubeadm init phase kubeconfig admin
kubeadm init phase kubeconfig scheduler

3. Check that the renewal succeeded
kubeadm alpha certs check-expiration

4. Update kubeconfig
cp /etc/kubernetes/admin.conf $HOME/.kube/config
kubectl get nodes

5. Reboot the server
reboot
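
The expiry check in steps 1 and 3 can be scripted so that entries needing renewal are listed automatically. This is an added example, not part of the original post: the function names, the 30-day threshold and the sample output are constructed, and it assumes the UTC timestamps and single number-plus-unit RESIDUAL TIME format shown in the listing above.

```shell
#!/bin/sh
# Added example (not from the original post).
# certs_to_renew DAYS: reads `kubeadm alpha certs check-expiration` output on
# stdin and prints every certificate or CA whose RESIDUAL TIME is below DAYS.
certs_to_renew() {
    awk -v limit="$1" '
        # Data rows: NAME  Mon DD, YYYY HH:MM UTC  RESIDUAL ...
        # so the timezone is field 6 and RESIDUAL TIME is field 7.
        # Headers, log lines and shell prompts do not match and are skipped.
        NF >= 7 && $6 == "UTC" {
            r = $7
            if (r ~ /^[0-9]+[ydhms]$/) {
                n = substr(r, 1, length(r) - 1) + 0
                u = substr(r, length(r))
                if (u == "y") days = n * 365
                else if (u == "d") days = n
                else days = 0      # hours, minutes or seconds: under one day
            } else {
                days = -1          # not a duration: treat as already expired
            }
            if (days < limit) print $1
        }'
}

# Constructed sample output (names from the listing above, values invented).
sample_output() {
    cat <<'EOF'
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 28, 2025 05:45 UTC   364d                                    no
apiserver                  Sep 27, 2024 03:59 UTC   29d             ca                      no
etcd-server                Aug 28, 2024 03:59 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Aug 29, 2024 01:59 UTC   22h             front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 11, 2033 07:06 UTC   8y              no
EOF
}

# List everything with fewer than 30 days left.
sample_output | certs_to_renew 30
```

On a control-plane node the same function can be fed directly: kubeadm alpha certs check-expiration | certs_to_renew 30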
