Reference: https://www.ibm.com/support/knowledgecenter/SSCKRH_1.1.0/platform/t_certificate_renewal.html
Tested in practice: this procedure also works when the certificates have already expired.
Renewing Kubernetes cluster certificates
The Kubernetes cluster certificates have a lifespan of one year. If the Kubernetes cluster certificate expires on the Kubernetes master, then the kubelet service will fail. Issuing a kubectl command, such as kubectl get pods or kubectl exec -it container_name bash, will result in a message similar to Unable to connect to the server: x509: certificate has expired or is not yet valid.
Procedure
- Log on to the Kubernetes master node as the root user and run the following command to check when the Kubernetes certificates will expire.
kubeadm alpha certs check-expiration
The output will be similar to the following. In this case the certificates will expire in 273 days.
[root@fcidevilt-km ~]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Sep 17, 2020 21:24 UTC   273d            no
apiserver                  Sep 17, 2020 21:24 UTC   273d            no
apiserver-etcd-client      Sep 17, 2020 21:24 UTC   273d            no
apiserver-kubelet-client   Sep 17, 2020 21:24 UTC   273d            no
controller-manager.conf    Sep 17, 2020 21:24 UTC   273d            no
etcd-healthcheck-client    Sep 17, 2020 21:24 UTC   273d            no
etcd-peer                  Sep 17, 2020 21:24 UTC   273d            no
etcd-server                Sep 17, 2020 21:24 UTC   273d            no
front-proxy-client         Sep 17, 2020 21:24 UTC   273d            no
scheduler.conf             Sep 17, 2020 21:24 UTC   273d            no
- Run the following command to renew all the Kubernetes certificates:
kubeadm alpha certs renew all
The output of the command will be similar to the following:
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
- Run the following command to confirm the certificates have been renewed and will expire in 364 days:
kubeadm alpha certs check-expiration
The output should look similar to the following:
[root@fcidevilt-km ~]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Dec 18, 2020 18:55 UTC   364d            no
apiserver                  Dec 18, 2020 18:55 UTC   364d            no
apiserver-etcd-client      Dec 18, 2020 18:55 UTC   364d            no
apiserver-kubelet-client   Dec 18, 2020 18:55 UTC   364d            no
controller-manager.conf    Dec 18, 2020 18:55 UTC   364d            no
etcd-healthcheck-client    Dec 18, 2020 18:55 UTC   364d            no
etcd-peer                  Dec 18, 2020 18:55 UTC   364d            no
etcd-server                Dec 18, 2020 18:55 UTC   364d            no
front-proxy-client         Dec 18, 2020 18:55 UTC   364d            no
scheduler.conf             Dec 18, 2020 18:55 UTC   364d            no
- Confirm that kubelet services are running and communication between the worker nodes and the Kubernetes master is working.
- After waiting a few minutes, run the following command from the Kubernetes master node to confirm that the worker nodes are available:
kubectl get nodes
If the original certificates had already expired, this command fails at this point:
[root@FAT-K8S-M1 kubernetes]# kubectl get pod
error: You must be logged in to the server (Unauthorized)
Switching to the newly issued credentials file resolves this:
cp /etc/kubernetes/admin.conf ~/.kube/config
- Restart the four containers kube-apiserver, kube-controller, kube-scheduler and etcd:
docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash
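The check in steps 1 and 3 is easy to automate so that an expiring control-plane certificate is caught long before the kubelet and kubectl start failing. The script below is an added example written for this post (it is not kubeadm's or IBM's code): it parses the table printed by kubeadm alpha certs check-expiration, recomputes the remaining lifetime from the EXPIRES column instead of trusting the RESIDUAL TIME column, and flags anything expired or inside a warning window. The embedded sample table is constructed from the first check-expiration output above plus one made-up expired row named stale-example; kubeadm prints "<invalid>" as the residual time of an expired certificate, which the regex accepts like any other value.

```python
"""Flag expired or soon-to-expire certificates from the table printed by
`kubeadm alpha certs check-expiration`.

Added example for this post, not kubeadm's or IBM's code. SAMPLE_OUTPUT is
constructed from the 273-day table shown in the post plus one made-up expired
row ("stale-example"); SAMPLE_NOW is the capture time implied by that table.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample input: prompt and header as kubeadm prints them,
# ten rows copied from the post, one constructed expired row at the end.
SAMPLE_OUTPUT = """\
[root@fcidevilt-km ~]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Sep 17, 2020 21:24 UTC   273d            no
apiserver                  Sep 17, 2020 21:24 UTC   273d            no
apiserver-etcd-client      Sep 17, 2020 21:24 UTC   273d            no
apiserver-kubelet-client   Sep 17, 2020 21:24 UTC   273d            no
controller-manager.conf    Sep 17, 2020 21:24 UTC   273d            no
etcd-healthcheck-client    Sep 17, 2020 21:24 UTC   273d            no
etcd-peer                  Sep 17, 2020 21:24 UTC   273d            no
etcd-server                Sep 17, 2020 21:24 UTC   273d            no
front-proxy-client         Sep 17, 2020 21:24 UTC   273d            no
scheduler.conf             Sep 17, 2020 21:24 UTC   273d            no
stale-example              Sep 17, 2019 21:24 UTC   <invalid>       no
"""

# Sep 17, 2020 21:24 UTC minus 273 days: the moment at which the sample
# table's RESIDUAL TIME column is exact (constructed to match the post).
SAMPLE_NOW = datetime(2019, 12, 19, 21, 24, tzinfo=timezone.utc)

# One table row: name, "Mon DD, YYYY HH:MM UTC", residual ("273d", "<invalid>"...), yes/no.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<expires>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2} UTC)\s+"
    r"(?P<residual>\S+)\s+"
    r"(?P<external>yes|no)$"
)


def parse_check_expiration(text):
    """Return {name: {"expires": aware UTC datetime, "externally_managed": bool}}.
    The shell prompt, the header and blank lines do not match ROW_RE and are skipped."""
    certs = {}
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue
        expires = datetime.strptime(m["expires"], "%b %d, %Y %H:%M UTC")
        certs[m["name"]] = {
            "expires": expires.replace(tzinfo=timezone.utc),
            "externally_managed": m["external"] == "yes",
        }
    return certs


def certs_needing_attention(certs, now, warn_days=30):
    """Map name -> "expired" or "<n> days left" for every certificate whose
    NotAfter is already past or falls within warn_days of `now`.
    Remaining time is derived from the EXPIRES column, so an "<invalid>"
    residual (an already-expired certificate) is handled the same way."""
    flagged = {}
    for name, info in certs.items():
        remaining = info["expires"] - now
        if remaining <= timedelta(0):
            flagged[name] = "expired"
        elif remaining <= timedelta(days=warn_days):
            flagged[name] = f"{remaining.days} days left"
    return flagged


def check_output(text, now=None, warn_days=30):
    """Parse then flag in one call; `now` defaults to the current UTC time."""
    now = now or datetime.now(timezone.utc)
    return certs_needing_attention(parse_check_expiration(text), now, warn_days)


if __name__ == "__main__":
    # Pipe real kubeadm output in with "-"; otherwise run on the sample table.
    data = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_OUTPUT
    now = SAMPLE_NOW if data is SAMPLE_OUTPUT else None
    flagged = check_output(data, now)
    for name, state in sorted(flagged.items()):
        print(f"{name}: {state}")
    sys.exit(1 if flagged else 0)
```

Run it on a master node as kubeadm alpha certs check-expiration | python3 check_certs.py - (the file name is the reader's choice); a non-zero exit status when anything is flagged makes it usable from cron or a monitoring check. The 30-day window is only a default: renewing well inside it leaves time to restart the control-plane containers and refresh kubeconfig files, as the steps above require, before anything actually fails.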