Renewing certificates with kubeadm (version 1.23.4)

1. Check the certificate expiration dates

kubeadm certs check-expiration

1.1. The output looks like this

[root@master pki]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 15, 2023 12:07 UTC   335d            ca                      no      
apiserver                  Mar 15, 2023 12:07 UTC   335d            ca                      no      
apiserver-etcd-client      Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no      
apiserver-kubelet-client   Mar 15, 2023 12:07 UTC   335d            ca                      no      
controller-manager.conf    Mar 15, 2023 12:07 UTC   335d            ca                      no      
etcd-healthcheck-client    Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no      
etcd-peer                  Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no      
etcd-server                Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no      
front-proxy-client         Mar 15, 2023 12:07 UTC   335d            front-proxy-ca          no      
scheduler.conf             Mar 15, 2023 12:07 UTC   335d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 12, 2032 12:07 UTC   9y              no      
etcd-ca                 Mar 12, 2032 12:07 UTC   9y              no      
front-proxy-ca          Mar 12, 2032 12:07 UTC   9y              no      

This command shows the expiry date and remaining lifetime of every certificate kubeadm manages: the certificates under /etc/kubernetes/pki and the client certificates kubeadm embeds in the kubeconfig files (admin.conf, controller-manager.conf and scheduler.conf). kubelet.conf is not listed because the kubelet rotates its own client certificate automatically. Note that the command reads the kubeadm configuration from the kubeadm-config ConfigMap, so it needs a reachable API server; once the API server certificate has already expired, pass the kubeadm configuration file with --config instead.
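As an added example (not from the original post), the following script turns this check into something a cron job or monitoring agent can act on. certs_expiring_within parses the check-expiration table printed above (SAMPLE_OUTPUT is that table, embedded so the parser can be tried offline); pki_expiring_within checks the .crt files and the certificates embedded in the kubeconfig files directly with openssl, which keeps working after the API server certificate has expired and kubeadm can no longer read its configuration from the cluster. It assumes GNU date and openssl on the node; the optional NOW_EPOCH argument is a convenience added here so the parser can be run against a fixed clock.

```shell
#!/bin/sh
# Added example, not part of the original post: alert on kubeadm-managed
# certificates that expire within N days.
# Assumes GNU date (for `date -d`) and openssl on the control-plane node.
set -eu

# Constructed sample: the `kubeadm certs check-expiration` table from the post,
# embedded here so certs_expiring_within can be exercised offline.
SAMPLE_OUTPUT=$(cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 15, 2023 12:07 UTC   335d            ca                      no
apiserver                  Mar 15, 2023 12:07 UTC   335d            ca                      no
apiserver-etcd-client      Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
apiserver-kubelet-client   Mar 15, 2023 12:07 UTC   335d            ca                      no
controller-manager.conf    Mar 15, 2023 12:07 UTC   335d            ca                      no
etcd-healthcheck-client    Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
etcd-peer                  Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
etcd-server                Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
front-proxy-client         Mar 15, 2023 12:07 UTC   335d            front-proxy-ca          no
scheduler.conf             Mar 15, 2023 12:07 UTC   335d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 12, 2032 12:07 UTC   9y              no
etcd-ca                 Mar 12, 2032 12:07 UTC   9y              no
front-proxy-ca          Mar 12, 2032 12:07 UTC   9y              no
EOF
)

# certs_expiring_within DAYS [NOW_EPOCH] < check-expiration-output
# Prints the name of every certificate or CA whose EXPIRES timestamp is no more
# than DAYS days after NOW (NOW defaults to the current time; passing it is an
# addition for testing against a fixed clock).
certs_expiring_within() {
    local days=$1 now limit name mon day year time tz exp
    now=${2:-$(date -u +%s)}
    limit=$(( now + days * 86400 ))
    # Data rows look like "<name> Mon DD, YYYY HH:MM UTC ..."; header lines and
    # the [check-expiration] chatter never match the month/day pattern.
    awk '$2 ~ /^[A-Z][a-z][a-z]$/ && $3 ~ /^[0-9]+,$/ { print $1, $2, $3, $4, $5, $6 }' |
    while read -r name mon day year time tz; do
        exp=$(date -u -d "$mon $day $year $time $tz" +%s)
        if [ "$exp" -le "$limit" ]; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# pki_expiring_within DAYS [PKI_DIR]
# File-level check that needs no API server: every .crt under the pki directory
# (and its etcd/ subdirectory) plus the client certificates embedded in the
# kubeconfig files next to it are run through `openssl x509 -checkend`.
# Prints the path of each certificate that expires within DAYS days.
pki_expiring_within() {
    local days=$1 dir=${2:-/etc/kubernetes/pki} secs f data
    secs=$(( days * 86400 ))
    for f in "$dir"/*.crt "$dir"/etcd/*.crt; do
        [ -e "$f" ] || continue
        openssl x509 -noout -checkend "$secs" -in "$f" >/dev/null || printf '%s\n' "$f"
    done
    for f in "$dir"/../*.conf; do
        [ -e "$f" ] || continue
        # kubeconfig files carry the certificate base64-encoded in
        # client-certificate-data; kubelet.conf usually references a file instead.
        data=$(awk '/client-certificate-data:/ { print $2; exit }' "$f")
        [ -n "$data" ] || continue
        printf '%s' "$data" | base64 -d | openssl x509 -noout -checkend "$secs" >/dev/null ||
            printf '%s\n' "$f"
    done
}

# Usage on a node: `kubeadm certs check-expiration | certs_expiring_within 30`
# or `pki_expiring_within 30`. Offline demonstration against the sample table:
printf '%s\n' "$SAMPLE_OUTPUT" | certs_expiring_within 30
```

Run either function from cron with a window longer than your renewal lead time (30 days is a common choice) and page on any output; pki_expiring_within is the one to keep in the monitoring path, since it does not depend on the API server being healthy.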

2. Renew certificates manually
Certificates can be renewed manually at any time with the kubeadm certs renew command. It signs the new certificates with the CA (or front-proxy CA) certificate and key stored in /etc/kubernetes/pki; the CA certificates themselves are not renewed by this command.
2.1. View the help for kubeadm certs renew

[root@master pki]# kubeadm certs renew -h
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm certs renew [flags]
  kubeadm certs renew [command]

Available Commands:
  admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                      Renew all available certificates
  apiserver                Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
  controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                Renew the certificate for etcd nodes to communicate with each other
  etcd-server              Renew the certificate for serving etcd
  front-proxy-client       Renew the certificate for the front proxy client
  scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

Flags:
  -h, --help   help for renew

Global Flags:
      --add-dir-header           If true, adds the file directory to the header of the log messages
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm certs renew [command] --help" for more information about a command.

Note: as the list shows, naming a specific certificate renews only that certificate; all renews every certificate kubeadm manages.

2.2. After the command runs, note the following:

  • Every certificate is renewed for one year, regardless of how long it had left.
  • The subject, SANs and other attributes are copied from the existing certificate, so nothing has to be supplied again. A new private key is generated along with each new certificate.
  • The renewal only takes effect once the components are restarted, because they load their certificates at start-up.
  • The old certificates stay valid until their original expiry date: Kubernetes does not consult revocation lists, so any copy of an old certificate or kubeconfig (backups included) keeps working until then.

Note: the kubeadm certs commands have existed since v1.15 (as kubeadm alpha certs until v1.20, when they were promoted to kubeadm certs). kubeadm upgrade also renews all of these certificates automatically unless --certificate-renewal=false is given.
2.3. Renew all certificates manually
2.3.1. Back up the existing files and run the renewal

[root@master ~]# cp -r /etc/kubernetes /etc/kubernetes.bak
[root@master ~]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so tha

2.4. Inspect the new certificate files

[root@master ~]# ll /etc/kubernetes
total 36
-rw-------. 1 root root 5639 Apr 14 14:48 admin.conf
-rw-------. 1 root root 5671 Apr 14 14:48 controller-manager.conf
-rw-------. 1 root root 1963 Mar 15 20:07 kubelet.conf
drwxr-xr-x. 2 root root  113 Mar 22 10:24 manifests
drwxr-xr-x. 3 root root 4096 Mar 15 20:07 pki
drwxr-xr-x. 3 root root 4096 Apr 14 14:37 pki.old
-rw-------. 1 root root 5619 Apr 14 14:48 scheduler.conf
[root@master ~]# ll /etc/kubernetes/pki
total 56
-rw-r--r--. 1 root root 1281 Apr 14 14:48 apiserver.crt
-rw-r--r--. 1 root root 1155 Apr 14 14:48 apiserver-etcd-client.crt
-rw-------. 1 root root 1675 Apr 14 14:48 apiserver-etcd-client.key
-rw-------. 1 root root 1675 Apr 14 14:48 apiserver.key
-rw-r--r--. 1 root root 1164 Apr 14 14:48 apiserver-kubelet-client.crt
-rw-------. 1 root root 1679 Apr 14 14:48 apiserver-kubelet-client.key
-rw-r--r--. 1 root root 1099 Mar 15 20:07 ca.crt
-rw-------. 1 root root 1679 Mar 15 20:07 ca.key
drwxr-xr-x. 2 root root  162 Mar 15 20:07 etcd
-rw-r--r--. 1 root root 1115 Mar 15 20:07 front-proxy-ca.crt
-rw-------. 1 root root 1679 Mar 15 20:07 front-proxy-ca.key
-rw-r--r--. 1 root root 1119 Apr 14 14:48 front-proxy-client.crt
-rw-------. 1 root root 1675 Apr 14 14:48 front-proxy-client.key
-rw-------. 1 root root 1675 Mar 15 20:07 sa.key
-rw-------. 1 root root  451 Mar 15 20:07 sa.pub

The renewed certificates and their keys carry the renewal timestamp; the CA files, the service-account key pair and kubelet.conf are untouched.

2.5. Check the certificate validity again

[root@master ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 14, 2023 06:48 UTC   364d            ca                      no      
apiserver                  Apr 14, 2023 06:48 UTC   364d            ca                      no      
apiserver-etcd-client      Apr 14, 2023 06:48 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Apr 14, 2023 06:48 UTC   364d            ca                      no      
controller-manager.conf    Apr 14, 2023 06:48 UTC   364d            ca                      no      
etcd-healthcheck-client    Apr 14, 2023 06:48 UTC   364d            etcd-ca                 no      
etcd-peer                  Apr 14, 2023 06:48 UTC   364d            etcd-ca                 no      
etcd-server                Apr 14, 2023 06:48 UTC   364d            etcd-ca                 no      
front-proxy-client         Apr 14, 2023 06:48 UTC   364d            front-proxy-ca          no      
scheduler.conf             Apr 14, 2023 06:48 UTC   364d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 12, 2032 12:07 UTC   9y              no      
etcd-ca                 Mar 12, 2032 12:07 UTC   9y              no      
front-proxy-ca          Mar 12, 2032 12:07 UTC   9y              no      

3. Restart kube-apiserver, kube-controller-manager, kube-scheduler and etcd for the change to take effect
3.1. Restart method 1: move the static-pod manifests away and back

[root@master ~]# mv /etc/kubernetes/manifests/* /tmp/
// After about 20 to 30 seconds the kubelet notices the manifests are gone and stops the kube-apiserver, kube-controller-manager, kube-scheduler and etcd containers. Only then move the manifests back; moving them back too early leaves the old containers running with the old certificates:
[root@master ~]# mv /tmp/kube-* /etc/kubernetes/manifests/
[root@master ~]# mv /tmp/etcd.yaml /etc/kubernetes/manifests/

Note: /tmp is shared with every process on the node, so the glob /tmp/kube-* can pick up unrelated files. Parking the manifests in an empty directory created for the purpose is safer.

3.2. Restart method 2: delete the mirror pods (the suffix is the node name)

[root@master ~]# kubectl delete pod etcd-master -n kube-system
[root@master ~]# kubectl delete pod kube-apiserver-master -n kube-system
[root@master ~]# kubectl delete pod kube-controller-manager-master -n kube-system
[root@master ~]# kubectl delete pod kube-scheduler-master -n kube-system

Note: kubectl still works at this point because the old credentials in $HOME/.kube/config remain valid until their original expiry. Deleting a static pod's mirror pod through the API server relies on the kubelet re-syncing the static pod, so with either method confirm afterwards that the API server actually presents the renewed certificate (for example by comparing the serial reported by openssl s_client with the one in /etc/kubernetes/pki/apiserver.crt) rather than assuming the restart happened.

4. Update the kubeconfig file

admin.conf was renewed, but the copy in $HOME/.kube/config still embeds the old client certificate, so replace it:

[root@master ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@master ~]# chown $(id -u):$(id -g) $HOME/.kube/config

Do the same for any other copies of admin.conf handed out to people or CI systems. Then remove, or at least restrict to root (chmod -R go-rwx), the /etc/kubernetes.bak backup made in step 2.3.1: it contains the CA private keys and the old client certificates, which stay valid until their original expiry. On a cluster with several control-plane nodes, repeat sections 2 to 4 on every one of them; the certificates are per node and kubeadm does not copy renewed ones across nodes.
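As an added example (not the post's own commands), here is the procedure from sections 2.3 to 4 as one script, with the steps a hurried run tends to skip: a root-only backup, a dedicated parking directory instead of /tmp, a wait until the containers have really stopped, a check that the restarted API server and etcd present the new certificates, and the admin kubeconfig refresh. It assumes a kubeadm 1.23 control-plane node at the default paths and ports with openssl and curl installed; the backup and parking paths under /root are choices made here, not kubeadm conventions.

```shell
#!/bin/sh
# Added example, not from the original post: certificate renewal with the
# safety steps spelled out. Run as root on each control-plane node with:
#   sh renew-certs.sh run
# Assumes kubeadm 1.23 defaults (/etc/kubernetes, API server on 6443, etcd on
# 2379) and openssl plus curl on the node.
set -eu

MANIFESTS=/etc/kubernetes/manifests
PKI=/etc/kubernetes/pki

# park_manifests SRC DST: move every *.yaml from SRC into DST, which is created
# and must be empty, so the kubelet tears the static pods down. A dedicated,
# empty directory means the later restore cannot sweep up unrelated files the
# way `mv /tmp/kube-*` can.
park_manifests() {
    local src=$1 dst=$2 f
    mkdir -p "$dst"
    if [ -n "$(ls -A "$dst")" ]; then
        echo "refusing to use non-empty parking directory $dst" >&2
        return 1
    fi
    for f in "$src"/*.yaml; do
        [ -e "$f" ] || continue
        mv "$f" "$dst"/
    done
}

# restore_manifests PARKDIR DST: move the parked *.yaml files back.
restore_manifests() {
    local src=$1 dst=$2 f
    for f in "$src"/*.yaml; do
        [ -e "$f" ] || continue
        mv "$f" "$dst"/
    done
}

# wait_apiserver up|down: poll /healthz (anonymous access to it is allowed by
# the kubeadm defaults) until the API server is in the wanted state or 120s pass.
wait_apiserver() {
    local want=$1 i=0 state
    while [ "$i" -lt 60 ]; do
        if curl -sk --max-time 3 https://127.0.0.1:6443/healthz 2>/dev/null | grep -q '^ok$'; then
            state=up
        else
            state=down
        fi
        if [ "$state" = "$want" ]; then return 0; fi
        i=$((i + 1)); sleep 2
    done
    echo "API server did not go $want in time" >&2
    return 1
}

# cert_serial FILE / served_serial HOST:PORT [s_client options]: serial number
# of a certificate on disk and of the one a listening TLS endpoint presents.
cert_serial() { openssl x509 -noout -serial -in "$1"; }
served_serial() {
    local target=$1; shift
    openssl s_client -connect "$target" "$@" </dev/null 2>/dev/null | openssl x509 -noout -serial
}

# verify_served_certs: the restart only helped if the running processes present
# the certificates now on disk. etcd requires client authentication, so the
# API server's own etcd client certificate is used to reach it.
verify_served_certs() {
    [ "$(served_serial 127.0.0.1:6443)" = "$(cert_serial "$PKI/apiserver.crt")" ] ||
        { echo "kube-apiserver still presents the old certificate" >&2; return 1; }
    [ "$(served_serial 127.0.0.1:2379 -cert "$PKI/apiserver-etcd-client.crt" \
            -key "$PKI/apiserver-etcd-client.key" -CAfile "$PKI/etcd/ca.crt")" = \
      "$(cert_serial "$PKI/etcd/server.crt")" ] ||
        { echo "etcd still presents the old certificate" >&2; return 1; }
    echo "kube-apiserver and etcd present the renewed certificates"
}

renew_control_plane_certs() {
    local backup park
    backup=/root/kubernetes.bak.$(date +%Y%m%d%H%M%S)   # path chosen for this example
    park=/root/manifests.parked                          # path chosen for this example
    # The backup holds the CA private keys and the old, still-valid client
    # certificates: keep it root-only and delete it once the renewal is confirmed.
    cp -a /etc/kubernetes "$backup"
    chmod -R go-rwx "$backup"
    kubeadm certs renew all
    kubeadm certs check-expiration
    # Restart the static pods: remove the manifests, wait for the kubelet to
    # actually stop the containers, then put the manifests back.
    park_manifests "$MANIFESTS" "$park"
    wait_apiserver down
    sleep 10    # extra grace for etcd, kube-controller-manager and kube-scheduler
    restore_manifests "$park" "$MANIFESTS"
    rmdir "$park"
    wait_apiserver up
    verify_served_certs
    # $HOME/.kube/config still embeds the old admin client certificate.
    mkdir -p "$HOME/.kube"
    cp /etc/kubernetes/admin.conf "$HOME/.kube/config"
    chmod 600 "$HOME/.kube/config"
    echo "done; repeat on every other control-plane node and remove $backup when satisfied"
}

if [ "${1:-}" = run ]; then renew_control_plane_certs; fi
```

verify_served_certs compares serial numbers rather than dates because the renewed certificate keeps the same subject and SANs; the serial is the one field guaranteed to differ between the old and the new certificate.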