kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 15, 2023 01:59 UTC   362d            ca                      no
apiserver                  Mar 15, 2023 01:58 UTC   362d            ca                      no
apiserver-etcd-client      Mar 15, 2023 01:59 UTC   362d            etcd-ca                 no
apiserver-kubelet-client   Mar 15, 2023 01:59 UTC   362d            ca                      no
controller-manager.conf    Mar 15, 2023 01:59 UTC   362d            ca                      no
etcd-healthcheck-client    Mar 15, 2023 01:59 UTC   362d            etcd-ca                 no
etcd-peer                  Mar 15, 2023 01:59 UTC   362d            etcd-ca                 no
etcd-server                Mar 15, 2023 01:59 UTC   362d            etcd-ca                 no
front-proxy-client         Mar 15, 2023 01:59 UTC   362d            front-proxy-ca          no
scheduler.conf             Mar 15, 2023 01:59 UTC   362d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 12, 2032 01:58 UTC   9y              no
etcd-ca                 Mar 12, 2032 01:59 UTC   9y              no
front-proxy-ca          Mar 12, 2032 01:59 UTC   9y              no

Manually renewing certificates
kubeadm certs renew -h
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm certs renew [flags]
  kubeadm certs renew [command]

Available Commands:
  admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                      Renew all available certificates
  apiserver                Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
  controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                Renew the certificate for etcd nodes to communicate with each other
  etcd-server              Renew the certificate for serving etcd
  front-proxy-client       Renew the certificate for the front proxy client
  scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

Flags:
  -h, --help   help for renew

Global Flags:
      --add-dir-header           If true, adds the file directory to the header of the log messages
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
kubeadm certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 17, 2023 05:38 UTC   364d            ca                      no
apiserver                  Mar 17, 2023 05:38 UTC   364d            ca                      no
apiserver-etcd-client      Mar 17, 2023 05:38 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Mar 17, 2023 05:38 UTC   364d            ca                      no
controller-manager.conf    Mar 17, 2023 05:38 UTC   364d            ca                      no
etcd-healthcheck-client    Mar 17, 2023 05:38 UTC   364d            etcd-ca                 no
etcd-peer                  Mar 17, 2023 05:38 UTC   364d            etcd-ca                 no
etcd-server                Mar 17, 2023 05:38 UTC   364d            etcd-ca                 no
front-proxy-client         Mar 17, 2023 05:38 UTC   364d            front-proxy-ca          no
scheduler.conf             Mar 17, 2023 05:38 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 12, 2032 01:58 UTC   9y              no
etcd-ca                 Mar 12, 2032 01:59 UTC   9y              no
front-proxy-ca          Mar 12, 2032 01:59 UTC   9y              no
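
The RESIDUAL TIME column above is the value to watch between renewals. The following is an added example, not part of the original page: a POSIX shell filter that reads `kubeadm certs check-expiration` output and lists every certificate with fewer than a given number of days left. `expiring_certs` and `sample_output` are hypothetical names, the sample input is constructed, and the `<invalid>` and sub-day (`h`/`m`/`s`) residual values are assumptions beyond the `d` and `y` values shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page). expiring_certs and sample_output
# are hypothetical helper names.

# Constructed sample in the check-expiration layout, with short residual times.
sample_output() {
cat <<'EOF'
[check-expiration] Reading configuration from the cluster...

CERTIFICATE          EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf           Mar 17, 2023 05:38 UTC   364d            ca                      no
apiserver            Apr 01, 2022 05:38 UTC   12d             ca                      no
etcd-server          Mar 20, 2022 10:38 UTC   5h              etcd-ca                 no
front-proxy-client   Mar 01, 2022 05:38 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 12, 2032 01:58 UTC   9y              no
EOF
}

# Usage: kubeadm certs check-expiration | expiring_certs 30
# Prints "name residual" for every row with fewer than $1 days left.
expiring_certs() {
    awk -v limit="$1" '
        # Skip log lines, table headers and blank lines.
        /^\[/ || /^CERTIFICATE/ || NF == 0 { next }
        {
            # RESIDUAL TIME is the field right after the "UTC" token.
            res = ""
            for (i = 1; i < NF; i++) if ($i == "UTC") { res = $(i + 1); break }
            if (res == "") next
            unit = substr(res, length(res), 1)
            n = substr(res, 1, length(res) - 1) + 0
            if (res == "<invalid>") days = -1      # assumed marker for an expired cert
            else if (unit == "y")   days = n * 365
            else if (unit == "d")   days = n
            else                    days = 0       # assumed h/m/s units: under one day
            if (days < limit) print $1, res
        }'
}
```

Run from cron or a monitoring agent, a non-empty result is the signal to schedule `kubeadm certs renew` and the component restarts it asks for.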