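1. Error message
Operating system | K8S version | Kernel version |
---|---|---|
Ubuntu 18.04 LTS | 1.24.12 | 4.15.0-20-generic |
Note: Because this environment is a freshly deployed K8S cluster, certificate expiry is simulated here by changing the system time on the Ubuntu server. Automatic time synchronization from the Internet must be disabled first; otherwise the server time cannot be changed.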
root@k8s-master-92:~# timedatectl set-ntp 0
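The error message is shown in the figure below:
Note: The error shown above indicates that the Kubernetes certificates have expired and need to be renewed.
2. Check the certificate expiration dates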
root@k8s-master-92:~# kubeadm certs check-expiration
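As shown in the figure below:
3. Back up the certificates
Caution: To avoid problems during the upgrade, back up the Kubernetes configuration files and certificate files.
root@k8s-master-92:~# \cp -arp /etc/kubernetes/ /etc/kubernetes_`date +%F`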
4. Renew the certificates
4.1 Docker-based
#!/bin/bash
echo 'backup certs'
\cp -arp /etc/kubernetes/ /etc/kubernetes_`date +%F`
echo "## Expiration before renewal ##"
kubeadm certs check-expiration
echo "## Renewing certificates managed by kubeadm ##"
kubeadm certs renew all
echo "## Restarting control plane pods managed by kubeadm ##"
docker ps -af 'name=k8s_POD_(kube-apiserver|kube-controller-manager|kube-scheduler|etcd)-*' -q | /usr/bin/xargs docker rm -f
echo "## Updating /root/.kube/config ##"
\cp /etc/kubernetes/admin.conf /root/.kube/config
echo "## Expiration after renewal ##"
kubeadm certs check-expiration
4.2 containerd-based
#!/bin/bash
echo 'backup certs'
\cp -arp /etc/kubernetes/ /etc/kubernetes_`date +%F`
echo "## Expiration before renewal ##"
kubeadm certs check-expiration
echo "## Renewing certificates managed by kubeadm ##"
kubeadm certs renew all
echo "## Restarting control plane pods managed by kubeadm ##"
crictl pods --namespace kube-system --name 'kube-scheduler-*|kube-controller-manager-*|kube-apiserver-*|etcd-*' -q | /usr/bin/xargs crictl rmp -f
echo "## Updating /root/.kube/config ##"
\cp /etc/kubernetes/admin.conf /root/.kube/config
echo "## Expiration after renewal ##"
kubeadm certs check-expiration
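To catch expiry before it causes the error in section 1, the table printed by `kubeadm certs check-expiration` can be checked from a scheduled job. The script below is an added example, not part of the original post: the function names `sample_output` and `expiring_certs` are hypothetical, and the sample table is constructed in the layout that command prints rather than captured from a real cluster.

```shell
#!/bin/sh
# Added example: flag certificates that are expired or close to expiry by
# parsing the table printed by `kubeadm certs check-expiration`.

# Constructed sample output (not captured from a real cluster).
sample_output() {
cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 10, 2024 02:11 UTC   <invalid>                               no
apiserver                  May 01, 2024 02:11 UTC   20d             ca                      no
apiserver-kubelet-client   Apr 10, 2025 02:11 UTC   364d            ca                      no
front-proxy-client         Apr 12, 2024 02:11 UTC   23h             front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 08, 2033 02:11 UTC   9y              no
EOF
}

# expiring_certs DAYS: read the table on stdin and print "name residual" for
# every entry that is expired (<invalid>) or has fewer than DAYS days left.
expiring_certs() {
    awk -v limit="$1" '
        $6 != "UTC" { next }   # skip header rows, blank lines and log lines
        {
            r = $7                                  # RESIDUAL TIME column
            unit = substr(r, length(r))             # trailing y/d/h/m/s
            n = substr(r, 1, length(r) - 1) + 0     # numeric part
            if (r == "<invalid>")  days = -1        # already expired
            else if (unit == "y")  days = n * 365
            else if (unit == "d")  days = n
            else                   days = 0         # h, m, s: under one day
            if (days < limit + 0) print $1, r
        }'
}

# Stand-alone run against the constructed sample with a 30-day threshold.
# On a control-plane node, replace sample_output with:
#   kubeadm certs check-expiration
sample_output | expiring_certs 30
```

Any output from `expiring_certs` means the renewal script for the node's container runtime should be scheduled before the listed certificates lapse.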