The CA certificates of a Kubernetes cluster are valid for 10 years by default, while the other certificates are valid for 1 year. Once a certificate has expired, the cluster can no longer execute commands normally, so the certificates have to be renewed. Renewal is either automatic or manual: certificates are renewed automatically whenever the cluster is upgraded. This post covers manual renewal.
Check when the certificates expire
kubeadm certs check-expiration
[root@master ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Nov 28, 2024 06:55 UTC 357d no
apiserver Nov 28, 2024 06:55 UTC 357d ca no
apiserver-etcd-client Nov 28, 2024 06:55 UTC 357d etcd-ca no
apiserver-kubelet-client Nov 28, 2024 06:55 UTC 357d ca no
controller-manager.conf Nov 28, 2024 06:55 UTC 357d no
etcd-healthcheck-client Nov 28, 2024 06:55 UTC 357d etcd-ca no
etcd-peer Nov 28, 2024 06:55 UTC 357d etcd-ca no
etcd-server Nov 28, 2024 06:55 UTC 357d etcd-ca no
front-proxy-client Nov 28, 2024 06:55 UTC 357d front-proxy-ca no
scheduler.conf Nov 28, 2024 06:55 UTC 357d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Nov 26, 2033 06:55 UTC 9y no
etcd-ca Nov 26, 2033 06:55 UTC 9y no
front-proxy-ca Nov 26, 2033 06:55 UTC 9y no
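As an added example (not part of the original post), the following POSIX shell function parses the table printed by kubeadm certs check-expiration and reports every certificate with fewer than N days of validity left, so the check can run from cron or a monitoring job. It is fed a constructed sample of that output, including an already-expired entry, which kubeadm prints as <invalid>.

```shell
#!/bin/sh
# Added example: flag certificates from `kubeadm certs check-expiration`
# with fewer than N days left. On a real control-plane node run:
#   kubeadm certs check-expiration | expiring_certs 30
# Below it runs on SAMPLE_OUTPUT, a constructed sample (not captured from a
# real cluster) containing an expired entry and two short-lived ones.

# Print "<name> <days-left>" for every row whose residual time is below $1
# days. kubeadm prints residual time as 9y / 357d / 12h / 5m / 30s and
# "<invalid>" once a certificate has expired; expired rows are reported as -1.
expiring_certs() {
    awk -v limit="$1" '
        # Data rows are those whose sixth field is the literal "UTC"
        # (name, then "Mon DD, YYYY HH:MM UTC", then the residual time).
        $6 == "UTC" {
            r = $7
            if (r == "<invalid>")      days = -1
            else if (r ~ /^[0-9]+y$/)  days = substr(r, 1, length(r) - 1) * 365
            else if (r ~ /^[0-9]+d$/)  days = substr(r, 1, length(r) - 1) + 0
            else                       days = 0    # only hours, minutes or seconds left
            if (days < limit) print $1, days
        }'
}

SAMPLE_OUTPUT=$(cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 28, 2024 06:55 UTC   357d                                    no
apiserver                  Dec 01, 2023 06:55 UTC   <invalid>       ca                      no
apiserver-etcd-client      Dec 10, 2023 06:55 UTC   5d              etcd-ca                 no
etcd-server                Dec 05, 2023 18:00 UTC   12h             etcd-ca                 no
front-proxy-client         Nov 28, 2024 06:55 UTC   357d            front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 26, 2033 06:55 UTC   9y              no
etcd-ca                 Nov 26, 2033 06:55 UTC   9y              no
EOF
)

# Run the check against the constructed sample with a threshold of $1 days.
check_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | expiring_certs "$1"
}

check_sample 30
```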
Renew the certificates
Before renewing, back up the existing certificates so the cluster can be restored if something goes wrong.
# If the renewal fails, restoring this directory brings back the original cluster
cp -r /etc/kubernetes /etc/kubernetes.old
# Renew all certificates
kubeadm certs renew all
[root@master ~]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
Update the ~/.kube/config file
# The renewed admin.conf replaces the old kubeconfig, which now carries an expired client certificate
mv ~/.kube/config ~/.kube/config.old
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
# Note: 644 leaves this cluster-admin credential readable by every local account; 600 limits it to the owner
sudo chmod 644 $HOME/.kube/config
Restart the related services
# Restart the static control-plane containers so they pick up the new certificates.
# This assumes Docker is the container runtime; with containerd the same containers are listed with crictl.
docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | xargs docker restart
# After the restart, check-expiration shows that the dates have been renewed
[root@master ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Dec 05, 2024 10:03 UTC 364d no
apiserver Dec 05, 2024 10:03 UTC 364d ca no
apiserver-etcd-client Dec 05, 2024 10:03 UTC 364d etcd-ca no
apiserver-kubelet-client Dec 05, 2024 10:03 UTC 364d ca no
controller-manager.conf Dec 05, 2024 10:03 UTC 364d no
etcd-healthcheck-client Dec 05, 2024 10:03 UTC 364d etcd-ca no
etcd-peer Dec 05, 2024 10:03 UTC 364d etcd-ca no
etcd-server Dec 05, 2024 10:03 UTC 364d etcd-ca no
front-proxy-client Dec 05, 2024 10:03 UTC 364d front-proxy-ca no
scheduler.conf Dec 05, 2024 10:03 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Nov 26, 2033 06:55 UTC 9y no
etcd-ca Nov 26, 2033 06:55 UTC 9y no
front-proxy-ca Nov 26, 2033 06:55 UTC 9y no