The CA certificate of a Kubernetes cluster is valid for 10 years by default, and the other certificates are valid for 1 year. Once the certificates expire, the cluster can no longer execute commands normally, so the certificates have to be renewed. The renewal procedure Kubernetes officially provides renews the component certificates but cannot renew the CA certificate, so how should the CA certificate be handled? After looking into it, I learned that you can modify the source code when deploying a Kubernetes cluster so that the CA certificate gets a longer lifetime, but that only applies to a new cluster; how do you renew the CA online in a cluster that already exists? As far as I know there are other methods, but they require tearing the cluster down. In my own testing I found a way to renew the CA certificate online without affecting the cluster, and I share that method below; criticism and corrections are welcome.
Check the certificate expiry dates
[root@master ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 28, 2024 06:55 UTC   349d                                    no
apiserver                  Nov 28, 2024 06:55 UTC   349d            ca                      no
apiserver-etcd-client      Nov 28, 2024 06:55 UTC   349d            etcd-ca                 no
apiserver-kubelet-client   Nov 28, 2024 06:55 UTC   349d            ca                      no
controller-manager.conf    Nov 28, 2024 06:55 UTC   349d                                    no
etcd-healthcheck-client    Nov 28, 2024 06:55 UTC   349d            etcd-ca                 no
etcd-peer                  Nov 28, 2024 06:55 UTC   349d            etcd-ca                 no
etcd-server                Nov 28, 2024 06:55 UTC   349d            etcd-ca                 no
front-proxy-client         Nov 28, 2024 06:55 UTC   349d            front-proxy-ca          no
scheduler.conf             Nov 28, 2024 06:55 UTC   349d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 26, 2033 06:55 UTC   9y              no
etcd-ca                 Nov 26, 2033 06:55 UTC   9y              no
front-proxy-ca          Nov 26, 2033 06:55 UTC   9y              no
Generate a self-signed CA certificate
mkdir ssl
cd ssl
MASTER_IP='192.168.207.131'
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt
Replace the CA certificate
cp ca.* /etc/kubernetes/pki
cp ca.crt /etc/kubernetes/pki/front-proxy-ca.crt
cp ca.key /etc/kubernetes/pki/front-proxy-ca.key
cp ca.* /etc/kubernetes/pki/etcd
Renew the certificates
kubeadm certs renew all
# restart the related control-plane containers
docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash
Update the ~/.kube/config file
mv ~/.kube/config ~/.kube/config.old
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
sudo chmod 644 $HOME/.kube/config
Restart the static Pods
mkdir -p /backup
mv /etc/kubernetes/manifests/*.yaml /backup/
# wait about 30 seconds, then move them back
sleep 30
mv /backup/*.yaml /etc/kubernetes/manifests
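Swapping ca.crt only helps the certificates that are actually reissued against it; anything still signed by the old CA (a client certificate on another node, for instance) will no longer be trusted. The following Go program is an added example, not part of the original post: it verifies a PEM certificate against a PEM CA the way you would check each file under /etc/kubernetes/pki after this procedure, and it simulates the cluster PKI in memory with constructed certificates (the names kube-apiserver and system:node:worker1 are assumed).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// VerifyAgainstCA reports whether a PEM leaf certificate chains to the PEM CA. After the CA swap,
// run it over every *.crt under /etc/kubernetes/pki and over the client certificates embedded in
// each node's kubeconfig: anything still signed by the old CA fails here and must be reissued.
func VerifyAgainstCA(caPEM, leafPEM []byte) error {
	roots := x509.NewCertPool()
	block, _ := pem.Decode(leafPEM)
	if !roots.AppendCertsFromPEM(caPEM) || block == nil {
		return fmt.Errorf("CA or leaf PEM contains no certificate")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	}
	return err
}

type Cert struct { // constructed in-memory certificate standing in for a file under /etc/kubernetes/pki
	Cert *x509.Certificate
	Key  ed25519.PrivateKey
	PEM  []byte
}

// Issue builds a constructed certificate for cn; parent == nil gives a self-signed CA (the openssl
// req -x509 step above). It panics on error because it only produces simulated test data.
func Issue(cn string, days int, parent *Cert) *Cert {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(0, 0, days),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	signer, signKey := tmpl, key // no parent: the CA signs itself
	if parent != nil {
		signer, signKey, tmpl.KeyUsage = parent.Cert, parent.Key, x509.KeyUsageDigitalSignature
	}
	der, err2 := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	if err != nil || err2 != nil {
		panic(fmt.Sprint(err, err2))
	}
	cert, _ := x509.ParseCertificate(der)
	return &Cert{cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})}
}
```

To check the real files, read ca.crt and each *.crt with os.ReadFile and pass them to VerifyAgainstCA; an x509.UnknownAuthorityError result means that certificate was never reissued against the new CA.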
Check the certificate expiry dates again
[root@master ssl]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 14, 2024 01:04 UTC   364d                                    no
apiserver                  Dec 14, 2024 01:04 UTC   364d            ca                      no
apiserver-etcd-client      Dec 14, 2024 01:04 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 14, 2024 01:04 UTC   364d            ca                      no
controller-manager.conf    Dec 14, 2024 01:04 UTC   364d                                    no
etcd-healthcheck-client    Dec 14, 2024 01:04 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 14, 2024 01:04 UTC   364d            etcd-ca                 no
etcd-server                Dec 14, 2024 01:04 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 14, 2024 01:04 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 14, 2024 01:04 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 02, 2051 00:55 UTC   27y             no
etcd-ca                 May 02, 2051 00:55 UTC   27y             no
front-proxy-ca          May 02, 2051 00:55 UTC   27y             no