k8s集群证书升级

升级前，证书显示过期

如果想看详细帮助信息，可以直接传送至官方帮助地址

下面是我个人的升级步骤，仅供参考

~]# kubectl get pods # 集群证书过期后，kubectl命令不能正常执行
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2022-07-22T16:51:07+08:00 is after 2022-07-08T23:44:15Z
# 使用命令查看证书过期状态
~]# kubeadm certs check-expiration
# 如果kubeadm版本比较旧人，会报错显示没有certs选项，那么则需要使用这个命令kubeadm alpha certs check-expiration来代替
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 08, 2022 23:44 UTC   <invalid>                               no      
apiserver                  Jul 08, 2022 23:44 UTC   <invalid>       ca                      no      
apiserver-etcd-client      Jul 08, 2022 23:44 UTC   <invalid>       etcd-ca                 no      
apiserver-kubelet-client   Jul 08, 2022 23:44 UTC   <invalid>       ca                      no      
controller-manager.conf    Jul 08, 2022 23:44 UTC   <invalid>                               no      
etcd-healthcheck-client    Jul 08, 2022 23:44 UTC   <invalid>       etcd-ca                 no      
etcd-peer                  Jul 08, 2022 23:44 UTC   <invalid>       etcd-ca                 no      
etcd-server                Jul 08, 2022 23:44 UTC   <invalid>       etcd-ca                 no      
front-proxy-client         Jul 08, 2022 23:44 UTC   <invalid>       front-proxy-ca          no      
scheduler.conf             Jul 08, 2022 23:44 UTC   <invalid>                               no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 06, 2031 23:44 UTC   8y              no      
etcd-ca                 Jul 06, 2031 23:44 UTC   8y              no      
front-proxy-ca          Jul 06, 2031 23:44 UTC   8y              no      

# 查看`EXPIRES`这一列就知道，证书已经过期了，需要更新证书

备份

1.备份master上的配置文件/etc/kubernetes/admin.conf
2.如果其他主机上~/.kube/conf上也配置了admin.conf的内容，则最好也备份下
3.同上，如果其他主机用到了上面这些组件的配置文件，最好都需要备份，证书更新后，也需要及时同步到其他需要的主机上（比如控制机，etcd备份机等）

kubeadm升级证书的命令

~]# kubeadm certs renew all # 旧版本使用kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

根据提示，需要重启kube-apiserver，kube-controller-manager，kube-scheduler 和etcd组件，因此还需再进行重启操作

说明： 因为动态证书重载目前还不被所有组件和证书支持，所以重启pod操作是必须的

重启容器进程

docker ps | grep -i "scheduler" #各个组件都可以使用这种方式重启
docker restart 8c361562701b

再次查看证书状态

[root@k8s-master pki]# kubeadm certs check-expiration # 旧版本同上，需要带alpha
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 22, 2023 09:07 UTC   364d                                    no      
apiserver                  Jul 22, 2023 09:07 UTC   364d            ca                      no      
apiserver-etcd-client      Jul 22, 2023 09:07 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Jul 22, 2023 09:07 UTC   364d            ca                      no      
controller-manager.conf    Jul 22, 2023 09:07 UTC   364d                                    no      
etcd-healthcheck-client    Jul 22, 2023 09:07 UTC   364d            etcd-ca                 no      
etcd-peer                  Jul 22, 2023 09:07 UTC   364d            etcd-ca                 no      
etcd-server                Jul 22, 2023 09:07 UTC   364d            etcd-ca                 no      
front-proxy-client         Jul 22, 2023 09:08 UTC   364d            front-proxy-ca          no      
scheduler.conf             Jul 22, 2023 09:08 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 06, 2031 23:44 UTC   8y              no      
etcd-ca                 Jul 06, 2031 23:44 UTC   8y              no      
front-proxy-ca          Jul 06, 2031 23:44 UTC   8y              no      

可以知道，此次执行已经成功，证书已经更新