After logging in to the master, any kubectl command (for example `kubectl get nodes`) fails with:
The connection to the server ip:6443 was refused - did you specify the right host or port?
1. Locating the problem
- The error above comes from the apiserver, so on the master run `docker ps -a | grep kube-apiserver`; the container is in the wrong state (Exited).
- Check the container log with `docker logs <apiserver-container-id>`; the last line reports `authentication handshake failed: x509: certificate has expired or is not yet valid`, which means the certificate has expired.
- cd /etc/kubernetes/pki
- openssl x509 -in etcd/server.crt -noout -text | grep 'Not'
  Check the certificate's validity period; it has already expired.
- Check the expiry dates of all components: kubeadm certs check-expiration
2. Renewing the certificates on the master
- Back up the original files:
  cp -r /etc/kubernetes/ /tmp/backup/
  cp -r /var/lib/kubelet/pki/ /tmp/backup.crr
- Regenerate the certificates: kubeadm certs renew all
- Run kubeadm certs check-expiration again to check the dates of all components; they have been extended by one year.
- Delete the config files: rm -rf /etc/kubernetes/*.conf
- Regenerate the config files:
  kubeadm init --kubernetes-version=v1.22.11 phase kubeconfig all
- Back up the old config file and install the updated one:
  cp /root/.kube/config /tmp/kube.old/config
  cp /etc/kubernetes/admin.conf ~/.kube/config
- Restart the scheduler: docker restart container-id
- Restart kubelet: systemctl restart kubelet
- Check the certificate signing requests (both commands returned errors at the time; they were ignored):
  kubectl get csr
  kubectl certificate approve csr-vg9bd
3. Renewing the certificates on the worker nodes
There are two worker nodes: chenkun03 and chenkun04.
- mkdir -p /tmp/worker
- Generate the kubelet.conf file:
  kubeadm init --kubernetes-version=v1.22.11 phase kubeconfig kubelet --node-name chenkun03 --kubeconfig-dir /tmp/worker/
- Back up the old file:
  mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubeletconf.bak
- Copy the new file over:
  scp /tmp/worker/kubelet.conf root@xxx.xx.0.1:/etc/kubernetes/
- On node chenkun03, restart kubelet: systemctl restart kubelet
- On node chenkun03, check the certificate dates:
  openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text | grep Not
- Repeat steps 2-6 above on the other node (chenkun04); before doing so, delete the /tmp/worker/kubelet.conf that was generated for node 03.
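The expiry checks in sections 1 and 3 are one-off `openssl x509 ... | grep Not` invocations on single files. The script below is an added example (not from the original post) that runs the same check over every certificate in a kubeadm PKI directory and over the client certificate embedded in a kubeconfig such as admin.conf or kubelet.conf, and flags anything expired or within a warning window. It assumes GNU date (Linux) and openssl in PATH; the function names are the author's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a small expiry audit that runs the
# post's "openssl x509 ... | grep Not" check over every certificate in a kubeadm
# PKI directory and over the client cert embedded in a kubeconfig such as
# admin.conf or kubelet.conf. Assumes GNU date (Linux) and openssl in PATH.

# days_left NOTAFTER [REF_EPOCH]: whole days between REF_EPOCH (default: now)
# and NOTAFTER, the value openssl prints after "notAfter=",
# e.g. "Jan 18 10:20:00 2025 GMT". Negative means already expired.
days_left() {
    local notafter="$1" ref="${2:-$(date -u +%s)}" expiry
    expiry=$(date -u -d "$notafter" +%s) || return 2
    echo $(( (expiry - ref) / 86400 ))
}

# classify DAYS [THRESHOLD]: EXPIRED, WARN (fewer than THRESHOLD days, default
# 30) or OK. kubeadm-renewed certs last one year, so a warning window matters.
classify() {
    local days="$1" threshold="${2:-30}"
    if   [ "$days" -lt 0 ];            then echo EXPIRED
    elif [ "$days" -lt "$threshold" ]; then echo WARN
    else                                    echo OK
    fi
}

# kubeconfig_enddate FILE: notAfter of the client cert embedded (base64) in a
# kubeconfig, i.e. the cert that kubectl or kubelet presents to the API server.
kubeconfig_enddate() {
    awk '/client-certificate-data:/ {print $2; exit}' "$1" | base64 -d \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# check_pki_dir [DIR] [THRESHOLD]: one line per cert file, e.g.
#   EXPIRED   -12 days  /etc/kubernetes/pki/apiserver.crt
check_pki_dir() {
    local dir="${1:-/etc/kubernetes/pki}" threshold="${2:-30}" f na d
    find "$dir" -type f \( -name '*.crt' -o -name '*.pem' \) | sort |
    while read -r f; do
        # Files that hold no certificate (private keys) are skipped.
        na=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) || continue
        d=$(days_left "${na#notAfter=}")
        printf '%-8s %5s days  %s\n' "$(classify "$d" "$threshold")" "$d" "$f"
    done
}

# Usage on a node, e.g.:
#   check_pki_dir /etc/kubernetes/pki 30
#   classify "$(days_left "$(kubeconfig_enddate /etc/kubernetes/kubelet.conf)")"
```

Running `check_pki_dir` from cron with a WARN threshold well inside the one-year renewal period turns this post's outage into a scheduled `kubeadm certs renew all`.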
4. Rebooting
Some guides suggest rebooting every node; this is not required.