1、在仅有一个master证书保留的情况下
将以下证书拷贝到其他master节点
/etc/kubernetes/pki/ca.crt
/etc/kubernetes/pki/ca.key
/etc/kubernetes/pki/front-proxy-ca.crt
/etc/kubernetes/pki/front-proxy-ca.key
/etc/kubernetes/pki/sa.pub
/etc/kubernetes/pki/sa.key
/etc/kubernetes/pki/etcd/ca.crt
/etc/kubernetes/pki/etcd/ca.key
在其他master节点上执行
kubeadm init phase certs apiserver
kubeadm init phase certs apiserver-etcd-client
kubeadm init phase certs apiserver-kubelet-client
kubeadm init phase certs etcd-healthcheck-client
kubeadm init phase certs etcd-peer
kubeadm init phase certs etcd-server
kubeadm init phase certs front-proxy-client
2、所有证书丢失的情况下
清空所有master节点 /etc/kubernetes/pki 下所有文件,保留/etc/kubernetes/pki/etcd目录,在其中一个master上执行以下命令,获得所有ca文件,并同步到其他master。(所有master节点ca文件要一致)
kubeadm init phase certs all
在其他master节点上执行
kubeadm init phase certs apiserver
kubeadm init phase certs apiserver-etcd-client
kubeadm init phase certs apiserver-kubelet-client
kubeadm init phase certs etcd-healthcheck-client
kubeadm init phase certs etcd-peer
kubeadm init phase certs etcd-server
kubeadm init phase certs front-proxy-client