K8S v1.21 证书一年到期更新
本文针对 kubeadm 部署的 Kubernetes。
1、证书过期报错信息
[root@master ~]# kubectl get node
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-04-11T13:43:27+08:00 is after 2023-03-10T07:05:01Z
k8s安装一年后证书显示过期,证书未自动续期,以下操作需到所有master节点操作。
先备份证书:
# 将k8s和tecd相关文件做备份
[root@master ~]# cp -r /etc/kubernetes /etc/kubernetes.bak && cp -r /var/lib/etcd /var/lib/etcd.bak
2、执行证书更新
[root@master ~]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
[root@master ~]# kubectl get node
error: You must be logged in to the server (Unauthorized)
3、更新 kubeconfig
# 可使用新证书生成新的kubeconfig文件
[root@master ~]# kubeadm init phase kubeconfig all
I0411 14:11:41.389754 16203 version.go:254] remote version is much newer: v1.26.3; falling back to: stable-1.21
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"
4、替换文件
# 替换文件
[root@master ~]# cp -f /etc/kubernetes/admin.conf .kube/config
# 重启服务器
# 查看节点
[root@master ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
master Ready control-plane,master 420d v1.21.8
参考:https://blog.csdn.net/kali_yao/article/details/123051414
5、查看证书过期时间
# 用查看文件的方式查看证书
[root@master ~]# for item in `find /etc/kubernetes/pki -maxdepth 2 -name "*.crt"`; do openssl x509 -in $item -text -noout| grep Not; echo ===============$item=================;done
# 用命令查看
[root@master ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf May 24, 2024 02:23 UTC 204d ca no
apiserver May 24, 2024 02:23 UTC 204d ca no
apiserver-etcd-client May 24, 2024 02:23 UTC 204d etcd-ca no
apiserver-kubelet-client May 24, 2024 02:23 UTC 204d ca no
controller-manager.conf May 24, 2024 02:23 UTC 204d ca no
etcd-healthcheck-client May 24, 2024 02:23 UTC 204d etcd-ca no
etcd-peer May 24, 2024 02:23 UTC 204d etcd-ca no
etcd-server May 24, 2024 02:23 UTC 204d etcd-ca no
front-proxy-client May 24, 2024 02:23 UTC 204d front-proxy-ca no
scheduler.conf May 24, 2024 02:23 UTC 204d ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca May 22, 2033 02:23 UTC 9y no
etcd-ca May 22, 2033 02:23 UTC 9y no
front-proxy-ca May 22, 2033 02:23 UTC 9y no
# 查看api到期日期
[root@master ~]# echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate