1. Before you start
Changing the certificates requires the apiserver service to be available.
Old IPs:
k8s-master | 10.0.0.5
k8s-node-1 | 10.0.0.6
k8s-node-2 | 10.0.0.7
New IPs:
k8s-master | 10.0.0.10
k8s-node-1 | 10.0.0.11
k8s-node-2 | 10.0.0.12
Update the /etc/hosts entries (on all nodes); /etc/hosts expects the IP first, then the hostname:
vim /etc/hosts
10.0.0.10 k8s-master
10.0.0.11 k8s-node-1
10.0.0.12 k8s-node-2
2. Back up the kubernetes directory
cp -r /etc/kubernetes{,-bak}
3. Inspect the IPs inside the certificates
for i in $(find /etc/kubernetes/pki -type f -name "*.crt"); do echo ${i} && openssl x509 -in ${i} -text | grep 'Address'; done
As the output shows, only the apiserver and etcd certificates contain IP addresses:
/etc/kubernetes/pki/ca.crt
/etc/kubernetes/pki/front-proxy-ca.crt
/etc/kubernetes/pki/etcd/ca.crt
/etc/kubernetes/pki/etcd/server.crt
DNS:k8s-master, DNS:localhost, IP Address:10.0.0.1, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
/etc/kubernetes/pki/etcd/healthcheck-client.crt
/etc/kubernetes/pki/etcd/peer.crt
DNS:k8s-master, DNS:localhost, IP Address:10.0.0.1, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
/etc/kubernetes/pki/apiserver.crt
DNS:k8s-master, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:lb-vip, IP Address:10.96.0.1, IP Address:10.0.0.1
/etc/kubernetes/pki/apiserver-kubelet-client.crt
/etc/kubernetes/pki/front-proxy-client.crt
/etc/kubernetes/pki/apiserver-etcd-client.crt
4. Generate the cluster configuration
kubeadm config view > /root/kubeadm.yaml
Replace the IP:
vim kubeadm.yaml
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
  # add the config below
  certSANs:
  - 10.0.0.10
  # end of added config
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: lb-vip:6443
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
    # add the config below
    serverCertSANs:
    - 10.0.0.10
    peerCertSANs:
    - 10.0.0.10
    # end of added config
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.17.3
networking:
  dnsDomain: cluster.local
  podSubnet: 172.10.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}
5. Delete the old certificates
The ca, sa and front-proxy-ca key material must be kept; everything else is regenerated.
rm -rf /etc/kubernetes/pki/{apiserver*,front-proxy-client*}
rm -rf /etc/kubernetes/pki/etcd/{healthcheck*,peer*,server*}
6. Regenerate the certificates
kubeadm init phase certs all --config /root/kubeadm.yaml
Inspect the IPs inside the certificates again:
for i in $(find /etc/kubernetes/pki -type f -name "*.crt"); do echo ${i} && openssl x509 -in ${i} -text | grep 'DNS:'; done
/etc/kubernetes/pki/etcd/ca.crt
/etc/kubernetes/pki/etcd/server.crt
DNS:k8s-master, DNS:localhost, IP Address:10.0.0.10, IP Address:127.0.0.1,
/etc/kubernetes/pki/etcd/peer.crt
DNS:k8s-master, DNS:localhost, IP Address:10.0.0.10, IP Address:127.0.0.1,
/etc/kubernetes/pki/etcd/healthcheck-client.crt
/etc/kubernetes/pki/ca.crt
/etc/kubernetes/pki/front-proxy-ca.crt
/etc/kubernetes/pki/apiserver.crt
DNS:k8s-master, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:lb-vip, IP Address:10.96.0.1, IP Address:10.0.0.10
/etc/kubernetes/pki/apiserver-kubelet-client.crt
/etc/kubernetes/pki/front-proxy-client.crt
/etc/kubernetes/pki/apiserver-etcd-client.crt
7. Upload the configuration to the configmap
This way, on future upgrades or when further IPs are added, the IPs configured under certSANs are preserved, which makes later additions and removals easier.
kubeadm init phase upload-config kubeadm --config kubeadm.yaml
8. Verify
# check that the IP configured in kubeadm-config is the new node IP
kubectl get cm -A | grep kubeadm
kubectl get cm -n kube-system kubeadm-config -o yaml
# check the health of all containers
kubectl get pod -A
When a node's IP changes, its certificate is re-issued automatically.
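As an added example (not part of the original post), the audit below wraps the post's find/openssl loop from steps 3 and 6 so the post-regeneration SAN check is pass/fail instead of read by eye. check_sans and audit_pki are assumed helper names; the old/new addresses follow the post's own certificate output (10.0.0.1 to 10.0.0.10), which is exactly the pair where a plain grep for the old IP would also match the new one.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Audits every *.crt under a kubeadm
# pki directory after an IP change: certs carrying IP SANs must list NEW_IP and
# must no longer list OLD_IP; certs without IP SANs (ca, client certs) are fine.

# check_sans SAN_LINE OLD_IP NEW_IP
# SAN_LINE is the "DNS:..., IP Address:..." line from `openssl x509 -text`.
# Prints a verdict; exit status 0 = consistent, 1 = old IP still present,
# 2 = new IP missing. A trailing comma is appended and matching is done on
# "IP Address:<ip>," so that 10.0.0.1 does not match 10.0.0.10.
check_sans() {
    local sans="$1," old="$2" new="$3"
    case "$sans" in
        *"IP Address:"*) ;;                    # has IP SANs, check them
        *) echo "no-ip"; return 0 ;;           # nothing bound to an address
    esac
    case "$sans" in
        *"IP Address:${old},"*) echo "stale-old-ip"; return 1 ;;
    esac
    case "$sans" in
        *"IP Address:${new},"*) echo "ok"; return 0 ;;
    esac
    echo "missing-new-ip"; return 2
}

# audit_pki PKI_DIR OLD_IP NEW_IP
# Same find/openssl loop as the post, one verdict per cert; returns non-zero
# if any cert is stale or incomplete. Needs openssl on the host.
audit_pki() {
    local dir="$1" old="$2" new="$3" rc=0 f sans verdict
    for f in $(find "$dir" -type f -name '*.crt'); do
        sans=$(openssl x509 -in "$f" -noout -text | grep 'Address' | sed 's/^ *//')
        verdict=$(check_sans "$sans" "$old" "$new") || rc=1
        printf '%-50s %s\n' "$f" "$verdict"
    done
    return "$rc"
}

# Usage on the master after `kubeadm init phase certs all`:
#   audit_pki /etc/kubernetes/pki 10.0.0.1 10.0.0.10
```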