k8s 1.24.2 certificate renewal with kubeadm
# Check certificate expiry
kubeadm certs check-expiration
# Renew all certificates
kubeadm certs renew all
# Individual certificates can also be renewed by name
# However, kubeadm cannot renew the kubelet certificate
After the certificates have been renewed, restart the corresponding components
kubectl delete pod etcd-master -n kube-system
kubectl delete pod kube-apiserver-master -n kube-system
kubectl delete pod kube-controller-manager-master -n kube-system
kubectl delete pod kube-scheduler-master -n kube-system
Update the kubeconfig file
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
The kubelet certificates live under /var/lib/kubelet/pki and are normally rotated automatically through the bootstrap process. However, if certificate rotation has been disabled they are no longer renewed automatically and must be updated by hand.
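Because kubeadm certs check-expiration only lists the certificates kubeadm manages, the kubelet client certificate has to be checked separately. The following script is an added example, not part of the original post: it parses check-expiration output for certificates nearing expiry, then checks the kubelet client certificate with openssl and whether rotation is enabled. The 30-day threshold, the sample table and the kubelet config path are assumptions.

```shell
#!/bin/sh
# Added example: report certificates that need attention, covering both the
# kubeadm-managed certificates and the kubelet client certificate that
# 'kubeadm certs renew' does not handle. Threshold and paths are assumptions.
WARN_DAYS=30
KUBELET_CERT=/var/lib/kubelet/pki/kubelet-client-current.pem
KUBELET_CONFIG=/var/lib/kubelet/config.yaml

# Read 'kubeadm certs check-expiration' output on stdin and print the names of
# certificates (and CAs) whose RESIDUAL TIME is below $1 days. Expired entries
# show "<invalid>" and are reported as well.
certs_expiring_within() {
  awk -v warn="$1" '
    /^CERTIFICATE/ || /^[ \t]*$/ { next }   # skip both table headers and blank lines
    {
      residual = $7                  # column after "Mon DD, YYYY HH:MM UTC"
      days = -1                      # "<invalid>" (already expired) stays negative
      if (match(residual, /^[0-9]+/)) {
        n = substr(residual, RSTART, RLENGTH)
        unit = substr(residual, RSTART + RLENGTH, 1)
        if (unit == "y") days = n * 365
        else if (unit == "d") days = n + 0
        else days = 0                # h/m/s: less than one day left
      }
      if (days < warn) print $1
    }'
}

# Exit 0 when the certificate in file $2 is still valid for at least $1 more days.
# kubelet-client-current.pem also holds the key; openssl reads the first CERTIFICATE block.
kubelet_cert_ok() {
  openssl x509 -noout -in "$2" -checkend $(( $1 * 86400 ))
}

# Constructed sample of 'kubeadm certs check-expiration' output for the demo.
SAMPLE='CERTIFICATE   EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf    Jun 22, 2023 08:12 UTC   364d            ca                      no
apiserver     Jul 03, 2022 08:12 UTC   12d             ca                      no
etcd-peer     Jun 20, 2022 08:12 UTC   <invalid>       etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 19, 2032 08:12 UTC   9y              no'

echo "kubeadm-managed certs expiring within $WARN_DAYS days (sample data):"
printf '%s\n' "$SAMPLE" | certs_expiring_within "$WARN_DAYS"
# On a real control plane node use: kubeadm certs check-expiration | certs_expiring_within "$WARN_DAYS"
if [ -f "$KUBELET_CERT" ]; then
  kubelet_cert_ok "$WARN_DAYS" "$KUBELET_CERT" || echo "kubelet client cert needs manual renewal"
  grep -q '^rotateCertificates: true' "$KUBELET_CONFIG" 2>/dev/null || echo "kubelet certificate rotation is not enabled"
fi
```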
Manually renewing the kubelet certificate
Manual procedure:
1. Run kubeadm init phase kubeconfig kubelet --node-name node2 --kubeconfig-dir /tmp/ to generate the configuration file
2. Edit the DNS address in the generated configuration file
3. On the node, back up /etc/kubernetes/kubelet.conf and the /var/lib/kubelet/pki certificate directory
4. scp the new kubelet.conf to /etc/kubernetes/ on the node
5. Restart the kubelet on the node
Official documentation
Kubelet client certificate rotation fails
By default, kubeadm configures a kubelet with automatic rotation of client certificates by using the /var/lib/kubelet/pki/kubelet-client-current.pem symlink specified in /etc/kubernetes/kubelet.conf. If this rotation process fails you might see errors such as x509: certificate has expired or is not yet valid in kube-apiserver logs. To fix the issue you must follow these steps:
1. Backup and delete /etc/kubernetes/kubelet.conf and /var/lib/kubelet/pki/kubelet-client* from the failed node.
2. From a working control plane node in the cluster that has /etc/kubernetes/pki/ca.key execute kubeadm kubeconfig user --org system:nodes --client-name system:node:$NODE > kubelet.conf. $NODE must be set to the name of the existing failed node in the cluster. Modify the resulting kubelet.conf manually to adjust the cluster name and server endpoint, or pass kubeconfig user --config (it accepts InitConfiguration). If your cluster does not have the ca.key you must sign the embedded certificates in the kubelet.conf externally.
3. Copy this resulting kubelet.conf to /etc/kubernetes/kubelet.conf on the failed node.
4. Restart the kubelet (systemctl restart kubelet) on the failed node and wait for /var/lib/kubelet/pki/kubelet-client-current.pem to be recreated.
5. Manually edit the kubelet.conf to point to the rotated kubelet client certificates, by replacing client-certificate-data and client-key-data with:
   client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
   client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
6. Restart the kubelet.
7. Make sure the node becomes Ready.
Please note
The kubeadm kubeconfig user command from the official documentation needs a kubeadm config file. You can generate the default configuration and then edit it:
kubeadm config print init-defaults > init-defaults.yaml
kubeadm kubeconfig user --org system:nodes --client-name system:node:node2 --config=init-defaults.yaml > kubelet.conf
So generating the kubelet configuration file directly with kubeadm init phase kubeconfig kubelet --node-name node2 --kubeconfig-dir /tmp/ is the simpler approach.