一.kubernetes证书详情
1.查看证书
tree /etc/kubernetes/pki/
/etc/kubernetes/pki/
├── apiserver.crt
├── apiserver-etcd-client.crt
├── apiserver-etcd-client.key
├── apiserver.key
├── apiserver-kubelet-client.crt
├── apiserver-kubelet-client.key
├── ca.crt
├── ca.key
├── etcd
│   ├── ca.crt
│   ├── ca.key
│   ├── healthcheck-client.crt
│   ├── healthcheck-client.key
│   ├── peer.crt
│   ├── peer.key
│   ├── server.crt
│   └── server.key
├── front-proxy-ca.crt
├── front-proxy-ca.key
├── front-proxy-client.crt
├── front-proxy-client.key
├── sa.key
└── sa.pub
2.各个证书过期时间
/etc/kubernetes/pki/apiserver.crt                  #1年有效期
/etc/kubernetes/pki/front-proxy-ca.crt             #10年有效期
/etc/kubernetes/pki/ca.crt                         #10年有效期
/etc/kubernetes/pki/apiserver-etcd-client.crt      #1年有效期
/etc/kubernetes/pki/front-proxy-client.crt         #1年有效期
/etc/kubernetes/pki/etcd/server.crt                #1年有效期
/etc/kubernetes/pki/etcd/ca.crt                    #10年有效期
/etc/kubernetes/pki/etcd/peer.crt                  #1年有效期
/etc/kubernetes/pki/etcd/healthcheck-client.crt    #1年有效期
/etc/kubernetes/pki/apiserver-kubelet-client.crt   #1年有效期
3.查看各个证书过期时间
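# List every kubeadm-managed certificate with its expiry date and residual time.
# The subcommand is spelled check-expiration (singular); the output shown below
# and step 5 of the renewal procedure use that spelling.
# NOTE(review): on newer kubeadm releases this lives under `kubeadm certs`
# (without `alpha`) — check `kubeadm certs --help` for the installed version.
kubeadm alpha certs check-expiration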
[root@master01 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 24, 2023 16:12 UTC   275d                                    no
apiserver                  Jan 24, 2023 16:12 UTC   275d            ca                      no
apiserver-etcd-client      Jan 24, 2023 16:12 UTC   275d            etcd-ca                 no
apiserver-kubelet-client   Jan 24, 2023 16:12 UTC   275d            ca                      no
controller-manager.conf    Jan 24, 2023 16:12 UTC   275d                                    no
etcd-healthcheck-client    Jan 24, 2023 16:12 UTC   275d            etcd-ca                 no
etcd-peer                  Jan 24, 2023 16:12 UTC   275d            etcd-ca                 no
etcd-server                Jan 24, 2023 16:12 UTC   275d            etcd-ca                 no
front-proxy-client         Jan 24, 2023 16:12 UTC   275d            front-proxy-ca          no
scheduler.conf             Jan 24, 2023 16:12 UTC   275d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 14, 2030 02:18 UTC   7y              no
etcd-ca                 Apr 14, 2030 02:18 UTC   7y              no
front-proxy-ca          Apr 14, 2030 02:18 UTC   7y              no
二.更新证书方法一(证书还没有过期的情况)
1.导出配置文件(master01)
kubeadm config view > kubeadm-cluster.yaml
2.备份原有证书文件(master01;备份目录中包含ca.key、sa.key等私钥,需与原目录同样严格保护)
cp -rp /etc/kubernetes /etc/kubernetes-$(date +%Y%m%d).bak
3.备份etcd数据目录(master01)
# NOTE(review): nothing in this procedure stops etcd before the copy, so a plain
# directory copy of a running member may not be a consistent backup; an etcdctl
# snapshot is the supported way to back up etcd — confirm for this cluster.
cp -r /var/lib/etcd /var/lib/etcd-$(date +%Y%m%d).bak
4.更新全部证书(master01)
# Renew every kubeadm-managed certificate using the cluster configuration.
# The file passed here must be the one exported in step 1 (written there as
# kubeadm-cluster.yaml in the current directory, not /tmp/cluster.yaml) —
# use a single, consistent path for it.
kubeadm alpha certs renew all --config=/tmp/cluster.yaml
5.确认证书更新(master01)
kubeadm alpha certs check-expiration
6.更新其他master节点(按照步骤)
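# Run on master01: copy the cluster configuration exported in step 1 to the next master
# (step 1 writes it as kubeadm-cluster.yaml — the name copied here must match that file).
scp cluster.yaml root@10.10.20.4:/tmp
# The remaining commands are presumably run on the receiving master.
# Back up the certificates (including the private keys) and the etcd data first.
cp -rp /etc/kubernetes "/etc/kubernetes-$(date +%Y%m%d).bak"
cp -r /var/lib/etcd "/var/lib/etcd-$(date +%Y%m%d).bak"
# Renew every kubeadm-managed certificate from the copied configuration, then verify.
kubeadm alpha certs renew all --config=/tmp/cluster.yaml
kubeadm alpha certs check-expiration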
7.在三台Master上执行重启kube-apiserver、kube-controller、kube-scheduler、etcd这4个容器,以便使证书生效
建议先重启Etcd,再重启kube-apiserver、kube-controller、kube-scheduler
重启Etcd数据库
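# Restart the etcd container(s) before the other control-plane containers.
# awk's default field separator already splits on whitespace, so -F ' ' is not needed;
# xargs -r skips the docker restart call entirely when no container matched instead of
# invoking it with no arguments.
docker ps | grep -E 'k8s_etcd_etcd' | awk '{print $1}' | xargs -r docker restart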
重启kube-apiserver、kube-controller、kube-scheduler
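# Restart kube-apiserver, kube-controller-manager and kube-scheduler containers
# (after etcd) so they reload the renewed certificates.
# xargs -r skips the docker restart call when no container matched.
docker ps | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler' | awk '{print $1}' | xargs -r docker restart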
三.更新证书方法二(证书已经过期)
1.修改系统时间到证书有效期时间内(三个master节点都要操作,确保证书在有效期内;更新完成后在步骤8恢复时间同步)
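# Temporarily set the clock to a date inside the certificates' validity period, on all
# three masters. The date must be quoted with straight ASCII quotes: the curly quotes in
# the original are not shell quoting, so they were passed to date as part of the value
# and the command failed. Step 8 re-syncs the clock afterwards.
date -s "2022-04-25"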
2.备份配置文件
kubeadm config view > /root/kubeadm.yaml
3.备份原有证书(备份目录中包含ca.key、sa.key等私钥,需与原目录同样严格保护)
cp -rp /etc/kubernetes /etc/kubernetes-$(date +%Y%m%d).bak
4.备份ETCD数据库
# NOTE(review): etcd has not been stopped at this point of the procedure, so a plain
# directory copy of a running member may not be a consistent backup; an etcdctl
# snapshot is the supported way to back up etcd — confirm for this cluster.
cp -r /var/lib/etcd /var/lib/etcd-$(date +%Y%m%d).bak
5.更新证书
kubeadm alpha certs renew all
6.重启 apiserver、kube-controller、kube-scheduler、etcd 容器
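# Restart the etcd, scheduler, controller-manager and apiserver containers so they load
# the renewed certificates (pause/sandbox containers are excluded by the grep -v).
# The container IDs are handed to docker restart through xargs rather than being
# turned into shell commands and piped into bash; xargs -r skips the call when
# nothing matched. Note the restart order here follows docker ps output, whereas
# the first method recommends restarting etcd before the other components.
docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | xargs -r docker restart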
7.执行上一步后如果发现etcd容器持续重启、无法正常工作,则重启docker和kubelet
systemctl restart docker && systemctl restart kubelet
8.同步时间(三个master节点都要执行,以恢复步骤1中手工修改的系统时间)
ntpdate ntp1.aliyun.com
9.确认集群状态
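# Two separate commands (they were run together on one line, which kubectl rejects):
# first the node status, then the control-plane pods in kube-system.
kubectl get node
kubectl get pod -n kube-system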



