k8s解决证书过期问题
By admin
- 3 minutes read - 543 words在k8s中的时间会提示证书过期问题,如
# kubectl get nodes
Unable to connect to the server: x509: certificate has expired or is not yet valid
这里我们介绍一下续期方法。
注意:当前集群通过 kubeadm 命令创建。
kubeadm 安装得证书默认为 1 年,注意原证书文件必须保留在服务器上才能做延期操作,否则就会重新生成,集群可能无法恢复。
准备
这里先查看一下测试集群的证书过期时间
# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Aug 30, 2022 03:18 UTC 324d no
apiserver Aug 30, 2022 03:18 UTC 324d ca no
apiserver-etcd-client Aug 30, 2022 03:18 UTC 324d etcd-ca no
apiserver-kubelet-client Aug 30, 2022 03:18 UTC 324d ca no
controller-manager.conf Aug 30, 2022 03:18 UTC 324d no
etcd-healthcheck-client Aug 30, 2022 03:18 UTC 324d etcd-ca no
etcd-peer Aug 30, 2022 03:18 UTC 324d etcd-ca no
etcd-server Aug 30, 2022 03:18 UTC 324d etcd-ca no
front-proxy-client Aug 30, 2022 03:18 UTC 324d front-proxy-ca no
scheduler.conf Aug 30, 2022 03:18 UTC 324d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Aug 28, 2031 03:18 UTC 9y no
etcd-ca Aug 28, 2031 03:18 UTC 9y no
front-proxy-ca Aug 28, 2031 03:18 UTC 9y no
可以看到过期时间为 2022-08-30。
续期
现在我们对所有证书续期一年
# kubeadm certs renew all
kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
验证
再次查看证书过期时间
# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Oct 09, 2022 11:39 UTC 364d no
apiserver Oct 09, 2022 11:40 UTC 364d ca no
apiserver-etcd-client Oct 09, 2022 11:39 UTC 364d etcd-ca no
apiserver-kubelet-client Oct 09, 2022 11:39 UTC 364d ca no
controller-manager.conf Oct 09, 2022 11:39 UTC 364d no
etcd-healthcheck-client Oct 09, 2022 11:39 UTC 364d etcd-ca no
etcd-peer Oct 09, 2022 11:39 UTC 364d etcd-ca no
etcd-server Oct 09, 2022 11:39 UTC 364d etcd-ca no
front-proxy-client Oct 09, 2022 11:39 UTC 364d front-proxy-ca no
scheduler.conf Oct 09, 2022 11:39 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Aug 28, 2031 03:18 UTC 9y no
etcd-ca Aug 28, 2031 03:18 UTC 9y no
front-proxy-ca Aug 28, 2031 03:18 UTC 9y no
可以看到过期时间变为 2022-10-09,从今天开始计算正好为一年。 我们也可以对指定的证书进行续期,如 apiserver
# kubeadm certs renew apiserver
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate for serving the Kubernetes API renewed
上面我们只对所有证书都进行了续期,如想到某一类证书进行续期的话,则可以通过查看命令:
# kubeadm certs renew -h
总结
当前办法只针对集群所有证书未过期情况下的方法,如果集群已过期的话,则需要采用其它办法,如 https://www.cnblogs.com/abcdef/p/12792043.html