k8s certificate renewal steps

####My own notes####
The certificates of the core services in a k8s cluster are valid for one year by default (the kubeadm-issued component certificates; the CA certificates themselves last ten years and are not touched by this procedure). Once they expire the API server becomes unavailable, so the certificates have to be renewed. The renewal steps are below.
Check a certificate's expiry time: openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep ' Not '
Steps
Check whether the certificates have expired

This command only exists on kubeadm 1.15 and later (from 1.19 on it is kubeadm certs check-expiration, without alpha)

kubeadm alpha certs check-expiration

On older kubeadm versions, check with the commands below (the grep prints the Not Before / Not After lines of each certificate)

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep ' Not '
openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt -noout -text | grep ' Not '
openssl x509 -in /etc/kubernetes/pki/apiserver-kubelet-client.crt -noout -text | grep ' Not '
openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text | grep ' Not '
openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt -noout -text | grep ' Not '
openssl x509 -in /etc/kubernetes/pki/front-proxy-client.crt -noout -text | grep ' Not '
openssl x509 -in /etc/kubernetes/pki/etcd/ca.crt -noout -text | grep ' Not '
openssl x509 -in /etc/kubernetes/pki/etcd/peer.crt -noout -text | grep ' Not '
openssl x509 -in /etc/kubernetes/pki/etcd/server.crt -noout -text | grep ' Not '
openssl x509 -in /etc/kubernetes/pki/etcd/healthcheck-client.crt -noout -text | grep ' Not '
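An added example (not from the original notes) that generalizes the one-certificate openssl checks above: it scans every .crt under the kubeadm PKI directory, prints the expiry and days left, and exits non-zero if any certificate expires within WARN_DAYS, so it can run as a cron or monitoring check on clusters whose kubeadm is too old for check-expiration. The PKI_DIR and WARN_DAYS variables and the function names are my own; it assumes openssl and GNU date (date -d) on the node:

```shell
#!/bin/sh
# Added example, not code from the original notes.
# Scan every certificate under the kubeadm PKI directory, print expiry and days
# left, and exit non-zero if any certificate expires within WARN_DAYS.
# Assumes openssl and GNU date (date -d). PKI_DIR/WARN_DAYS names are mine.
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
WARN_DAYS="${WARN_DAYS:-30}"

# notAfter of a PEM certificate, e.g. "Jul 11 22:30:00 2021 GMT"
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Whole days from now until the given notAfter string; negative once expired.
days_until() {
    now=$(date +%s)
    exp=$(date -d "$1" +%s) || return 1
    echo $(( (exp - now) / 86400 ))
}

# Succeeds if the certificate in $1 is still valid for at least $2 more days.
# openssl -checkend takes seconds and needs no date parsing, so this part also
# works on BusyBox-based images where date -d is unavailable.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Report on every *.crt under $1 (default PKI_DIR). Returns 1 if any certificate
# expires within WARN_DAYS, so the exit status can drive an alert.
check_pki_dir() {
    dir="${1:-$PKI_DIR}"
    rc=0
    for crt in $(find "$dir" -name '*.crt' | sort); do
        na=$(cert_not_after "$crt")
        left=$(days_until "$na")
        if cert_valid_for_days "$crt" "$WARN_DAYS"; then
            status="ok"
        else
            status="EXPIRING"
            rc=1
        fi
        printf '%-8s %4s days  %-28s %s\n' "$status" "$left" "$na" "$crt"
    done
    return $rc
}

# Run the report when executed directly; the functions can also be sourced.
if [ -d "$PKI_DIR" ]; then check_pki_dir "$PKI_DIR"; fi
```

Run it as root on each control-plane node (PKI_DIR=/etc/kubernetes/pki is the kubeadm default; WARN_DAYS=30 flags anything expiring within a month). Unlike the one-off grep, the exit status lets cron or a monitoring agent alert before the API server goes down.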
Renew all certificates

kubeadm alpha certs renew all   (on kubeadm 1.19 and later the command is kubeadm certs renew all)
Restart the four containers etcd, kube-apiserver, kube-controller-manager and kube-scheduler (they all run on the control-plane node as static pods, so restarting them does not interrupt running workloads; the renewed certificates are only loaded after the restart). The loop below assumes Docker; on a containerd node use crictl instead, or move each manifest out of /etc/kubernetes/manifests/ and back so kubelet recreates the pod.

for i in etcd kube-apiserver kube-controller kube-scheduler; do
  echo "....restart container $i...."
  docker ps | grep $i | grep -v pause | cut -d " " -f1 | xargs docker restart
done
Restart the kubelet service (note: do this on every node that needs the renewed kubelet certificate; it is disruptive, use with caution!)

systemctl daemon-reload && systemctl restart kubelet
A pitfall I hit myself; you will not necessarily have this problem
Big pitfall: the k8s kubeconfig files had to be regenerated (on older kubeadm releases, renew all does not refresh the client certificates embedded in admin.conf, controller-manager.conf, scheduler.conf and kubelet.conf, so they still carry the expired certificate)
Do this: first mv (back up) everything under /etc/kubernetes/ somewhere safe
Then regenerate
rm -rf /etc/kubernetes/*.conf
#Regenerate the certificates and the kubeconfig files; copy and keep the old ones first
#certificates first, since the kubeconfig client certs are signed by the CA; files that already exist are left untouched
kubeadm init phase certs all
#writes admin.conf, kubelet.conf, controller-manager.conf and scheduler.conf
kubeadm init phase kubeconfig all
rm -rf $HOME/.kube
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

#Point kubelet.conf at the kubelet's rotating client cert (the pem holds both cert and key) instead of the embedded data, so it keeps rotating
sed -i -e 's#^    client-certificate-data:.*#    client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem#' \
       -e 's#^    client-key-data:.*#    client-key: /var/lib/kubelet/pki/kubelet-client-current.pem#' /etc/kubernetes/kubelet.conf

After regenerating, restart the control-plane pods
for i in etcd kube-apiserver kube-controller kube-scheduler; do
  echo "....restart container $i...."
  docker ps | grep $i | grep -v pause | cut -d " " -f1 | xargs docker restart
done
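An added example (not code from the original notes) for the pitfall above: after the kubeconfig files have been regenerated it decodes the client certificate embedded in each /etc/kubernetes/*.conf and prints its subject, serial and expiry, checks whether kubelet.conf points at the rotating kubelet-client-current.pem, and compares the serial of the certificate the running API server actually serves with pki/apiserver.crt, which tells you whether the restart loop took effect. The K8S_DIR and APISERVER variables and the function names are my own; it assumes openssl and base64 are available:

```shell
#!/bin/sh
# Added example, not code from the original notes.
# Verify that regenerated kubeconfig files carry fresh client certificates, that
# kubelet.conf uses the rotating on-disk certificate, and that the running API
# server serves the renewed apiserver.crt. K8S_DIR/APISERVER names are mine.
K8S_DIR="${K8S_DIR:-/etc/kubernetes}"
APISERVER="${APISERVER:-127.0.0.1:6443}"

# Print the PEM client certificate of a kubeconfig: either decoded from the
# embedded client-certificate-data, or read from the client-certificate path.
kubeconfig_client_cert() {
    data=$(sed -n 's/^ *client-certificate-data: *//p' "$1" | head -n 1)
    if [ -n "$data" ]; then
        printf '%s' "$data" | base64 -d
        return
    fi
    path=$(sed -n 's/^ *client-certificate: *//p' "$1" | head -n 1)
    [ -n "$path" ] && cat "$path"
}

# One-line "subject / serial / notAfter" summary of a kubeconfig's client cert.
kubeconfig_cert_summary() {
    kubeconfig_client_cert "$1" | openssl x509 -noout -subject -serial -enddate | tr '\n' ' '
}

# Serial of a certificate file, e.g. "serial=1A2B...".
file_cert_serial() {
    openssl x509 -in "$1" -noout -serial
}

# Serial of the certificate actually presented by a TLS endpoint (host:port).
served_cert_serial() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509 -noout -serial
}

# 0 if kubelet.conf references the kubelet's rotating cert instead of embedding a blob.
kubelet_conf_uses_rotation() {
    grep -q '^ *client-certificate: */var/lib/kubelet/pki/kubelet-client-current.pem' "$1"
}

check_control_plane() {
    for conf in admin controller-manager scheduler kubelet; do
        f="$K8S_DIR/$conf.conf"
        [ -f "$f" ] || continue
        printf '%-22s %s\n' "$conf.conf:" "$(kubeconfig_cert_summary "$f")"
    done
    if [ -f "$K8S_DIR/kubelet.conf" ] && kubelet_conf_uses_rotation "$K8S_DIR/kubelet.conf"; then
        echo "kubelet.conf: uses /var/lib/kubelet/pki/kubelet-client-current.pem (rotation works)"
    else
        echo "kubelet.conf: embeds its client certificate; it will NOT rotate automatically"
    fi
    disk=$(file_cert_serial "$K8S_DIR/pki/apiserver.crt")
    live=$(served_cert_serial "$APISERVER")
    if [ "$disk" = "$live" ]; then
        echo "apiserver: served certificate matches pki/apiserver.crt ($disk)"
    else
        echo "apiserver: serves '$live' but disk has '$disk'; the kube-apiserver pod was not restarted"
        return 1
    fi
}

# Run the checks when executed directly on a control-plane node.
if [ -d "$K8S_DIR" ]; then check_control_plane; fi
```

Run it on the control-plane node after the restart loop; a serial mismatch on the apiserver line means the pod is still holding the old certificate in memory and has to be restarted, and an "embeds its client certificate" line for kubelet.conf means the same expiry will come back in a year.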

Errors reported by a cluster whose certificates have already expired:
error: the server doesn't have a resource type "pod"
The connection to the server 172.31.16.151:6443 was refused - did you specify the right host or port?

Fix
1. First set the system clock back to a time before the expiry, so the expired certificates validate long enough to run the renewal (a temporary workaround only: restore the real time, or re-enable NTP/chrony, as soon as the renewal and restarts are done, since a skewed clock also affects everything else on the node that depends on the time)
date -s "2020-07-11 22:30:00"
2.
Check the error log:
journalctl -fu kubelet

Other commands
Check versions:
kubectl version
kubeadm version
kubelet --version
Downgrade kubeadm and kubelet
yum downgrade -y kubeadm-1.13.2-0.x86_64
yum downgrade -y kubernetes-cni-0.6.0-0.x86_64 kubelet-1.13.2-0.x86_64

After the downgrade above things worked again; kubectl can be left at its current version

curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.13.2/bin/linux/amd64/kubectl
chmod +x ./kubectl
sudo mv ./kubectl /usr/local/bin/kubectl
View kubelet logs: journalctl -u kubelet -f -n 100
If the system is short on memory, change the replica count (scale to 0 and back to 1, which amounts to a restart):
kubectl scale deploy/admin-server --replicas=0
kubectl scale deploy/admin-front --replicas=1

Reinstall k8s
kubeadm reset -f
modprobe -r ipip
lsmod
rm -rf ~/.kube/
rm -rf /etc/kubernetes/
rm -rf /etc/systemd/system/kubelet.service.d
rm -rf /etc/systemd/system/kubelet.service
rm -rf /usr/bin/kube*
rm -rf /etc/cni
rm -rf /opt/cni
rm -rf /var/lib/etcd
rm -rf /var/etcd
yum clean all
yum remove kube*
yum remove -y kubelet kubectl
After removal, reinstall k8s from scratch
