k8s cluster certificate renewal
Steps to renew the certificates of a kubernetes cluster
Before the renewal, the certificates show as expired
If you want the detailed help text, go straight to the official kubeadm documentation
Below are my own renewal steps, for reference only
~]# kubectl get pods # once the cluster certificates have expired, kubectl commands no longer work
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2022-07-22T16:51:07+08:00 is after 2022-07-08T23:44:15Z
# Check the certificate expiry status with the following command
~]# kubeadm certs check-expiration
# If your kubeadm is older it reports that there is no certs subcommand; use kubeadm alpha certs check-expiration instead
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
# This error is expected: kubeadm reads the kubeadm-config ConfigMap through the API server, whose own certificate has expired, so it falls back to the default configuration; the check still runs
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 08, 2022 23:44 UTC   <invalid>                               no
apiserver                  Jul 08, 2022 23:44 UTC   <invalid>       ca                      no
apiserver-etcd-client      Jul 08, 2022 23:44 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Jul 08, 2022 23:44 UTC   <invalid>       ca                      no
controller-manager.conf    Jul 08, 2022 23:44 UTC   <invalid>                               no
etcd-healthcheck-client    Jul 08, 2022 23:44 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Jul 08, 2022 23:44 UTC   <invalid>       etcd-ca                 no
etcd-server                Jul 08, 2022 23:44 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Jul 08, 2022 23:44 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Jul 08, 2022 23:44 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 06, 2031 23:44 UTC   8y              no
etcd-ca                 Jul 06, 2031 23:44 UTC   8y              no
front-proxy-ca          Jul 06, 2031 23:44 UTC   8y              no
# The EXPIRES column (and the <invalid> residual time) shows that the leaf certificates have expired and need to be renewed. The three CAs are still valid until 2031, so only the leaf certificates are renewed below; kubeadm certs renew does not touch the CAs
Backup
1. Back up the configuration file /etc/kubernetes/admin.conf on the master (and /etc/kubernetes/pki, which holds the keys and certificates about to be replaced)
2. If ~/.kube/config on other hosts was populated from admin.conf, back that up too
3. Likewise, back up any of the component configuration files above that other hosts use; after the renewal they must be synced promptly to every host that needs them (for example a control host or an etcd backup machine)
4. These backups contain private keys and the cluster-admin client credential embedded in admin.conf: keep them readable by root only and delete them once the renewal has been verified
The kubeadm command that renews the certificates
~]# kubeadm certs renew all # older versions use kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
As the output says, kube-apiserver, kube-controller-manager, kube-scheduler and etcd must be restarted, so a restart step follows. The "Falling back to default configuration" message appears here too and is harmless: kubeadm renews each certificate from the attributes (names, SANs, organization) of the existing certificate on disk, not from the kubeadm-config ConfigMap.
Note: dynamic certificate reloading is not yet supported by all components and certificates, so restarting the static pods is mandatory. kubeadm certs renew all also does not list kubelet.conf: in a kubeadm cluster the kubelet rotates its own client certificate automatically (under /var/lib/kubelet/pki), so no manual step is needed for it.
Restart the container processes
docker ps | grep -i "scheduler" # each component can be restarted this way
docker restart 8c361562701b
# Restarting the container is enough because the kubelet manages these static pods; on a node that runs containerd instead of docker, find and stop the container with crictl ps / crictl stop and the kubelet recreates it
Check the certificate status again
[root@k8s-master pki]# kubeadm certs check-expiration # older versions need alpha, as above
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 22, 2023 09:07 UTC   364d                                    no
apiserver                  Jul 22, 2023 09:07 UTC   364d            ca                      no
apiserver-etcd-client      Jul 22, 2023 09:07 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Jul 22, 2023 09:07 UTC   364d            ca                      no
controller-manager.conf    Jul 22, 2023 09:07 UTC   364d                                    no
etcd-healthcheck-client    Jul 22, 2023 09:07 UTC   364d            etcd-ca                 no
etcd-peer                  Jul 22, 2023 09:07 UTC   364d            etcd-ca                 no
etcd-server                Jul 22, 2023 09:07 UTC   364d            etcd-ca                 no
front-proxy-client         Jul 22, 2023 09:08 UTC   364d            front-proxy-ca          no
scheduler.conf             Jul 22, 2023 09:08 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 06, 2031 23:44 UTC   8y              no
etcd-ca                 Jul 06, 2031 23:44 UTC   8y              no
front-proxy-ca          Jul 06, 2031 23:44 UTC   8y              no
The renewal succeeded: every leaf certificate now expires in a year (364d), and the error about reading the cluster configuration is gone because the API server is serving its new certificate. Two things remain. kubectl reads ~/.kube/config, which still holds the old, expired client certificate, so copy the renewed /etc/kubernetes/admin.conf over it on the master and on every other host noted in the backup step. And kubeadm issues renewed certificates with one year of validity, so the same check has to run again before Jul 2023 (a kubeadm upgrade of the control plane renews all certificates automatically, so clusters that are upgraded at least yearly never reach this state).
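The whole procedure above, plus the pre-flight check that would have caught the expiry before kubectl stopped working, as an added example written for this page (it is not code from the original post or from kubeadm). The `flag_expiring` function parses the `kubeadm certs check-expiration` output shown above and prints every certificate that is expired or has at most WARN_DAYS left, so it can run from cron on a control-plane node; `renew_control_plane_certs` wraps the backup, renewal, restart and admin.conf sync steps. The backup path, the WARN_DAYS default, the docker container-name pattern and the values in the embedded sample are assumptions, not values from the post; the sample is constructed to exercise every residual-time format kubeadm prints (years, days, hours, `<invalid>`).

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from kubeadm:
#  - flag_expiring: parse `kubeadm certs check-expiration` output and list
#    certificates that are expired or have at most N days left
#  - renew_control_plane_certs: backup, renew, restart static pods, sync admin.conf
# Backup path, WARN_DAYS default and container-name pattern are assumptions.
set -eu

WARN_DAYS="${WARN_DAYS:-30}"

# Constructed sample (not from the post): a cluster in a mixed state, so that
# every residual-time format kubeadm prints is covered: 364d, 12d, 23h, <invalid>, 8y.
SAMPLE='[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 22, 2023 09:07 UTC   364d                                    no
apiserver                  Aug 03, 2022 09:07 UTC   12d             ca                      no
apiserver-etcd-client      Jul 08, 2022 23:44 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Jul 23, 2022 09:08 UTC   23h             front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 06, 2031 23:44 UTC   8y              no
etcd-ca                 Jul 06, 2031 23:44 UTC   8y              no'

# Print "name residual" for every certificate with at most $1 days left.
# Column 7 is RESIDUAL TIME in both tables because the EXPIRES date occupies
# columns 2-6; header lines and [check-expiration] chatter are skipped.
# Anything measured in hours, minutes or seconds counts as due now.
flag_expiring() {
  printf '%s\n' "$2" | awk -v warn="$1" '
    function to_days(r) {
      if (r == "<invalid>") return 0
      if (r ~ /y$/) return substr(r, 1, length(r) - 1) * 365
      if (r ~ /d$/) return substr(r, 1, length(r) - 1) + 0
      return 0
    }
    NF >= 7 && $1 !~ /^(CERTIFICATE|\[)/ && to_days($7) <= warn { print $1, $7 }'
}

# Older kubeadm releases only have the subcommand under `alpha`.
kubeadm_certs() {
  if kubeadm certs --help >/dev/null 2>&1; then
    kubeadm certs "$@"
  else
    kubeadm alpha certs "$@"
  fi
}

# Run as root on the control-plane node. Docker names the kubelet's containers
# k8s_<container>_<pod>_<namespace>_...; on containerd nodes use crictl instead.
renew_control_plane_certs() {
  backup="/root/k8s-cert-backup-$(date +%Y%m%d-%H%M%S)"   # assumed location
  mkdir -m 700 -p "$backup"       # kubeconfigs carry cluster-admin credentials
  cp -a /etc/kubernetes/pki /etc/kubernetes/*.conf "$backup/"
  kubeadm_certs renew all
  # Static pods do not reload certificates: restart each control-plane container.
  for c in kube-apiserver kube-controller-manager kube-scheduler etcd; do
    docker ps -q --filter "name=k8s_${c}_" | xargs -r docker restart
  done
  # kubectl reads ~/.kube/config, which still holds the old client certificate.
  mkdir -p "$HOME/.kube"
  install -m 600 /etc/kubernetes/admin.conf "$HOME/.kube/config"
  kubeadm_certs check-expiration
}

case "${1:-}" in
  check)   # e.g. from cron: exit 1 when anything needs renewal
    flagged=$(flag_expiring "$WARN_DAYS" "$(kubeadm_certs check-expiration)")
    [ -z "$flagged" ] || { printf 'certificates due for renewal:\n%s\n' "$flagged"; exit 1; } ;;
  renew)   renew_control_plane_certs ;;
  demo)    flag_expiring "$WARN_DAYS" "$SAMPLE" ;;
esac
```

`./certs.sh demo` prints `apiserver 12d`, `apiserver-etcd-client <invalid>` and `front-proxy-client 23h` for the embedded sample; `./certs.sh check` runs the same filter on the live cluster and is the command to put in cron, and `./certs.sh renew` is the procedure from this post. The CA rows are never flagged because `kubeadm certs renew` does not renew CAs; a CA nearing expiry needs a separate rotation.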