Renewing expired certificates on Kubernetes v1.19.2
Certificate expiry error
[root@k8s-master ~]# kubectl get node
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2021-05-12T10:22:38+08:00 is after 2021-05-11T12:02:22Z
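Solution:
1. Generate the cluster configuration file (ideally you kept the kubeadm.yaml from when the cluster was deployed; otherwise editing it takes a little more work)
# (1) Export the kubeadm config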
kubeadm config print init-defaults > /root/kubeadm-config-install.yaml
# (2) Edit kubeadm-config-install.yaml; an example follows
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: 0dh28u.eaimfr3hn6jwzidh
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 10.100.10.100
  bindPort: 6443
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: k8s-master
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
---
apiServer:
  certSANs:
  - 10.100.10.100
  - 127.0.0.1
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: 10.100.10.100:6443
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.19.2
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}
2. Back up the existing certificates
cp -rp /etc/kubernetes /etc/kubernetes.bak
3. Back up the etcd data directory
cp -r /var/lib/etcd /var/lib/etcd.bak
4. Renew the certificates
kubeadm alpha certs renew all --config=/root/kubeadm-config-install.yaml
# Newer versions
kubeadm certs renew all --config=/root/kubeadm-config-install.yaml
5. On the master, restart the four containers kube-apiserver, kube-controller-manager, kube-scheduler and etcd so that the renewed certificates take effect
docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart
7. Check the expiry date of each certificate
for item in $(find /etc/kubernetes/pki -maxdepth 2 -name "*.crt"); do echo "======================$item==============="; openssl x509 -in "$item" -text -noout | grep Not; done
8. Overwrite the old kubeconfig with the newly generated admin.conf
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
9. Check the cluster status
[root@k8s-master ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 365d v1.19.2
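The loop in step 7 reads only the *.crt files; the client certificates embedded in admin.conf and the other kubeconfig files under /etc/kubernetes are renewed by the same command but are not covered by that loop. The following added example (not part of the original post; the function names and the 30-day warning window are assumptions) checks both with openssl x509 -checkend:

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a kubeadm layout under
# /etc/kubernetes and the openssl CLI; function names are illustrative.

# Print the PEM client certificate embedded in a kubeconfig (empty if none).
kubeconfig_client_cert() {
  awk '$1 == "client-certificate-data:" { print $2; exit }' "$1" | base64 -d
}

# Print UNREADABLE, EXPIRED, EXPIRING or OK for PEM file $1.
# $2 is the warning window in days.
cert_state() {
  if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
    echo UNREADABLE
  elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo EXPIRED
  elif ! openssl x509 -in "$1" -noout -checkend "$(($2 * 86400))" >/dev/null 2>&1; then
    echo EXPIRING
  else
    echo OK
  fi
}

# Report every *.crt under $1/pki and every client certificate embedded in
# $1/*.conf (admin.conf, controller-manager.conf, scheduler.conf, ...).
scan_kubeadm_certs() {
  root=${1:-/etc/kubernetes}
  warn_days=${2:-30}
  tmp=$(mktemp) || return 1
  find "$root/pki" -maxdepth 2 -name '*.crt' 2>/dev/null | sort |
    while IFS= read -r crt; do
      printf '%-10s %s\n' "$(cert_state "$crt" "$warn_days")" "$crt"
    done
  for conf in "$root"/*.conf; do
    [ -f "$conf" ] || continue
    kubeconfig_client_cert "$conf" > "$tmp" 2>/dev/null || continue
    # A kubeconfig may point at a certificate file instead of embedding one.
    [ -s "$tmp" ] || continue
    printf '%-10s %s (embedded client certificate)\n' \
      "$(cert_state "$tmp" "$warn_days")" "$conf"
  done
  rm -f "$tmp"
}

# Scan only when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then
  scan_kubeadm_certs "${2:-/etc/kubernetes}" "${3:-30}"
fi
```

Run the script with `--scan /etc/kubernetes 30` on the master before and after step 4 to confirm that nothing is still reported as EXPIRED.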