Kubernetes: kubeadm certificates expired, renewing the certificates
Versions
Service version: Kubernetes 1.18.x
The certificate problem
Many people do not pay attention to certificates when they start learning k8s: installing a single node or a cluster with kubeadm is just a matter of following the steps, and if it is only for learning or testing, the VM or temporary cloud server gets deleted afterwards and the certificate problem never shows up. Once a k8s environment is kept for more than a year you will run into it, because the default validity of the certificates is 1 year, while the CA root certificates are valid for 10 years:
# Check certificate expiry. This command shows the expiry time / remaining time of the client certificates in /etc/kubernetes/pki and of the client certificates embedded in the KUBECONFIG files that kubeadm uses. In newer versions the command is: kubeadm certs check-expiration
[root@kubernetes ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
apiserver                  Aug 26, 2022 10:47 UTC   364d            ca                      no
apiserver-etcd-client      Aug 26, 2022 10:47 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Aug 26, 2022 10:47 UTC   364d            ca                      no
etcd-healthcheck-client    Aug 26, 2022 10:47 UTC   364d            etcd-ca                 no
etcd-peer                  Aug 26, 2022 10:47 UTC   364d            etcd-ca                 no
etcd-server                Aug 26, 2022 10:47 UTC   364d            etcd-ca                 no
front-proxy-client         Aug 26, 2022 10:47 UTC   364d            front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 23, 2030 07:00 UTC   8y              no
etcd-ca                 Aug 23, 2030 07:00 UTC   8y              no
front-proxy-ca          Aug 23, 2030 07:00 UTC   8y              no
[root@kubernetes pki]# for i in $(ls *.crt); do echo "===== $i ====="; openssl x509 -in $i -text -noout | grep -A 3 'Validity' ; done
===== =====
Validity
Not Before: Aug 25 07:00:38 2020 GMT
Not After : Aug 25 07:00:38 2021 GMT
Subject: CN=kube-apiserver
===== =====
Validity
Not Before: Aug 25 07:00:39 2020 GMT
Not After : Aug 25 07:00:40 2021 GMT
Subject: O=system:masters, CN=kube-apiserver-etcd-client
===== =====
Validity
Not Before: Aug 25 07:00:38 2020 GMT
Not After : Aug 25 07:00:39 2021 GMT
Subject: O=system:masters, CN=kube-apiserver-kubelet-client
===== ca.crt =====
Validity
Not Before: Aug 25 07:00:38 2020 GMT
Not After : Aug 23 07:00:38 2030 GMT
Subject: CN=kubernetes
===== =====
Validity
Not Before: Aug 25 07:00:39 2020 GMT
Not After : Aug 23 07:00:39 2030 GMT
Subject: CN=front-proxy-ca
===== =====
Validity
Not Before: Aug 25 07:00:39 2020 GMT
Not After : Aug 25 07:00:39 2021 GMT
Subject: CN=front-proxy-client
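The loop above only looks at the top level of /etc/kubernetes/pki, which is why its output has no etcd-server, etcd-peer or etcd-healthcheck-client entries even though the check-expiration table lists them: the etcd certificates live in /etc/kubernetes/pki/etcd/. The client certificates that kubectl, the controller manager and the scheduler present are not files at all but base64 blobs embedded in /etc/kubernetes/*.conf. The script below is an added example (it is not part of the original post and not kubeadm's own code) that covers all three places with nothing more than openssl, sed and base64, and flags every certificate that is already expired or expires within WARN_DAYS. The directory paths and the 30-day threshold are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example: report every kubeadm-managed certificate on a control-plane node,
# including the ones embedded in the kubeconfig files, and flag expiring ones.
# Paths and the warning threshold are assumptions; override them via the environment.
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
KUBECONFIG_DIR="${KUBECONFIG_DIR:-/etc/kubernetes}"
WARN_DAYS="${WARN_DAYS:-30}"

# cert_expires_within FILE DAYS: true (exit 0) if the certificate expires within DAYS days.
# openssl's -checkend exits non-zero when the certificate expires within the given number
# of seconds, so the result is inverted; DAYS=0 asks "is it already expired?".
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# report_cert LABEL FILE: print one line (label, notAfter, status); exit 0 only when ok.
report_cert() {
    label=$1
    file=$2
    end=$(openssl x509 -in "$file" -noout -enddate 2>/dev/null | cut -d= -f2)
    if [ -z "$end" ]; then
        printf '%-32s %s\n' "$label" "UNREADABLE (not a PEM certificate?)"
        return 2
    fi
    if cert_expires_within "$file" 0; then
        status=EXPIRED
    elif cert_expires_within "$file" "$WARN_DAYS"; then
        status="EXPIRES IN <$WARN_DAYS DAYS"
    else
        status=ok
    fi
    printf '%-32s %-26s %s\n' "$label" "$end" "$status"
    [ "$status" = ok ]
}

# extract_client_cert KUBECONFIG: write the embedded client certificate (PEM) to stdout.
# Fails when the file carries no client-certificate-data (kubelet.conf normally points at
# a file under /var/lib/kubelet/pki instead of embedding the certificate).
extract_client_cert() {
    data=$(sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$data" ] || return 1
    printf '%s' "$data" | base64 -d
}

# check_all: walk the pki dir, its etcd subdir and the kubeconfig files kubeadm writes;
# exit 1 if any certificate is expired or expiring.
check_all() {
    rc=0
    for f in "$PKI_DIR"/*.crt "$PKI_DIR"/etcd/*.crt; do
        [ -f "$f" ] || continue
        report_cert "${f#"$PKI_DIR"/}" "$f" || rc=1
    done
    for c in admin.conf controller-manager.conf scheduler.conf kubelet.conf; do
        f="$KUBECONFIG_DIR/$c"
        [ -f "$f" ] || continue
        tmp=$(mktemp)
        if extract_client_cert "$f" > "$tmp"; then
            report_cert "$c (embedded cert)" "$tmp" || rc=1
        else
            printf '%-32s %s\n' "$c" "no embedded client certificate (path reference or none)"
        fi
        rm -f "$tmp"
    done
    return $rc
}

# Run the report only when invoked with the "check" argument, so the file can also be
# sourced for its functions.
if [ "${1:-}" = check ]; then
    check_all
fi
```

Run it as root on a control-plane node with `sh kube-cert-check.sh check`; a non-zero exit status makes it usable from cron or a monitoring check, which is the point: the failure mode described in this post is silent until something restarts.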
After a year of running it looks like this:
If every service keeps running there is no great problem, only the kubectl client can no longer connect, for example:
But if a critical service such as etcd gets restarted, the certificate has already expired by then and no longer works: etcd cannot start, so kube-apiserver cannot start either, the control plane collapses, and the business workloads may stop working as well.
etcd error message:
kube-apiserver error message:
1. transport: authentication handshake failed: remote error: tls: bad certificate
2. error "tls: failed to verify client's certificate: x509: certificate has expired or is not yet valid", ServerName ""
3. error "remote error: tls: bad certificate", ServerName ""
Generating new certificates
kubeadm alpha certs renew: the all subcommand renews every Kubernetes certificate, or individual certificates can be renewed selectively. For more details, see .
# List the subcommands under the certs command
[root@kubernetes ~]# kubeadm alpha certs -h
Commands related to handling kubernetes certificates
Usage:
kubeadm alpha certs [command]
Aliases:
certs, certificates
Available Commands:
certificate-key Generate certificate keys
check-expiration Check certificates expiration for a Kubernetes cluster
renew Renew certificates for a Kubernetes cluster
Flags:
-h, --help help for certs
Global Flags:
--add-dir-header If true, adds the file directory to the header
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm alpha certs [command] --help" for more information about a command.
renew: Renew certificates for a Kubernetes cluster (renews the cluster's certificates; note that the CA root certificates are not included).
The renew command is the one we use to regenerate the cluster certificates.
# List the subcommands under renew
[root@kubernetes etc]# kubeadm alpha certs renew -h
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha certs renew [flags]
kubeadm alpha certs renew [command]
Available Commands:
all Renew all available certificates
apiserver Renew the certificate for serving the Kubernetes API
apiserver-etcd-client Renew the certificate the apiserver uses to access etcd
apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
etcd-healthcheck-client Renew the certificate for liveness probes to healthcheck etcd
etcd-peer Renew the certificate for etcd nodes to communicate with each other
etcd-server Renew the certificate for serving etcd
front-proxy-client Renew the certificate for the front proxy client
Flags:
-h, --help help for renew
Global Flags:
--add-dir-header If true, adds the file directory to the header
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm alpha certs renew [command] --help" for more information about a command.
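The post stops at the help output, but renewing is only the first of three steps: after `kubeadm alpha certs renew all` the static control-plane pods (kube-apiserver, kube-controller-manager, kube-scheduler, etcd) are still running with the old certificates in memory and have to be restarted, and the result should be checked rather than assumed. The script below is an added example for a kubeadm 1.18 control-plane node; it is not part of the original post and not kubeadm's own code. It parses the check-expiration table to decide whether anything is still within WARN_DAYS of expiry (a "<invalid>" residual time is what kubeadm prints for an already expired certificate). The manifest directory, the 20-second settle time, the /healthz probe on 127.0.0.1:6443 and the KUBEADM_CONFIG variable are assumptions. KUBEADM_CONFIG matters when the cluster was initialised from a config file with extra SANs: without it, and with the API server already unreachable because of expired certificates, kubeadm falls back to its default configuration and the new apiserver certificate loses those SANs.

```shell
#!/bin/sh
# Added example (not from the original post or the kubeadm project): renew the
# kubeadm-managed certificates on one kubeadm 1.18 control-plane node, restart the
# static control-plane pods so they pick the new files up, and verify the result.
# Paths, the probe address, the timeouts and KUBEADM_CONFIG are assumptions.
KUBEADM="${KUBEADM:-kubeadm}"
MANIFEST_DIR="${MANIFEST_DIR:-/etc/kubernetes/manifests}"
KUBEADM_CONFIG="${KUBEADM_CONFIG:-}"   # config file used at kubeadm init (extra SANs etc.), if any
WARN_DAYS="${WARN_DAYS:-30}"

# residual_days STR: turn kubeadm's RESIDUAL TIME column ("364d", "8y", "23h", "<invalid>")
# into whole days. Expired ("<invalid>") and anything unparseable map to -1 so they are
# always flagged; hours/minutes/seconds count as 0 days.
residual_days() {
    case $1 in
        *y)        echo $(( ${1%y} * 365 )) ;;
        *d)        echo "${1%d}" ;;
        *h|*m|*s)  echo 0 ;;
        *)         echo -1 ;;
    esac
}

# expiring_certs THRESHOLD_DAYS: read "kubeadm alpha certs check-expiration" output on stdin,
# print "<name> <residual>" for every certificate (CAs included) with fewer days left than
# the threshold, and exit 1 if any was printed. Header lines, blank lines and the
# "[check-expiration] ..." log lines are skipped; the residual value is always field 7
# because the expiry date occupies five fields.
expiring_certs() {
    threshold=$1
    hits=$(awk 'NF >= 7 && $1 != "CERTIFICATE" && $1 !~ /^\[/ { print $1, $7 }' |
        while read -r name residual; do
            if [ "$(residual_days "$residual")" -lt "$threshold" ]; then
                echo "$name $residual"
            fi
        done)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# renew_all: renew every certificate kubeadm manages (the CAs are left alone). Without
# --config kubeadm reads the kubeadm-config ConfigMap from the API server and, if that is
# unreachable, falls back to the default configuration.
renew_all() {
    if [ -n "$KUBEADM_CONFIG" ]; then
        "$KUBEADM" alpha certs renew all --config "$KUBEADM_CONFIG"
    else
        "$KUBEADM" alpha certs renew all
    fi
}

# restart_control_plane: the control-plane components are static pods owned by the kubelet
# and do not reload certificates. Moving their manifests out of the directory makes the
# kubelet delete the pods; moving them back recreates them with the new files.
restart_control_plane() {
    stash=$(mktemp -d /tmp/kube-manifests.XXXXXX)
    mv "$MANIFEST_DIR"/*.yaml "$stash"/
    sleep 20    # the kubelet's default file-check interval
    mv "$stash"/*.yaml "$MANIFEST_DIR"/
    rmdir "$stash"
}

# wait_for_apiserver: any HTTP answer on the secure port means the pod is back (up to 2 min).
wait_for_apiserver() {
    tries=0
    until curl -sk -o /dev/null https://127.0.0.1:6443/healthz; do
        tries=$((tries + 1))
        if [ "$tries" -ge 24 ]; then
            echo "kube-apiserver did not come back within 2 minutes" >&2
            return 1
        fi
        sleep 5
    done
}

main() {
    echo "== before =="
    "$KUBEADM" alpha certs check-expiration || true
    renew_all
    restart_control_plane
    wait_for_apiserver
    # kubectl uses the client certificate embedded in admin.conf; refresh the usual copy of it
    mkdir -p "$HOME/.kube"
    install -m 600 /etc/kubernetes/admin.conf "$HOME/.kube/config"
    echo "== after =="
    report=$("$KUBEADM" alpha certs check-expiration)
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | expiring_certs "$WARN_DAYS"; then
        echo "ok: every certificate has at least $WARN_DAYS days left"
    else
        echo "WARNING: the certificates listed above are still expired or expiring" >&2
        return 1
    fi
}

# Run the procedure only when invoked with the "run" argument; sourcing the file just
# defines the functions.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as root on every control-plane node (`sh renew-certs.sh run`); the manifest shuffle takes the API server down for roughly half a minute. The final table should also show fresh dates for the client certificates embedded in admin.conf, controller-manager.conf and scheduler.conf; if your kubeadm version still lists them as expiring, move the old .conf files aside and regenerate them with `kubeadm init phase kubeconfig all`. kubelet.conf is not renewed by `renew` at all: kubeadm configures the kubelet to rotate its own client certificate, so an expired kubelet.conf usually means that rotation was turned off and needs separate attention.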