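Kubernetes cluster certificate renewal
Certificates issued by kubeadm are valid for one year by default. Once they expire, the API server becomes unavailable and requests fail with: x509: certificate has expired or is not yet valid.
Option 1: modify kubeadm to change the certificate validity period
Modify the source code and adjust the expiry time
Option 2: automatic certificate rotation, which is enabled by default
The walkthrough below uses the second approach and simulates cluster certificate expiry.
Preparation
Cluster version used here: 1.15
Back up the cluster certificates (omitted)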
cd /etc/kubernetes
tar czvf kubernetes
Master node:
[root@k8s-master .kube]# hwclock --show
2020年01⽉21⽇星期⼆ 15时16分34秒 -0.856601秒
[root@k8s-master .kube]# kubectl get nodes
NAME         STATUS   ROLES    AGE    VERSION
k8s-master   Ready    master   167d   v1.15.0
k8s-node1    Ready    node     166d   v1.15.0
[root@k8s-master .kube]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
apiserver                  Jan 20, 2021 07:09 UTC   364d            no
apiserver-etcd-client      Jan 20, 2021 07:09 UTC   364d            no
apiserver-kubelet-client   Jan 20, 2021 07:09 UTC   364d            no
etcd-healthcheck-client    Jan 20, 2021 07:09 UTC   364d            no
etcd-peer                  Jan 20, 2021 07:09 UTC   364d            no
etcd-server                Jan 20, 2021 07:09 UTC   364d            no
front-proxy-client         Jan 20, 2021 07:09 UTC   364d            no
[root@k8s-master .kube]#
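First generate the cluster configuration file
kubeadm config view > /root/kubeadm.yaml
Back up the cluster configuration file in advance: once the cluster certificates have expired, this command can no longer be run.
Change the system time so that the cluster certificates expire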
[root@k8s-master .kube]# date -s "2021-08-08"
2021年 08⽉ 08⽇星期⽇00:00:00 CST
[root@k8s-master .kube]# date
2021年 08⽉ 08⽇星期⽇00:00:02 CST
[root@k8s-master .kube]# kubectl get nodes
Unable to connect to the server: x509: certificate has expired or is not yet valid
[root@k8s-master .kube]#
Renew the certificates
[root@k8s-master ~]# kubeadm alpha certs renew all --config=/root/kubeadm.yaml
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@k8s-master ~]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
apiserver                  Aug 07, 2022 16:02 UTC   364d            no
apiserver-etcd-client      Aug 07, 2022 16:02 UTC   364d            no
apiserver-kubelet-client   Aug 07, 2022 16:02 UTC   364d            no
etcd-healthcheck-client    Aug 07, 2022 16:02 UTC   364d            no
etcd-peer                  Aug 07, 2022 16:02 UTC   364d            no
etcd-server                Aug 07, 2022 16:02 UTC   364d            no
front-proxy-client         Aug 07, 2022 16:02 UTC   364d            no
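Restart the three containers on the master node. The command pipes whole docker ps lines into xargs, so docker restart also receives the image, command, age and status columns and reports "No such container" for each of them; the lines that show only a container ID or name are the containers that were restarted:
[root@k8s-master .kube]# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd'|xargs docker restart
98257170f1fb
k8s_kube-apiserver_kube-apiserver-k8s-master_kube-system_db9cf46161351d3a7f76537093caa0b8_10
82c07f5d9b6f
k8s_etcd_etcd-k8s-master_kube-system_2da345f314df09b06ba8257f5457dbed_6
Error response from daemon: No such container: 201c7a840312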
Error response from daemon: No such container: kube-apiserver --ad…
Error response from daemon: No such container: 18
Error response from daemon: No such container: months
Error response from daemon: No such container: ago
Error response from daemon: No such container: Up
Error response from daemon: No such container: 18
Error response from daemon: No such container: months
Error response from daemon: No such container: 2c4adeb21b4f
Error response from daemon: No such container: etcd --advertise-cl…
Error response from daemon: No such container: 18
Error response from daemon: No such container: months
Error response from daemon: No such container: ago
Error response from daemon: No such container: Up
Error response from daemon: No such container: 18
Error response from daemon: No such container: months
[root@k8s-master .kube]# kubectl get nodes
NAME         STATUS   ROLES    AGE    VERSION
k8s-master   Ready    master   2y1d   v1.15.0
k8s-node1    Ready    node     2y1d   v1.15.0
[root@k8s-master .kube]# date
2021年 08⽉ 08⽇星期⽇00:04:33 CST
[root@k8s-master .kube]#
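Remember to sync the configuration file:
cp /etc/f /root/.kube/config
Delete the cache directory under .kube
Summary
Steps to take when the cluster certificates expire:
1. Back up the cluster configuration file in advance
kubeadm config view > /root/kubeadm.yaml
2. Renew the cluster certificates
kubeadm alpha certs renew all --config=/root/kubeadm.yaml
3. Sync the configuration file and clear the cache under .kube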
cp /etc/f /root/.kube/config
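
To catch the expiry before kubectl starts failing with the x509 error, the check-expiration table shown above can be compared against a threshold from cron or a monitoring agent. The script below is an added example, not part of the original page: the names expiring_certs and sample_table are hypothetical, the sample table is constructed, and the column positions and the residual formats other than "364d" (years, hours, "<invalid>") are assumptions based on the v1.15 layout above.

```shell
#!/bin/sh
# Added example (not from the original page): flag certificates that are
# close to expiry in "kubeadm alpha certs check-expiration" output.

# Constructed sample in the v1.15 layout shown above; values are made up.
sample_table() {
cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
apiserver                  Jan 20, 2021 07:09 UTC   364d            no
apiserver-kubelet-client   Feb 01, 2020 07:09 UTC   12d             no
etcd-server                Jan 19, 2020 07:09 UTC   <invalid>       no
front-proxy-client         Jan 20, 2021 07:09 UTC   364d            no
EOF
}

# expiring_certs DAYS
# Reads the table on stdin and prints "NAME RESIDUAL" for each certificate
# with fewer than DAYS days left. Returns 1 if any were printed, else 0.
expiring_certs() {
    awk -v limit="$1" '
    $1 == "CERTIFICATE" || NF < 7 { next }   # header, blank or short line
    {
        # Assumed layout: NAME Mon DD, YYYY HH:MM TZ RESIDUAL ...
        left = $7
        if (left ~ /^[0-9]+y$/)          days = (left + 0) * 365
        else if (left ~ /^[0-9]+d$/)     days = left + 0
        else if (left ~ /^[0-9]+[hms]$/) days = 0
        else                             days = -1   # "<invalid>" or unknown: treat as expired
        if (days < limit) { print $1, left; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Demo on the constructed sample; on a master node, pipe the real command in:
#   kubeadm alpha certs check-expiration | expiring_certs 30
sample_table | expiring_certs 30 || echo "renew before these expire"
```

A non-zero exit status means at least one certificate is inside the threshold, so the function can gate an alert directly.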