Kubernetes cluster certificate renewal
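Certificates issued by kubeadm are valid for one year by default. Once they expire, the API server becomes unavailable and commands fail with: x509: certificate has expired or is not yet valid.
Option 1: modify kubeadm to adjust the certificate expiry time
Modify the code and adjust the expiry time
Option 2: automatic certificate rotation, which is enabled by default
The walkthrough below uses the second approach and simulates expiry of the cluster certificates.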
Preparation
Cluster version used here: 1.15
Back up the cluster certificates (omitted)
cd /etc/kubernetes
tar czvf kubernetes
Master node:
[root@k8s-master .kube]# hwclock --show
2020年01⽉21⽇星期⼆ 15时16分34秒  -0.856601秒
[root@k8s-master .kube]# kubectl get nodes
NAME        STATUS  ROLES    AGE    VERSION
k8s-master  Ready    master  167d  v1.15.0
k8s-node1    Ready    node    166d  v1.15.0
[root@k8s-master .kube]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
apiserver                  Jan 20, 2021 07:09 UTC   364d            no
apiserver-etcd-client      Jan 20, 2021 07:09 UTC   364d            no
apiserver-kubelet-client   Jan 20, 2021 07:09 UTC   364d            no
etcd-healthcheck-client    Jan 20, 2021 07:09 UTC   364d            no
etcd-peer                  Jan 20, 2021 07:09 UTC   364d            no
etcd-server                Jan 20, 2021 07:09 UTC   364d            no
front-proxy-client         Jan 20, 2021 07:09 UTC   364d            no
[root@k8s-master .kube]#
First generate the cluster configuration file:
kubeadm config view > /root/kubeadm.yaml 
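Back up the cluster configuration file in advance: once the cluster certificates have expired, this command can no longer be run.
Change the system time so that the cluster certificates expire: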
[root@k8s-master .kube]# date -s "2021-08-08"
2021年 08⽉ 08⽇星期⽇00:00:00 CST
[root@k8s-master .kube]# date
2021年 08⽉ 08⽇星期⽇00:00:02 CST
[root@k8s-master .kube]# kubectl get nodes
Unable to connect to the server: x509: certificate has expired or is not yet valid
[root@k8s-master .kube]#
Renew the certificates:
[root@k8s-master ~]# kubeadm alpha certs renew all --config=/root/kubeadm.yaml
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@k8s-master ~]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
apiserver                  Aug 07, 2022 16:02 UTC   364d            no
apiserver-etcd-client      Aug 07, 2022 16:02 UTC   364d            no
apiserver-kubelet-client   Aug 07, 2022 16:02 UTC   364d            no
etcd-healthcheck-client    Aug 07, 2022 16:02 UTC   364d            no
etcd-peer                  Aug 07, 2022 16:02 UTC   364d            no
etcd-server                Aug 07, 2022 16:02 UTC   364d            no
front-proxy-client         Aug 07, 2022 16:02 UTC   364d            no
Restart the three containers on the master node:
[root@k8s-master .kube]# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd'|xargs docker restart
98257170f1fb
k8s_kube-apiserver_kube-apiserver-k8s-master_kube-system_db9cf46161351d3a7f76537093caa0b8_10
82c07f5d9b6f
k8s_etcd_etcd-k8s-master_kube-system_2da345f314df09b06ba8257f5457dbed_6
Error response from daemon: No such container: 201c7a840312
Error response from daemon: No such container: kube-apiserver --ad…
Error response from daemon: No such container: 18
Error response from daemon: No such container: months
Error response from daemon: No such container: ago
Error response from daemon: No such container: Up
Error response from daemon: No such container: 18
Error response from daemon: No such container: months
Error response from daemon: No such container: 2c4adeb21b4f
Error response from daemon: No such container: etcd --advertise-cl…
Error response from daemon: No such container: 18
Error response from daemon: No such container: months
Error response from daemon: No such container: ago
Error response from daemon: No such container: Up
Error response from daemon: No such container: 18
Error response from daemon: No such container: months
[root@k8s-master .kube]# kubectl get nodes
NAME        STATUS  ROLES    AGE    VERSION
k8s-master  Ready    master  2y1d  v1.15.0
k8s-node1    Ready    node    2y1d  v1.15.0
[root@k8s-master .kube]# date
2021年 08⽉ 08⽇星期⽇00:04:33 CST
[root@k8s-master .kube]#
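The "No such container: months / ago / Up" errors in the session above appear because xargs hands every whitespace-separated field of each docker ps row to docker restart. The following is an added example, not part of the original page, that passes only container IDs; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: restart only the control-plane containers by handing
# docker container IDs rather than whole `docker ps` rows.

# Reads "ID NAME" pairs on stdin and prints the ID of every kube-apiserver,
# kube-controller-manager, kube-scheduler and etcd container.
# Anchoring on "^k8s_<component>_" skips the k8s_POD_* pause containers.
select_control_plane_ids() {
    awk '$2 ~ /^k8s_(kube-apiserver|kube-controller-manager|kube-scheduler|etcd)_/ { print $1 }'
}

# Constructed sample rows in the layout of:
#   docker ps --format '{{.ID}} {{.Names}}'
sample_ps() {
    cat <<'EOF'
c0ffee000001 k8s_kube-apiserver_kube-apiserver-k8s-master_kube-system_uid-a_10
c0ffee000002 k8s_POD_kube-apiserver-k8s-master_kube-system_uid-a_3
c0ffee000003 k8s_kube-controller-manager_kube-controller-manager-k8s-master_kube-system_uid-b_7
c0ffee000004 k8s_kube-scheduler_kube-scheduler-k8s-master_kube-system_uid-c_7
c0ffee000005 k8s_etcd_etcd-k8s-master_kube-system_uid-d_6
c0ffee000006 k8s_kube-proxy_kube-proxy-x7k2p_kube-system_uid-e_2
EOF
}

restart_control_plane() {
    ids=$(docker ps --format '{{.ID}} {{.Names}}' | select_control_plane_ids)
    if [ -z "$ids" ]; then
        echo "no control-plane containers found" >&2
        return 1
    fi
    # Unquoted on purpose: each ID becomes one argument to docker restart.
    docker restart $ids
}

# Default is a dry run over the sample; pass --restart on a real master.
case "${1:-}" in
    --restart) restart_control_plane ;;
    *) sample_ps | select_control_plane_ids ;;
esac
```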
Remember to sync the kubeconfig file:
cp /etc/f /root/.kube/config
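Delete the cache directory under .kube
Summary
Steps to take when the cluster certificates have expired:
1. Back up the cluster configuration file in advance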
 kubeadm config view > /root/kubeadm.yaml
2. Renew the cluster certificates
kubeadm alpha certs renew all --config=/root/kubeadm.yaml
3. Sync the kubeconfig file and clear the cache under .kube
cp /etc/f /root/.kube/config
