Cluster certificate renewal notes
https://help.aliyun.com/document_detail/122584.html
Version used
[root@k8s-master pki]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.11", GitCommit:"d94a81c724ea8e1ccc9002d89b7fe81d58f89ede", GitTreeState:"clean", BuildDate:"2020-03-12T21:06:11Z", GoVersion:"go1.12.17", Compiler:"gc", Platform:"linux/amd64"}
[root@k8s-master pki]#
Check the certificate expiry dates
[root@k8s-master pki]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Jul 27, 2022 10:24 UTC   131d            no
apiserver                  Jul 27, 2022 10:24 UTC   131d            no
apiserver-etcd-client      Jul 27, 2022 10:24 UTC   131d            no
apiserver-kubelet-client   Jul 27, 2022 10:24 UTC   131d            no
controller-manager.conf    Jul 27, 2022 10:24 UTC   131d            no
etcd-healthcheck-client    Jul 27, 2022 10:24 UTC   131d            no
etcd-peer                  Jul 27, 2022 10:24 UTC   131d            no
etcd-server                Jul 27, 2022 10:24 UTC   131d            no
front-proxy-client         Jul 27, 2022 10:24 UTC   131d            no
scheduler.conf             Jul 27, 2022 10:24 UTC   131d            no
Operations on each master
Renewal steps
1. Back up the existing certificates
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.20220318
cp -r /etc/kubernetes /etc/kubernetes.back20220630
2. Generate the cluster configuration YAML file
kubeadm config view > /root/kubeadm_0708.yaml
3. Renew the certificates
[root@k8s-master pki]# kubeadm alpha certs renew all --config=/root/kubeadm_0708.yaml
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@k8s-master pki]#
4. Check the certificate expiry dates again
[root@k8s-master pki]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Mar 18, 2023 10:08 UTC   364d            no
apiserver                  Mar 18, 2023 10:08 UTC   364d            no
apiserver-etcd-client      Mar 18, 2023 10:08 UTC   364d            no
apiserver-kubelet-client   Mar 18, 2023 10:08 UTC   364d            no
controller-manager.conf    Mar 18, 2023 10:08 UTC   364d            no
etcd-healthcheck-client    Mar 18, 2023 10:08 UTC   364d            no
etcd-peer                  Mar 18, 2023 10:08 UTC   364d            no
etcd-server                Mar 18, 2023 10:08 UTC   364d            no
front-proxy-client         Mar 18, 2023 10:08 UTC   364d            no
scheduler.conf             Mar 18, 2023 10:08 UTC   364d            no
5. On all three masters, restart the four containers kube-apiserver, kube-controller-manager, kube-scheduler and etcd so that the renewed certificates take effect
[root@k8s-master pki]# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart
63946d594a6a
006ff0dea49f
af8568a9831c
b82de88427bf
[root@k8s-master pki]#
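Added example, not part of these notes or of kubeadm: a small shell helper that turns the check-expiration table printed before and after the renewal into a threshold check, so the same command can be run from cron or a monitoring job on each master and alert well before the RESIDUAL TIME column gets as low as the 131d seen above. It assumes the kubeadm 1.15 column layout shown in these notes (CERTIFICATE, EXPIRES, RESIDUAL TIME, EXTERNALLY MANAGED) and finds the residual-time column by its shape (131d, 23h, 2y, <invalid>) rather than by a fixed position, so it also tolerates the extra CERTIFICATE AUTHORITY column that later kubeadm releases print. The sample table inside the block is constructed, not real cluster output, and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: threshold check over the output of
# `kubeadm alpha certs check-expiration` (kubeadm 1.15 layout as shown in the notes).

# expiring_certs THRESHOLD_DAYS  < check-expiration output
# Prints "<name> <residual>" for every certificate with fewer than THRESHOLD_DAYS
# days left. Exit status 1 if any were printed, 0 otherwise (usable from cron).
expiring_certs() {
  awk -v threshold="$1" '
    /^CERTIFICATE/ || /^[[:space:]]*$/ { next }   # header and blank lines
    {
      days = -1
      # The residual-time column is the only field shaped like 131d, 23h, 2y
      # or <invalid>; scanning for it instead of using a fixed column index
      # also copes with the CERTIFICATE AUTHORITY column of newer kubeadm.
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^[0-9]+y$/)       { days = substr($i, 1, length($i) - 1) * 365; break }
        if ($i ~ /^[0-9]+d$/)       { days = substr($i, 1, length($i) - 1) + 0;   break }
        if ($i ~ /^[0-9]+[hms]$/)   { days = 0; break }   # less than one day left
        if ($i == "<invalid>")      { days = 0; break }   # already expired
      }
      if (days < 0) next                                  # unrecognised line, skip it
      if (days < threshold) { print $1, $i; found = 1 }
    }
    END { if (found) exit 1; exit 0 }'
}

# Constructed sample in the shape of the pre-renewal table in the notes
# (the 23h and <invalid> rows are made up to exercise the edge cases).
sample_output() {
  cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Jul 27, 2022 10:24 UTC   131d            no
apiserver                  Jul 27, 2022 10:24 UTC   131d            no
etcd-server                Jul 27, 2022 10:24 UTC   131d            no
front-proxy-client         Mar 19, 2022 10:24 UTC   23h             no
scheduler.conf             Mar 01, 2022 10:24 UTC   <invalid>       no
EOF
}

# Real use on a master:  kubeadm alpha certs check-expiration | expiring_certs 30
# Demo on the constructed sample:
if sample_output | expiring_certs 30; then
  echo "no certificate expires within 30 days"
else
  echo "renew now (see the rows printed above)"
fi
```

On a kubeadm 1.15 master the real call is `kubeadm alpha certs check-expiration | expiring_certs 30`; from kubeadm 1.20 onwards the subcommand is `kubeadm certs check-expiration`. Note that check-expiration reads the files under /etc/kubernetes, so running it again after step 4 only confirms what is on disk; the container restart in step 5 is still what makes the running kube-apiserver, kube-controller-manager, kube-scheduler and etcd pick up the renewed files.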
Operations on each node
Worker nodes may not need any action at all... need to look into this further
1. Back up the existing pki directory
[root@k8s-node1 pki]# cp -r /etc/kubernetes/pki /etc/kubernetes/pki.20220318

2. Check the certificate validity on the current node
References
Certificate management with kubeadm: https://kubernetes.io/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/
k8s (Kubernetes) certificate renewal: https://blog.csdn.net/qq_40954652/article/details/123226272
48 - k8s - highly available cluster - building the cluster PKI: https://www.jianshu.com/p/7ddca1939b80
kubeadm cluster installation series - 4. Certificate renewal: https://www.cnblogs.com/dolphintwo/p/11388644.html
Renewing the certificates of a K8S cluster installed with kubeadm 1.17: https://www.cnblogs.com/shiji888/p/12620305.html
Kubernetes kubeadm certificate expiry, renewing the certificates: https://blog.csdn.net/wo18237095579/article/details/119956018
Renewing expired Kubernetes certificates: https://my.oschina.net/hgfdoing/blog/3163487
Appendix 025. Renewing certificates on a kubeadm-deployed Kubernetes cluster: https://www.cnblogs.com/itzgr/p/13370185.html
Certificate rotation: https://feisky.gitbooks.io/kubernetes/content/practice/certificate-rotation.html
