Fixing expired Kubernetes (k8s) certificates

  1. Discover that the certificates have expired
# kubectl get node
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2022-08-29T09:45:20+08:00 is after 2022-08-27T01:18:19Z
  2. Check the validity period of each certificate
# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 27, 2022 01:18 UTC   <invalid>                               no      
apiserver                  Aug 27, 2022 01:18 UTC   <invalid>       ca                      no      
apiserver-etcd-client      Aug 27, 2022 01:18 UTC   <invalid>       etcd-ca                 no      
apiserver-kubelet-client   Aug 27, 2022 01:18 UTC   <invalid>       ca                      no      
controller-manager.conf    Aug 27, 2022 01:18 UTC   <invalid>                               no      
etcd-healthcheck-client    Aug 27, 2022 01:18 UTC   <invalid>       etcd-ca                 no      
etcd-peer                  Aug 27, 2022 01:18 UTC   <invalid>       etcd-ca                 no      
etcd-server                Aug 27, 2022 01:18 UTC   <invalid>       etcd-ca                 no      
front-proxy-client         Aug 27, 2022 01:18 UTC   <invalid>       front-proxy-ca          no      
scheduler.conf             Aug 27, 2022 01:18 UTC   <invalid>                               no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 25, 2031 01:18 UTC   8y              no      
etcd-ca                 Aug 25, 2031 01:18 UTC   8y              no      
front-proxy-ca          Aug 25, 2031 01:18 UTC   8y              no      
  3. Back up the PKI directory
# cp -r /etc/kubernetes/pki /etc/kubernetes/pki.bak
  4. Renew the certificates
# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
  5. Fix the "Unauthorized" error. The root cause is that $HOME/.kube/config still embeds the old (expired) client certificate, which renewal does not touch, so copy the renewed admin.conf over it.
# kubectl get pod
error: You must be logged in to the server (Unauthorized)

#  cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
cp:是否覆盖"/root/.kube/config"? yes
# kubectl get node
NAME               STATUS   ROLES                  AGE    VERSION
vm-zdqmx-4c16g-3   Ready    control-plane,master   367d   v1.21.2
vm-zdqmx-4c16g-4   Ready    <none>                 367d   v1.21.2
vm-zdqmx-8c16g     Ready    <none>                 367d   v1.21.2
  6. Check the certificate status again
# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 29, 2023 01:48 UTC   364d                                    no      
apiserver                  Aug 29, 2023 01:48 UTC   364d            ca                      no      
apiserver-etcd-client      Aug 29, 2023 01:48 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Aug 29, 2023 01:48 UTC   364d            ca                      no      
controller-manager.conf    Aug 29, 2023 01:48 UTC   364d                                    no      
etcd-healthcheck-client    Aug 29, 2023 01:48 UTC   364d            etcd-ca                 no      
etcd-peer                  Aug 29, 2023 01:48 UTC   364d            etcd-ca                 no      
etcd-server                Aug 29, 2023 01:48 UTC   364d            etcd-ca                 no      
front-proxy-client         Aug 29, 2023 01:48 UTC   364d            front-proxy-ca          no      
scheduler.conf             Aug 29, 2023 01:48 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 25, 2031 01:18 UTC   8y              no      
etcd-ca                 Aug 25, 2031 01:18 UTC   8y              no      
front-proxy-ca          Aug 25, 2031 01:18 UTC   8y              no      
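The procedure above relies on `kubeadm certs check-expiration`, which needs a working API connection; the following script is an added example (not from the original post) that inspects the same certificates with openssl directly, including the client certificate embedded in the kubeconfig, so it also works while `kubectl` is already failing with the x509 error from step 1. It assumes the default kubeadm paths, GNU coreutils (`base64 -d`) and a PEM client certificate embedded in the kubeconfig; `PKI_DIR`, `KUBECONFIG_FILE` and `WARN_DAYS` are names chosen here.

```shell
#!/bin/sh
# Added example: report kubeadm certificates that are expired or expire soon.
# Works on the PKI files directly, so it does not need a reachable API server.
# Assumes GNU coreutils (base64 -d); variable names below are this script's own.

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"            # default kubeadm PKI location
KUBECONFIG_FILE="${KUBECONFIG_FILE:-$HOME/.kube/config}"
WARN_DAYS="${WARN_DAYS:-30}"                         # flag certs expiring within this window

# cert_status DAYS  (PEM certificate on stdin) -> prints UNREADABLE, EXPIRED, EXPIRING or OK
cert_status() {
    pem=$(cat)
    if ! printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1; then
        echo UNREADABLE
    elif ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! printf '%s\n' "$pem" | openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# kubeconfig_cert FILE -> writes the first embedded client certificate (PEM) to stdout
kubeconfig_cert() {
    grep -m1 'client-certificate-data:' "$1" | awk '{print $2}' | base64 -d
}

# report PKI_DIR KUBECONFIG DAYS -> one line per certificate; returns 1 if any is not OK
report() {
    rc=0
    for f in "$1"/*.crt "$1"/etcd/*.crt; do
        [ -f "$f" ] || continue
        s=$(cert_status "$3" < "$f")
        end=$(openssl x509 -noout -enddate -in "$f" | cut -d= -f2)
        printf '%-10s %-40s %s\n' "$s" "${f#"$1"/}" "$end"
        [ "$s" = OK ] || rc=1
    done
    # The kubeconfig carries its own copy of the client cert; "kubeadm certs renew"
    # does not rewrite $HOME/.kube/config, hence the "Unauthorized" error in step 5.
    if [ -f "$2" ] && grep -q 'client-certificate-data:' "$2"; then
        s=$(kubeconfig_cert "$2" | cert_status "$3")
        printf '%-10s %-40s (embedded client certificate)\n' "$s" "$2"
        [ "$s" = OK ] || rc=1
    fi
    return $rc
}

main() {
    printf '%-10s %-40s %s\n' STATUS CERTIFICATE "NOT AFTER"
    report "$PKI_DIR" "$KUBECONFIG_FILE" "$WARN_DAYS"
}

main "$@"
```

The exit status is non-zero whenever any certificate is expired, expiring within `WARN_DAYS`, or unreadable, so the script can be dropped into a cron job or monitoring check to catch the situation in step 1 before it happens.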

  7. Reference: https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/
