Cloud Computing Operations

Windows Server 2003 - Windows Server 2019 system tools, Linux system scripts, and the setup and maintenance of services such as MySQL, Nginx, PHP, Redis, K8S, Seafile, WebLogic, Jenkins, DNS, DHCP, FTP, IIS, ZooKeeper, RabbitMQ, Oracle, Tomcat and Maven. Please follow me.

How to renew k8s certificates automatically after they expire


Running kubectl commands against the k8s cluster no longer reaches the cluster; the error is roughly: "certificate has expired or is not yet valid". Note: unless stated otherwise, the operations below are performed on the k8s control-plane node.

Check the certificate expiry times

[root@ ~]# kubeadm certs check-expiration

The output is as follows:

[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 04, 2024 13:49 UTC   363d            ca                      no    
apiserver                  Jan 04, 2024 13:48 UTC   363d            ca                      no      
apiserver-etcd-client      Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no      
apiserver-kubelet-client   Jan 04, 2024 13:48 UTC   363d            ca                      no      
controller-manager.conf    Jan 04, 2024 13:49 UTC   363d            ca                      no      
etcd-healthcheck-client    Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no      
etcd-peer                  Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no  
etcd-server                Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no  
front-proxy-client         Jan 04, 2024 13:49 UTC   363d            front-proxy-ca          no      
scheduler.conf             Jan 04, 2024 13:49 UTC   363d            ca                      no   
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 01, 2033 13:48 UTC   9y              no      
etcd-ca                 Jan 01, 2033 13:49 UTC   9y              no      
front-proxy-ca          Jan 01, 2033 13:49 UTC   9y              no

Renew all certificates

Use the kubeadm certs renew all command:

[root@xianchaomaster1~]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

Check whether the certificates were renewed

Use kubeadm certs check-expiration again to see whether the expiry times have been updated:

[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 06, 2024 14:16 UTC   364d            ca                      no      
apiserver                  Jan 06, 2024 14:16 UTC   364d            ca                      no      
apiserver-etcd-client      Jan 06, 2024 14:16 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Jan 06, 2024 14:16 UTC   364d            ca                      no      
controller-manager.conf    Jan 06, 2024 14:16 UTC   364d            ca                      no      
etcd-healthcheck-client    Jan 06, 2024 14:16 UTC   364d            etcd-ca                 no      
etcd-peer                  Jan 06, 2024 14:16 UTC   364d            etcd-ca                 no      
etcd-server                Jan 06, 2024 14:16 UTC   364d            etcd-ca                 no      
front-proxy-client         Jan 06, 2024 14:16 UTC   364d            front-proxy-ca          no      
scheduler.conf             Jan 06, 2024 14:16 UTC   364d            ca                      no      


CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 01, 2033 13:48 UTC   9y              no      
etcd-ca                 Jan 01, 2033 13:49 UTC   9y              no      
front-proxy-ca          Jan 01, 2033 13:49 UTC   9y              no

You can see that the CA certificates have 9 years left (they start at 10 years), which shows that this k8s cluster was deployed 1 year ago; the service certificates have 364 days left, which shows they have just been renewed.
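The title asks for automatic renewal, while the steps above are run by hand. As an added example (not from the original post), the script below parses the check-expiration table shown above, lists the leaf certificates with N days or fewer left, and only then runs kubeadm certs renew all and performs the control-plane restart that kubeadm's output asks for; it is meant for a cron job on the control-plane node. The sample table is constructed, and the /etc/kubernetes paths are the kubeadm defaults.

```shell
# Added example (not from the original post): drive `kubeadm certs renew all` from cron
# by parsing the check-expiration table instead of waiting for the "certificate has
# expired or is not yet valid" error. Paths are the kubeadm defaults.
set -eu
# Constructed sample of the check-expiration table (layout as above); `<invalid>`
# is what kubeadm prints in RESIDUAL TIME for an already-expired certificate.
SAMPLE_OUTPUT='[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 04, 2024 13:49 UTC   363d            ca                      no
apiserver                  Feb 10, 2023 09:00 UTC   20d             ca                      no
etcd-server                Jan 25, 2023 09:00 UTC   5d              etcd-ca                 no
front-proxy-client         Jan 20, 2023 09:00 UTC   <invalid>       front-proxy-ca          no
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 01, 2033 13:48 UTC   9y              no'

# RESIDUAL TIME (363d, 9y, 5h, 30m, <invalid>) to whole days; under a day or expired = 0.
residual_days() {
  case "$1" in
    *y) echo $(( ${1%y} * 365 )) ;;
    *d) echo "${1%d}" ;;
    *)  echo 0 ;;
  esac
}

# Print leaf certificates with $1 days or fewer left, reading the table on stdin. Leaf
# rows have 9 fields (EXPIRES is 5 tokens); the 8-field CA rows are skipped, since
# `kubeadm certs renew` never renews CAs.
certs_to_renew() {
  while read -r name _ _ _ _ _ residual _ managed; do
    case "$name" in ''|'['*|CERTIFICATE) continue ;; esac
    [ -n "$managed" ] || continue
    [ "$(residual_days "$residual")" -le "$1" ] && echo "$name"
  done
  return 0
}

# Renew when anything is due, then restart the control-plane static pods (the restart
# kubeadm asks for above) by moving their manifests out and back so kubelet re-creates
# them; kubectl also needs a copy of the renewed admin.conf.
renew_if_needed() {
  due=$(kubeadm certs check-expiration | certs_to_renew "$1")
  [ -n "$due" ] || { echo "no certificate within $1 days of expiry"; return 0; }
  echo "renewing; due: $(echo "$due" | tr '\n' ' ')"
  kubeadm certs renew all
  cp /etc/kubernetes/admin.conf "$HOME/.kube/config"
  mkdir -p /tmp/k8s-manifests && mv /etc/kubernetes/manifests/*.yaml /tmp/k8s-manifests/
  sleep 20 && mv /tmp/k8s-manifests/*.yaml /etc/kubernetes/manifests/
}
# Offline demo on the constructed table; pass --run on a control-plane node for real.
printf '%s\n' "$SAMPLE_OUTPUT" | certs_to_renew 30
if [ "${1:-}" = --run ]; then renew_if_needed 30; fi
```

Without --run the script only prints the names due from the constructed table (apiserver, etcd-server, front-proxy-client), so it can be tried anywhere before being scheduled.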
