Version information
kubesphere 3.3.0
k8s v1.22.10
Certificate renewal procedure
(1) Check the certificate expiry dates
kubeadm certs check-expiration
The output looks like this:
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1012 10:12:15.800666 26665 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.x.0.10]; the provided value is: [169.x.x.10]
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 13, 2023 04:45 UTC   1d              ca                      no
apiserver                  Oct 13, 2023 04:45 UTC   1d              ca                      no
apiserver-kubelet-client   Oct 13, 2023 04:45 UTC   1d              ca                      no
controller-manager.conf    Oct 13, 2023 04:45 UTC   1d              ca                      no
front-proxy-client         Oct 13, 2023 04:45 UTC   1d              front-proxy-ca          no
scheduler.conf             Oct 13, 2023 04:45 UTC   1d              ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 10, 2032 04:44 UTC   9y              no
front-proxy-ca          Oct 10, 2032 04:44 UTC   9y              no
(2) Back up the critical data
Run on every master node, one node at a time.
## Create the backup directory
mkdir /root/tools
## Back up the existing certificates and kubeconfigs
cp -rp /etc/kubernetes /root/tools/kubernetes.bak
## Back up the etcd data directory
cp -r /var/lib/etcd /root/tools/etcd.bak
(3) Renew the certificates
Run on every master node, one node at a time.
kubeadm certs renew all
The output looks like this:
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1012 10:12:57.537896 2427 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.x.0.10]; the provided value is: [169.x.x.10]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
Run kubeadm certs check-expiration again to confirm the new expiry dates. Note what this command does not cover: the two CAs (valid until 2032 in the output above) are not renewed, and because no etcd-* or apiserver-etcd-client entries appear in the table, etcd on this cluster runs outside kubeadm's control (as a systemd service, see step 4) and its certificates have to be tracked and renewed separately.
(4) Restart the affected services
Run on every master node, one node at a time: kube-apiserver, kube-controller-manager, kube-scheduler and etcd. The control-plane components run as static pods and only load the renewed files after a restart.
## Restart kube-apiserver, kube-controller-manager and kube-scheduler
docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler' | awk -F ' ' '{print $1}' |xargs docker restart
## Check that the containers are back up
docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler'
## Restart etcd
systemctl restart etcd
## Check the etcd service status
systemctl status etcd
(5) Verify that the cluster works
Run on every master node, one node at a time.
kubectl get node
If kubectl now fails with an "x509: certificate has expired" error, the cause is that ~/.kube/config is a copy of admin.conf made at install time and is not touched by kubeadm certs renew; replace it with the renewed /etc/kubernetes/admin.conf and retry.
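The five steps above, pulled together into one script, as an added example that is not part of the original post or of kubeadm/KubeSphere. The first part parses the `kubeadm certs check-expiration` output format shown in step (1) and flags anything close to expiry, so the check can run from cron instead of by eye (the sample output embedded in the script is constructed, modelled on the post's). The second part wraps steps (2) to (5) for one master node and adds the two checks the post leaves implicit: refreshing ~/.kube/config from the renewed admin.conf, and reading the served certificate's notAfter with openssl instead of trusting kubeadm's own report. Assumed, not stated on the page: Docker as the container runtime, etcd as a systemd unit, backups under /root/tools, a 30-day warning threshold, and the RUN_RENEWAL guard variable.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from kubeadm/KubeSphere.
# Assumptions (not on the page): Docker runtime, etcd as a systemd unit,
# backups under /root/tools, 30-day threshold, kubeconfig at ~/.kube/config.
set -eu

THRESHOLD_DAYS="${THRESHOLD_DAYS:-30}"
BACKUP_ROOT="${BACKUP_ROOT:-/root/tools}"

# kubeadm's RESIDUAL TIME column is a short human duration: 59s, 12m, 23h,
# 1d, 364d, 9y, or "<invalid>" once the certificate has already expired.
# Returns whole days; anything under a day is 0, expired/unknown is -1.
residual_to_days() {
  case "$1" in
    *y) echo $(( ${1%y} * 365 )) ;;
    *d) echo "${1%d}" ;;
    *h|*m|*s) echo 0 ;;
    *) printf '%s\n' -1 ;;
  esac
}

# Reads check-expiration output on stdin and prints "NAME DAYS" for every
# leaf certificate or CA with fewer than $1 days left. Both table headers
# (they start with CERTIFICATE), kubeadm's "[...]" log lines and klog
# warnings (W1012 ...) are skipped. EXPIRES is five tokens
# ("Oct 13, 2023 04:45 UTC"), so the residual is the seventh field.
expiring_certs() {
  threshold="$1"
  while read -r name _mon _day _year _time _tz residual _rest; do
    case "$name" in ""|"["*|W[0-9]*|CERTIFICATE) continue ;; esac
    days=$(residual_to_days "$residual")
    if [ "$days" -lt "$threshold" ]; then
      printf '%s %s\n' "$name" "$days"
    fi
  done
}

# Constructed sample, modelled on the output shown in step (1) of the post.
SAMPLE_OUTPUT='[check-expiration] Reading configuration from the cluster...
W1012 10:12:15.800666 26665 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.x.0.10]; the provided value is: [169.x.x.10]
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 13, 2023 04:45 UTC   1d              ca                      no
apiserver                  Oct 13, 2023 04:45 UTC   1d              ca                      no
apiserver-kubelet-client   Oct 13, 2023 04:45 UTC   1d              ca                      no
controller-manager.conf    Oct 13, 2023 04:45 UTC   1d              ca                      no
front-proxy-client         Oct 13, 2023 04:45 UTC   1d              front-proxy-ca          no
scheduler.conf             Oct 13, 2023 04:45 UTC   1d              ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 10, 2032 04:44 UTC   9y              no
front-proxy-ca          Oct 10, 2032 04:44 UTC   9y              no'

# Number of sample certificates below the threshold: the six leaf
# certificates (1d left); the two CAs (9y) are not reported.
sample_expiring_count() {
  printf '%s\n' "$SAMPLE_OUTPUT" | expiring_certs "$THRESHOLD_DAYS" | awk 'END { print NR }'
}

# Steps (2)-(5) of the post for one master node. Guarded by RUN_RENEWAL so
# the file can be sourced for its parsing functions without touching the node.
renew_master_certs() {
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$BACKUP_ROOT"
  cp -rp /etc/kubernetes "$BACKUP_ROOT/kubernetes.$stamp.bak"
  cp -rp /var/lib/etcd "$BACKUP_ROOT/etcd.$stamp.bak"

  kubeadm certs renew all

  # Static-pod control-plane components only load the new files on restart.
  docker ps --format '{{.ID}} {{.Names}}' \
    | awk '/k8s_kube-(apiserver|controller-manager|scheduler)/ { print $1 }' \
    | xargs -r docker restart
  systemctl restart etcd

  # ~/.kube/config is a copy of admin.conf that kubeadm does not update.
  cp /etc/kubernetes/admin.conf "$HOME/.kube/config"

  # notAfter of the certificate the API server actually presents now.
  openssl s_client -connect 127.0.0.1:6443 </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate

  remaining=$(kubeadm certs check-expiration | expiring_certs "$THRESHOLD_DAYS")
  if [ -n "$remaining" ]; then
    printf 'WARNING: still below %sd after renewal:\n%s\n' "$THRESHOLD_DAYS" "$remaining"
    return 1
  fi
  kubectl get nodes
}

if [ "${RUN_RENEWAL:-0}" = "1" ]; then
  renew_master_certs
fi
```

Run it as `RUN_RENEWAL=1 ./renew-certs.sh` on each master in turn; without the variable it only defines the functions, so `kubeadm certs check-expiration | expiring_certs 30` can be used on its own as a scheduled pre-check. Anything the script prints from that pipe is a certificate kubeadm will not warn you about until it is too late.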
References
- KubeSphere certificate renewal