Renewing expired K8S certificates


1. Checking when the certificates expire

Method 1: check with kubeadm

[root@k8s-master prometheus]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jun 08, 2023 09:30 UTC 352d no
apiserver Jun 08, 2023 09:30 UTC 352d ca no
apiserver-etcd-client Jun 08, 2023 09:30 UTC 352d etcd-ca no
apiserver-kubelet-client Jun 08, 2023 09:30 UTC 352d ca no
controller-manager.conf Jun 08, 2023 09:30 UTC 352d no
etcd-healthcheck-client Jun 08, 2023 09:30 UTC 352d etcd-ca no
etcd-peer Jun 08, 2023 09:30 UTC 352d etcd-ca no
etcd-server Jun 08, 2023 09:30 UTC 352d etcd-ca no
front-proxy-client Jun 08, 2023 09:30 UTC 352d front-proxy-ca no
scheduler.conf Jun 08, 2023 09:30 UTC 352d no

CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jun 05, 2032 09:30 UTC 9y no
etcd-ca Jun 05, 2032 09:30 UTC 9y no
front-proxy-ca Jun 05, 2032 09:30 UTC 9y no

Method 2: check with openssl

[root@k8s-master prometheus]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '
Not Before: Jun 8 09:30:53 2022 GMT
Not After : Jun 8 09:30:54 2023 GMT
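The script below is an added example and not part of the original post. It automates Method 2 over a whole kubeadm PKI directory (the etcd/ subdirectory included) and flags every certificate that will expire within a given number of days, using `openssl x509 -checkend`. The two certificates it generates under a temporary directory are constructed for the demonstration only; on a control plane node you would point `check_pki_dir` at /etc/kubernetes/pki instead.

```shell
#!/bin/sh
# Added example, not from the original post: scan a kubeadm-style PKI
# directory and flag every certificate that expires within N days.
# `openssl x509 -checkend SECONDS` exits 0 if the certificate is still
# valid SECONDS from now and 1 if it will have expired by then.

# check_cert_expiry CERT DAYS -> 0 if CERT stays valid for at least DAYS days, else 1
check_cert_expiry() {
    cert=$1
    days=$2
    enddate=$(openssl x509 -noout -enddate -in "$cert" | sed 's/^notAfter=//')
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null; then
        printf 'OK       %-45s expires %s\n' "$cert" "$enddate"
        return 0
    fi
    printf 'EXPIRING %-45s expires %s (within %s days)\n' "$cert" "$enddate" "$days"
    return 1
}

# check_pki_dir DIR DAYS -> 0 if every *.crt below DIR (etcd/ included) passes, else 1
# (paths are split on whitespace; kubeadm's pki paths contain none)
check_pki_dir() {
    failed=0
    for crt in $(find "$1" -name '*.crt' | sort); do
        check_cert_expiry "$crt" "$2" || failed=1
    done
    return $failed
}

# make_demo_cert OUT DAYS: constructed self-signed certificate for the demo only
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=constructed-demo" \
        -keyout "${1%.crt}.key" -out "$1" 2>/dev/null
}

# --- demo on constructed input; on a control plane node run: check_pki_dir /etc/kubernetes/pki 90 ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/etcd"
make_demo_cert "$demo_dir/apiserver.crt" 30      # expires in a month: must be flagged
make_demo_cert "$demo_dir/etcd/server.crt" 400   # still valid for over a year
check_pki_dir "$demo_dir" 90 || echo "renew the flagged certificates before they expire (kubeadm certs renew ...)"
```

A threshold of 90 days leaves enough time to plan the renewal and the control-plane restart that follows it; the function's exit status makes it usable directly from a cron job or monitoring check.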


2. Automatic certificate renewal

Kubernetes renews the certificates on its own when the control-plane components are upgraded, so as long as the cluster is guaranteed to be upgraded regularly (within a year), the certificates are renewed automatically.

3. Manual certificate renewal

3.1 Back up the certificates

cp -rp /etc/kubernetes/ /etc/kubernetes.bak

3.2 Delete the old certificate

rm -rf /etc/kubernetes/pki/apiserver.key

3.3 Regenerate the certificates

### Renew the certificates of all components
[root@k8s-master prometheus]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

## Renew the certificate of a single component (apiserver)
kubeadm certs renew apiserver

3.4 Regenerate the kubeconfig files

# 1. Back up the existing kubeconfig files
[root@k8s-master prometheus]# mkdir /tmp/k8s
[root@k8s-master prometheus]# mv /etc/kubernetes/*.conf /tmp/k8s/
# 2. Generate all the kubeconfig files anew
[root@k8s-master prometheus]# kubeadm init phase kubeconfig all
I0621 17:29:03.472908 27817 version.go:254] remote version is much newer: v1.24.2; falling back to: stable-1.21
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file


### Generate a single kubeconfig file
# Regenerate the admin kubeconfig file
kubeadm init phase kubeconfig admin
# Regenerate the kubelet kubeconfig file
kubeadm init phase kubeconfig kubelet

3.5 Restart kubelet and update the configuration

Once the certificates and kubeconfig files have been renewed, a few follow-up steps are needed for the change to take effect, mainly restarting kubelet and updating the admin kubeconfig.


# Restart kubelet
systemctl restart kubelet

## Update the admin kubeconfig
cp /etc/kubernetes/admin.conf ~/.kube/config
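The following script is an added example, not part of the original post, for verifying that the procedure in 3.1 to 3.5 actually took effect. It decodes the client certificate embedded in a kubeconfig file (admin.conf and the other *.conf files regenerated in 3.4) and checks its remaining validity, and it compares the certificate the API server presents on its TLS port with /etc/kubernetes/pki/apiserver.crt on disk, because kubeadm's own message in 3.3 says the kube-apiserver, kube-controller-manager, kube-scheduler and etcd must be restarted before they use the new certificates. The kubeconfig checked in the demo is constructed; the host 127.0.0.1 and port 6443 used for the live check are assumptions (the kubeadm defaults).

```shell
#!/bin/sh
# Added example, not from the original post: verify that the renewal took
# effect. Part 1 decodes the client certificate embedded in a kubeconfig
# (admin.conf, controller-manager.conf, ...) and checks its remaining
# validity. Part 2 compares the certificate the API server actually serves
# with apiserver.crt on disk: kubeadm rewrites the files, but per its own
# output the running processes only use them after a restart.

# kubeconfig_client_cert FILE: print the PEM of the first client-certificate-data entry
kubeconfig_client_cert() {
    grep -m1 'client-certificate-data:' "$1" | awk '{print $2}' | base64 -d 2>/dev/null
}

# kubeconfig_cert_ok FILE DAYS -> 0 if the embedded client cert stays valid for DAYS days
kubeconfig_cert_ok() {
    pem=$(kubeconfig_client_cert "$1")
    if [ -z "$pem" ]; then
        echo "no embedded client certificate in $1"
        return 1
    fi
    subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
    enddate=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | sed 's/^notAfter=//')
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend $(($2 * 86400)) >/dev/null; then
        printf 'OK       %s: %s, expires %s\n' "$1" "$subject" "$enddate"
        return 0
    fi
    printf 'EXPIRING %s: %s, expires %s\n' "$1" "$subject" "$enddate"
    return 1
}

# cert_fingerprint_file CERT: SHA-256 fingerprint of a PEM certificate on disk
cert_fingerprint_file() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# cert_fingerprint_served HOST PORT: SHA-256 fingerprint of the leaf certificate a TLS server presents
cert_fingerprint_served() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# apiserver_uses_disk_cert HOST PORT CERT -> 0 if the served and on-disk certificates match
apiserver_uses_disk_cert() {
    on_disk=$(cert_fingerprint_file "$3")
    served=$(cert_fingerprint_served "$1" "$2")
    if [ -n "$served" ] && [ "$on_disk" = "$served" ]; then
        echo "API server at $1:$2 serves the certificate from $3 ($served)"
        return 0
    fi
    echo "MISMATCH at $1:$2: on disk $on_disk, served ${served:-<no certificate received>}"
    echo "restart kube-apiserver (and the other control-plane static pods) so they load the renewed files"
    return 1
}

# --- constructed demo kubeconfig (not a real cluster's admin.conf) ---
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=kubernetes-admin/O=system:masters" \
    -keyout "$demo/admin.key" -out "$demo/admin.crt" 2>/dev/null
cat > "$demo/admin.conf" <<EOF
apiVersion: v1
kind: Config
users:
- name: kubernetes-admin
  user:
    client-certificate-data: $(base64 "$demo/admin.crt" | tr -d '\n')
    client-key-data: $(base64 "$demo/admin.key" | tr -d '\n')
EOF
kubeconfig_cert_ok "$demo/admin.conf" 90

# On a control plane node after the procedure above (host and port assumed to be the kubeadm defaults):
#   for f in /etc/kubernetes/*.conf; do kubeconfig_cert_ok "$f" 90; done
#   apiserver_uses_disk_cert 127.0.0.1 6443 /etc/kubernetes/pki/apiserver.crt
```

Comparing fingerprints rather than expiry dates catches the case where the files on disk are fresh but the static pods were never restarted: the served fingerprint then still belongs to the old certificate, and clients using the regenerated kubeconfigs keep talking to an API server that will stop working on the old expiry date.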

