1、修改master主机kube-controller配置，三个master主机都要修改

添加两个参数

vi /etc/kubernetes/manifests/kube-controller-manager.yaml 
- --cluster-signing-duration=87600h0m0s 
- --feature-gates=RotateKubeletServerCertificate=true

- --experimental-cluster-signing-duration=87600h0m0s

2、修改所有主机的kubelet配置

修改master主机kubelet配置，三个master主机都要修改，同理继续修改node节点/etc/sysconfig/kubelet配置文件

vi /etc/sysconfig/kubelet 
KUBELET_EXTRA_ARGS=--fail-swap-on=false --feature-gates=RotateKubeletServerCertificate=true --feature-gates=RotateKubeletClientCertificate=true --rotate-certificates

3、检查旧证书有效期限

openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -text -noout | grep Not 
openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -text -noout | grep Not 

# tls启动引导：https://kubernetes.io/zh/docs/reference/command-line-tools- 
reference/kubelet-tls-bootstrapping/#bootstrap-tokens

4、创建三个ClusterRole

vi approve-node-client-csr.yaml 
# A ClusterRole which instructs the CSR approver to approve a user requesting
# node client credentials.kind: ClusterRole 
apiVersion: rbac.authorization.k8s.io/v1 
kind: ClusterRole 
metadata: 
name: approve-node-client-csr 
rules: 
- apiGroups: ["certificates.k8s.io"] 
resources: ["certificatesigningrequests/nodeclient"] 
verbs: ["create"] 

vi approve-node-client-renewal-csr.yaml
# A ClusterRole which instructs the CSR approver to approve a node renewing its
# own client credentials.kind: ClusterRole 
apiVersion: rbac.authorization.k8s.io/v1 
kind: ClusterRole 
metadata: 
name: approve-node-client-renewal-csr 
rules: 
- apiGroups: ["certificates.k8s.io"] 
resources: ["certificatesigningrequests/selfnodeclient"] 
verbs: ["create"] 

vi approve-node-server-renewal-csr.yaml 
# A ClusterRole which instructs the CSR approver to approve a node requesting a
# serving cert matching its client cert.kind: ClusterRole 
apiVersion: rbac.authorization.k8s.io/v1 
kind: ClusterRole 
metadata: 
name: approve-node-server-renewal-csr 
rules: 
- apiGroups: ["certificates.k8s.io"] 
resources: ["certificatesigningrequests/selfnodeserver"] 
verbs: ["create"]

执行创建集群角色命令

kubectl apply -f approve-node-client-csr.yaml 
kubectl apply -f approve-node-client-renewal-csr.yaml 
kubectl apply -f approve-node-server-renewal-csr.yaml

5、创建ClusterRole完成后，绑定角色权限

自动批准 kubelet 的首次 CSR 请求(用于与 apiserver 通讯的证书)

kubectl create clusterrolebinding node-client-auto-approve-csr --clusterrole=approve-node-client-csr --group=system:bootstrappers

自动批准 kubelet 发起的用于 10250 端口鉴权证书的 CSR 请求(包括后续 renew)

kubectl create clusterrolebinding node-server-auto-renew-crt --clusterrole=approve-node-server-renewal-csr --group=system:nodes

自动批准 kubelet 后续 renew 用于与 apiserver 通讯证书的 CSR 请求

kubectl create clusterrolebinding node-client-auto-renew-crt --clusterrole=approve-node-client-renewal-csr --group=system:nodes 

vi auto-approve-csrs-for-group.yaml 
apiVersion: rbac.authorization.k8s.io/v1 
kind: ClusterRoleBinding 
metadata: 
name: auto-approve-csrs-for-group 
subjects: 
- kind: Group 
name: system:bootstrappers 
apiGroup: rbac.authorization.k8s.io 
roleRef: 
kind: ClusterRole 
name: system:certificates.k8s.io:certificatesigningrequests:nodeclient 
apiGroup: rbac.authorization.k8s.io 
vi auto-approve-renewals-for-nodes.yaml 
apiVersion: rbac.authorization.k8s.io/v1 
kind: ClusterRoleBinding 
metadata:name: auto-approve-renewals-for-nodes 
subjects: 
- kind: Group 
name: system:nodes 
apiGroup: rbac.authorization.k8s.io 
roleRef: 
kind: ClusterRole 
name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 
apiGroup: rbac.authorization.k8s.io 
vi create-csrs-for-bootstrapping.yaml 
apiVersion: rbac.authorization.k8s.io/v1 
kind: ClusterRoleBinding 
metadata: 
name: create-csrs-for-bootstrapping 
subjects: 
- kind: Group 
name: system:bootstrappers 
apiGroup: rbac.authorization.k8s.io 
roleRef: 
kind: ClusterRole 
name: system:node-bootstrapper 
apiGroup: rbac.authorization.k8s.io

执行创建集群角色绑定命令

kubectl apply -f auto-approve-csrs-for-group.yaml 
kubectl apply -f auto-approve-renewals-for-nodes.yaml 
kubectl apply -f create-csrs-for-bootstrapping.yaml

验证创建的集群角色和绑定关系

kubectl get ClusterRole 
kubectl get clusterrolebinding

6、设置kubelet签发证书bootstrap和账号授权

kubectl config --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig set-cluster 
default-cluster --server='https://k8s.yunlearn.org:6443' --certificate- 
authority=/etc/kubernetes/pki/ca.crt 
kubectl config --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig set- 
credentials default-auth --token=9cgr05.vl1g1tae2vshltdu 
kubectl config --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig set-context 
default-context --user=default-auth --cluster=default-cluster 
kubectl config --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig use-context 
default-context

7、登录到k8s集群node节点，添加以下配置文件

vi /etc/kubernetes/bootstrap-kubelet.conf 
apiVersion: v1 
kind: Config 
clusters: 
- cluster: 
certificate-authority: /etc/kubernetes/pki/ca.crt 
server: https://k8s.yunlearn.org:6443 
name: default-cluster 
contexts: 
- context:
cluster: default-cluster 
user: default-auth 
name: default-context 
current-context: default-context 
preferences: {} 
users: 
- name: default-auth 
user: 
token: 9cgr05.vl1g1tae2vshltdu

8、登录到k8s集群node节点，切到目录/var/lib/kubelet/pki

登录192.168.1.13主机
备份旧证书后，删除所有旧证书文件，重启kubelet

cp -rp /var/lib/kubelet/pki /var/lib/kubelet/pki.old 
rm -rf /var/lib/kubelet/pki/* 
systemctl daemon-reload 
systemctl restart kubelet

重启成功后，自动生成证书
检查证书有效期限

openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -text -noout | grep Not 
openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -text -noout | grep Not

9、登录到k8s集群master节点，进入目录/var/lib/kubelet/pki

备份旧证书后，删除所有旧证书文件，重启kubelet

cp -rp /var/lib/kubelet/pki /var/lib/kubelet/pki.old 
rm -rf /var/lib/kubelet/pki/* 
systemctl daemon-reload 
systemctl restart kubelet

重启成功后，自动生成证书
检查证书有效期限

openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -text -noout | grep Not 
openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -text -noout | grep Not