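7. Kubernetes certificate renewal
Current situation
Client certificates generated by kubeadm expire after 1 year; once they have expired, they must be renewed.
Check certificate expiration times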
kubeadm certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Mar 15, 2022 09:54 UTC 364d no
apiserver Mar 15, 2022 09:54 UTC 364d no
apiserver-etcd-client Mar 15, 2022 09:54 UTC 364d no
apiserver-kubelet-client Mar 15, 2022 09:54 UTC 364d no
controller-manager.conf Mar 15, 2022 09:54 UTC 364d no
etcd-healthcheck-client Mar 15, 2022 09:54 UTC 364d no
etcd-peer Mar 15, 2022 09:54 UTC 364d no
etcd-server Mar 15, 2022 09:54 UTC 364d no
front-proxy-client Mar 15, 2022 09:54 UTC 364d no
scheduler.conf Mar 15, 2022 09:54 UTC 364d no
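Added example, not part of the original notes: a shell function that reads the check-expiration output shown above and lists every certificate whose RESIDUAL TIME is below a given number of days, so the check can be scheduled ahead of the 1-year expiry. The function names and sample rows are constructed for illustration, and the handled duration forms (y, d, shorter units, <invalid>) are an assumption about kubeadm's short duration format.

```shell
#!/bin/sh
# expiring_certs DAYS
# Reads `kubeadm certs check-expiration` output on stdin and prints the name
# of each certificate whose RESIDUAL TIME is less than DAYS days.
# On a control-plane node: kubeadm certs check-expiration | expiring_certs 30
expiring_certs() {
    awk -v limit="$1" '
    # Convert a short duration (364d, 9y, 5h, 30m, <invalid>) to whole days.
    function to_days(v,    n, unit) {
        if (v == "<invalid>") return -1   # certificate has already expired
        n = v + 0                         # leading number, e.g. 364 from "364d"
        unit = substr(v, length(v))
        if (unit == "y") return n * 365
        if (unit == "d") return n
        return 0                          # hours, minutes, seconds: under a day
    }
    # Data rows look like: NAME Mon DD, YYYY HH:MM UTC RESIDUAL ...
    # Header rows never have "UTC" in field 6, so they are skipped.
    $6 == "UTC" && NF >= 7 {
        if (to_days($7) < limit) print $1
    }'
}

# Constructed sample output (not captured from a real cluster).
sample_output() {
    cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Mar 15, 2022 09:54 UTC   364d            no
apiserver                  Apr 05, 2021 09:54 UTC   20d             no
etcd-server                Mar 16, 2021 02:00 UTC   5h              no
front-proxy-client         Mar 01, 2021 09:54 UTC   <invalid>       no
CERTIFICATE AUTHORITY      EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                         Mar 13, 2031 09:54 UTC   9y              no
EOF
}

# Demo: certificates with fewer than 30 days left in the constructed sample.
sample_output | expiring_certs 30
```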
Option 1
Check whether there are any unapproved CSR requests
kubectl get csr --sort-by=.metadata.creationTimestamp
If there are, approve them manually
kubectl certificate approve csr-xxxx
Restart the services so that the certificates take effect
systemctl restart kubelet
Docker
docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' |xargs docker restart
Containerd
crictl ps | grep -E "etcd|scheduler|controller|apiserver" |awk '{print $1}'|xargs crictl stop
Option 2
Manual certificate renewal
Must be run on every Master
kubeadm certs renew all
Output
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
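Option 3
Use this if the certificates have already expired, or if the previous command cannot renew them
Must be run on every Master
The kubernetesVersion error in the output can be ignored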
kubeadm alpha certs renew all --config /etc/kuber/kubeadm/kubeadm-config.yaml
Output
W0315 18:29:28.231020 17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
line 5: key "kubernetesVersion" already set in map
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
W0315 18:29:28.384120 17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
line 5: key "kubernetesVersion" already set in map
certificate for serving the Kubernetes API renewed
W0315 18:29:29.190988 17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
line 5: key "kubernetesVersion" already set in map
certificate the apiserver uses to access etcd renewed
W0315 18:29:29.491685 17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
line 5: key "kubernetesVersion" already set in map
certificate for the API server to connect to kubelet renewed
W0315 18:29:30.067720 17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
line 5: key "kubernetesVersion" already set in map
certificate embedded in the kubeconfig file for the controller manager to use renewed
W0315 18:29:31.046075 17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
line 5: key "kubernetesVersion" already set in map
certificate for liveness probes to healtcheck etcd renewed
W0315 18:29:31.445792 17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
line 5: key "kubernetesVersion" already set in map
certificate for etcd nodes to communicate with each other renewed
W0315 18:29:31.906409 17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
line 5: key "kubernetesVersion" already set in map
certificate for serving etcd renewed
W0315 18:29:32.431430 17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
line 5: key "kubernetesVersion" already set in map
certificate for the front proxy client renewed
W0315 18:29:32.547497 17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
line 5: key "kubernetesVersion" already set in map
certificate embedded in the kubeconfig file for the scheduler manager to use renewed