Handling Expired Kubernetes Certificates
1. Error message when using Kubernetes
[root@test35 ~]# kubectl get nodes
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2022-07-26T09:04:19+08:00 is after 2022-06-19T09:48:20Z
[root@test35 ~]#
2. Check the certificate expiration dates
[root@test35 ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 19, 2022 09:48 UTC   <invalid>                               no    # the certificates expired on June 19, 2022
apiserver                  Jun 19, 2022 09:48 UTC   <invalid>       ca                      no
apiserver-etcd-client      Jun 19, 2022 09:48 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Jun 19, 2022 09:48 UTC   <invalid>       ca                      no
controller-manager.conf    Jun 19, 2022 09:48 UTC   <invalid>                               no
etcd-healthcheck-client    Jun 19, 2022 09:48 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Jun 19, 2022 09:48 UTC   <invalid>       etcd-ca                 no
etcd-server                Jun 19, 2022 09:48 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Jun 19, 2022 09:48 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Jun 19, 2022 09:48 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 17, 2031 09:48 UTC   8y              no
etcd-ca                 Jun 17, 2031 09:48 UTC   8y              no
front-proxy-ca          Jun 17, 2031 09:48 UTC   8y              no
You have mail in /var/spool/mail/root
[root@test35 ~]#
3. Back up the existing certificates and generate new ones
[root@test35 ~]# cp -a /etc/kubernetes/ /home/ssl-back/   # back up the old Kubernetes configuration files
[root@test35 ~]# kubeadm certs renew all   # generate the new certificates
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
You have mail in /var/spool/mail/root
[root@test35 ~]#
4. Check the validity period of the new certificates
[root@test35 ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W0726 09:18:53.367103 1999 kubelet.go:215] detected "cgroupfs" as the Docker cgroup driver, the provided value "systemd" in "KubeletConfiguration" will be overrided
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 26, 2023 01:18 UTC   364d                                    no    # the new certificates are valid until July 26, 2023
apiserver                  Jul 26, 2023 01:18 UTC   364d            ca                      no
apiserver-etcd-client      Jul 26, 2023 01:18 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Jul 26, 2023 01:18 UTC   364d            ca                      no
controller-manager.conf    Jul 26, 2023 01:18 UTC   364d                                    no
etcd-healthcheck-client    Jul 26, 2023 01:18 UTC   364d            etcd-ca                 no
etcd-peer                  Jul 26, 2023 01:18 UTC   364d            etcd-ca                 no
etcd-server                Jul 26, 2023 01:18 UTC   364d            etcd-ca                 no
front-proxy-client         Jul 26, 2023 01:18 UTC   364d            front-proxy-ca          no
scheduler.conf             Jul 26, 2023 01:18 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 17, 2031 09:48 UTC   8y              no
etcd-ca                 Jun 17, 2031 09:48 UTC   8y              no
front-proxy-ca          Jun 17, 2031 09:48 UTC   8y              no
[root@test35 ~]#
5. Replace the old certificate credentials with the new ones
[root@test35 ~]# cp -a ~/.kube/config /home/ssl-back/
[root@test35 ~]# cp /etc/kubernetes/admin.conf ~/.kube/config
cp: overwrite ‘/root/.kube/config’? y
[root@test35 ~]#
6. Test whether the cluster is working normally
[root@test35 ~]# kubectl get nodes   # Kubernetes can be used normally again.
NAME     STATUS   ROLES                  AGE    VERSION
test01   Ready    control-plane,master   401d   v1.21.2
test02   Ready    node                   401d   v1.21.2
test03   Ready    node                   401d   v1.21.2
[root@test35 ~]#
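To catch this before kubectl stops working, the `kubeadm certs check-expiration` table from steps 2 and 4 can be parsed and any certificate that is expired or close to expiry flagged. This is an added example, not part of the original post; the function names `expiring_certs` and `sample_output` are hypothetical, and the sample rows are constructed from the output above plus two made-up rows (12d and 23h).

```shell
#!/bin/sh
# Added example: flag certificates that `kubeadm certs check-expiration`
# reports as expired or as expiring within N days (default 30).
# expiring_certs and sample_output are hypothetical names.

expiring_certs() {
    awk -v limit="${1:-30}" '
        $6 != "UTC" { next }          # certificate rows have "UTC" as field 6
        {
            name = $1; left = $7      # field 7 is the RESIDUAL TIME column
            if (left == "<invalid>") { print name, "EXPIRED"; bad = 1; next }
            n = left + 0              # numeric prefix of 364d, 8y, 23h ...
            unit = substr(left, length(left))
            if (unit == "y")      days = n * 365
            else if (unit == "d") days = n
            else                  days = 0   # h, m, s: under one day left
            if (days < limit) { print name, left; bad = 1 }
        }
        END { exit bad + 0 }          # non-zero when anything was flagged
    '
}

# Constructed sample: rows in the format shown above, plus two made-up
# rows (12d and 23h) to exercise the threshold.
sample_output() {
    cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 19, 2022 09:48 UTC   <invalid>                               no
apiserver                  Jul 26, 2023 01:18 UTC   364d            ca                      no
etcd-server                Jul 26, 2023 01:18 UTC   12d             etcd-ca                 no
front-proxy-client         Jul 26, 2023 01:18 UTC   23h             front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 17, 2031 09:48 UTC   8y              no
EOF
}

# Demo run on the constructed sample.
sample_output | expiring_certs 30 || echo "renewal needed"
```

On a control-plane node the same function can be fed live data from a scheduled job, for example `kubeadm certs check-expiration | expiring_certs 30`, with the non-zero exit status used to raise an alert.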
From "ITPUB Blog", link: http://blog.itpub.net/25854343/viewspace-2907563/. If you reprint this article, please cite the source; otherwise legal liability will be pursued.