Handling expired Kubernetes certificates
1. Error message when using Kubernetes
[root@test35 ~]# kubectl get nodes
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2022-07-26T09:04:19+08:00 is after 2022-06-19T09:48:20Z
[root@test35 ~]#
2. Check the certificate expiration times
[root@test35 ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 19, 2022 09:48 UTC   <invalid>                               no   --the certificate expired on June 19, 2022
apiserver                  Jun 19, 2022 09:48 UTC   <invalid>       ca                      no
apiserver-etcd-client      Jun 19, 2022 09:48 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Jun 19, 2022 09:48 UTC   <invalid>       ca                      no
controller-manager.conf    Jun 19, 2022 09:48 UTC   <invalid>                               no
etcd-healthcheck-client    Jun 19, 2022 09:48 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Jun 19, 2022 09:48 UTC   <invalid>       etcd-ca                 no
etcd-server                Jun 19, 2022 09:48 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Jun 19, 2022 09:48 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Jun 19, 2022 09:48 UTC   <invalid>                               no

CERTIFICATE AUTHORITY      EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                         Jun 17, 2031 09:48 UTC   8y              no
etcd-ca                    Jun 17, 2031 09:48 UTC   8y              no
front-proxy-ca             Jun 17, 2031 09:48 UTC   8y              no
You have mail in /var/spool/mail/root
[root@test35 ~]#
3. Back up the existing certificates and generate new ones
[root@test35 ~]# cp -a /etc/kubernetes/ /home/ssl-back/ --back up the old Kubernetes configuration files
[root@test35 ~]# kubeadm certs renew all --generate the new certificates
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
You have mail in /var/spool/mail/root
[root@test35 ~]#
4. Check the validity period of the new certificates
[root@test35 ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W0726 09:18:53.367103 1999 kubelet.go:215] detected "cgroupfs" as the Docker cgroup driver, the provided value "systemd" in "KubeletConfiguration" will be overrided
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 26, 2023 01:18 UTC   364d                                    no   --the new certificate is dated July 26, 2023
apiserver                  Jul 26, 2023 01:18 UTC   364d            ca                      no
apiserver-etcd-client      Jul 26, 2023 01:18 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Jul 26, 2023 01:18 UTC   364d            ca                      no
controller-manager.conf    Jul 26, 2023 01:18 UTC   364d                                    no
etcd-healthcheck-client    Jul 26, 2023 01:18 UTC   364d            etcd-ca                 no
etcd-peer                  Jul 26, 2023 01:18 UTC   364d            etcd-ca                 no
etcd-server                Jul 26, 2023 01:18 UTC   364d            etcd-ca                 no
front-proxy-client         Jul 26, 2023 01:18 UTC   364d            front-proxy-ca          no
scheduler.conf             Jul 26, 2023 01:18 UTC   364d                                    no

CERTIFICATE AUTHORITY      EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                         Jun 17, 2031 09:48 UTC   8y              no
etcd-ca                    Jun 17, 2031 09:48 UTC   8y              no
front-proxy-ca             Jun 17, 2031 09:48 UTC   8y              no
[root@test35 ~]#
5. Replace the old certificate credentials with the new ones
[root@test35 ~]# cp -a ~/.kube/config /home/ssl-back/
[root@test35 ~]# cp /etc/kubernetes/admin.conf ~/.kube/config
cp: overwrite ‘/root/.kube/config’? y
[root@test35 ~]#
6. Test whether the cluster is working normally
[root@test35 ~]# kubectl get nodes --k8s can be used normally again.
NAME STATUS ROLES AGE VERSION
test01 Ready control-plane,master 401d v1.21.2
test02 Ready node 401d v1.21.2
test03 Ready node 401d v1.21.2
[root@test35 ~]#
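To catch this condition before kubectl starts failing, the following added example (not part of the original post) reads `kubeadm certs check-expiration` output and flags certificates that are expired or close to expiry. The names expiring_certs and sample_output and the 30-day default are assumptions, and the RESIDUAL TIME column is assumed to carry a single unit (y, d, h, m or s) as in the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post. expiring_certs and sample_output
# are hypothetical helper names; the 30-day default threshold is an assumption.

# Reads `kubeadm certs check-expiration` output on stdin and prints one line
# per certificate that is expired or has fewer than $1 days left.
# Returns 1 if anything was flagged, so it can drive a cron or monitoring alert.
expiring_certs() {
    awk -v limit="${1:-30}" '
        # Data rows: NAME Mon DD, YYYY HH:MM UTC RESIDUAL [CA] MANAGED
        $6 != "UTC" { next }                 # headers, log and warning lines
        $7 == "<invalid>" { print $1, "EXPIRED"; bad = 1; next }
        {
            n = $7 + 0                       # numeric prefix of 364d, 8y, 5h
            unit = substr($7, length($7))
            if (unit == "y")      days = n * 365
            else if (unit == "d") days = n
            else                  days = 0   # h, m, s: under a day left
            if (days < limit) { print $1, days "d"; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Sample input: rows in the format shown on this page; the "12d" row is constructed.
sample_output() {
    cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jun 19, 2022 09:48 UTC <invalid> no
apiserver Jul 26, 2023 01:18 UTC 364d ca no
etcd-server Aug 07, 2022 01:18 UTC 12d etcd-ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jun 17, 2031 09:48 UTC 8y no
EOF
}

sample_output | expiring_certs 30 || echo "renewal needed"
```

On a control-plane node the real input would be `kubeadm certs check-expiration 2>/dev/null | expiring_certs 30`; splitting on whitespace handles both the column-aligned output and the flattened form.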
Source: "ITPUB Blog", link: http://blog.itpub.net/25854343/viewspace-2907563/. If you repost this article, please credit the source; otherwise legal liability will be pursued.