Changing Kubernetes Certificate Validity (Kubeadm 1.13)

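The K8S CA certificate is valid for 10 years, but the component certificates are valid for only 1 year. To keep the certificates usable they have to be renewed. There are currently three mainstream ways to do this:

  1. Upgrade the version. Every upgrade extends each certificate by 1 year; the official reason for the 1-year validity is the hope that users upgrade at least once a year.
  2. Renew with a command, which only extends by 1 year (this is the method covered in detail here).
  3. Compile Kubeadm from source and set the validity to 10 years.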

[root@bogon ~]# date -s "2030-1-1"          # simulate certificate expiry
Tue Jan  1 00:00:00 HKT 2030
[root@bogon ~]# kubectl get pod -n kube-system
Unable to connect to the server: x509: certificate has expired or is not yet valid

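Make a backup first so that it is easy to roll back.

Note: use mv, not cp. If the files are left in place, the original config files will still be used.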

mv /etc/kubernetes/*.conf /k8s_bak/

Generate the certificates

[root@bogon ~]# kubeadm alpha certs renew all  --config=/root/kubeadm-config-init.yaml         # the config file you used when installing k8s

Check the certificate dates

[root@bogon ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout | grep Not
            Not Before: Jan  1 13:13:08 2025 GMT
            Not After : Dec 31 16:02:42 2030 GMT

Generate new config files

[root@bogon ~]# kubeadm init phase kubeconfig all  --config=/root/kubeadm-config-init.yaml
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file

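Delete the previously cached files

rm -fr /root/.kube/
mkdir -p $HOME/.kube          # recreate the directory removed above, otherwise cp fails
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config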

Restart all master components and the kubelet service

    systemctl restart docker
    systemctl restart kubelet
    # By default only apiserver, controller-manager, scheduler and etcd need to be restarted; I took the shortcut and restarted the containers directly -.-
    # docker ps | egrep "etcd|kube-apiserver|kube-controller-manager|kube-scheduler" | grep -v pause | awk '{print $1}' | xargs -i docker restart {}

Check the Pods again: all of them are back to normal (^-^)V

[root@bogon ~]# kubectl get pod -n kube-system
NAME                            READY   STATUS    RESTARTS   AGE
coredns-78d4cf999f-6ch5s        1/1     Running   1          5y0d
coredns-78d4cf999f-9mwch        1/1     Running   1          5y0d
etcd-bogon                      1/1     Running   1          5y0d
kube-apiserver-bogon            1/1     Running   1          5y0d
kube-controller-manager-bogon   1/1     Running   3          5y0d
kube-flannel-ds-amd64-87n42     1/1     Running   1          5y0d
kube-proxy-pgqv2                1/1     Running   1          5y0d
kube-scheduler-bogon            1/1     Running   2          5y0d
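
The openssl check above looks at apiserver.crt only. As an added example (not part of the original post), the script below reports the remaining validity of every certificate under /etc/kubernetes/pki and of the client certificates embedded in the regenerated kubeconfig files. The function names, the K8S_DIR and WARN_DAYS variables and the 30-day threshold are assumptions; it needs GNU date and openssl.

```shell
#!/bin/sh
# Added example: remaining validity of kubeadm PKI and kubeconfig client certs.
# Assumes GNU date and openssl; function and variable names are illustrative.
K8S_DIR="${K8S_DIR:-/etc/kubernetes}"
WARN_DAYS="${WARN_DAYS:-30}"

# cert_status "notAfter=<date>" [now_epoch] -> "<STATE> <whole days left>"
cert_status() {
    end=$(date -u -d "${1#notAfter=}" +%s) || return 1
    now=${2:-$(date -u +%s)}
    secs=$((end - now))
    if [ "$secs" -le 0 ]; then state=EXPIRED
    elif [ "$secs" -lt $((WARN_DAYS * 86400)) ]; then state=RENEW_SOON
    else state=OK; fi
    echo "$state $((secs / 86400))"
}

# Read one PEM certificate on stdin and print its "notAfter=..." line.
pem_enddate() { openssl x509 -noout -enddate 2>/dev/null; }

# Decode the client certificate embedded in a kubeconfig (empty if none).
kubeconfig_pem() {
    awk '$1 == "client-certificate-data:" {print $2; exit}' "$1" | base64 -d 2>/dev/null
}

# Print one report line; remember if anything is already expired.
show() {
    if [ -z "$2" ]; then echo "SKIP (no certificate found) $1"; return; fi
    result=$(cert_status "$2") || return
    echo "$result days  $1"
    case $result in EXPIRED*) rc=1 ;; esac
}

report() {
    rc=0
    for f in "$K8S_DIR"/pki/*.crt "$K8S_DIR"/pki/etcd/*.crt; do
        [ -f "$f" ] && show "$f" "$(pem_enddate < "$f")"
    done
    for f in "$K8S_DIR"/*.conf; do
        [ -f "$f" ] && show "$f" "$(kubeconfig_pem "$f" | pem_enddate)"
    done
    return $rc
}

if [ -d "$K8S_DIR/pki" ]; then
    report
else
    # No cluster on this host: constructed check using the notAfter value
    # shown on this page, evaluated at the simulated date 2030-01-01.
    cert_status "notAfter=Dec 31 16:02:42 2030 GMT" "$(date -u -d 2030-01-01 +%s)"
fi
```

Run it as root on the master after the renewal; a non-zero exit status means at least one certificate has already expired.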
