K8s

How to handle expired k8s cluster certificates

2022-03-25  carvin

Unable to connect to the server: x509: certificate has expired or is not yet

1. Back up the certificates in the pki directory

cd /etc/kubernetes
tar -zcvf pki_bk.tar.gz pki

2. Renew all certificates

kubeadm alpha certs renew all

3. Check the new expiration times of the certificates

[root@master kubernetes]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 25, 2023 05:17 UTC   364d                                    no      
apiserver                  Mar 25, 2023 05:17 UTC   364d            ca                      no      
apiserver-etcd-client      Mar 25, 2023 05:17 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Mar 25, 2023 05:17 UTC   364d            ca                      no      
controller-manager.conf    Mar 25, 2023 05:17 UTC   364d                                    no      
etcd-healthcheck-client    Mar 25, 2023 05:17 UTC   364d            etcd-ca                 no      
etcd-peer                  Mar 25, 2023 05:17 UTC   364d            etcd-ca                 no      
etcd-server                Mar 25, 2023 05:17 UTC   364d            etcd-ca                 no      
front-proxy-client         Mar 25, 2023 05:17 UTC   364d            front-proxy-ca          no      
scheduler.conf             Mar 25, 2023 05:17 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 20, 2031 08:20 UTC   8y              no      
etcd-ca                 Mar 20, 2031 08:20 UTC   8y              no      
front-proxy-ca          Mar 20, 2031 08:20 UTC   8y              no      

4. Update the kubeconfig credentials

cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

5. Check that the kubectl command works

[root@master .kube]# kubectl get node
NAME      STATUS   ROLES    AGE    VERSION
master    Ready    master   367d   v1.18.6
master2   Ready    master   367d   v1.18.6
master3   Ready    master   58d    v1.18.6
node1     Ready    <none>   200d   v1.18.6
node5     Ready    <none>   273d   v1.18.6
node7     Ready    <none>   308d   v1.18.6
node8     Ready    <none>   272d   v1.18.6

6. Renew the other masters the same way. Copy the config file from master1 to master2 and master3.

scp /etc/kubernetes/admin.conf root@master2:/root/.kube/config
scp /etc/kubernetes/admin.conf root@master3:/root/.kube/config
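
To catch expiry before kubectl starts failing, the check from step 3 can be run on a schedule and filtered for certificates that are close to expiring. The script below is an added example, not part of the original post: the names expiring_certs and sample_output, the 30-day threshold and the sample rows are constructed, and it assumes kubeadm prints <invalid> as the residual time of a certificate that has already expired.

```shell
#!/bin/sh
# Added example (not from the original post): list certificates whose
# residual time in check-expiration output is below a threshold in days.

# expiring_certs DAYS  - reads check-expiration output on stdin and
# prints "<name> <residual>" for every row with less than DAYS left.
expiring_certs() {
    awk -v limit="$1" '
        # Convert a residual such as 8y, 364d, 5h to whole days.
        function to_days(r,    n, unit) {
            if (r == "<invalid>") return -1   # assumed marker for "expired"
            n = r + 0                         # numeric prefix of the value
            unit = substr(r, length(r))
            if (unit == "y") return n * 365
            if (unit == "d") return n
            return 0                          # hours or less: under one day
        }
        /^CERTIFICATE/ { in_table = 1; next }      # header of either table
        !in_table || NF == 0 || /^\[/ { next }     # log lines and blanks
        {
            # The residual time is the field right after "UTC".
            res = ""
            for (i = 1; i < NF; i++)
                if ($i == "UTC") { res = $(i + 1); break }
            if (res != "" && to_days(res) < limit) print $1, res
        }
    '
}

# Constructed sample in the layout shown in step 3 (values are made up).
sample_output() {
    cat <<'EOF'
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 25, 2023 05:17 UTC   364d                                    no
apiserver                  Apr 06, 2022 05:17 UTC   12d             ca                      no
etcd-server                Mar 24, 2022 05:17 UTC   <invalid>       etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 20, 2031 08:20 UTC   8y              no
EOF
}

# On a master: kubeadm alpha certs check-expiration | expiring_certs 30
sample_output | expiring_certs 30
```

An empty result means every listed certificate and CA has at least the given number of days left.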