K8S Certificate Management

2024-08-07  87d6dc4b11a7
E0808 10:05:45.004331    2558 memcache.go:238] couldn't get current server API group list: Get "https://lb.kubesphere.local:6443/api?timeout=32s": x509: certificate has expired or is not yet valid: current time 2024-08-08T10:05:45+08:00 is after 2024-07-19T01:36:48Z
E0808 10:05:45.007252    2558 memcache.go:238] couldn't get current server API group list: Get "https://lb.kubesphere.local:6443/api?timeout=32s": x509: certificate has expired or is not yet valid: current time 2024-08-08T10:05:45+08:00 is after 2024-07-19T01:36:48Z
E0808 10:05:45.010006    2558 memcache.go:238] couldn't get current server API group list: Get "https://lb.kubesphere.local:6443/api?timeout=32s": x509: certificate has expired or is not yet valid: current time 2024-08-08T10:05:45+08:00 is after 2024-07-19T01:36:48Z
E0808 10:05:45.013265    2558 memcache.go:238] couldn't get current server API group list: Get "https://lb.kubesphere.local:6443/api?timeout=32s": x509: certificate has expired or is not yet valid: current time 2024-08-08T10:05:45+08:00 is after 2024-07-19T01:36:48Z
E0808 10:05:45.016043    2558 memcache.go:238] couldn't get current server API group list: Get "https://lb.kubesphere.local:6443/api?timeout=32s": x509: certificate has expired or is not yet valid: current time 2024-08-08T10:05:45+08:00 is after 2024-07-19T01:36:48Z
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2024-08-08T10:05:45+08:00 is after 2024-07-19T01:36:48Z

1. Manually renew the certificates

root@shawn-virtual-machine:/etc/kubernetes/pki# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W0808 10:29:20.458063   20548 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

# Check the certificate's validity period (expiration date)
root@shawn-virtual-machine:/etc/kubernetes/pki# openssl x509 -in apiserver.crt -noout -text |grep ' Not '
            Not Before: Jul 20 01:36:48 2023 GMT
            Not After : Aug  8 02:29:20 2025 GMT

2. Restart kube-apiserver, kube-controller-manager, kube-scheduler and etcd so that they pick up the new certificates

# Restart kube-apiserver
crictl pods --name=kube-apiserver* -q | xargs -I% --no-run-if-empty bash -c 'crictl stopp % && crictl rmp %'

# Restart kube-controller-manager
crictl pods --name=kube-controller-manager* -q | xargs -I% --no-run-if-empty bash -c 'crictl stopp % && crictl rmp %'

# Restart kube-scheduler
crictl pods --name=kube-scheduler* -q | xargs -I% --no-run-if-empty bash -c 'crictl stopp % && crictl rmp %'

# Restart kube-apiserver / kube-controller-manager / kube-scheduler / etcd all at once
crictl pods --namespace kube-system --name 'kube-scheduler-*|kube-controller-manager-*|kube-apiserver-*|etcd-*' -q | xargs crictl rmp -f

3. Replace /root/.kube/config with the renewed admin.conf

cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
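The outage above happened because nobody noticed the one-year kubeadm certificates approaching their "Not After" date. The following script is an added example, not part of the original post: it applies the same `openssl x509 -enddate` check to every certificate under /etc/kubernetes/pki (including etcd/) and flags anything expired or within a warning window, so it can run from cron before the next expiry. It assumes GNU `date -d` (Linux) and `openssl` on PATH; PKI_DIR and WARN_DAYS are constructed knobs, not kubeadm settings.

```shell
#!/usr/bin/env sh
# Added example: warn about kubeadm-managed certificates nearing expiry.
# Assumes GNU date (Linux) and openssl; /etc/kubernetes/pki is the kubeadm default.
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
WARN_DAYS="${WARN_DAYS:-30}"

# Convert an OpenSSL "notAfter=Aug  8 02:29:20 2025 GMT" line to a Unix epoch.
not_after_epoch() {
    raw="${1#notAfter=}"
    date -u -d "$raw" +%s
}

# Whole days between a notAfter line and a reference epoch (default: now).
# Negative means the certificate has already expired.
days_left() {
    _exp=$(not_after_epoch "$1") || return 1
    _now="${2:-$(date -u +%s)}"
    echo $(( (_exp - _now) / 86400 ))
}

# Classify a days-left value: 0 = ok, 1 = expiring within WARN_DAYS, 2 = expired.
cert_status() {
    _days="$1"; _warn="${2:-$WARN_DAYS}"
    if [ "$_days" -lt 0 ]; then echo 2
    elif [ "$_days" -lt "$_warn" ]; then echo 1
    else echo 0; fi
}

# Scan every .crt in the PKI dir and its etcd/ subdir; non-zero exit if action is needed.
check_pki_dir() {
    _rc=0
    for f in "$PKI_DIR"/*.crt "$PKI_DIR"/etcd/*.crt; do
        [ -e "$f" ] || continue
        line=$(openssl x509 -in "$f" -noout -enddate) || { echo "ERROR    $f: unreadable"; _rc=1; continue; }
        days=$(days_left "$line")
        case "$(cert_status "$days")" in
            0) echo "OK       $f ($days days left)" ;;
            1) echo "WARNING  $f expires in $days days"; _rc=1 ;;
            2) echo "EXPIRED  $f ($(( -days )) days ago)"; _rc=1 ;;
        esac
    done
    return $_rc
}

# Run the scan; in a cron job propagate check_pki_dir's status to your alerting instead.
if check_pki_dir; then echo "all certificates OK"; else echo "certificate action needed"; fi
```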

kubeadm certs

kubeadm certs provides the tools for managing cluster certificates

# Check the expiration time of every certificate in the Kubernetes cluster
kubeadm certs check-expiration

https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/
https://kubernetes.io/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-certs/
