k8s-v1.15证书过期处理-已解决

因为是笔记本虚拟机搭建所以好久没打开k8s集群了，开机后先是提示：Unable to connect to the server: x509: certificate has expired or is not yet，一会后就提示：The connection to the server 192.168.37.201:6443 was refused - did you specify the right host or port?，排查后发现为证书过期。

1：先查看集群证书过期时间：

sudo openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '

输出：

            Not Before: May 24 03:32:37 2019 GMT

            Not After : May 23 03:32:38 2020 GMT

2：在当前目录编辑kubeadm.conf配置文件：

sion: kubeadm.k8s.io/v1beta1

kind: ClusterConfiguration

kubernetesVersion: v1.15.0  # kubernetes 版本

apiServer:

  certSANs:

  - 192.168.10.xxx # master 所有节点IP地址，包括master和slave

  - 192.168.10.xxx # slave1

  - 192.168.10.xxx # slave2

  extraArgs:

    service-node-port-range: 80-32767

    advertise-address: 0.0.0.0

controlPlaneEndpoint: "192.168.10.xxx:6443"  # APIserver 地址,也就是master节点地址

imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers #这里使用国内阿里云的镜像仓库

3：更新证书

kubeadm alpha certs renew all --config kubeadm.conf

sudo openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '

输出：

            Not Before: Jun 24 10:55:40 2019 GMT

            Not After : Jul 27 08:37:35 2021 GMT

4：重新生成配置文件

mv /etc/kubernetes/*.conf ~/.

kubeadm init phase kubeconfig all --config kubeadm.conf

5：更新.kube下的配置文件：

mv $HOME/.kube/config $HOME/.kube/config.old

sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

sudo chown $(id -u):$(id -g) $HOME/.kube/config

6：重启kube-apiserver,kube-controller,kube-scheduler,etcd这4个容器：(一定要ps -a要不有可能服务容器没启动)

docker ps -a | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash

7：重启容器后发现节点都为NotReady状态

[root@k8s-master kubernetes]# kubectl get nodes

NAME        STATUS    ROLES    AGE    VERSION

k8s-master  NotReady  master  384d  v1.15.0

k8s-node1    NotReady  node    384d  v1.15.0

[root@k8s-master pki]# cd /var/lib/kubelet/pki/

[root@k8s-master pki]# ls

kubelet-client-2019-12-17-18-50-01.pem  kubelet-client-2019-12-17-18-50-52.pem 

kubelet-client-current.pem  kubelet.crt  kubelet.key

8：master节点中kubelet证书也需要更新，重新生成证书，删除kubelet配置文件kubelet会向apiserver发起一个csr

[root@k8s-master pki]# mkdir bakup

[root@k8s-master pki]# mv kubelet* bakup/

[root@k8s-master pki]# lsbakup

[root@k8s-master pki]# systemctl restart kubelet

[root@k8s-master pki]# systemctl status kubelet

[root@k8s-master pki]# openssl x509 -in kubelet.crt -noout -text |grep ' Not ' Not Before: Jan 5 09:25:07 2021 GMT Not After : Jan 5 09:25:07 2022 GMT

//查看未授权的CSR请求：

[root@k8s-master pki]# kubectl get csr

//approve CSR 请求，有则同意，没有则不管：

[root@k8s-master pki]# kubectl certificate approve csr-4pw6gNAME        AGE      REQUESTOR          CONDITIONcsr-4pw6g  1h        kubelet-bootstrap  Approved,Issued

//验证结果

[root@k8s-master kubernetes]# kubectl get nodes

NAME        STATUS  ROLES    AGE    VERSIONk8s-master  Ready    master  384d  v1.15.0

9：master节点就更新完成了，然后获取token在更新slave节点时要用

[root@k8s-master kubernetes]# kubeadm token create

[root@k8s-master kubernetes]# kubeadm token listTOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPSyszrm3.d1zaj2uwj1pfo627 23h 2021-01-06T18:14:57+08:00 authentication,signing system:bootstrappers:kubeadm:default-node-token

10：node节点添加进集群（需删除原先kubelet配置文件，否则加入失败）

[root@k8s-node2 ~]# rm -rf /etc/kubernetes/kubelet.conf

[root@k8s-node2 ~]# rm -rf /etc/kubernetes/pki/ca.crt

[root@k8s-node2 ~]# rm -rf /etc/kubernetes/bootstrap-kubelet.conf

[root@k8s-node2 ~]# systemctl stop kubelet

[root@k8s-node2 ~]# kubeadm join --token=yszrm3.d1zaj2uwj1pfo627  192.168.10.XXX:6443 --node-name k8s-node2 --discovery-token-unsafe-skip-ca-verification

11：验证结果

[root@k8s-master kubernetes]# kubectl get nodes

NAME STATUS ROLES AGE VERSION

k8s-master Ready master 384d v1.15.0

k8s-node1 Ready node 384d v1.15.0

k8s-node2 Ready 11m v1.15.0