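In the previous article of this Kubernetes series (the deployment article) I forgot to mention one thing: before deploying, be sure to configure a time server so that the clocks on all k8s nodes are consistent.
k8s version: v1.16.8, deployed with kubespray. Unless otherwise noted, everything below is run on the master node.
View the cluster information: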
[root@node111 ~]# kubectl get node -o wide
NAME      STATUS   ROLES    AGE    VERSION   INTERNAL-IP     EXTERNAL-IP   OS-IMAGE                KERNEL-VERSION                CONTAINER-RUNTIME
node111   Ready    master   161d   v1.16.8   192.168.0.111   <none>        CentOS Linux 7 (Core)   3.10.0-1062.18.1.el7.x86_64   docker://19.3.8
node112   Ready    master   161d   v1.16.8   192.168.0.112   <none>        CentOS Linux 7 (Core)   3.10.0-1062.18.1.el7.x86_64   docker://19.3.8
node113   Ready    <none>   161d   v1.16.8   192.168.0.113   <none>        CentOS Linux 7 (Core)   3.10.0-1062.18.1.el7.x86_64   docker://19.3.8
[root@node111 ~]# kubeadm alpha certs check-expiration --config=/etc/kubernetes/kubeadm-config.yaml
W0930 14:31:41.401845 11811 defaults.go:199] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 May 13, 2021 05:22 UTC   224d            no
apiserver                  Apr 21, 2021 14:23 UTC   203d            no
apiserver-kubelet-client   Apr 21, 2021 14:23 UTC   203d            no
controller-manager.conf    May 13, 2021 05:22 UTC   224d            no
front-proxy-client         Apr 21, 2021 14:23 UTC   203d            no
scheduler.conf             May 13, 2021 05:22 UTC   224d            no
[root@node111 ~]# date -s "2021-09-01"
[root@node111 ~]# kubeadm alpha certs check-expiration --config=/etc/kubernetes/kubeadm-config.yaml
W0901 00:00:13.441409 12881 defaults.go:199] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 May 13, 2021 05:22 UTC   <invalid>       no
apiserver                  Apr 21, 2021 14:23 UTC   <invalid>       no
apiserver-kubelet-client   Apr 21, 2021 14:23 UTC   <invalid>       no
controller-manager.conf    May 13, 2021 05:22 UTC   <invalid>       no
front-proxy-client         Apr 21, 2021 14:23 UTC   <invalid>       no
scheduler.conf             May 13, 2021 05:22 UTC   <invalid>       no
[root@node111 ~]# kubectl get node -o wide
Unable to connect to the server: x509: certificate has expired or is not yet valid
[root@node111 ~]# mkdir /etc/kubernetes.bak
[root@node111 ~]# cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak
[root@node111 ~]# cp /etc/kubernetes/*.conf /etc/kubernetes.ba
[root@node111 ~]# cp -r /var/lib/etcd /var/lib/etcd.bak
[root@node111 ~]# kubeadm alpha certs renew all --config /etc/kubernetes/kubeadm-config.yaml
After running the command above, check again whether the certificates have been renewed:
[root@node111 ~]# kubeadm alpha certs check-expiration --config=/etc/kubernetes/kubeadm-config.yaml
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Aug 31, 2022 16:08 UTC   364d            no
apiserver                  Aug 31, 2022 16:08 UTC   364d            no
apiserver-kubelet-client   Apr 21, 2021 14:23 UTC   <invalid>       no
controller-manager.conf    May 13, 2021 05:22 UTC   <invalid>       no
front-proxy-client         Apr 21, 2021 14:23 UTC   <invalid>       no
scheduler.conf             May 13, 2021 05:22 UTC   <invalid>       no
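Mine were not all renewed successfully (cause still to be investigated). If some are not renewed, you can renew them one at a time: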
[root@node111 ~]# kubeadm alpha certs renew admin.conf --config=/etc/kubernetes/kubeadm-config.yaml
[root@node111 ~]# kubeadm alpha certs renew apiserver --config=/etc/kubernetes/kubeadm-config.yaml
[root@node111 ~]# kubeadm alpha certs renew apiserver-kubelet-client --config=/etc/kubernetes/kubeadm-config.yaml
[root@node111 ~]# kubeadm alpha certs renew controller-manager.conf --config=/etc/kubernetes/kubeadm-config.yaml
[root@node111 ~]# kubeadm alpha certs renew front-proxy-client --config=/etc/kubernetes/kubeadm-config.yaml
[root@node111 ~]# kubeadm alpha certs renew scheduler.conf --config=/etc/kubernetes/kubeadm-config.yaml
[root@node111 ~]# kubeadm alpha certs check-expiration --config=/etc/kubernetes/kubeadm-config.yaml
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Aug 31, 2022 16:12 UTC   364d            no
apiserver                  Aug 31, 2022 16:12 UTC   364d            no
apiserver-kubelet-client   Aug 31, 2022 16:12 UTC   364d            no
controller-manager.conf    Aug 31, 2022 16:12 UTC   364d            no
front-proxy-client         Aug 31, 2022 16:12 UTC   364d            no
scheduler.conf             Aug 31, 2022 16:12 UTC   364d            no
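Because `renew all` above left four certificates still `<invalid>`, it is worth checking the check-expiration table mechanically before moving on to the kubeconfig and restart steps. The following is an added example, not part of the original post; the function name `stale_certs` is hypothetical and it assumes the v1.16 column layout shown above:

```shell
# Added example; the function name stale_certs is hypothetical.
# Usage: kubeadm alpha certs check-expiration --config=... | stale_certs MIN_DAYS
# Prints every certificate that is expired (<invalid>) or has fewer than
# MIN_DAYS days left, and returns 1 if there is at least one.
# Assumes the v1.16 column layout shown in this post.
stale_certs() {
  awk -v min="${1:-30}" '
    # Data rows: NAME  Mon DD, YYYY HH:MM UTC  RESIDUAL  EXTERNALLY-MANAGED
    # Warning lines and the header row never have "UTC" as field 6.
    $6 != "UTC" { next }
    {
      r = $7
      days = -1                       # <invalid> or unknown format: fail closed
      if (r ~ /^[0-9]+y$/) days = 365 * (r + 0)
      else if (r ~ /^[0-9]+d$/) days = r + 0
      else if (r ~ /^[0-9]+[hms]$/) days = 0    # under one day left
      if (days < min) { print $1; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

# Sample input: the post's own output after `renew all` (partial renewal).
AFTER_RENEW_ALL='CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Aug 31, 2022 16:08 UTC 364d no
apiserver Aug 31, 2022 16:08 UTC 364d no
apiserver-kubelet-client Apr 21, 2021 14:23 UTC <invalid> no
controller-manager.conf May 13, 2021 05:22 UTC <invalid> no
front-proxy-client Apr 21, 2021 14:23 UTC <invalid> no
scheduler.conf May 13, 2021 05:22 UTC <invalid> no'

# Gate the later steps (kubeconfig regeneration, container restart) on a clean result.
if ! printf '%s\n' "$AFTER_RENEW_ALL" | stale_certs 30; then
  echo "renewal incomplete: renew the certificates listed above individually" >&2
fi
```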
[root@node111 ~]# mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.bak
[root@node111 ~]# kubeadm init phase kubeconfig kubelet --config /etc/kubernetes/kubeadm-config.yaml
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
[root@node111 ~]# mv $HOME/.kube/config $HOME/.kube/config.old
[root@node111 ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@node111 ~]# chown $(id -u):$(id -g) $HOME/.kube/config
[root@node111 ~]# docker ps | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' | xargs docker restart
cf25631947c9
8c7ef641819c
b2635e60039a
[root@node111 ~]# echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate
notAfter=Aug 31 16:12:52 2022 GMT
[root@node111 ~]# kubectl get node
NAME      STATUS     ROLES    AGE    VERSION
node111   Ready      master   568d   v1.16.8
node112   NotReady   master   568d   v1.16.8
node113   NotReady   <none>   568d   v1.16.8
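If there are multiple masters, repeat the steps above on each of them. Of course, there are many ways to renew Kubernetes certificates. If your cluster really was deployed with kubeadm, just run renew all and then adjust the config. If it was deployed with a third-party deployment tool, you need to look at the specific steps and scripts that tool uses to generate certificates, but the underlying principle stays the same.
In the next article we will cover this: if, in a special case, this configuration has not been set up on a Node and the certificate has to be issued by hand, how is that done?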
This article is reposted from 运维及时雨.




