Renewing expired certificates on a self-hosted k8s cluster

2021-10-22 09:26:53

1. Overview

With a standard k8s cluster install, the cluster certificates are valid for one year. This covers the following certificates:

- apiserver

- apiserver-kubelet-client

- apiserver-etcd-client

- front-proxy-client

- etcd/server

- etcd/peer

- etcd/healthcheck-client

2. Ways to deal with certificate expiry

For manually generated certificates

During a manual install, simply set the certificate validity to n days when you generate it.

For kubeadm

Option 1: upgrade the k8s cluster, which renews the certificates automatically

Option 2: patch kubeadm and recompile it

Option 3: regenerate the certificates

3. Handling an expired certificate

Error message

[root@k8s-master03 ~]# kubectl get po
Unable to connect to the server: x509: certificate has expired or is not yet valid

Log message

The currently active client certificate has expired, but the server is not responsive. A restart may be necessary to retrieve new initial credentials.

Back up the certificates

cp -rp /etc/kubernetes /etc/kubernetes.bak

apiserver certificates

[root@k8s-master03 ~]# rm -f /etc/kubernetes/pki/apiserver*

front-proxy-client certificate

[root@k8s-master03 ~]# rm -f /etc/kubernetes/pki/front-proxy-client.*

etcd certificates

rm -rf /etc/kubernetes/pki/etcd/healthcheck-client.*
rm -rf /etc/kubernetes/pki/etcd/server.*
rm -rf /etc/kubernetes/pki/etcd/peer.*

Regenerate the certificates

[root@k8s-master02 ~]# /opt/kubeadm alpha phase certs all --config kubeadm-config.yaml
[certificates] Generated apiserver-kubelet-client certificate and key.
[certificates] Generated apiserver certificate and key.
[certificates] apiserver serving cert is signed for DNS names [k8s-master02 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local k8s-master01 k8s-master02 k8s-master03 k8s-master-lb] and IPs [10.96.0.1 192.168.20.21 192.168.20.10 192.168.20.20 192.168.20.21 192.168.20.22 192.168.20.10]
[certificates] Generated front-proxy-client certificate and key.
[certificates] Generated etcd/healthcheck-client certificate and key.
[certificates] Generated apiserver-etcd-client certificate and key.
[certificates] Generated etcd/server certificate and key.
[certificates] etcd/server serving cert is signed for DNS names [k8s-master02 localhost k8s-master02] and IPs [127.0.0.1 ::1 192.168.20.21]
[certificates] Generated etcd/peer certificate and key.
[certificates] etcd/peer serving cert is signed for DNS names [k8s-master02 localhost k8s-master02] and IPs [192.168.20.21 127.0.0.1 ::1 192.168.20.21]
[certificates] valid certificates and keys now exist in "/etc/kubernetes/pki"
[certificates] Using the existing sa key.

Regenerate the kubeconfig files

[root@k8s-master02 ~]# mv /etc/kubernetes/

admin.conf               kubelet.conf             pki/                     scheduler.conf

controller-manager.conf  manifests/               pki.bak/                 tmp/

[root@k8s-master02 ~]# mv /etc/kubernetes/*.conf /tmp/
[root@k8s-master02 ~]# /opt/kubeadm alpha phase kubeconfig all --config kubeadm-config.yaml
[endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf"

Restart kubelet

[root@k8s-master01 ~]# systemctl restart kubelet

4. Verifying the cluster

Confirm the certificate expiry dates

# Note: cfssl has to be installed separately
[root@k8s-master01 ~]# cfssl-certinfo -cert /etc/kubernetes/pki/etcd/server.crt | grep not
  "not_before": "2018-11-30T07:45:08Z",
  "not_after": "2117-11-16T06:07:00Z",

Confirm the cluster status

[root@k8s-master01 ~]# kubectl get no
NAME           STATUS   ROLES    AGE     VERSION
k8s-master01   Ready    master   6d22h   v1.12.3
k8s-master02   Ready    master   6d22h   v1.12.3
k8s-master03   Ready    master   6d22h   v1.12.3
k8s-node01     Ready    <none>   6d21h   v1.12.3
k8s-node02     Ready    <none>   6d21h   v1.12.3

Check the certificate expiry dates

# openssl prints "Not Before" / "Not After :", so the grep pattern is case-sensitive
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep ' Not '
openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt -noout -text | grep ' Not '
openssl x509 -in /etc/kubernetes/pki/apiserver-kubelet-client.crt -noout -text | grep ' Not '
openssl x509 -in /etc/kubernetes/pki/front-proxy-client.crt -noout -text | grep ' Not '
openssl x509 -in /etc/kubernetes/pki/etcd/healthcheck-client.crt -noout -text | grep ' Not '
openssl x509 -in /etc/kubernetes/pki/etcd/peer.crt -noout -text | grep ' Not '
openssl x509 -in /etc/kubernetes/pki/etcd/server.crt -noout -text | grep ' Not '
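The per-file openssl checks above, turned into one sweep over every certificate from section 1 (plus the three CAs, which kubeadm does not rotate and which everything else chains to) with a warning threshold, so the same check can run from cron before the one-year expiry bites. This is an added example, not from the original post; it assumes the openssl CLI and GNU date, and PKI_DIR, WARN_DAYS, days_left and check_certs are names chosen here.

```shell
#!/bin/sh
# check_k8s_certs.sh: print days left on each kubeadm-managed certificate
# and exit 1 if any is missing, unreadable, or expires within WARN_DAYS.
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
WARN_DAYS="${WARN_DAYS:-30}"

# Certificates listed in section 1, plus the CAs; paths relative to PKI_DIR.
CERTS="apiserver apiserver-kubelet-client apiserver-etcd-client front-proxy-client \
etcd/server etcd/peer etcd/healthcheck-client ca front-proxy-ca etcd/ca"

# days_left FILE -> prints whole days until notAfter (negative once expired)
days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2) || return 1
    end_s=$(date -d "$end" +%s) || return 1          # GNU date assumed
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# check_certs DIR -> one line per cert; returns 1 if anything needs attention
check_certs() {
    dir="$1"; rc=0
    for c in $CERTS; do
        f="$dir/$c.crt"
        if [ ! -f "$f" ]; then
            printf '%-26s MISSING\n' "$c"; rc=1; continue
        fi
        d=$(days_left "$f") || { printf '%-26s UNREADABLE\n' "$c"; rc=1; continue; }
        if [ "$d" -le "$WARN_DAYS" ]; then
            printf '%-26s %6s days left  <-- renew\n' "$c" "$d"; rc=1
        else
            printf '%-26s %6s days left\n' "$c" "$d"
        fi
    done
    return $rc
}

# Only run the sweep when executed as a script, so the functions can be sourced.
if [ "${0##*/}" = "check_k8s_certs.sh" ]; then
    check_certs "$PKI_DIR"
fi
```

Run it as root on each master (the etcd certs are unreadable otherwise); a non-zero exit is what to alert on.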
