The steps differ slightly between Kubernetes versions, so when you run into a problem, consult the official Kubernetes documentation first.
1. Connecting to the API server fails with a "certificate has expired" error
$ kubectl get node,pod
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-01-31T16:55:27+08:00 is after 2023-01-16T04:47:34Z
2. Lab environment
Cluster version and node description:
# Cluster version
$ kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.1", GitCommit:"86ec240af8cbd1b60bcc4c03c20da9b98005b92e", GitTreeState:"clean", BuildDate:"2021-12-16T11:39:51Z", GoVersion:"go1.17.5", Compiler:"gc", Platform:"linux/amd64"}

# Cluster nodes (the system clock is first set back to a date before the certificates expired so that kubectl can still reach the API server)
$ date -s "2023-01-01"
$ kubectl get node
NAME            STATUS   ROLES                  AGE    VERSION
weiyigeek-107   Ready    control-plane,master   381d   v1.23.1
weiyigeek-108   Ready    control-plane,master   380d   v1.23.1
weiyigeek-109   Ready    control-plane,master   380d   v1.23.1
weiyigeek-223   Ready    work                   380d   v1.23.1
weiyigeek-224   Ready    work                   380d   v1.23.1
weiyigeek-225   Ready    work                   381d   v1.23.1
weiyigeek-226   Ready    work                   220d   v1.23.1

# Keeping the configuration files used during setup matters: back up the resource manifests when you build a k8s cluster.
kubectl -n kube-system get cm kubeadm-config -o yaml > kubeadm-config-v1.23.1.yaml
3. Renewing the certificates in practice
On a highly available Kubernetes cluster, the certificate renewal procedure is as follows:
0. Always take a backup before starting so that you can roll back. I am working on weiyigeek-107, one of the three master nodes; all later steps also run on this machine unless I state otherwise.
# Back up the old configuration files.
cp -a /etc/kubernetes{,.bak}
cp -a /var/lib/kubelet{,.bak}
cp -a /var/lib/etcd /var/lib/etcd.bak

# Back up the cluster configuration. This step cannot run once the certificates have expired and may then be skipped,
# but you can use date to set the system time back to a point before the expiry.
date -s "2023-01-01" || timedatectl set-time "2023-01-01"
kubectl -n kube-system get cm kubeadm-config -o yaml > kubeadm-init-config.yaml   # this original configuration file is needed later.
Use openssl to inspect the validity period and related details of an individual certificate
# The cluster's ca.crt is valid for ten years.
# apiserver.crt, kubelet.crt and etcd.crt are valid for one year by default; you can change that to ten years yourself (covered in a later article).
$ for i in /etc/kubernetes/pki/*.crt /etc/kubernetes/pki/etcd/*.crt; do echo "===== $i ====="; openssl x509 -in "$i" -text -noout | grep -A 3 'Validity'; done
# Equivalent: for item in `find /etc/kubernetes/pki -maxdepth 2 -name "*.crt"`; do echo ======================$item===============; openssl x509 -in $item -text -noout | grep -A 3 Not; done

===== /etc/kubernetes/pki/apiserver.crt =====
        Validity
            Not Before: Jan 15 10:42:56 2022 GMT   # issued
            Not After : Jan 15 10:42:57 2023 GMT   # expires
        Subject: CN = kube-apiserver                # common name
===== /etc/kubernetes/pki/apiserver-etcd-client.crt =====
        Validity
            Not Before: Jan 15 10:42:58 2022 GMT
            Not After : Jan 15 10:42:59 2023 GMT
        Subject: O = system:masters, CN = kube-apiserver-etcd-client
===== /etc/kubernetes/pki/apiserver-kubelet-client.crt =====
        Validity
            Not Before: Jan 15 10:42:56 2022 GMT
            Not After : Jan 15 10:42:57 2023 GMT
        Subject: O = system:masters, CN = kube-apiserver-kubelet-client
===== /etc/kubernetes/pki/ca.crt =====
        Validity
            Not Before: Jan 15 10:42:56 2022 GMT
            Not After : Jan 13 10:42:56 2032 GMT
        Subject: CN = kubernetes
===== /etc/kubernetes/pki/etcd/ca.crt =====
        Validity
            Not Before: Jan 15 10:42:58 2022 GMT
            Not After : Jan 13 10:42:58 2032 GMT
        Subject: CN = etcd-ca
===== /etc/kubernetes/pki/etcd/healthcheck-client.crt =====
        Validity
            Not Before: Jan 15 10:42:58 2022 GMT
            Not After : Jan 15 10:42:59 2023 GMT
        Subject: O = system:masters, CN = kube-etcd-healthcheck-client
===== /etc/kubernetes/pki/etcd/peer.crt =====
        Validity
            Not Before: Jan 15 10:42:58 2022 GMT
            Not After : Jan 15 10:42:59 2023 GMT
        Subject: CN = weiyigeek-107
===== /etc/kubernetes/pki/etcd/server.crt =====
        Validity
            Not Before: Jan 15 10:42:58 2022 GMT
            Not After : Jan 15 10:42:59 2023 GMT
        Subject: CN = weiyigeek-107
===== /etc/kubernetes/pki/front-proxy-ca.crt =====
        Validity
            Not Before: Jan 15 10:42:58 2022 GMT
            Not After : Jan 13 10:42:58 2032 GMT
        Subject: CN = front-proxy-ca
===== /etc/kubernetes/pki/front-proxy-client.crt =====
        Validity
            Not Before: Jan 15 10:42:58 2022 GMT
            Not After : Jan 15 10:42:58 2023 GMT
        Subject: CN = front-proxy-client
Check the cluster's certificate status, which lists every certificate name together with its issuing CA and expiry time; here you can see that all of them have expired.
sudo kubeadm certs check-expiration
# [check-expiration] Reading configuration from the cluster...
# [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
# [check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
#
# CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
# admin.conf                 Jan 15, 2023 10:43 UTC   <invalid>       ca                      no
# apiserver                  Jan 15, 2023 10:42 UTC   <invalid>       ca                      no
# apiserver-etcd-client      Jan 15, 2023 10:42 UTC   <invalid>       etcd-ca                 no
# apiserver-kubelet-client   Jan 15, 2023 10:42 UTC   <invalid>       ca                      no
# controller-manager.conf    Jan 15, 2023 10:43 UTC   <invalid>       ca                      no
# etcd-healthcheck-client    Jan 15, 2023 10:42 UTC   <invalid>       etcd-ca                 no
# etcd-peer                  Jan 15, 2023 10:42 UTC   <invalid>       etcd-ca                 no
# etcd-server                Jan 15, 2023 10:42 UTC   <invalid>       etcd-ca                 no
# front-proxy-client         Jan 15, 2023 10:42 UTC   <invalid>       front-proxy-ca          no
# scheduler.conf             Jan 15, 2023 10:43 UTC   <invalid>       ca                      no
#
# CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
# ca                      Jan 13, 2032 10:42 UTC   8y              no
# etcd-ca                 Jan 13, 2032 10:42 UTC   8y              no
# front-proxy-ca          Jan 13, 2032 10:42 UTC   8y              no
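The openssl loop and check-expiration output above only show dates. The script below is an added example (not code from the original post): it turns the same "Not After" field into an OK / WARN / EXPIRED status against a reference time, so that an expiring certificate is noticed before kube-apiserver starts refusing connections as in section 1. It assumes GNU date (for -d) and openssl; PKI_DIR and WARN_DAYS are names chosen here, not kubeadm settings.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU date (-d) and openssl.
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"   # kubeadm's default certificate directory
WARN_DAYS="${WARN_DAYS:-30}"                # warn when fewer than this many days remain

# seconds_until "<openssl Not After date>" "<reference time>" -> signed seconds
# Negative means the certificate had already expired at the reference time.
seconds_until() {
    expiry=$(date -u -d "$1" +%s 2>/dev/null) || return 1
    ref=$(date -u -d "$2" +%s 2>/dev/null) || return 1
    echo $(( expiry - ref ))
}

# classify_cert "<openssl x509 -text output>" "<reference time>" "<warn days>"
# Picks out the "Not After" line the post greps for and prints OK, WARN or EXPIRED.
classify_cert() {
    not_after=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Not After *: *//p' | head -n 1)
    [ -n "$not_after" ] || { echo "UNKNOWN"; return 2; }
    secs=$(seconds_until "$not_after" "$2") || { echo "UNKNOWN"; return 2; }
    if [ "$secs" -lt 0 ]; then
        echo "EXPIRED"
    elif [ "$secs" -lt "$(( $3 * 86400 ))" ]; then
        echo "WARN"
    else
        echo "OK"
    fi
}

# Walks the same files as the post's for-loop and prints one status line per certificate.
# Returns 1 if any certificate is not OK, so it can be wired into cron or a health probe.
report_pki() {
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    rc=0
    for crt in "$PKI_DIR"/*.crt "$PKI_DIR"/etcd/*.crt; do
        [ -f "$crt" ] || continue
        enddate=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null) || continue
        # -enddate prints "notAfter=<date>"; rewrite it to the "-text" form classify_cert expects
        text=$(printf '%s\n' "$enddate" | sed 's/^notAfter=/Not After : /')
        status=$(classify_cert "$text" "$now" "$WARN_DAYS")
        [ "$status" = "OK" ] || rc=1
        printf '%-8s %s\n' "$status" "$crt"
    done
    return "$rc"
}

# Run the report only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    report_pki
fi
```

Running it with --run on a control-plane node lists each certificate under /etc/kubernetes/pki with its status; a non-zero exit means at least one certificate needs renewal.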
If etcd was created and is managed by kubeadm, its certificates can also be renewed in the way shown below; if etcd is managed externally in an HA setup, you have to update its certificate configuration manually.
Use the renew subcommand of certs to refresh the expiry of every cluster certificate, renewing them for another year. The --config flag points at the init configuration manifest I used when creating the cluster; if you do not have it, generate it as described in step 0.
~/.k8s$ sudo kubeadm certs renew all --config=./kubeadm-init-config.yaml
# W1212 17:17:16.721037 1306627 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
# certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed   (admin.conf)
# certificate for serving the Kubernetes API renewed
# certificate the apiserver uses to access etcd renewed
# certificate for the API server to connect to kubelet renewed
# certificate embedded in the kubeconfig file for the controller manager to use renewed   (controller-manager.conf)
# certificate for liveness probes to healthcheck etcd renewed
# certificate for etcd nodes to communicate with each other renewed
# certificate for serving etcd renewed
# certificate for the front proxy client renewed
# certificate embedded in the kubeconfig file for the scheduler manager to use renewed   (scheduler.conf)
If you see the message that the certificates have been renewed and that you must restart kube-apiserver, kube-controller-manager, kube-scheduler and the other components so they can use the new certificates, the renewal succeeded:
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
Verify the renewal and the new expiry times
~/.k8s$ kubeadm certs check-expiration
# [check-expiration] Reading configuration from the cluster...
# [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
#
# CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
# admin.conf                 Jan 31, 2024 09:26 UTC   364d            ca                      no
# apiserver                  Jan 31, 2024 09:26 UTC   364d            ca                      no
# apiserver-etcd-client      Jan 31, 2024 09:26 UTC   364d            etcd-ca                 no
# apiserver-kubelet-client   Jan 31, 2024 09:26 UTC   364d            ca                      no
# controller-manager.conf    Jan 31, 2024 09:26 UTC   364d            ca                      no
# etcd-healthcheck-client    Jan 31, 2024 09:26 UTC   364d            etcd-ca                 no
# etcd-peer                  Jan 31, 2024 09:26 UTC   364d            etcd-ca                 no
# etcd-server                Jan 31, 2024 09:26 UTC   364d            etcd-ca                 no
# front-proxy-client         Jan 31, 2024 09:26 UTC   364d            front-proxy-ca          no
# scheduler.conf             Jan 31, 2024 09:26 UTC   364d            ca                      no
#
# CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
# ca                      Jan 13, 2032 10:42 UTC   8y              no
# etcd-ca                 Jan 13, 2032 10:42 UTC   8y              no
# front-proxy-ca          Jan 13, 2032 10:42 UTC   8y              no
Use stat to view the modification times of apiserver.key and apiserver.crt
/etc/kubernetes/pki$ stat apiserver.key apiserver.crt
#   File: apiserver.key
#   Size: 1675          Blocks: 8          IO Block: 4096   regular file
# Device: fd00h/64768d  Inode: 3670556     Links: 1
# Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
# Access: 2022-04-28 12:55:13.456040564 +0800
# Modify: 2023-01-31 17:26:51.108767670 +0800
# Change: 2023-01-31 17:26:51.108767670 +0800
#  Birth: -
#   File: apiserver.crt
#   Size: 1338          Blocks: 8          IO Block: 4096   regular file
# Device: fd00h/64768d  Inode: 3670557     Links: 1
# Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
# Access: 2023-01-31 17:28:58.104917185 +0800
# Modify: 2023-01-31 17:26:51.108767670 +0800
# Change: 2023-01-31 17:26:51.108767670 +0800
#  Birth: -
After the certificates have been renewed, we still need to regenerate the configuration files the cluster's master nodes require, such as admin.conf, controller-manager.conf, kubelet.conf and scheduler.conf under /etc/kubernetes.
Source: https://www.cnblogs.com/dgp-zjz/p/17108192.html