Background
When logging in to the test environment to view pods, the following error appeared:
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-03-16T23:18:09+08:00 is after 2023-02-23T14:45:50Z
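Investigation showed that the certificates on the k8s master node had expired.
The official k8s documentation describes how to resolve expired certificates.
Log in to the master server and look in /etc/kubernetes/: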
[root@k8s-master1 ~]# cd /etc/kubernetes
[root@k8s-master1 kubernetes]# ls
admin.conf controller-manager.conf kubelet.conf manifests pki scheduler.conf
[root@k8s-master1 kubernetes]# cd pki/
[root@k8s-master1 pki]# openssl x509 -in apiserver.crt -noout -text |grep ' Not ' # check whether it has expired
Not Before: Feb 23 14:45:50 2022 GMT
Not After : Feb 23 14:45:50 2023 GMT
[root@k8s-master1 pki]# kubeadm certs check-expiration # check whether the certificates have expired
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Feb 23, 2023 14:45 UTC <invalid> no
apiserver Feb 23, 2023 14:45 UTC <invalid> ca no
!MISSING! apiserver-etcd-client
apiserver-kubelet-client Feb 23, 2023 14:45 UTC <invalid> ca no
controller-manager.conf Feb 23, 2023 14:45 UTC <invalid> no
!MISSING! etcd-healthcheck-client
!MISSING! etcd-peer
!MISSING! etcd-server
front-proxy-client Feb 23, 2023 14:45 UTC <invalid> front-proxy-ca no
scheduler.conf Feb 23, 2023 14:45 UTC <invalid> no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Feb 21, 2032 14:45 UTC 8y no
!MISSING! etcd-ca
front-proxy-ca Feb 21, 2032 14:45 UTC 8y no
[root@k8s-master1 pki]#
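The check confirms that the certificates of the k8s master components have expired.
- Back up all files under the /etc/kubernetes/pki directory
- Manually renew all certificates by running: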
kubeadm certs renew all
- Check whether the certificate validity period has been updated
[root@k8s-master1 pki]# openssl x509 -in apiserver.crt -noout -text |grep ' Not ' # check whether it has expired
Not Before: Feb 23 14:45:50 2022 GMT
Not After : Mar 15 15:37:05 2024 GMT
- On the master node, back up all configuration files under the /etc/kubernetes directory
- Update the user configuration by running the following commands:
kubeadm kubeconfig user --client-name=admin
kubeadm kubeconfig user --org system:masters --client-name kubernetes-admin > /etc/kubernetes/admin.conf
kubeadm kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf
kubeadm kubeconfig user --org system:nodes --client-name system:node:$(hostname) > /etc/kubernetes/kubelet.conf
kubeadm kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf
- Replace the /root/.kube/config file with the updated admin.conf
cp -i /etc/kubernetes/admin.conf /root/.kube/config
- Restart the apiserver and scheduler system components on all master nodes. For a k8s cluster deployed from tar packages, they can be restarted with the following commands:
systemctl restart kube-apiserver
systemctl restart kube-scheduler
At this point the certificate renewal is complete.
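To catch expiry before the API server stops accepting connections, the `kubeadm certs check-expiration` output shown above can be checked automatically, for example from a scheduled job. The script below is an added example, not part of the original post: the function names `check_kubeadm_certs` and `sample_output` and the 30-day threshold are assumptions, and the sample rows are constructed from the output above plus one near-expiry row.

```shell
# Added example: flag kubeadm-managed certificates that are expired, missing
# or close to expiry, reading `kubeadm certs check-expiration` output on stdin.
check_kubeadm_certs() {        # $1 = warning threshold in days (assumed default: 30)
    awk -v warn="${1:-30}" '
    # Convert a RESIDUAL TIME value such as 364d, 8y or 23h to whole days.
    function to_days(r,   n, u) {
        n = substr(r, 1, length(r) - 1) + 0
        u = substr(r, length(r))
        if (u == "y") return n * 365
        if (u == "d") return n
        return 0               # h, m, s: less than one day left
    }
    $1 == "!MISSING!" { print "MISSING  " $2; bad++; next }
    # Data rows: NAME Mon DD, YYYY HH:MM UTC RESIDUAL [CA] EXTERNALLY-MANAGED
    $6 == "UTC" {
        if ($7 == "<invalid>")       { print "EXPIRED  " $1; bad++ }
        else if (to_days($7) < warn) { print "EXPIRING " $1 " (" $7 ")"; bad++ }
    }
    END { exit (bad ? 1 : 0) }     # non-zero exit status when anything needs attention
    '
}

# Constructed sample: rows from the output above plus one near-expiry row.
sample_output() {
cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 23, 2023 14:45 UTC   <invalid>                               no
apiserver                  Feb 23, 2023 14:45 UTC   <invalid>       ca                      no
!MISSING! etcd-server
front-proxy-client         Mar 15, 2024 15:37 UTC   12d             front-proxy-ca          no
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 21, 2032 14:45 UTC   8y              no
EOF
}

# On a master node: kubeadm certs check-expiration | check_kubeadm_certs 30
sample_output | check_kubeadm_certs 30 || echo "certificate renewal needed"
```

Entries reported as MISSING are expected where kubeadm does not manage that certificate on the node, as with the etcd entries in the output above, so they should be reviewed rather than treated as failures automatically.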
From: https://blog.51cto.com/u_15222272/6129748