
k8s certificate expiration handling

Date: 2024-06-06 11:56:20

Problem

A cluster installed with kubeadm is issued certificates with a default validity of one year; once they expire, the cluster components can no longer communicate with each other.

Certificate repair procedure

1. Check the current certificate status

$ kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 16, 2024 14:06 UTC   <invalid>                               no      
apiserver                  Jul 01, 2024 07:38 UTC   25d             ca                      no      
apiserver-etcd-client      Feb 16, 2024 14:06 UTC   <invalid>       etcd-ca                 no      
apiserver-kubelet-client   Feb 16, 2024 14:06 UTC   <invalid>       ca                      no      
controller-manager.conf    Feb 16, 2024 14:06 UTC   <invalid>                               no      
etcd-healthcheck-client    Feb 16, 2024 14:06 UTC   <invalid>       etcd-ca                 no      
etcd-peer                  Feb 16, 2024 14:06 UTC   <invalid>       etcd-ca                 no      
etcd-server                Feb 16, 2024 14:06 UTC   <invalid>       etcd-ca                 no      
front-proxy-client         Feb 16, 2024 14:06 UTC   <invalid>       front-proxy-ca          no      
scheduler.conf             Feb 16, 2024 14:06 UTC   <invalid>                               no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 13, 2033 14:06 UTC   8y              no      
etcd-ca                 Feb 13, 2033 14:06 UTC   8y              no      
front-proxy-ca          Feb 13, 2033 14:06 UTC   8y              no

2. Renew the certificates

$ kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

3. Restart the control-plane components

Because the control-plane components are started as static pods, restarting the kubelet is enough to restart all of them:
systemctl restart kubelet
Re-check the expiry dates:

$ kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 06, 2025 03:10 UTC   364d                                    no      
apiserver                  Jun 06, 2025 03:10 UTC   364d            ca                      no      
apiserver-etcd-client      Jun 06, 2025 03:10 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Jun 06, 2025 03:10 UTC   364d            ca                      no      
controller-manager.conf    Jun 06, 2025 03:10 UTC   364d                                    no      
etcd-healthcheck-client    Jun 06, 2025 03:10 UTC   364d            etcd-ca                 no      
etcd-peer                  Jun 06, 2025 03:10 UTC   364d            etcd-ca                 no      
etcd-server                Jun 06, 2025 03:10 UTC   364d            etcd-ca                 no      
front-proxy-client         Jun 06, 2025 03:10 UTC   364d            front-proxy-ca          no      
scheduler.conf             Jun 06, 2025 03:10 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 13, 2033 14:06 UTC   8y              no      
etcd-ca                 Feb 13, 2033 14:06 UTC   8y              no      
front-proxy-ca          Feb 13, 2033 14:06 UTC   8y              no
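As an added check (not part of the original post): a small shell script that parses the table printed by kubeadm certs check-expiration and lists every certificate that is expired or inside a warning window, which is the monitoring step that turns this outage into a scheduled renewal. The sample table is a constructed, shortened copy of the "before" output shown above; /etc/kubernetes/pki is assumed to be the PKI directory (kubeadm's default).

```bash
#!/usr/bin/env bash
# Added example (not from the original post): flag kubeadm-managed certificates that
# are expired or close to expiry, by parsing the table that
# `kubeadm certs check-expiration` prints (same layout as shown above).

# Print "NAME RESIDUAL" for every certificate and CA with fewer than $1 days left.
# Data rows look like: NAME  Mon DD, YYYY HH:MM UTC  RESIDUAL  [CA]  EXTERNALLY-MANAGED
# so "UTC" is always field 6 and the residual time is field 7; kubeadm's own
# "[check-expiration] ..." log lines and the header rows never match that test.
certs_due() {
  awk -v limit="$1" '
    $6 == "UTC" {
      r = $7
      if (r == "<invalid>")        days = -1            # already expired
      else if (r ~ /^[0-9]+y$/)    days = substr(r, 1, length(r) - 1) * 365
      else if (r ~ /^[0-9]+d$/)    days = substr(r, 1, length(r) - 1) + 0
      else if (r ~ /^[0-9]+[hm]$/) days = 0             # hours/minutes left: due now
      else                         days = -1            # unknown format: flag it
      if (days < limit) print $1, r
    }'
}

# Same question answered straight from the certificate files, for the case the page
# shows where kubeadm cannot read the cluster config. /etc/kubernetes/pki is kubeadm's
# default PKI directory (assumed here); "openssl x509 -checkend N" exits non-zero when
# the certificate expires within N seconds.
pki_due() {
  limit="$1"; dir="${2:-/etc/kubernetes/pki}"
  find "$dir" -name '*.crt' | while read -r f; do
    openssl x509 -checkend $(( limit * 86400 )) -noout -in "$f" >/dev/null 2>&1 \
      || echo "$f"
  done
}

# Constructed sample: a shortened copy of the "before" table from this page.
SAMPLE='CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 16, 2024 14:06 UTC   <invalid>                               no
apiserver                  Jul 01, 2024 07:38 UTC   25d             ca                      no
apiserver-etcd-client      Feb 16, 2024 14:06 UTC   <invalid>       etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 13, 2033 14:06 UTC   8y              no'

# Offline demonstration on the sample with a 30-day warning window; on a control-plane
# node run:  kubeadm certs check-expiration | certs_due 30
printf '%s\n' "$SAMPLE" | certs_due 30
```

One thing the renew output above does not say: kubeadm certs renew all rewrites /etc/kubernetes/admin.conf, so a copy of it in ~/.kube/config must be refreshed by hand, and kubelet client certificates are not covered by that command at all (they rely on the kubelet's own rotation).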

From: https://www.cnblogs.com/f66666/p/18234867
