
KubeSphere + Kubernetes cluster: renewing certificates

Date: 2022-10-27 10:00:10

Reproducing the problem

Error message when using Kubernetes:

yang@master:~$ kubectl get nodes

Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2022-10-25T09:04:19+08:00 is after 2022-09-25T08:17:20Z

Solution:

I. Check the certificate expiration dates

yang@master:~$ sudo kubeadm certs check-expiration
[sudo] password for yang: 
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1027 09:27:32.225497   46147 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 25, 2023 08:17 UTC   363d            ca                      no      
apiserver                  Oct 25, 2023 08:17 UTC   363d            ca                      no      
apiserver-kubelet-client   Oct 25, 2023 08:17 UTC   363d            ca                      no      
controller-manager.conf    Oct 25, 2023 08:17 UTC   363d            ca                      no      
front-proxy-client         Oct 25, 2023 08:17 UTC   363d            front-proxy-ca          no      
scheduler.conf             Oct 25, 2023 08:17 UTC   363d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 22, 2032 08:17 UTC   9y              no      
front-proxy-ca          Oct 22, 2032 08:17 UTC   9y              no      
yang@master:~$ kubectl get nodes
NAME     STATUS   ROLES                         AGE   VERSION
master   Ready    control-plane,master,worker   41h   v1.22.10
node     Ready    worker                        39h   v1.22.10

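II. Back up the existing certificates and generate new ones

1. Back up the existing certificates (copy /etc/kubernetes into /home/config-back, preserving ownership and permissions)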

yang@master:~$ ll /etc/kubernetes/
total 292
drwxr-xr-x   5 kube root   4096 Oct 25 16:18 ./
drwxr-xr-x 101 root root   4096 Oct 26 10:38 ../
drwxrwxr-x   2 kube root   4096 Oct 25 16:18 addons/
-rw-------   1 kube root   5659 Oct 25 16:17 admin.conf
-rw-------   1 kube root   5681 Oct 25 16:17 controller-manager.conf
-rw-r--r--   1 kube root    925 Oct 25 16:18 coredns-svc.yaml
-rw-r--r--   1 kube root   2670 Oct 25 16:17 kubeadm-config.yaml
-rw-------   1 kube root   1979 Oct 25 16:18 kubelet.conf
drwxr-xr-x   2 kube root   4096 Oct 25 16:17 manifests/
-rw-r--r--   1 kube root 230001 Oct 25 16:18 network-plugin.yaml
-rw-r--r--   1 kube root   1040 Oct 25 16:18 nodelocaldnsConfigmap.yaml
-rw-r--r--   1 kube root   2775 Oct 25 16:18 nodelocaldns.yaml
drwxr-xr-x   2 kube root   4096 Oct 25 16:17 pki/
-rw-------   1 kube root   5633 Oct 25 16:17 scheduler.conf
yang@master:/home$ sudo mkdir config-back
yang@master:/home$ cd
yang@master:~$ ll /home/config-back/kubernetes/
total 292
drwxr-xr-x 5 kube root   4096 Oct 25 16:18 ./
drwxr-xr-x 3 root root   4096 Oct 27 09:29 ../
drwxrwxr-x 2 kube root   4096 Oct 25 16:18 addons/
-rw------- 1 kube root   5659 Oct 25 16:17 admin.conf
-rw------- 1 kube root   5681 Oct 25 16:17 controller-manager.conf
-rw-r--r-- 1 kube root    925 Oct 25 16:18 coredns-svc.yaml
-rw-r--r-- 1 kube root   2670 Oct 25 16:17 kubeadm-config.yaml
-rw------- 1 kube root   1979 Oct 25 16:18 kubelet.conf
drwxr-xr-x 2 kube root   4096 Oct 25 16:17 manifests/
-rw-r--r-- 1 kube root 230001 Oct 25 16:18 network-plugin.yaml
-rw-r--r-- 1 kube root   1040 Oct 25 16:18 nodelocaldnsConfigmap.yaml
-rw-r--r-- 1 kube root   2775 Oct 25 16:18 nodelocaldns.yaml
drwxr-xr-x 2 kube root   4096 Oct 25 16:17 pki/
-rw------- 1 kube root   5633 Oct 25 16:17 scheduler.conf

2. Generate new certificates

yang@master:~$ sudo  kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1027 09:29:53.913902   49108 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

III. Check the certificate validity period

yang@master:~$ sudo kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1027 09:31:31.191076   51350 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 27, 2023 01:29 UTC   364d            ca                      no      
apiserver                  Oct 27, 2023 01:29 UTC   364d            ca                      no      
apiserver-kubelet-client   Oct 27, 2023 01:29 UTC   364d            ca                      no      
controller-manager.conf    Oct 27, 2023 01:29 UTC   364d            ca                      no      
front-proxy-client         Oct 27, 2023 01:29 UTC   364d            front-proxy-ca          no      
scheduler.conf             Oct 27, 2023 01:29 UTC   364d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 22, 2032 08:17 UTC   9y              no      
front-proxy-ca          Oct 22, 2032 08:17 UTC   9y              no 
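
To catch the expiry shown in steps I and III before it breaks kubectl, the check-expiration table can be parsed and checked against a threshold. This is an added example, not part of the original post: the function names are hypothetical, the sample table is constructed in the format shown above, and a year is approximated as 365 days.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): list certificates whose
# RESIDUAL TIME in `kubeadm certs check-expiration` output is under N days.
# Real use: sudo kubeadm certs check-expiration 2>/dev/null | expiring_certs 30

# Convert a residual-time token (363d, 9y, 23h, <invalid>) to whole days.
# Assumption: kubeadm prints s/m/h/d/y suffixes and "<invalid>" once expired.
residual_days() {
  case "$1" in
    *y) echo $(( ${1%y} * 365 )) ;;
    *d) echo "${1%d}" ;;
    *h|*m|*s) echo 0 ;;
    *) echo -1 ;;  # "<invalid>" or unparsable: treat as already expired
  esac
}

# Read check-expiration output on stdin; print "name days" per row under $1 days.
expiring_certs() {
  # Data rows look like: NAME  Mon DD, YYYY HH:MM UTC  RESIDUAL  ...
  # Header, log and warning lines do not match and are skipped.
  awk '$2 ~ /^[A-Z][a-z][a-z]$/ && $6 == "UTC" { print $1, $7 }' |
  while read -r name residual; do
    days=$(residual_days "$residual")
    if [ "$days" -lt "$1" ]; then echo "$name $days"; fi
  done
}

# Exit status 0 only if nothing is under the threshold (for cron or monitoring).
certs_ok() {
  [ -z "$(expiring_certs "$1")" ]
}

# Constructed sample in the table format shown above (values are made up).
sample_output() {
  cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 25, 2023 08:17 UTC   363d            ca                      no
apiserver                  Sep 25, 2022 08:17 UTC   <invalid>       ca                      no
front-proxy-client         Nov 10, 2022 08:17 UTC   14d             front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 22, 2032 08:17 UTC   9y              no
EOF
}
```

With the constructed sample and a 30-day threshold, the expired apiserver row and the 14-day front-proxy-client row are reported, while admin.conf and the CA are not.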

IV. Replace the old kubeconfig credentials with the renewed ones

yang@master:~$ sudo cp -a ~/.kube/config /home/config-back/
yang@master:~$ sudo cp /etc/kubernetes/admin.conf  ~/.kube/config

V. Check the cluster status

yang@master:~$ kubectl  get nodes
NAME     STATUS   ROLES                         AGE   VERSION
master   Ready    control-plane,master,worker   41h   v1.22.10
node     Ready    worker                        39h   v1.22.10

 

From: https://www.cnblogs.com/yangzp/p/16831127.html
