Renewing expired Kubernetes certificates

Posted 冬眠的熊哎


It was reported that the Kubernetes (k8s) API could not be called.

[root@master ~]# kubectl get node
The connection to the server IP:6443 was refused - did you specify

kubectl commands could not be executed. Checking the state of kubelet.service showed it as running.

[root@master ~]# systemctl start kubelet.service

Checking the kubelet log showed that the Kubernetes certificates had expired.

[root@master ~]# journalctl -xeu kubelet
Part of the existing bootstrap client certificate is expired: 2022-06-28 06:21:42 +0000 UTC
6月 28 16:58:09 master kubelet[3733]: F0628 16:58:09.640047 3733 server.go:265] failed to run Kubelet: unable to load bootstrap kubeconfig: stat /etc/kubernetes/bootstrap-kubelet.conf:
6月 28 16:58:09 master systemd[1]: kubelet.service: main process exited, code=exited, status=255/n/a
6月 28 16:58:09 master systemd[1]: Unit kubelet.service entered failed state.
6月 28 16:58:09 master systemd[1]: kubelet.service failed.

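I recommend a handy script that renews the certificates generated by kubeadm with a validity period of 10 years. The script only needs to be run on the master node; it does not need to be run on the worker nodes.
Script: https://github.com/yuyicai/update-kube-cert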

[root@master ~]# ./update-kubeadm-cert.sh all
CERTIFICATE                                       EXPIRES                       
/etc/kubernetes/controller-manager.config         Jun 28 06:21:43 2022 GMT      
/etc/kubernetes/scheduler.config                  Jun 28 06:21:43 2022 GMT      
/etc/kubernetes/admin.config                      Jun 28 06:21:42 2022 GMT      
/etc/kubernetes/pki/ca.crt                        Jun 26 06:21:39 2031 GMT      
/etc/kubernetes/pki/apiserver.crt                 Jun 28 06:21:40 2022 GMT      
/etc/kubernetes/pki/apiserver-kubelet-client.crt  Jun 28 06:21:39 2022 GMT      
/etc/kubernetes/pki/front-proxy-ca.crt            Jun 26 06:21:40 2031 GMT      
/etc/kubernetes/pki/front-proxy-client.crt        Jun 28 06:21:40 2022 GMT      
/etc/kubernetes/pki/etcd/ca.crt                   Jun 26 06:21:41 2031 GMT      
/etc/kubernetes/pki/etcd/server.crt               Jun 28 06:21:41 2022 GMT      
/etc/kubernetes/pki/etcd/peer.crt                 Jun 28 06:21:41 2022 GMT      
/etc/kubernetes/pki/etcd/healthcheck-client.crt   Jun 28 06:21:41 2022 GMT      
/etc/kubernetes/pki/apiserver-etcd-client.crt     Jun 28 06:21:41 2022 GMT      
[2022-06-28T17:03:33.38+0800][INFO] backup /etc/kubernetes to /etc/kubernetes.old-20220628
[2022-06-28T17:03:33.38+0800][INFO] updating...
[2022-06-28T17:03:33.45+0800][INFO] updated /etc/kubernetes/pki/etcd/server.conf
[2022-06-28T17:03:33.52+0800][INFO] updated /etc/kubernetes/pki/etcd/peer.conf
[2022-06-28T17:03:33.58+0800][INFO] updated /etc/kubernetes/pki/etcd/healthcheck-client.conf
[2022-06-28T17:03:33.64+0800][INFO] updated /etc/kubernetes/pki/apiserver-etcd-client.conf
[2022-06-28T17:03:33.73+0800][INFO] restarted etcd
[2022-06-28T17:03:33.80+0800][INFO] updated /etc/kubernetes/pki/apiserver.crt
[2022-06-28T17:03:33.86+0800][INFO] updated /etc/kubernetes/pki/apiserver-kubelet-client.crt
[2022-06-28T17:03:33.93+0800][INFO] updated /etc/kubernetes/controller-manager.conf
[2022-06-28T17:03:34.00+0800][INFO] updated /etc/kubernetes/scheduler.conf
[2022-06-28T17:03:34.05+0800][INFO] updated /etc/kubernetes/admin.conf
[2022-06-28T17:03:34.06+0800][INFO] backup /root/.kube/config to /root/.kube/config.old-20220628
[2022-06-28T17:03:34.06+0800][INFO] copy the admin.conf to /root/.kube/config
[2022-06-28T17:03:34.12+0800][INFO] updated /etc/kubernetes/kubelet.conf
[2022-06-28T17:03:34.17+0800][INFO] updated /etc/kubernetes/pki/front-proxy-client.crt
[2022-06-28T17:03:34.25+0800][INFO] restarted apiserver
[2022-06-28T17:03:34.58+0800][INFO] restarted controller-manager
[2022-06-28T17:03:34.88+0800][INFO] restarted scheduler
[2022-06-28T17:03:34.89+0800][INFO] restarted kubelet
[2022-06-28T17:03:34.89+0800][INFO] done!!!
CERTIFICATE                                       EXPIRES                       
/etc/kubernetes/controller-manager.config         Jun 25 09:03:33 2032 GMT      
/etc/kubernetes/scheduler.config                  Jun 25 09:03:33 2032 GMT      
/etc/kubernetes/admin.config                      Jun 25 09:03:34 2032 GMT      
/etc/kubernetes/pki/ca.crt                        Jun 26 06:21:39 2031 GMT      
/etc/kubernetes/pki/apiserver.crt                 Jun 25 09:03:33 2032 GMT      
/etc/kubernetes/pki/apiserver-kubelet-client.crt  Jun 25 09:03:33 2032 GMT      
/etc/kubernetes/pki/front-proxy-ca.crt            Jun 26 06:21:40 2031 GMT      
/etc/kubernetes/pki/front-proxy-client.crt        Jun 25 09:03:34 2032 GMT      
/etc/kubernetes/pki/etcd/ca.crt                   Jun 26 06:21:41 2031 GMT      
/etc/kubernetes/pki/etcd/server.crt               Jun 25 09:03:33 2032 GMT      
/etc/kubernetes/pki/etcd/peer.crt                 Jun 25 09:03:33 2032 GMT      
/etc/kubernetes/pki/etcd/healthcheck-client.crt   Jun 25 09:03:33 2032 GMT      
/etc/kubernetes/pki/apiserver-etcd-client.crt     Jun 25 09:03:33 2032 GMT
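
The outage above was only noticed once the API server refused connections. As an added example (not part of this post or of update-kubeadm-cert.sh), the following check reports certificates under a kubeadm-style directory that are expired or close to expiry, reading both the .crt files and the certificates embedded in the kubeconfig files. The function names, the 30-day default threshold and the availability of openssl and base64 are assumptions.

```shell
#!/bin/sh
# Added example (not part of update-kubeadm-cert.sh): flag kubeadm
# certificates that are expired or close to expiry.
# Assumptions: openssl and base64 are installed; the 30-day default
# threshold and the function names are illustrative.

# Print the PEM certificate in FILE: a plain .crt, or the base64
# client-certificate-data field embedded in a kubeconfig.
cert_pem() {
    if grep -q 'client-certificate-data:' "$1"; then
        awk '/client-certificate-data:/ {print $2; exit}' "$1" | base64 -d
    else
        cat "$1"
    fi
}

# check_cert FILE DAYS
# Returns 0 if the certificate outlives DAYS days, 1 if it is expired or
# expires within DAYS days, 2 if FILE holds no readable certificate
# (e.g. a kubeconfig that points at an external client-certificate file).
check_cert() {
    pem=$(cert_pem "$1" 2>/dev/null) || return 2
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null) || return 2
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend "$(($2 * 86400))" >/dev/null 2>&1; then
        printf 'OK     %-52s %s\n' "$1" "${end#notAfter=}"
        return 0
    fi
    printf 'RENEW  %-52s %s\n' "$1" "${end#notAfter=}"
    return 1
}

# scan_certs DIR [DAYS]: check every kubeconfig and certificate under a
# kubeadm-style directory; returns non-zero if any needs renewal.
scan_certs() {
    dir=$1; days=${2:-30}; bad=0
    for f in "$dir"/*.conf "$dir"/pki/*.crt "$dir"/pki/etcd/*.crt; do
        [ -f "$f" ] || continue
        st=0; check_cert "$f" "$days" || st=$?
        if [ "$st" -eq 1 ]; then bad=$((bad + 1)); fi
    done
    echo "$bad certificate(s) expired or expiring within $days days"
    [ "$bad" -eq 0 ]
}

# Example: sh check-certs.sh /etc/kubernetes 30
if [ $# -gt 0 ]; then scan_certs "$@"; fi
```

Run from cron or a monitoring agent on the master node, the non-zero exit status can drive an alert before the certificates lapse.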
