因为是笔记本虚拟机搭建所以好久没打开k8s集群了,开机后先是提示:Unable to connect to the server: x509: certificate has expired or is not yet,一会后就提示:The connection to the server 192.168.37.201:6443 was refused - did you specify the right host or port?,排查后发现为证书过期。
1:先查看集群证书过期时间:
sudo openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '
输出:
Not Before: May 24 03:32:37 2019 GMT
Not After : May 23 03:32:38 2020 GMT
2:在当前目录编辑kubeadm.conf配置文件:
sion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
kubernetesVersion: v1.15.0 # kubernetes 版本
apiServer:
certSANs:
- 192.168.10.xxx # master 所有节点IP地址,包括master和slave
- 192.168.10.xxx # slave1
- 192.168.10.xxx # slave2
extraArgs:
service-node-port-range: 80-32767
advertise-address: 0.0.0.0
controlPlaneEndpoint: "192.168.10.xxx:6443" # APIserver 地址,也就是master节点地址
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers #这里使用国内阿里云的镜像仓库
3:更新证书
kubeadm alpha certs renew all --config kubeadm.conf
sudo openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '
输出:
Not Before: Jun 24 10:55:40 2019 GMT
Not After : Jul 27 08:37:35 2021 GMT
4:重新生成配置文件
mv /etc/kubernetes/*.conf ~/.
kubeadm init phase kubeconfig all --config kubeadm.conf
5:更新.kube下的配置文件:
mv $HOME/.kube/config $HOME/.kube/config.old
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
6:重启kube-apiserver,kube-controller,kube-scheduler,etcd这4个容器:(一定要ps -a要不有可能服务容器没启动)
docker ps -a | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash
7:重启容器后发现节点都为NotReady状态
[root@k8s-master kubernetes]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master NotReady master 384d v1.15.0
k8s-node1 NotReady node 384d v1.15.0
[root@k8s-master pki]# cd /var/lib/kubelet/pki/
[root@k8s-master pki]# ls
kubelet-client-2019-12-17-18-50-01.pem kubelet-client-2019-12-17-18-50-52.pem
kubelet-client-current.pem kubelet.crt kubelet.key
8:master节点中kubelet证书也需要更新,重新生成证书,删除kubelet配置文件kubelet会向apiserver发起一个csr
[root@k8s-master pki]# mkdir bakup
[root@k8s-master pki]# mv kubelet* bakup/
[root@k8s-master pki]# lsbakup
[root@k8s-master pki]# systemctl restart kubelet
[root@k8s-master pki]# systemctl status kubelet
[root@k8s-master pki]# openssl x509 -in kubelet.crt -noout -text |grep ' Not ' Not Before: Jan 5 09:25:07 2021 GMT Not After : Jan 5 09:25:07 2022 GMT
//查看未授权的CSR请求:
[root@k8s-master pki]# kubectl get csr
//approve CSR 请求,有则同意,没有则不管:
[root@k8s-master pki]# kubectl certificate approve csr-4pw6gNAME AGE REQUESTOR CONDITIONcsr-4pw6g 1h kubelet-bootstrap Approved,Issued
//验证结果
[root@k8s-master kubernetes]# kubectl get nodes
NAME STATUS ROLES AGE VERSIONk8s-master Ready master 384d v1.15.0
9:master节点就更新完成了,然后获取token在更新slave节点时要用
[root@k8s-master kubernetes]# kubeadm token create
[root@k8s-master kubernetes]# kubeadm token listTOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPSyszrm3.d1zaj2uwj1pfo627 23h 2021-01-06T18:14:57+08:00 authentication,signing system:bootstrappers:kubeadm:default-node-token
10:node节点添加进集群(需删除原先kubelet配置文件,否则加入失败)
[root@k8s-node2 ~]# rm -rf /etc/kubernetes/kubelet.conf
[root@k8s-node2 ~]# rm -rf /etc/kubernetes/pki/ca.crt
[root@k8s-node2 ~]# rm -rf /etc/kubernetes/bootstrap-kubelet.conf
[root@k8s-node2 ~]# systemctl stop kubelet
[root@k8s-node2 ~]# kubeadm join --token=yszrm3.d1zaj2uwj1pfo627 192.168.10.XXX:6443 --node-name k8s-node2 --discovery-token-unsafe-skip-ca-verification
11:验证结果
[root@k8s-master kubernetes]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 384d v1.15.0
k8s-node1 Ready node 384d v1.15.0
k8s-node2 Ready 11m v1.15.0