I. Kubernetes certificate details
1. Listing the certificates
tree /etc/kubernetes/pki/
/etc/kubernetes/pki/
├── apiserver.crt
├── apiserver-etcd-client.crt
├── apiserver-etcd-client.key
├── apiserver.key
├── apiserver-kubelet-client.crt
├── apiserver-kubelet-client.key
├── ca.crt
├── ca.key
├── etcd
│ ├── ca.crt
│ ├── ca.key
│ ├── healthcheck-client.crt
│ ├── healthcheck-client.key
│ ├── peer.crt
│ ├── peer.key
│ ├── server.crt
│ └── server.key
├── front-proxy-ca.crt
├── front-proxy-ca.key
├── front-proxy-client.crt
├── front-proxy-client.key
├── sa.key
└── sa.pub
2. Validity period of each certificate
/etc/kubernetes/pki/apiserver.crt #valid for 1 year
/etc/kubernetes/pki/front-proxy-ca.crt #valid for 10 years
/etc/kubernetes/pki/ca.crt #valid for 10 years
/etc/kubernetes/pki/apiserver-etcd-client.crt #valid for 1 year
/etc/kubernetes/pki/front-proxy-client.crt #valid for 1 year
/etc/kubernetes/pki/etcd/server.crt #valid for 1 year
/etc/kubernetes/pki/etcd/ca.crt #valid for 10 years
/etc/kubernetes/pki/etcd/peer.crt #valid for 1 year
/etc/kubernetes/pki/etcd/healthcheck-client.crt #valid for 1 year
/etc/kubernetes/pki/apiserver-kubelet-client.crt #valid for 1 year
3. Checking the expiration date of each certificate
kubeadm alpha certs check-expiration
[root@master01 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 24, 2023 16:12 UTC   275d                                    no
apiserver                  Jan 24, 2023 16:12 UTC   275d            ca                      no
apiserver-etcd-client      Jan 24, 2023 16:12 UTC   275d            etcd-ca                 no
apiserver-kubelet-client   Jan 24, 2023 16:12 UTC   275d            ca                      no
controller-manager.conf    Jan 24, 2023 16:12 UTC   275d                                    no
etcd-healthcheck-client    Jan 24, 2023 16:12 UTC   275d            etcd-ca                 no
etcd-peer                  Jan 24, 2023 16:12 UTC   275d            etcd-ca                 no
etcd-server                Jan 24, 2023 16:12 UTC   275d            etcd-ca                 no
front-proxy-client         Jan 24, 2023 16:12 UTC   275d            front-proxy-ca          no
scheduler.conf             Jan 24, 2023 16:12 UTC   275d                                    no

CERTIFICATE AUTHORITY      EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                         Apr 14, 2030 02:18 UTC   7y              no
etcd-ca                    Apr 14, 2030 02:18 UTC   7y              no
front-proxy-ca             Apr 14, 2030 02:18 UTC   7y              no
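As an added example (not part of the original notes), the following script reproduces the check above with openssl alone, so it works on a control-plane node without kubeadm and does not need the API server to be reachable. It assumes the kubeadm layout under /etc/kubernetes; the 30-day threshold and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: flag kubeadm certificates that
# expire within a threshold using only openssl. Covers the PEM files under
# pki/ and pki/etcd/ plus the client certs embedded in admin.conf,
# controller-manager.conf and scheduler.conf (the entries the kubeadm
# check-expiration table lists). Threshold and function names are my own.
set -u

# Exit 0 when the PEM certificate read from stdin expires within $1 days.
# `openssl x509 -checkend N` exits 1 if the cert expires within N seconds.
cert_expires_within() {
  local days="$1"
  ! openssl x509 -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Report one cert read from stdin as "<label> <notAfter> ok|RENEW".
# Returns 1 when the cert needs renewal.
report_cert() {
  local label="$1" days="$2" pem enddate status=ok
  pem=$(cat)
  enddate=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | cut -d= -f2)
  if printf '%s\n' "$pem" | cert_expires_within "$days"; then status=RENEW; fi
  printf '%-28s %-26s %s\n' "$label" "$enddate" "$status"
  [ "$status" = ok ]
}

# Walk a kubeadm /etc/kubernetes tree (default threshold 30 days).
# Returns 1 if any certificate needs renewal.
check_kubeadm_certs() {
  local k8s_dir="${1:-/etc/kubernetes}" days="${2:-30}" rc=0 f
  for f in "$k8s_dir"/pki/*.crt "$k8s_dir"/pki/etcd/*.crt; do
    [ -f "$f" ] || continue
    report_cert "${f#"$k8s_dir"/}" "$days" < "$f" || rc=1
  done
  # kubeconfig files carry their client cert base64-encoded inline
  for f in admin.conf controller-manager.conf scheduler.conf; do
    [ -f "$k8s_dir/$f" ] || continue
    awk '/client-certificate-data/ {print $2; exit}' "$k8s_dir/$f" | base64 -d \
      | report_cert "$f" "$days" || rc=1
  done
  return "$rc"
}
```

Run `check_kubeadm_certs /etc/kubernetes 30` on each master; a non-zero exit means at least one entry is within 30 days of expiry and method one below should be scheduled.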
II. Renewing certificates, method one (certificates not yet expired)
1. Export the cluster configuration (master01)
kubeadm config view > /tmp/cluster.yaml
2. Back up the existing certificate files (master01)
cp -rp /etc/kubernetes /etc/kubernetes-$(date +%Y%m%d).bak
3. Back up the etcd data directory (master01)
cp -r /var/lib/etcd /var/lib/etcd-$(date +%Y%m%d).bak
4. Renew all certificates (master01)
kubeadm alpha certs renew all --config=/tmp/cluster.yaml
5. Confirm the certificates were renewed (master01)
kubeadm alpha certs check-expiration
6. Renew the other master nodes (repeat the same steps on each)
scp /tmp/cluster.yaml [email protected]:/tmp
cp -rp /etc/kubernetes /etc/kubernetes-$(date +%Y%m%d).bak
cp -r /var/lib/etcd /var/lib/etcd-$(date +%Y%m%d).bak
kubeadm alpha certs renew all --config=/tmp/cluster.yaml
kubeadm alpha certs check-expiration
7. On all three masters, restart the four containers kube-apiserver, kube-controller-manager, kube-scheduler and etcd so that the new certificates take effect
It is recommended to restart etcd first, then kube-apiserver, kube-controller-manager and kube-scheduler.
Restart the etcd database
docker ps |grep -E 'k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart
Restart kube-apiserver, kube-controller-manager and kube-scheduler
docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler' | awk -F ' ' '{print $1}' |xargs docker restart
III. Renewing certificates, method two (certificates already expired)
1. Set the system clock back to a time within the certificates' validity period (do this on all three master nodes so that the certificates are valid again)
date -s "2022-04-25"
2. Back up the configuration file
kubeadm config view > /root/kubeadm.yaml
3. Back up the existing certificates
cp -rp /etc/kubernetes /etc/kubernetes-$(date +%Y%m%d).bak
4. Back up the etcd database
cp -r /var/lib/etcd /var/lib/etcd-$(date +%Y%m%d).bak
5. Renew the certificates
kubeadm alpha certs renew all
6. Restart the apiserver, kube-controller-manager, kube-scheduler and etcd containers
docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | xargs docker restart
7. After running this, the etcd container kept restarting and did not come up properly; restart docker and kubelet
systemctl restart docker && systemctl restart kubelet
8. Synchronise the system clock again
ntpdate ntp1.aliyun.com
9. Confirm the cluster state
kubectl get node
kubectl get pod -n kube-system