Background

When logging in to the test environment to view pods, the following error is reported:

Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-03-16T23:18:09+08:00 is after 2023-02-23T14:45:50Z


Checking shows that the certificates on the k8s master node have expired.

Official Kubernetes documentation on resolving expired certificates: click to view

Log in to the master server and look in /etc/kubernetes/:

[root@k8s-master1 ~]# cd /etc/kubernetes
[root@k8s-master1 kubernetes]# ls
admin.conf controller-manager.conf kubelet.conf manifests pki scheduler.conf
[root@k8s-master1 kubernetes]# cd pki/
[root@k8s-master1 pki]# openssl x509 -in apiserver.crt -noout -text |grep ' Not ' # check whether it has expired
Not Before: Feb 23 14:45:50 2022 GMT
Not After : Feb 23 14:45:50 2023 GMT
[root@k8s-master1 pki]# kubeadm certs check-expiration # check whether the certificates have expired
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Feb 23, 2023 14:45 UTC no
apiserver Feb 23, 2023 14:45 UTC ca no
!MISSING! apiserver-etcd-client
apiserver-kubelet-client Feb 23, 2023 14:45 UTC ca no
controller-manager.conf Feb 23, 2023 14:45 UTC no
!MISSING! etcd-healthcheck-client
!MISSING! etcd-peer
!MISSING! etcd-server
front-proxy-client Feb 23, 2023 14:45 UTC front-proxy-ca no
scheduler.conf Feb 23, 2023 14:45 UTC no

CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Feb 21, 2032 14:45 UTC 8y no
!MISSING! etcd-ca
front-proxy-ca Feb 21, 2032 14:45 UTC 8y no
[root@k8s-master1 pki]#

The check shows that the k8s master component certificates have expired.

  1. Back up all files under the /etc/kubernetes/pki directory.
  2. Manually renew all certificates by running:
kubeadm certs renew all
  3. Check whether the certificate validity period has been updated:
[root@k8s-master1 pki]# openssl x509 -in apiserver.crt -noout -text |grep ' Not '   # check whether it has expired
Not Before: Feb 23 14:45:50 2022 GMT
Not After : Mar 15 15:37:05 2024 GMT
  4. On the master node, back up all configuration files under the /etc/kubernetes directory.
  5. Update the user configuration by running the following commands:
kubeadm kubeconfig user --client-name=admin
kubeadm kubeconfig user --org system:masters --client-name kubernetes-admin > /etc/kubernetes/admin.conf
kubeadm kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf
kubeadm kubeconfig user --org system:nodes --client-name system:node:$(hostname) > /etc/kubernetes/kubelet.conf
kubeadm kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf
  6. Replace the /root/.kube/config file with the updated admin.conf:
cp -i /etc/kubernetes/admin.conf /root/.kube/config
  7. Restart the apiserver and scheduler system components on all master nodes. For k8s deployed the regular way from tar packages, the following commands restart them:
systemctl restart kube-apiserver
systemctl restart kube-scheduler

At this point, the certificate renewal is fully complete.
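
To catch this before the API server stops answering, the following added example (not code from the original post) audits the same files the steps above repair: it reads the `Not After` date that `openssl x509` reports for every certificate under `/etc/kubernetes/pki` and for client certificates embedded in the `*.conf` kubeconfig files. The 30-day warning threshold and all function names are assumptions of this example.

```python
import base64, re, subprocess, sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

K8S_DIR = Path("/etc/kubernetes")   # directory layout shown in the post
WARN = timedelta(days=30)           # assumed alert threshold, tune as needed

def parse_not_after(text):
    """Extract the expiry from `openssl x509 -text` or `-enddate` output."""
    m = re.search(
        r"(?:Not After\s*:|notAfter=)\s*(\w{3}\s+\d+ [\d:]{8} \d{4}) GMT",
        text)
    if not m:
        raise ValueError("no Not After field found")
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def classify(not_after, now, warn=WARN):
    """Return (status, remaining) where status is EXPIRED, EXPIRING or OK."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "EXPIRED", remaining
    return ("EXPIRING" if remaining <= warn else "OK"), remaining

def embedded_client_certs(kubeconfig_text):
    """PEM client certificates stored inline in a kubeconfig (admin.conf etc.)."""
    return [base64.b64decode(b).decode()
            for b in re.findall(r"client-certificate-data:\s*(\S+)", kubeconfig_text)]

def openssl_enddate(pem):
    """Ask the local openssl binary for the end date of one PEM certificate."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                         input=pem, capture_output=True, text=True, check=True)
    return parse_not_after(out.stdout)

def audit(root=K8S_DIR, now=None):
    """Classify every on-disk and kubeconfig-embedded certificate under root."""
    now = now or datetime.now(timezone.utc)
    pems = {str(p): p.read_text() for p in sorted((root / "pki").rglob("*.crt"))}
    for conf in sorted(root.glob("*.conf")):
        for i, pem in enumerate(embedded_client_certs(conf.read_text())):
            pems[f"{conf}#{i}"] = pem
    return {name: classify(openssl_enddate(pem), now) for name, pem in pems.items()}

if __name__ == "__main__":
    results = audit()
    for name, (status, remaining) in results.items():
        print(f"{status:9} {remaining.days:5}d  {name}")
    sys.exit(1 if any(s != "OK" for s, _ in results.values()) else 0)
```

Run it as root on each master node, for example from cron; the exit status is non-zero when any certificate is expired or inside the warning window.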