root@master01:~# kubectl get nodes
E0828 10:29:54.481489 47445 memcache.go:265] couldn't get current server API group list: Get "https://192.168.91.150:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-08-28T10:29:54+08:00 is after 2024-08-09T06:16:19Z
E0828 10:29:54.490936 47445 memcache.go:265] couldn't get current server API group list: Get "https://192.168.91.150:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-08-28T10:29:54+08:00 is after 2024-08-09T06:16:19Z
E0828 10:29:54.504782 47445 memcache.go:265] couldn't get current server API group list: Get "https://192.168.91.150:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-08-28T10:29:54+08:00 is after 2024-08-09T06:16:19Z
E0828 10:29:54.521207 47445 memcache.go:265] couldn't get current server API group list: Get "https://192.168.91.150:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-08-28T10:29:54+08:00 is after 2024-08-09T06:16:19Z
E0828 10:29:54.530188 47445 memcache.go:265] couldn't get current server API group list: Get "https://192.168.91.150:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-08-28T10:29:54+08:00 is after 2024-08-09T06:16:19Z
Unable to connect to the server: tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-08-28T10:29:54+08:00 is after 2024-08-09T06:16:19Z
Running kubectl get nodes on the master01 node returns the following:
E0828 10:29:54.481489 47445 memcache.go:265] couldn't get current server API group list: Get "https://192.168.91.150:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-08-28T10:29:54+08:00 is after 2024-08-09T06:16:19Z
This message means the error is caused by the certificate having expired or not yet being valid: the current time is 2024-08-28 10:15:16, while the certificate's validity ended at 2024-08-09 06:16:19.
Check certificate expiry
root@master01:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Aug 09, 2024 06:16 UTC <invalid> ca no
apiserver Aug 09, 2024 06:16 UTC <invalid> ca no
apiserver-etcd-client Aug 09, 2024 06:16 UTC <invalid> etcd-ca no
apiserver-kubelet-client Aug 09, 2024 06:16 UTC <invalid> ca no
controller-manager.conf Aug 09, 2024 06:16 UTC <invalid> ca no
etcd-healthcheck-client Aug 09, 2024 06:16 UTC <invalid> etcd-ca no
etcd-peer Aug 09, 2024 06:16 UTC <invalid> etcd-ca no
etcd-server Aug 09, 2024 06:16 UTC <invalid> etcd-ca no
front-proxy-client Aug 09, 2024 06:16 UTC <invalid> front-proxy-ca no
scheduler.conf Aug 09, 2024 06:16 UTC <invalid> ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Aug 07, 2033 06:16 UTC 8y no
etcd-ca Aug 07, 2033 06:16 UTC 8y no
front-proxy-ca Aug 07, 2033 06:16 UTC 8y no
Explanation:
1. Certificate list: lists the certificates used in the Kubernetes cluster, including the admin certificate (admin.conf), the API server certificate (apiserver), the certificate used to talk to etcd (apiserver-etcd-client), the certificate the API server uses to talk to the kubelet (apiserver-kubelet-client), and so on.
2. Expiry time: each certificate has an expected expiry time. For example, the apiserver certificate expires at Aug 09, 2024 06:16 UTC.
3. Residual time: shows the remaining validity of each certificate; here it is shown as <invalid>, which may mean the certificate has already expired or that a problem was encountered during the check.
4. Certificate authority (CA): shows which CA signed the certificate. For example, the apiserver certificate is signed by ca.
5. Externally managed: indicates whether the certificate is managed by an external system. Here no means these certificates are not externally managed.
6. Certificate authority (CA) list: shows the CA certificates in the cluster, including the main CA (ca), the etcd CA (etcd-ca) and the front-proxy CA (front-proxy-ca), together with their expiry times and residual validity.
7. Error message: at the start of the check there is an error saying the configuration could not be read from the cluster, but the command falls back to the default configuration.
8. Configuration hint: if you need to view or modify the cluster's kubeadm configuration, you can use kubectl to view or edit the kubeadm-config ConfigMap in the kube-system namespace.
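As an added example (not part of the original post), the function below parses the text output of kubeadm certs check-expiration and flags certificates that are already expired or have fewer than a given number of days left, so that expiry is noticed before kubectl starts failing as above. The SAMPLE output is constructed for this example; the residual-time units (s, m, h, d, y) follow the short duration format kubeadm prints.

```shell
# Constructed sample of `kubeadm certs check-expiration` output (not from a real cluster).
SAMPLE='[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 09, 2024 06:16 UTC   <invalid>       ca                      no
apiserver                  Sep 20, 2025 03:15 UTC   23d             ca                      no
etcd-server                Aug 28, 2025 03:15 UTC   364d            etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 07, 2033 06:16 UTC   8y              no'

# flag_certs THRESHOLD_DAYS   (reads check-expiration output on stdin)
# Prints "<name> EXPIRED" when the residual time is <invalid>, or
# "<name> <residual>" when fewer than THRESHOLD_DAYS remain.
# Works for both tables: the residual time is always the 7th field.
flag_certs() {
  awk -v thr="$1" '
    /^CERTIFICATE/ || /^\[/ || NF < 7 { next }   # headers, status lines, blank lines
    {
      name = $1; res = $7
      if (res == "<invalid>") { print name, "EXPIRED"; next }
      unit = substr(res, length(res), 1)             # trailing unit letter
      n = substr(res, 1, length(res) - 1) + 0        # numeric part, forced numeric
      if (unit == "y")      days = n * 365
      else if (unit == "d") days = n
      else if (unit == "h") days = n / 24
      else                  days = 0                 # only seconds or minutes left
      if (days < thr) print name, res
    }'
}

# Run against the constructed sample: warn on anything with under 30 days left.
printf '%s\n' "$SAMPLE" | flag_certs 30
# On a real control-plane node pipe the command itself instead:
#   kubeadm certs check-expiration | flag_certs 30
```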
Enter maintenance mode
kubectl cordon master01
kubectl drain master01 --ignore-daemonsets
Renew the certificates
1. Back up the certificates
cp -r /etc/kubernetes/ /etc/kubernetes.old
2. Renew the certificates
# Automatically renew all self-signed certificates in the Kubernetes cluster
kubeadm certs renew all
# Renew only the certificate of a specified component
kubeadm certs renew apiserver
Here all of my certificates have expired, so I renew all of them.
root@master01:~# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
Update the ~/.kube/config file
The ~/.kube/config file is the Kubernetes cluster's configuration file. It stores the cluster's access information, including the API server address, the context in use and the authentication credentials (such as certificates). This file is what lets a user interact with the cluster through the kubectl command-line tool.
root@master01:~# mv /root/.kube/config /root/.kube/config.old
root@master01:~# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
root@master01:~# chown $(id -u):$(id -g) $HOME/.kube/config
root@master01:~# sudo chmod 644 $HOME/.kube/config
Restart the related components
# If your cluster's services are managed by systemd
sudo systemctl restart kubelet
# For a standalone etcd, use the following command
sudo systemctl restart etcd
Verify
root@master01:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Aug 28, 2025 03:15 UTC 364d ca no
apiserver Aug 28, 2025 03:15 UTC 364d ca no
apiserver-etcd-client Aug 28, 2025 03:15 UTC 364d etcd-ca no
apiserver-kubelet-client Aug 28, 2025 03:15 UTC 364d ca no
controller-manager.conf Aug 28, 2025 03:15 UTC 364d ca no
etcd-healthcheck-client Aug 28, 2025 03:15 UTC 364d etcd-ca no
etcd-peer Aug 28, 2025 03:15 UTC 364d etcd-ca no
etcd-server Aug 28, 2025 03:15 UTC 364d etcd-ca no
front-proxy-client Aug 28, 2025 03:15 UTC 364d front-proxy-ca no
scheduler.conf Aug 28, 2025 03:15 UTC 364d ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Aug 07, 2033 06:16 UTC 8y no
etcd-ca Aug 07, 2033 06:16 UTC 8y no
front-proxy-ca Aug 07, 2033 06:16 UTC 8y no
root@master01:~# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master01 Ready control-plane 383d v1.27.0
node01 Ready <none> 383d v1.27.0
node02 Ready <none> 383d v1.27.0
root@master01:~# kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system calico-kube-controllers-5585f6d55d-qcpmb 1/1 Running 0 383d
kube-system calico-node-b65lt 1/1 Running 0 383d
kube-system calico-node-c9bmn 1/1 Running 0 383d
kube-system calico-node-zzqj2 1/1 Running 0 383d
kube-system coredns-65dcc469f7-2pzxw 1/1 Running 0 383d
kube-system coredns-65dcc469f7-g8dbx 1/1 Running 0 383d
kube-system etcd-master01 1/1 Running 0 383d
kube-system kube-apiserver-master01 1/1 Running 0 383d
kube-system kube-controller-manager-master01 1/1 Running 0 383d
kube-system kube-proxy-9z8c2 1/1 Running 0 383d
kube-system kube-proxy-l6pfq 1/1 Running 0 383d
kube-system kube-proxy-tw46c 1/1 Running 0 383d
kube-system kube-scheduler-master01 1/1 Running 0 383d
kube-system metrics-server-f4d79949f-4sfdj 1/1 Running 0 383d
kubernetes-dashboard dashboard-metrics-scraper-7b87d6575b-qmh78 1/1 Running 0 383d
kubernetes-dashboard kubernetes-dashboard-555d8dbffd-7xsbz 1/1 Running 0 383d
Exit maintenance mode
kubectl uncordon master01