查看证书有效期
# Show the validity window of the API server serving certificate: the
# "Not Before" / "Not After" lines of the decoded certificate.
openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt | grep -e Not
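#######################################
# Print the validity window of every certificate below a PKI directory.
# Arguments: $1 - directory to scan (default /etc/kubernetes/pki); searched
#                 two levels deep so the etcd/ sub-directory is included.
# Outputs:   one banner line per certificate, then its Not Before/Not After
#            lines, to stdout.
# Returns:   0 if every certificate produced the expected lines, 1 otherwise.
#######################################
print_cert_validity() {
  local pki_dir=${1:-/etc/kubernetes/pki}
  local tls rc=0
  # NUL-delimited find + read -d '' copes with any file name; the original
  # backtick-in-for loop word-split paths and was unquoted throughout.
  while IFS= read -r -d '' tls; do
    printf '===============%s===============\n' "$tls"
    # -noout drops the PEM body so only the decoded text is searched.
    openssl x509 -in "$tls" -noout -text | grep -e Not || rc=1
  done < <(find "$pki_dir" -maxdepth 2 -name '*.crt' -print0)
  return "$rc"
}

print_cert_validity /etc/kubernetes/pki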
===============/etc/kubernetes/pki/front-proxy-ca.crt=============== Not Before: Aug 7 06:10:58 2020 GMT Not After : Aug 5 06:10:58 2030 GMT ===============/etc/kubernetes/pki/etcd/server.crt=============== Not Before: Aug 7 06:10:57 2020 GMT Not After : Mar 10 02:49:33 2022 GMT ===============/etc/kubernetes/pki/etcd/healthcheck-client.crt=============== Not Before: Aug 7 06:10:57 2020 GMT Not After : Mar 10 02:49:33 2022 GMT ===============/etc/kubernetes/pki/etcd/ca.crt=============== Not Before: Aug 7 06:10:57 2020 GMT Not After : Aug 5 06:10:57 2030 GMT ===============/etc/kubernetes/pki/etcd/peer.crt=============== Not Before: Aug 7 06:10:57 2020 GMT Not After : Mar 10 02:49:34 2022 GMT ===============/etc/kubernetes/pki/apiserver-etcd-client.crt=============== Not Before: Aug 7 06:10:57 2020 GMT Not After : Mar 10 02:49:34 2022 GMT ===============/etc/kubernetes/pki/ca.crt=============== Not Before: Aug 7 06:10:58 2020 GMT Not After : Aug 5 06:10:58 2030 GMT ===============/etc/kubernetes/pki/apiserver-kubelet-client.crt=============== Not Before: Aug 7 06:10:58 2020 GMT Not After : Mar 10 02:49:35 2022 GMT ===============/etc/kubernetes/pki/front-proxy-client.crt=============== Not Before: Aug 7 06:10:58 2020 GMT Not After : Mar 10 02:49:33 2022 GMT ===============/etc/kubernetes/pki/apiserver.crt=============== Not Before: Aug 7 06:10:58 2020 GMT Not After : Mar 10 02:49:34 2022 GMT
################# master ###################
1、备份已有配置
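#######################################
# Back up a directory tree before it is modified, refusing to run when the
# backup location already exists.
# Arguments: $1 - source directory (default /etc/kubernetes)
#            $2 - backup location  (default /etc/kubernetes_old)
# Returns:   0 on success; 1 when the destination exists or cp fails.
#######################################
backup_tree() {
  local src=${1:-/etc/kubernetes}
  local dst=${2:-/etc/kubernetes_old}
  if [ -e "$dst" ]; then
    # With an existing destination, cp -r silently nests a copy inside it
    # instead of producing a fresh backup at the expected path.
    printf 'backup target %s already exists; refusing to overwrite\n' "$dst" >&2
    return 1
  fi
  # -a (-dR --preserve=all) keeps ownership, modes, timestamps and symlinks
  # of the private keys and kubeconfigs, so the copy can be restored verbatim.
  cp -a -- "$src" "$dst"
}

backup_tree /etc/kubernetes /etc/kubernetes_old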
2、获取集群配置
# Obtain the cluster configuration that the certificate renewal will use.

# Certificates close to expiry but still valid: the cluster can still be
# queried, so export the live configuration directly.
kubeadm config view > kubeadm.yaml

# Certificates already expired: the cluster cannot be queried, so write the
# configuration by hand. The notes use this minimal file:
#
#   apiVersion: kubeadm.k8s.io/v1beta1
#   imageRepository: k8s.gcr.io
#   kind: ClusterConfiguration
#   kubernetesVersion: v1.13.0
vim kubeadm.yaml
3、更新所有证书
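# Renew every certificate kubeadm manages, driven by the cluster
# configuration captured in the previous step.
kubeadm alpha certs renew all --config kubeadm.yaml

# Re-check the validity window. The original used typographic quotes
# (‘ Not ‘), which the shell does not treat as quoting, so the pattern never
# reached grep intact; ASCII single quotes are required.
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep -e ' Not '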
4、更新集群配置
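# Regenerate the kubeconfig files so they embed the renewed certificates.

# The existing kubeconfigs still carry the old client certificates. They were
# backed up to /etc/kubernetes_old in step 1, so removing them is safe. The
# glob only matches files, so -r is not needed.
rm -f -- /etc/kubernetes/*.conf

# Recreate admin.conf, kubelet.conf, controller-manager.conf and scheduler.conf.
kubeadm init phase kubeconfig all --config kubeadm.yaml

# Install the new admin credential for kubectl. "command cp" bypasses a
# cp='cp -i' alias exactly as the original's backslash did. admin.conf is a
# cluster-admin credential, so keep the copy owner-only.
mkdir -p -- "$HOME/.kube"
command cp -- /etc/kubernetes/admin.conf "$HOME/.kube/config"
chown "$(id -u):$(id -g)" "$HOME/.kube/config"
chmod 0600 "$HOME/.kube/config"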
5、重启核心组件容器
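# Restart the control-plane containers so they reload the renewed
# certificates. Same match as the original (it may also catch the pause
# containers of those pods, which is harmless); the original's typographic
# quotes around the pattern and awk program are replaced with ASCII quotes,
# without which the command does not parse as intended.
# xargs -r (GNU) skips "docker restart" entirely when nothing matched.
docker ps \
  | grep -E 'kube-apiserver|kube-controller-manager|kube-scheduler|etcd_etcd' \
  | awk '{print $1}' \
  | xargs -r docker restart

# Confirm every pod comes back Running.
kubectl get pod --all-namespaces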
################# node ###################
1、备份kubelet配置
# Keep a copy of the node's current kubelet kubeconfig before replacing it.
kubelet_conf=/etc/kubernetes/kubelet.conf
cp -- "$kubelet_conf" "${kubelet_conf}_bak"
2、更新kubelet配置
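# Regenerate a node's kubelet kubeconfig, copy it to the node and restart
# kubelet there.
#
# Inputs (the original used <节点名称> / <集群VIP> placeholders, which the
# shell would parse as redirections; supply them via the environment):
#   NODE_NAME      - name of the node whose kubelet.conf is regenerated
#   APISERVER_ADDR - cluster VIP passed as --apiserver-advertise-address
node_name=${NODE_NAME:?set NODE_NAME to the node name}
apiserver_addr=${APISERVER_ADDR:?set APISERVER_ADDR to the cluster VIP}
# Destination host from the original notes; adjust per node.
node_host=root@192.168.73.130

# Write into a private temporary directory instead of /tmp/ itself: the new
# kubelet.conf embeds the node's client credentials and should not sit in a
# world-readable location, nor remain on the master after the copy.
outdir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$outdir"' EXIT

kubeadm init phase kubeconfig kubelet \
  --node-name "$node_name" \
  --kubeconfig-dir "$outdir" \
  --apiserver-advertise-address "$apiserver_addr"

# Replace the node's kubelet kubeconfig (backed up in the previous step).
scp "$outdir/kubelet.conf" "$node_host:/etc/kubernetes/"

# This restart belongs on the node that received the file, not on the host
# that ran kubeadm; run it there once the copy has landed.
systemctl restart kubelet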
实战日志(以下通过更改系统时间,模拟证书过期)
[root@192 k8s]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ‘ Not ‘ Not Before: Apr 12 07:01:12 2021 GMT Not After : Apr 12 07:01:12 2022 GMT[root@192 k8s]# [root@192 k8s]# date -s "2022-3-12" Sat Mar 12 00:00:00 PST 2022 [root@192 k8s]# kubectl get pod --all-namespaces NAMESPACE NAME READY STATUS RESTARTS AGE ingress-nginx nginx-ingress-controller-77b474c665-lh8tt 1/1 Running 0 334d kube-system coredns-86c58d9df4-7bq94 1/1 Running 0 334d kube-system coredns-86c58d9df4-dm6jb 1/1 Running 0 334d kube-system etcd-192.168.73.129 1/1 Running 0 334d kube-system heapster-7856548f99-2l8fp 1/1 Running 0 334d kube-system kube-apiserver-192.168.73.129 1/1 Running 0 334d kube-system kube-controller-manager-192.168.73.129 1/1 Running 0 334d kube-system kube-flannel-ds-amd64-qcmbq 1/1 Running 0 334d kube-system kube-proxy-kh7xn 1/1 Running 0 334d kube-system kube-scheduler-192.168.73.129 1/1 Running 0 334d kube-system nvidia-device-plugin-daemonset-6xzxj 1/1 Running 0 334d [root@192 k8s]# [root@192 k8s]# cd /etc/kubernetes [root@192 kubernetes]# ls admin.conf controller-manager.conf kubeadm.yaml kubelet.conf manifests pki scheduler.conf [root@192 kubernetes]# kubeadm config view > kubeadm.yaml [root@192 kubernetes]# kubeadm alpha certs renew all --config kubeadm.yaml [root@192 kubernetes]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ‘ Not ‘ Not Before: Apr 12 07:01:12 2021 GMT Not After : Mar 12 08:00:22 2023 GMT [root@192 kubernetes]# rm -rf /etc/kubernetes/*.conf [root@192 kubernetes]# kubeadm init phase kubeconfig all --config kubeadm.yaml [kubeconfig] Using kubeconfig folder "/etc/kubernetes" [kubeconfig] Writing "admin.conf" kubeconfig file [kubeconfig] Writing "kubelet.conf" kubeconfig file [kubeconfig] Writing "controller-manager.conf" kubeconfig file [kubeconfig] Writing "scheduler.conf" kubeconfig file [root@192 kubernetes]# \cp /etc/kubernetes/admin.conf $HOME/.kube/config [root@192 kubernetes]# chown $(id -u):$(id 
-g) $HOME/.kube/config [root@192 kubernetes]# docker ps |grep -E ‘kube-apiserver|kube-controller-manager|kube-scheduler|etcd_etcd‘ | awk -F ‘ ‘ ‘{print $1}‘ |xargs docker restart b53d7fb8e1db c7b6ae222bc1 15707e4219d9 110e23ea3b00 d3f29c8e72be 518d4399e197 4793e86b83ad [root@192 kubernetes]# kubectl get pod --all-namespaces NAMESPACE NAME READY STATUS RESTARTS AGE ingress-nginx nginx-ingress-controller-77b474c665-lh8tt 1/1 Running 0 334d kube-system coredns-86c58d9df4-7bq94 1/1 Running 0 334d kube-system coredns-86c58d9df4-dm6jb 1/1 Running 0 334d kube-system etcd-192.168.73.129 1/1 Running 0 334d kube-system heapster-7856548f99-2l8fp 1/1 Running 0 334d kube-system kube-apiserver-192.168.73.129 1/1 Running 0 334d kube-system kube-controller-manager-192.168.73.129 1/1 Running 0 334d kube-system kube-flannel-ds-amd64-qcmbq 1/1 Running 0 334d kube-system kube-proxy-kh7xn 1/1 Running 0 334d kube-system kube-scheduler-192.168.73.129 1/1 Running 0 334d kube-system nvidia-device-plugin-daemonset-6xzxj 1/1 Running 0 334d [root@192 kubernetes]# [root@192 kubernetes]# date -s "2023-2-12" Sun Feb 12 00:00:00 PST 2023 [root@192 kubernetes]# kubectl get pod --all-namespaces NAMESPACE NAME READY STATUS RESTARTS AGE ingress-nginx nginx-ingress-controller-77b474c665-lh8tt 1/1 Running 0 671d kube-system coredns-86c58d9df4-7bq94 1/1 Running 0 671d kube-system coredns-86c58d9df4-dm6jb 1/1 Running 0 671d kube-system etcd-192.168.73.129 1/1 Running 0 671d kube-system heapster-7856548f99-2l8fp 1/1 Running 0 671d kube-system kube-apiserver-192.168.73.129 1/1 Running 0 671d kube-system kube-controller-manager-192.168.73.129 1/1 Running 0 671d kube-system kube-flannel-ds-amd64-qcmbq 1/1 Running 0 671d kube-system kube-proxy-kh7xn 1/1 Running 0 671d kube-system kube-scheduler-192.168.73.129 1/1 Running 0 671d kube-system nvidia-device-plugin-daemonset-6xzxj 1/1 Running 0 671d
参考>>> https://blog.csdn.net/lihongbao80/article/details/109001639
作者:Leozhanggg
出处:https://www.cnblogs.com/leozhanggg/p/14648636.html
本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接,否则保留追究法律责任的权利。