使用kubeadm更新k8s证书
今天操作k8s的时候,突然说证书无效:
Unable to connect to the server: x509: certificate has expired or is not yet valid通过 kubeadm alpha certs check-expiration 查看,确实是过期了:
[root@k8s-master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
W0627 11:21:35.745166 8754 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jun 24, 2021 09:45 UTC <invalid> no
apiserver Jun 24, 2021 09:45 UTC <invalid> ca no
apiserver-etcd-client Jun 24, 2021 09:45 UTC <invalid> etcd-ca no
apiserver-kubelet-client Jun 24, 2021 09:45 UTC <invalid> ca no
controller-manager.conf Jun 24, 2021 09:45 UTC <invalid> no
etcd-healthcheck-client Jun 24, 2021 09:45 UTC <invalid> etcd-ca no
etcd-peer Jun 24, 2021 09:45 UTC <invalid> etcd-ca no
etcd-server Jun 24, 2021 09:45 UTC <invalid> etcd-ca no
front-proxy-client Jun 24, 2021 09:45 UTC <invalid> front-proxy-ca no
scheduler.conf Jun 24, 2021 09:45 UTC <invalid> no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jun 22, 2030 09:45 UTC 8y no
etcd-ca Jun 22, 2030 09:45 UTC 8y no
front-proxy-ca Jun 22, 2030 09:45 UTC 8y no那么接下来就是更新证书📄了:
下面的操作都是在 master 节点上进行
1⃣️备份
2⃣️通过 kubeadm alpha certs renew all 更新证书
3⃣️再次查看证书时间
已经更新成功了。
4⃣️查看kubectl是否可用
还不可用,需要更新更新下 kubeconfig 文件。
5⃣️通过 kubeadm init phase kubeconfig all 更新 kubeconfig 文件
6⃣️将新生成的 admin 配置文件覆盖掉原本的 admin 文件:
7⃣️再次验证证书时间
查看 apiserver 的证书的有效期来验证是否更新成功
查看命令是否可用
参考链接🔗:
最后更新于
这有帮助吗?