一.第一种解决方法
1.修改/etc/systemd/system/kube-controller-manager.service添加或者修改如下内容
--experimental-cluster-signing-duration=87600h \
然后执行以下命令重启kube-controller-manager
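# Reload unit files, then restart the controller manager only if the reload
# succeeded (an edited unit with a syntax error would otherwise restart the
# old configuration without any visible failure).
systemctl daemon-reload && systemctl restart kube-controller-manager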
2.执行以下步骤重新生成kubelet证书,xx.xx.xx.xx为k8s apiserver的 IP
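# Working directory for the generated bootstrap kubeconfig; chained so the
# following commands are not run in the previous cwd when mkdir fails.
mkdir -p /app/k8s && cd /app/k8s
export KUBE_APISERVER="https://xx.xx.xx.xx:6443"   # xx.xx.xx.xx = k8s apiserver IP
export node_name="kube-node1"
bootstrap_kubeconfig="kubelet-bootstrap-${node_name}.kubeconfig"

# Create the bootstrap token. Assignment is kept separate from `export` so a
# failing `kubeadm token create` is not masked by export's own exit status;
# `:?` stops here with a message if no token came back.
BOOTSTRAP_TOKEN=$(kubeadm token create \
  --description kubelet-bootstrap-token \
  --groups "system:bootstrappers:${node_name}" \
  --kubeconfig ~/.kube/config)
: "${BOOTSTRAP_TOKEN:?kubeadm token create returned no token}"
export BOOTSTRAP_TOKEN

# Cluster parameters (CA embedded so the kubeconfig is self-contained).
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/cert/ca.pem \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig="${bootstrap_kubeconfig}"
# Client credentials: the bootstrap token, not a client certificate.
kubectl config set-credentials kubelet-bootstrap \
  --token="${BOOTSTRAP_TOKEN}" \
  --kubeconfig="${bootstrap_kubeconfig}"
# Context parameters.
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig="${bootstrap_kubeconfig}"
# Make it the default context.
kubectl config use-context default --kubeconfig="${bootstrap_kubeconfig}"
# Lists bootstrap tokens in clear text; the TOKEN column is a live credential.
kubeadm token list --kubeconfig ~/.kube/config

# Install the new bootstrap kubeconfig and drop the old kubelet client certs so
# the kubelet re-bootstraps on restart. These are plain files: -f is enough,
# -r is not needed.
rm -f /etc/kubernetes/kubelet-bootstrap.kubeconfig
cp "${bootstrap_kubeconfig}" /etc/kubernetes/kubelet-bootstrap.kubeconfig
rm -f /etc/kubernetes/cert/kubelet-client*
service kubelet restart
sleep 5

# Approve only the still-pending CSR(s) filed by this bootstrap token rather
# than every CSR in the cluster (which `grep -v NAME | xargs approve` does).
# The token authenticates as system:bootstrap:<token-id>, token-id being the
# part before the dot; if nothing gets approved, compare with the REQUESTOR
# column of `kubectl get csr`. A pending CSR has no status.conditions, so its
# third field is empty. `xargs -r` skips the approve call when there is no match.
requestor="system:bootstrap:${BOOTSTRAP_TOKEN%%.*}"
kubectl get csr -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.username}{"\t"}{.status.conditions[*].type}{"\n"}{end}' \
  | awk -F '\t' -v user="${requestor}" '$2 == user && $3 == "" {print $1}' \
  | xargs -r kubectl certificate approve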
3.在kubelet服务器执行以下命令验证kubelet证书的有效期,如果是10年代表修改成功
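# Show the validity window of the current kubelet client certificate. Chained
# with && so openssl does not read a same-named file from the old cwd if the
# cd fails. The two dates should be ~10 years apart after the change above.
cd /etc/kubernetes/cert/ \
  && openssl x509 -in kubelet-client-current.pem -noout -text | grep "Not"
# Nodes should still report Ready with the renewed certificate.
kubectl get no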
root@iZbp1dey0fcjb1t6dhtnadZ:[/root]cd /etc/kubernetes/cert/
root@iZbp1dey0fcjb1t6dhtnadZ:[/etc/kubernetes/cert]ls
ca-config.json  kube-controller-manager-key.pem  kubelet-client-2019-12-23-09-28-00.pem  kubelet.key  metrics-server-key.pem
ca-key.pem  kube-controller-manager.pem  kubelet-client-current.pem  kubernetes-key.pem  metrics-server.pem
ca.pem  kubelet-client-2018-12-23-00-19-36.pem  kubelet.crt  kubernetes.pem
root@iZbp1dey0fcjb1t6dhtnadZ:[/etc/kubernetes/cert]openssl x509 -in kubelet-client-current.pem -noout -text | grep "Not"
            Not Before: Dec 23 01:23:00 2019 GMT
            Not After : Dec 20 01:23:00 2029 GMT
root@iZbp1dey0fcjb1t6dhtnadZ:[/etc/kubernetes/cert]kubectl get no
NAME            STATUS   ROLES    AGE     VERSION
192.168.1.177   Ready    <none>   169d    v1.13.1
192.168.1.178   Ready    <none>   169d    v1.13.1
192.168.1.180   Ready    <none>   169d    v1.13.1
192.168.1.183   Ready    <none>   169d    v1.13.1
192.168.1.184   Ready    <none>   169d    v1.13.1
192.168.1.186   Ready    <none>   2d18h   v1.13.1
二.第二种解决方法
1.修改/etc/systemd/system/kubelet.service添加如下内容
--feature-gates=RotateKubeletServerCertificate=true --feature-gates=RotateKubeletClientCertificate=true --rotate-certificates \
2.修改/etc/systemd/system/kube-controller-manager.service添加如下内容
# 证书有效期为10年
--experimental-cluster-signing-duration=87600h0m0s --feature-gates=RotateKubeletServerCertificate=true \
3.创建自动批准相关CSR请求的ClusterRole
3.1.vim tls-instructs-csr.yaml
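# ClusterRole that allows creating the certificatesigningrequests/selfnodeserver
# subresource. The page's later steps bind only the nodeclient and selfnodeclient
# roles, so this role has no ClusterRoleBinding anywhere on this page; it is
# inert until bound.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
rules:
  # rules[*] entries must be indented under `rules:`; at column 0 `resources`
  # and `verbs` would be parsed as top-level keys and the role would be empty.
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests/selfnodeserver"]
    verbs: ["create"]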
3.2.kubectl apply -f tls-instructs-csr.yaml
4.自动批准 kubelet-bootstrap 用户 TLS bootstrapping 首次申请证书的 CSR 请求
# Bind the nodeclient approval role to the kubelet-bootstrap user so the first
# TLS-bootstrap CSR from that user is approved without manual intervention.
kubectl create clusterrolebinding node-client-auto-approve-csr \
  --user=kubelet-bootstrap \
  --clusterrole=system:certificates.k8s.io:certificatesigningrequests:nodeclient
5.自动批准 system:nodes 组用户更新 kubelet 10250 api 端口证书的 CSR 请求
# Bind the selfnodeclient approval role to the system:nodes group. The role's
# name refers to renewal of the node's *client* certificate; the selfnodeserver
# ClusterRole created in step 3 is not bound by any command on this page, so
# serving-certificate (port 10250) CSRs are presumably not auto-approved here.
kubectl create clusterrolebinding node-client-auto-renew-crt \
  --group=system:nodes \
  --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
6.重启kube-controller-manager服务
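# Reload unit files, then restart the controller manager only if the reload
# succeeded, so a broken unit edit does not silently restart the old config.
systemctl daemon-reload && systemctl restart kube-controller-manager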
7.进入到ssl配置目录,删除 kubelet 证书
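# Delete the kubelet certificates so the kubelet requests fresh ones on restart.
# Chained with && so the glob is never expanded (and nothing deleted) in the
# previous cwd if the cd fails; `--` keeps rm from treating names as options.
cd /etc/kubernetes/cert \
  && rm -f -- kubelet-client*.pem kubelet.key kubelet.crt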
8.重启kubelet服务
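# Reload unit files, then restart the kubelet only if the reload succeeded,
# so a broken kubelet.service edit does not silently restart the old config.
systemctl daemon-reload && systemctl restart kubelet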
9.进入到ssl配置目录,查看kubelet-client证书有效期
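# Show the validity window of the regenerated kubelet client certificate.
# Chained with && so openssl does not read a same-named file from the old cwd
# if the cd fails.
cd /etc/kubernetes/cert \
  && openssl x509 -in kubelet-client-current.pem -noout -text | grep "Not"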
Not Before: May 13 02:36:00 2019 GMT
Not After : May 10 02:36:00 2029 GMT
参考:https://blog.csdn.net/qq_24794401/article/details/103245796