Changing the IP of a Kubernetes master (single node)


 

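Problem analysis

After the master's IP address changes, we should first check the following:

  1. The config files under /etc/kubernetes/manifests: replace the corresponding IP in them

  2. The related certificate files

  3. The client files

Solution steps

Prepare the config file

If the environment can reach the internet outside China, this step can be skipped. The file is kubeadm.config.
When using this file, remember to replace the relevant API address, port and other information.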

apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 100.64.139.62
  bindPort: 6443
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: k8s-master-2
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
kind: ClusterConfiguration
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
kubernetesVersion: v1.16.0
networking:
  dnsDomain: cluster.local
  serviceSubnet: 10.96.0.0/12
scheduler: {}

 

Modify the configuration files

[root@k8s-master-2 kubernetes]# cd /etc/kubernetes
[root@k8s-master-2 kubernetes]# find . -type f |xargs grep 100.64.139.60 |awk '{print $1}' |sort |uniq
./admin.conf:
./controller-manager.conf:
./kubelet.conf:
./manifests/etcd.yaml:
./manifests/kube-apiserver.yaml:
./scheduler.conf:

 

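The several conf files among these are client configuration files with embedded certificates, generated automatically by kubeadm. The files that need to be modified by hand are the two configuration files etcd.yaml and kube-apiserver.yaml: change the corresponding IP address in them to the new IP address.

Generate new certificates

Method 1: remove and regenerate only some of the certificates

Back up the original certificates. According to the output of the find command, the certificates of the following services need to be replaced: kubelet, api, proxy.

# Back up the original certificates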

mv /etc/kubernetes/pki/apiserver.key /etc/kubernetes/pki/apiserver.key.old
mv /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.crt.old
mv /etc/kubernetes/pki/apiserver-kubelet-client.crt /etc/kubernetes/pki/apiserver-kubelet-client.crt.old
mv /etc/kubernetes/pki/apiserver-kubelet-client.key /etc/kubernetes/pki/apiserver-kubelet-client.key.old
mv /etc/kubernetes/pki/front-proxy-client.crt /etc/kubernetes/pki/front-proxy-client.crt.old
mv /etc/kubernetes/pki/front-proxy-client.key /etc/kubernetes/pki/front-proxy-client.key.old

 

# Generate new certificates

kubeadm init  phase certs apiserver --config kubeadm.config
kubeadm init  phase certs apiserver-kubelet-client --config kubeadm.config
kubeadm init  phase certs front-proxy-client --config kubeadm.config

 



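Method 2: remove and regenerate all certificates

# Remove all certificates (the whole pki directory, including the CA and sa keys, is moved aside)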
mv /etc/kubernetes/pki  /etc/kubernetes/pki.old

 


# Generate new certificates
kubeadm init  phase certs all --config kubeadm.config

 

Generate new client files

Method 1: generate them step by step

 

kubeadm  init phase kubeconfig admin --config kubeadm.config
kubeadm  init phase kubeconfig controller-manager --config kubeadm.config
kubeadm  init phase kubeconfig kubelet --config kubeadm.config
kubeadm  init phase kubeconfig scheduler --config kubeadm.config

 

Method 2: generate them all at once

mv /etc/kubernetes/*.conf /tmp
kubeadm  init phase kubeconfig all --config kubeadm.config

 

Check the certificate expiration times

 

[root@k8s-master-2 pki]# kubeadm  alpha  certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Dec 10, 2020 05:31 UTC   364d            no
apiserver                  Dec 10, 2020 05:30 UTC   364d            no
apiserver-etcd-client      Dec 10, 2020 05:31 UTC   364d            no
apiserver-kubelet-client   Dec 10, 2020 05:30 UTC   364d            no
controller-manager.conf    Dec 10, 2020 05:31 UTC   364d            no
etcd-healthcheck-client    Dec 10, 2020 05:31 UTC   364d            no
etcd-peer                  Dec 10, 2020 05:31 UTC   364d            no
etcd-server                Dec 10, 2020 05:30 UTC   364d            no
front-proxy-client         Dec 10, 2020 05:30 UTC   364d            no
scheduler.conf             Dec 10, 2020 05:31 UTC   364d            no
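
The three things this post checks (config files, certificates, client files) can be verified with a script before the services are restarted. This is an added example, not part of the original post: the function names are hypothetical, the files in demo() are constructed, and it takes 100.64.139.60 as the old address (the one the post greps for) and 100.64.139.62 as the new one (the advertiseAddress in kubeadm.config).

```sh
#!/bin/sh
# Added example: checks to run after the master IP change and before restarting
# kubelet. Function names and the sample values below are assumptions.

# Regex matching IP as a whole address: dots escaped, no digit on either side.
ip_regex() {
    printf '(^|[^0-9])%s([^0-9]|$)' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# Files under DIR that still reference OLD_IP (manifests, kubeconfigs, ...).
stale_ip_files() {  # usage: stale_ip_files DIR OLD_IP
    find "$1" -type f -exec grep -lE -- "$(ip_regex "$2")" {} + | sort
}

# Kubeconfigs in DIR whose "server:" is not https://NEW_IP:PORT.
kubeconfigs_wrong_server() {  # usage: kubeconfigs_wrong_server DIR NEW_IP PORT
    for kc in "$1"/*.conf; do
        [ -f "$kc" ] || continue
        srv=$(sed -n 's/^[[:space:]]*server:[[:space:]]*//p' "$kc" | head -n 1)
        [ "$srv" = "https://$2:$3" ] || printf '%s %s\n' "$kc" "${srv:-none}"
    done
}

# Succeeds only if certificate CERT lists IP in its subjectAltName.
cert_has_ip_san() {  # usage: cert_has_ip_san CERT IP
    openssl x509 -in "$1" -noout -text 2>/dev/null | tr ',' '\n' |
        grep -Eq "^[[:space:]]*IP Address:$(printf '%s' "$2" | sed 's/\./\\./g')[[:space:]]*\$"
}

# Demo on constructed files (not a real cluster): old IP .60, new IP .62.
demo() {
    d=$(mktemp -d)
    mkdir "$d/manifests"
    echo '    server: https://100.64.139.60:6443' > "$d/admin.conf"
    echo '    server: https://100.64.139.62:6443' > "$d/scheduler.conf"
    echo '    - --advertise-address=100.64.139.62' > "$d/manifests/kube-apiserver.yaml"
    echo "stale references:"; stale_ip_files "$d" 100.64.139.60
    echo "wrong server:";     kubeconfigs_wrong_server "$d" 100.64.139.62 6443
    rm -rf "$d"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

On the master itself, `stale_ip_files /etc/kubernetes 100.64.139.60` should print nothing once the steps above are done, and `cert_has_ip_san /etc/kubernetes/pki/apiserver.crt 100.64.139.62` should succeed.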

 

Restart the services

service docker restart 
service kubelet restart

 

 

 

