Adjusting the k8s certificate expiry time


Check the certificate validity period. Clusters deployed with kubeadm issue certificates that are valid for one year by default.

cd /etc/kubernetes/pki 
openssl x509 -in apiserver.crt -text -noout

  Validity
        Not Before: Jun 12 04:41:18 2019 GMT
        Not After : Jun 12 04:41:18 2020 GMT


Set up the Go environment
wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz
tar -xf go1.12.7.linux-amd64.tar.gz -C /usr/local
vi /etc/profile    # append the line: export PATH=$PATH:/usr/local/go/bin
source /etc/profile

Download the source
git clone https://github.com/kubernetes/kubernetes.git
cd kubernetes
Check the current version
kubeadm version
[root@k8s-master kubernetes]# pwd
/root/kubernetes
git checkout -b remotes/origin/release-1.14.0 v1.14.0 # switch to the version you are currently running


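Modify the kubeadm source to change the certificate validity policy
vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go

Add the constant:
const duration36500d = time.Hour * 24 * 365 * 100 // one hour * 24 * 365 * 100, i.e. 100 years
Further down, only the argument to Add in the NotAfter line needs to change, as follows:
NotAfter: time.Now().Add(duration36500d).UTC(),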


make WHAT=cmd/kubeadm GOFLAGS=-v # build only kubeadm
cp _output/bin/kubeadm /root/kubeadm-new

Update kubeadm
Replace the kubeadm binary:
cp /usr/bin/kubeadm /usr/bin/kubeadm.old
cp /root/kubeadm-new /usr/bin/kubeadm
chmod a+x /usr/bin/kubeadm

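Renew the certificates
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old
cd /etc/kubernetes/pki
kubeadm alpha certs renew all
Any prompts that appear can be ignored. Check the certificate validity period, which is now 100 years:
cd /etc/kubernetes/pki
openssl x509 -in apiserver.crt -text -noout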


        Validity
            Not Before: Jun 12 04:41:18 2019 GMT
            Not After : Nov 18 11:22:53 2119 GMT
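
The Not After date above follows from the edited constant: 24 * 365 * 100 hours is exactly 36500 days, which falls 24 leap days short of 100 calendar years. The Go program below is an added example, not kubeadm's code; it issues a constructed self-signed certificate using the same NotAfter arithmetic and parses it back. The function names issue and lifetime and the renewal timestamp are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const duration36500d = time.Hour * 24 * 365 * 100 // same arithmetic as the constant added on this page

// issue returns a constructed self-signed sample certificate (PEM) with NotAfter = now+validity.
func issue(now time.Time, validity time.Duration) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now.UTC(), NotAfter: now.Add(validity).UTC()}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// lifetime parses one PEM certificate and returns its NotAfter and its validity in whole days.
func lifetime(pemBytes []byte) (time.Time, int, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return time.Time{}, 0, fmt.Errorf("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return time.Time{}, 0, err
	}
	return cert.NotAfter, int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24), nil
}

func main() {
	renewed := time.Date(2019, 12, 12, 11, 22, 53, 0, time.UTC) // constructed sample renewal time
	crt, err := issue(renewed, duration36500d)
	if err != nil {
		panic(err)
	}
	fmt.Println(lifetime(crt)) // NotAfter, validity in days, error
}
```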

Generate a YAML file of the cluster configuration
kubeadm config view > /root/cluster.yaml
cd /etc/kubernetes
mkdir conf.old
mv *.conf conf.old

Regenerate the *.conf files in /etc/kubernetes so they take effect
kubeadm init phase kubeconfig all --config /root/cluster.yaml


$ ll
total 40
-rw------- 1 root root 5455 Dec 12 19:30 admin.conf
drwxr-xr-x 2 root root   93 Dec 12 19:25 conf.old
-rw------- 1 root root 5491 Dec 12 19:30 controller-manager.conf
-rw------- 1 root root 5471 Dec 12 19:30 kubelet.conf
drwxr-xr-x 2 root root  109 Jun 20 14:16 manifests
drwxr-xr-x 3 root root 4096 Jun 12  2019 pki
drwxr-xr-x 3 root root 4096 Dec 12 17:40 pki.old
-rw------- 1 root root 5439 Dec 12 19:30 scheduler.conf

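The latest configuration files have now been generated.

Other master nodes
scp -qpr master01:/usr/bin/kubeadm master02:/usr/bin/kubeadm
Then carry out the certificate renewal and the cluster configuration file generation steps on that node.

When that is done, restart etcd, kube-apiserver, kube-controller-manager, kube-proxy and kube-scheduler in turn and check each one's logs; if no errors are reported, everything is fine.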


systemctl restart kubelet

$ kubectl get pod   -n kube-system 
NAME                                    READY   STATUS             RESTARTS   AGE
coredns-c7b458cf-fxjpp                  1/1     Running            0          6h26m
coredns-c7b458cf-gfsqt                  0/1     Terminating        0          31d
coredns-c7b458cf-sxlps                  1/1     Running            8          7h18m
etcd-master01                           1/1     Running            214        183d
etcd-master02                           1/1     Running            229        183d
etcd-master03                           1/1     Running            210        183d
kube-apiserver-master01                 1/1     Running            2216       72m
kube-apiserver-master02                 1/1     Running            1823       73m
kube-apiserver-master03                 1/1     Running            2155       74m
kube-controller-manager-master01        1/1     Running            9441       71m
kube-controller-manager-master02        1/1     Running            9780       70m
kube-controller-manager-master03        1/1     Running            9431       71m
kube-proxy-glqvn                        1/1     Running            0          63m
kube-proxy-m4fhg                        1/1     Running            0          65m
kube-proxy-rjrlp                        1/1     Running            0          62m
kube-proxy-s4pfg                        1/1     Running            0          66m
kube-proxy-snl7s                        1/1     Running            0          62m
kube-proxy-v5dfz                        0/1     Terminating        0          128d
kube-scheduler-master01                 1/1     Running            9341       69m
kube-scheduler-master02                 1/1     Running            9687       69m
kube-scheduler-master03                 0/1     Error              9374       68m

  

