Kubernetes cluster certificate renewal


The certificates kubeadm generates by default are valid for one year. Once that year has passed the API server becomes unavailable, and clients start failing with: x509: certificate has expired or is not yet valid.

Option 1: modify kubeadm to change the certificate validity period

Patch the kubeadm source code and adjust the expiration time.

Option 2: rely on automatic certificate rotation, which is enabled by default

The walkthrough below uses the second approach and simulates expiry of the cluster certificates.

Preparation

Cluster version used here: 1.15

Back up the cluster certificates (details omitted); this archives /etc/kubernetes into /etc/kubernetes.tar.gz:

cd /etc
tar czvf kubernetes.tar.gz kubernetes

On the master node:

[root@k8s-master .kube]# hwclock --show
2020年01月21日 星期二 15時16分34秒  -0.856601 秒
[root@k8s-master .kube]# kubectl get nodes
NAME         STATUS   ROLES    AGE    VERSION
k8s-master   Ready    master   167d   v1.15.0
k8s-node1    Ready    node     166d   v1.15.0
[root@k8s-master .kube]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Jan 20, 2021 07:09 UTC   364d            no
apiserver                  Jan 20, 2021 07:09 UTC   364d            no
apiserver-etcd-client      Jan 20, 2021 07:09 UTC   364d            no
apiserver-kubelet-client   Jan 20, 2021 07:09 UTC   364d            no
controller-manager.conf    Jan 20, 2021 07:09 UTC   364d            no
etcd-healthcheck-client    Jan 20, 2021 07:09 UTC   364d            no
etcd-peer                  Jan 20, 2021 07:09 UTC   364d            no
etcd-server                Jan 20, 2021 07:09 UTC   364d            no
front-proxy-client         Jan 20, 2021 07:09 UTC   364d            no
scheduler.conf             Jan 20, 2021 07:09 UTC   364d            no
[root@k8s-master .kube]#
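The table above is the only early warning the cluster gives before the API server goes dark, so it is worth reading it by machine. The following checker is an added example, not code from the original post: it parses the 1.15-era output of `kubeadm alpha certs check-expiration` (the sample rows are constructed from the table above; the column layout of newer kubeadm releases, which adds a CA column, is not handled) and reports which certificates expire within a chosen number of days of a given moment.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a shortened copy of the table printed by
# "kubeadm alpha certs check-expiration" on the master in this walkthrough.
SAMPLE_OUTPUT = """\
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Jan 20, 2021 07:09 UTC   364d            no
apiserver                  Jan 20, 2021 07:09 UTC   364d            no
apiserver-etcd-client      Jan 20, 2021 07:09 UTC   364d            no
etcd-server                Jan 20, 2021 07:09 UTC   364d            no
front-proxy-client         Jan 20, 2021 07:09 UTC   364d            no
"""

# One table row: name, "Mon DD, YYYY HH:MM UTC", residual time, externally-managed flag.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<expires>[A-Z][a-z]{2} \d{2}, \d{4} \d{2}:\d{2} UTC)"
    r"\s+(?P<residual>\S+)\s+(?P<managed>yes|no)\s*$"
)

def parse_check_expiration(text):
    """Return {certificate name: expiry as an aware UTC datetime} for every row."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:  # header line, shell prompt or kubeadm warnings are skipped
            continue
        expires = datetime.strptime(m["expires"], "%b %d, %Y %H:%M UTC")
        certs[m["name"]] = expires.replace(tzinfo=timezone.utc)
    return certs

def expiring_within(certs, now, days):
    """Sorted names of certificates that expire within `days` of `now` (or already have)."""
    deadline = now + timedelta(days=days)
    return sorted(name for name, exp in certs.items() if exp <= deadline)

def report(text, now_iso, warn_days=30):
    """Parse kubeadm output and flag certificates expiring within `warn_days` of `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:  # treat a naive timestamp as UTC, like the kubeadm table
        now = now.replace(tzinfo=timezone.utc)
    certs = parse_check_expiration(text)
    return {"total": len(certs), "expiring": expiring_within(certs, now, warn_days)}

if __name__ == "__main__":
    # The hwclock reading from the walkthrough: nothing is due within 30 days yet.
    print(report(SAMPLE_OUTPUT, "2020-01-21T15:16:34+00:00"))
    # The date the author later set with `date -s "2021-08-08"`: everything has expired.
    print(report(SAMPLE_OUTPUT, "2021-08-08T00:00:00+00:00", warn_days=0))
```

Run it from a cron job against the live command output and page on a non-empty "expiring" list well before the 364 days run out.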

First dump the cluster configuration to a file:

kubeadm config view > /root/kubeadm.yaml

Do this ahead of time: kubeadm config view reads the configuration through the API server, so once the cluster certificates have expired this command can no longer be run either.

Move the system clock forward so that the cluster certificates expire:

[root@k8s-master .kube]# date -s "2021-08-08"
2021年 08月 08日 星期日 00:00:00 CST
[root@k8s-master .kube]# date
2021年 08月 08日 星期日 00:00:02 CST
[root@k8s-master .kube]# kubectl get nodes
Unable to connect to the server: x509: certificate has expired or is not yet valid
[root@k8s-master .kube]#

Renew the certificates:

[root@k8s-master ~]# kubeadm alpha certs renew all --config=/root/kubeadm.yaml
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@k8s-master ~]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Aug 07, 2022 16:02 UTC   364d            no
apiserver                  Aug 07, 2022 16:02 UTC   364d            no
apiserver-etcd-client      Aug 07, 2022 16:02 UTC   364d            no
apiserver-kubelet-client   Aug 07, 2022 16:02 UTC   364d            no
controller-manager.conf    Aug 07, 2022 16:02 UTC   364d            no
etcd-healthcheck-client    Aug 07, 2022 16:02 UTC   364d            no
etcd-peer                  Aug 07, 2022 16:02 UTC   364d            no
etcd-server                Aug 07, 2022 16:02 UTC   364d            no
front-proxy-client         Aug 07, 2022 16:02 UTC   364d            no
scheduler.conf             Aug 07, 2022 16:02 UTC   364d            no

Restart the three control-plane containers on the master node so they load the renewed certificates. Note that the command as run below pipes whole docker ps rows into docker restart, so only the two container IDs that happen to be in the first column are restarted and every other column produces a "No such container" error; pass only the first column (the container ID) to docker restart to avoid this:

[root@k8s-master .kube]# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd'|xargs docker restart
98257170f1fb
k8s_kube-apiserver_kube-apiserver-k8s-master_kube-system_db9cf46161351d3a7f76537093caa0b8_10
82c07f5d9b6f
k8s_etcd_etcd-k8s-master_kube-system_2da345f314df09b06ba8257f5457dbed_6
Error response from daemon: No such container: 201c7a840312
Error response from daemon: No such container: kube-apiserver --ad…
Error response from daemon: No such container: 18
Error response from daemon: No such container: months
Error response from daemon: No such container: ago
Error response from daemon: No such container: Up
Error response from daemon: No such container: 18
Error response from daemon: No such container: months
Error response from daemon: No such container: 2c4adeb21b4f
Error response from daemon: No such container: etcd --advertise-cl…
Error response from daemon: No such container: 18
Error response from daemon: No such container: months
Error response from daemon: No such container: ago
Error response from daemon: No such container: Up
Error response from daemon: No such container: 18
Error response from daemon: No such container: months
[root@k8s-master .kube]# kubectl get nodes
NAME         STATUS   ROLES    AGE    VERSION
k8s-master   Ready    master   2y1d   v1.15.0
k8s-node1    Ready    node     2y1d   v1.15.0
[root@k8s-master .kube]# date
2021年 08月 08日 星期日 00:04:33 CST
[root@k8s-master .kube]#

Remember to sync the kubeconfig, since the renewed admin.conf replaces the stale copy kubectl reads:

cp /etc/kubernetes/admin.conf /root/.kube/config

Then delete the cache directory under ~/.kube.

Summary

Steps to take when the cluster certificates have expired:

1. Back up the cluster configuration file ahead of time:
   kubeadm config view > /root/kubeadm.yaml

2. Renew the cluster certificates:
   kubeadm alpha certs renew all --config=/root/kubeadm.yaml

3. Sync the kubeconfig and clear the cache under ~/.kube:
   cp /etc/kubernetes/admin.conf /root/.kube/config

