Renewing certificates for a K8S cluster installed with kubeadm 1.17


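Certificates issued by kubeadm are valid for one year by default. Once they expire, the API server becomes unavailable, and the following error appears during use: x509: certificate has expired or is not yet valid.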

Default certificate directory: /etc/kubernetes/pki

1. Check the current certificate expiration dates

kubeadm alpha certs check-expiration

 

You can also inspect the certificates directly:
for i in /etc/kubernetes/pki/*.crt; do echo "$i" && openssl x509 -in "$i" -noout -text | grep Not; done

 

 

2. Back up

cp -R /etc/kubernetes/pki /etc/kubernetes/pki_bakup

 

3. Generate the cluster's current configuration file

#kubeadm alpha phase kubeconfig all --config cluster.yaml  (this file is used later to renew the certificates)

apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: apiserver.shiji:6443
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.17.0
networking:
  dnsDomain: cluster.local
  podSubnet: 10.100.0.1/16
  serviceSubnet: 10.96.0.0/16
scheduler: {}

 

4. Renew the certificates

kubeadm alpha certs renew all --config=/root/cluster.yaml
Certificates can also be renewed individually.

 

5. Check the certificate validity period again
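
The expiry check from steps 1 and 5, as an added example that is not part of the original post: a script that walks /etc/kubernetes/pki (including subdirectories such as etcd/) and flags certificates that are expired or inside a renewal window, so it can run from cron before the API server breaks. The function names and the 30-day default window are assumptions, and it relies on GNU date to parse the openssl output.

```shell
#!/bin/sh
# Added example (not from the original post): report kubeadm certificates
# that are expired or close to expiry. Names and defaults are illustrative.

# secs_left "<notAfter text>" [now_epoch]
# Prints seconds until expiry (negative once expired).
# Needs GNU date to parse OpenSSL's "Mon DD HH:MM:SS YYYY GMT" format.
secs_left() {
    not_after=$(date -u -d "$1" +%s) || return 2
    now=${2:-$(date -u +%s)}
    echo $(( not_after - now ))
}

# cert_status <secs_left> [warn_days]
# Prints EXPIRED, RENEW (inside the warning window) or OK.
cert_status() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -le $(( ${2:-30} * 86400 )) ]; then echo RENEW
    else echo OK
    fi
}

# check_pki [dir] [warn_days]
# Returns 1 if any certificate is unreadable, expired or due for renewal.
check_pki() {
    dir=${1:-/etc/kubernetes/pki}; warn=${2:-30}; rc=0
    for crt in "$dir"/*.crt "$dir"/*/*.crt; do
        [ -f "$crt" ] || continue          # unmatched glob or not a file
        # openssl prints e.g. "notAfter=Dec 20 08:00:00 2020 GMT"
        end=$(openssl x509 -in "$crt" -noout -enddate) || { rc=1; continue; }
        left=$(secs_left "${end#notAfter=}") || { rc=1; continue; }
        status=$(cert_status "$left" "$warn")
        printf '%-8s %6d days  %s\n' "$status" $(( left / 86400 )) "$crt"
        [ "$status" = OK ] || rc=1
    done
    return $rc
}

# Run only when arguments are given, e.g.: sh check_pki.sh /etc/kubernetes/pki 30
if [ "$#" -gt 0 ]; then check_pki "$@"; fi
```

A non-zero exit status means at least one certificate needs attention, which makes the script usable as a monitoring check ahead of running the renewal in step 4.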

 
