Notes
1. All Kubernetes clusters described here were installed with the kubeadm tool of the matching version.
2. Before any of the steps below, back up the /etc/kubernetes directory (certificates and kubeconfig files) so you can roll back if something goes wrong.
3. None of the renewal procedures below regenerates the CA certificates. (If you do rotate the CA, every node has to be re-joined to the cluster, and every kubeconfig that embeds the old CA stops trusting the API server.)
How to renew certificates on kubernetes v1.13
1. Prepare the cluster configuration file
kubeadm config view > cluster.yaml
If the certificates have already expired, the command above can no longer reach the API server and will fail; in that case write cluster.yaml by hand. Example (values marked with a comment must match your cluster):
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta1
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: 10.40.53.101:6443   # fill in for your cluster
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.13.2                # fill in for your cluster
networking:
  dnsDomain: cluster.local
  podSubnet: 192.168.0.0/16               # default shown; use your actual value
  serviceSubnet: 10.96.0.0/12             # default shown; use your actual value
scheduler: {}
Note on the phases that follow: a certificate phase does not overwrite a certificate pair that already exists on disk; it reports "Using existing ... certificate and key on disk" and moves on. If you see that message for a certificate you meant to renew, move that .crt/.key pair out of /etc/kubernetes/pki (into the backup taken earlier) and re-run the phase. Leave ca.*, front-proxy-ca.*, etcd/ca.* and sa.* in place. If your kubeadm build no longer accepts `kubeadm alpha phase`, the same phases are available as `kubeadm init phase certs <name>` (and `kubeadm init phase kubeconfig all` for step 9).
2. Generate the certificate for the etcd health-check connection
kubeadm alpha phase certs etcd-healthcheck-client --config cluster.yaml
3. Generate the certificate used for authentication between etcd peers
kubeadm alpha phase certs etcd-peer --config cluster.yaml
4. Generate the etcd server certificate
kubeadm alpha phase certs etcd-server --config cluster.yaml
5. Generate the apiserver front-proxy client certificate
kubeadm alpha phase certs front-proxy-client --config cluster.yaml
Note: the front-proxy-client certificate is what kube-apiserver presents when it proxies requests through the aggregation layer to an extension (aggregated) API server, such as metrics-server. It only matters if you run such an API server, but kubeadm issues it by default, so renew it together with the rest.
6. Generate the certificate the apiserver uses to connect to etcd
kubeadm alpha phase certs apiserver-etcd-client --config cluster.yaml
7. Generate the certificate the apiserver uses to connect to the kubelets
kubeadm alpha phase certs apiserver-kubelet-client --config cluster.yaml
8. Generate the apiserver serving certificate
kubeadm alpha phase certs apiserver --config cluster.yaml
9. Regenerate the kubeconfig files
The following command rewrites the *.conf files under /etc/kubernetes/ with freshly issued client certificates:
kubeadm alpha phase kubeconfig all --config cluster.yaml
10. Restart docker and then kubelet on the master node, and confirm that the control-plane containers come back up. The renewal is complete at this point; copy the new /etc/kubernetes/admin.conf over ~/.kube/config and kubectl access to the cluster is restored.
How to renew certificates on kubernetes v1.14
Notes:
- kubeadm v1.14 has no `kubeadm alpha phase kubeconfig all`; since v1.13 that phase lives under `kubeadm init phase kubeconfig all`. The steps below rebuild /etc/kubernetes/*.conf by hand with kubectl, which works on any version and shows exactly what ends up in each file.
- Replace the ip:port in the steps below with your API server's address.
- Least-privilege caveat: the steps reuse pki/apiserver-kubelet-client.crt as the client certificate for admin.conf, controller-manager.conf and scheduler.conf. kubeadm issues that certificate with O=system:masters, which RBAC binds to cluster-admin, so the controller manager and scheduler end up with far more than their own system:kube-controller-manager and system:kube-scheduler roles, and the apiserver's own kubelet-client private key gets copied into every admin kubeconfig. To keep each component scoped to its identity, issue it its own certificate instead, e.g. `kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > controller-manager.conf` (the same command the steps use for kubelet.conf).
## the relative paths below (pki/ca.crt, admin.conf, ...) assume the working directory is /etc/kubernetes, so the files written here replace the ones kubeadm generated
cd /etc/kubernetes
## renew all certs except the CA certs
kubeadm alpha certs renew all
## generate admin.conf
kubectl config set-cluster kubernetes \
    --certificate-authority=pki/ca.crt \
    --embed-certs=true \
    --server=https://10.10.53.101:6443 \
    --kubeconfig=admin.conf
kubectl config set-credentials kubernetes-admin \
    --client-certificate=pki/apiserver-kubelet-client.crt \
    --client-key=pki/apiserver-kubelet-client.key \
    --embed-certs=true \
    --kubeconfig=admin.conf
kubectl config set-context kubernetes-admin@kubernetes \
    --cluster=kubernetes \
    --user=kubernetes-admin \
    --kubeconfig=admin.conf
kubectl config use-context kubernetes-admin@kubernetes --kubeconfig=admin.conf
## generate controller-manager.conf
kubectl config set-cluster kubernetes \
    --certificate-authority=pki/ca.crt \
    --embed-certs=true \
    --server=https://10.10.53.101:6443 \
    --kubeconfig=controller-manager.conf
kubectl config set-credentials system:kube-controller-manager \
    --client-certificate=pki/apiserver-kubelet-client.crt \
    --client-key=pki/apiserver-kubelet-client.key \
    --embed-certs=true \
    --kubeconfig=controller-manager.conf
kubectl config set-context system:kube-controller-manager@kubernetes \
    --cluster=kubernetes \
    --user=system:kube-controller-manager \
    --kubeconfig=controller-manager.conf
kubectl config use-context system:kube-controller-manager@kubernetes --kubeconfig=controller-manager.conf
## generate scheduler.conf
kubectl config set-cluster kubernetes \
    --certificate-authority=pki/ca.crt \
    --embed-certs=true \
    --server=https://10.10.53.101:6443 \
    --kubeconfig=scheduler.conf
kubectl config set-credentials system:kube-scheduler \
    --client-certificate=pki/apiserver-kubelet-client.crt \
    --client-key=pki/apiserver-kubelet-client.key \
    --embed-certs=true \
    --kubeconfig=scheduler.conf
kubectl config set-context system:kube-scheduler@kubernetes \
    --cluster=kubernetes \
    --user=system:kube-scheduler \
    --kubeconfig=scheduler.conf
kubectl config use-context system:kube-scheduler@kubernetes --kubeconfig=scheduler.conf
## generate kubelet.conf (node identity: user system:node:<hostname> in group system:nodes; use the node name from `kubectl get nodes` if it differs from the hostname)
kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > kubelet.conf
systemctl stop kubelet
systemctl stop docker
## clear the kubelet pki directory (keeping a backup) so the kubelet re-bootstraps its client certificate
mkdir -p /var/lib/kubelet/pki-bak
mv /var/lib/kubelet/pki/* /var/lib/kubelet/pki-bak/
systemctl start docker
systemctl start kubelet
## set the admin config
cp /etc/kubernetes/admin.conf ~/.kube/config
## approve this node's CSR (check the REQUESTOR column in `kubectl get csr` first: only requests from system:node:<hostname> should be approved here)
kubectl get csr | grep $(hostname) | awk '{print $1}' | xargs kubectl certificate approve
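Rebuilding a component kubeconfig with its own identity, as an added example (not code from the original post or from kubeadm): the functions below do with plain openssl and base64 what `kubeadm alpha kubeconfig user --client-name ...` does, issuing a client certificate signed by the cluster CA whose CN is the component's user name (and no O=system:masters), embedding it into a kubeconfig the way `kubectl config set-* --embed-certs=true` does, and reporting which identity an existing kubeconfig actually carries. The CA layout (<ca_dir>/ca.crt and ca.key), the API server address and the output paths are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post or from kubeadm): rebuild a
# control-plane kubeconfig with a client certificate scoped to that component
# instead of embedding apiserver-kubelet-client.crt (O=system:masters, i.e.
# cluster-admin) into controller-manager.conf and scheduler.conf.
# Assumed layout: <ca_dir>/ca.crt and <ca_dir>/ca.key (the kubeadm CA).
set -euo pipefail

# issue_client_cert <ca_dir> <out_prefix> <common_name> [org]
# Signs a 1-year client cert with the cluster CA. Kubernetes maps CN to the
# user name and each O to a group, so CN=system:kube-scheduler with no O gets
# exactly the RBAC bound to that user and nothing more.
issue_client_cert() {
  local ca_dir=$1 out=$2 org=${4:-}
  local subj="/CN=$3"
  if [ -n "$org" ]; then subj="/O=${org}${subj}"; fi
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$out.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$out.key" -out "$out.csr" 2>/dev/null
  openssl x509 -req -in "$out.csr" -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$out.ext" -out "$out.crt" 2>/dev/null
  rm -f "$out.csr" "$out.ext"
  chmod 600 "$out.key"
}

# write_kubeconfig <out> <server_url> <ca.crt> <client.crt> <client.key> <user>
# Equivalent of the three `kubectl config set-*` calls with --embed-certs=true:
# a kubeconfig is plain YAML with the PEM files base64-encoded inline.
write_kubeconfig() {
  local out=$1 server=$2 ca=$3 crt=$4 key=$5 user=$6
  local b64_ca b64_crt b64_key
  b64_ca=$(base64 < "$ca" | tr -d '\n')
  b64_crt=$(base64 < "$crt" | tr -d '\n')
  b64_key=$(base64 < "$key" | tr -d '\n')
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: ${server}
    certificate-authority-data: ${b64_ca}
users:
- name: ${user}
  user:
    client-certificate-data: ${b64_crt}
    client-key-data: ${b64_key}
contexts:
- name: ${user}@kubernetes
  context:
    cluster: kubernetes
    user: ${user}
current-context: ${user}@kubernetes
EOF
  chmod 600 "$out"   # the file now contains a private key
}

# Subject of the client cert embedded in a kubeconfig, e.g. "CN=system:kube-scheduler"
# or "CN=kubernetes-admin,O=system:masters". Run it over admin.conf,
# controller-manager.conf and scheduler.conf to audit which identity each
# control-plane component really authenticates as (kubelet.conf may reference
# a file on disk instead of embedding the certificate).
kubeconfig_client_subject() {
  awk '/client-certificate-data:/ {print $2; exit}' "$1" | base64 -d \
    | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Exit 0 when the embedded cert is in system:masters, the group kubeadm binds
# to cluster-admin; only admin.conf should ever be in that state.
kubeconfig_grants_masters() {
  case "$(kubeconfig_client_subject "$1")" in
    *O=system:masters*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage (paths and address are placeholders):
#   issue_client_cert /etc/kubernetes/pki /tmp/sched system:kube-scheduler
#   write_kubeconfig /etc/kubernetes/scheduler.conf https://10.10.53.101:6443 \
#       /etc/kubernetes/pki/ca.crt /tmp/sched.crt /tmp/sched.key system:kube-scheduler
#   kubeconfig_client_subject /etc/kubernetes/controller-manager.conf
```

The audit function is the useful part after any renewal: if `kubeconfig_client_subject` on controller-manager.conf or scheduler.conf shows O=system:masters, that component is running as cluster-admin and should get a certificate for its own identity.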
How to renew certificates on kubernetes v1.15
1. Renew every certificate under /etc/kubernetes/pki (the CA certificates are left alone). In v1.15 this command also renews the client certificates embedded in admin.conf, controller-manager.conf and scheduler.conf, so the manual kubectl steps from the v1.14 section are no longer needed; `kubeadm alpha certs check-expiration` shows the new dates. Afterwards restart the control-plane components so they load the renewed certificates (restart docker and kubelet on the master as in the v1.13 section, or move the static pod manifests out of /etc/kubernetes/manifests and back), then copy the new admin.conf over ~/.kube/config.
kubeadm alpha certs renew all
2. Check the CSR list; if a node's CSR is still Pending, approve it. The one-liner below approves every CSR in the cluster regardless of who requested it, so look at the REQUESTOR column of `kubectl get csr` first and approve only requests from node identities you expect (system:node:<name>), with `kubectl certificate approve <csr-name>`, rather than the whole list:
kubectl get csr|grep -v NAME|awk '{print $1}'|xargs kubectl certificate approve
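Verifying the result on any of the three versions, as an added example (not code from the original post or from kubeadm): the functions below report the expiry of every certificate the control plane depends on, the PEM files under the pki directory (etcd/ included) and the client certificate of each kubeconfig, whether embedded as base64 or referenced by path. Run it before the renewal to see what has lapsed, and again afterwards to confirm the new dates; `expiring_certs` also lists the non-CA pairs that need to be moved aside before re-running the v1.13 certificate phases. It assumes GNU date (date -d) and openssl; the directory paths are parameters with the kubeadm defaults shown in the usage comment.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post or from kubeadm): audit the
# expiry of every certificate a kubeadm control plane depends on, without
# kubeadm itself. Assumes GNU date (date -d) and openssl.
set -euo pipefail

# cert_days_left <pem_file>: whole days until expiry, negative once expired.
cert_days_left() {
  local not_after end now
  not_after=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
  end=$(date -d "$not_after" +%s)
  now=$(date +%s)
  echo $(( (end - now) / 86400 ))
}

# kubeconfig_client_cert <kubeconfig>: print the client certificate PEM, whether
# embedded as base64 (admin.conf, controller-manager.conf, scheduler.conf) or
# referenced by path (kubelet.conf once kubelet client rotation is on).
kubeconfig_client_cert() {
  local data path
  data=$(awk '/client-certificate-data:/ {print $2; exit}' "$1")
  if [ -n "$data" ]; then
    printf '%s' "$data" | base64 -d
    return 0
  fi
  path=$(awk '/client-certificate:/ {print $2; exit}' "$1")
  if [ -z "$path" ]; then
    return 1   # token- or password-based user: nothing to check
  fi
  cat "$path"  # e.g. /var/lib/kubelet/pki/kubelet-client-current.pem
}

# expiring_certs <pki_dir> <days>: non-CA certificates that expire within
# <days>. Before re-running `kubeadm alpha phase certs ...` these are the
# .crt/.key pairs to move aside (kubeadm keeps a pair that already exists);
# the CA files are skipped because rotating them means re-joining every node.
expiring_certs() {
  local pki_dir=$1 days=$2 f
  find "$pki_dir" -name '*.crt' | sort | while read -r f; do
    case "$(basename "$f")" in ca.crt|front-proxy-ca.crt) continue ;; esac
    if [ "$(cert_days_left "$f")" -le "$days" ]; then echo "$f"; fi
  done
}

# report_cert_expiry <pki_dir> <conf_dir> [warn_days]: one line per
# certificate, "<days_left> <OK|WARN|EXPIRED> <path>". Exit status is 1 when
# anything is expired or inside the warning window, so it can gate a cron job.
report_cert_expiry() {
  local pki_dir=$1 conf_dir=$2 warn_days=${3:-30} f days status tmp rc=0
  for f in $(find "$pki_dir" -name '*.crt' | sort) "$conf_dir"/*.conf; do
    [ -e "$f" ] || continue
    case "$f" in
      *.conf)
        tmp=$(mktemp)
        kubeconfig_client_cert "$f" > "$tmp" || { rm -f "$tmp"; continue; }
        days=$(cert_days_left "$tmp")
        rm -f "$tmp" ;;
      *) days=$(cert_days_left "$f") ;;
    esac
    if [ "$days" -lt 0 ]; then status=EXPIRED; rc=1
    elif [ "$days" -le "$warn_days" ]; then status=WARN; rc=1
    else status=OK; fi
    printf '%5d %-7s %s\n' "$days" "$status" "$f"
  done
  return $rc
}

# Usage on a kubeadm master (default paths):
#   report_cert_expiry /etc/kubernetes/pki /etc/kubernetes 30
#   expiring_certs /etc/kubernetes/pki 0     # already expired, CAs excluded
```

After a successful `kubeadm alpha certs renew all` every pki entry other than the CAs should show roughly 365 days, and on v1.15 the three control-plane kubeconfigs should too; a kubeconfig that still shows the old date is one the renewal did not touch.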