7. Kubernetes Certificate Renewal

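Current situation

Client certificates generated by kubeadm expire after 1 year; once they have expired, they must be renewed.

Check certificate expiration times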

kubeadm certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Mar 15, 2022 09:54 UTC   364d            no      
apiserver                  Mar 15, 2022 09:54 UTC   364d            no      
apiserver-etcd-client      Mar 15, 2022 09:54 UTC   364d            no      
apiserver-kubelet-client   Mar 15, 2022 09:54 UTC   364d            no      
controller-manager.conf    Mar 15, 2022 09:54 UTC   364d            no      
etcd-healthcheck-client    Mar 15, 2022 09:54 UTC   364d            no      
etcd-peer                  Mar 15, 2022 09:54 UTC   364d            no      
etcd-server                Mar 15, 2022 09:54 UTC   364d            no      
front-proxy-client         Mar 15, 2022 09:54 UTC   364d            no      
scheduler.conf             Mar 15, 2022 09:54 UTC   364d            no    
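
To turn the check above into something a cron job or monitoring probe can act on, the following shell function (an added example, not part of the original post) parses the `kubeadm certs check-expiration` table and lists certificates with fewer than a given number of days left. The function names, the threshold and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Reads the `kubeadm certs check-expiration` table on stdin and prints
# "name<TAB>residual" for every certificate with fewer than $1 days left.
# Exit status: 0 = nothing flagged, 1 = at least one certificate flagged.
expiring_certs() {
    awk -v limit="$1" '
        # Data rows look like: name, "Mon DD, YYYY HH:MM UTC" (5 fields), residual.
        # Header and blank lines do not have "UTC" in field 6 and are skipped.
        $6 == "UTC" {
            r = $7
            if (r == "<invalid>")          days = -1            # already expired
            else if (r ~ /^[0-9]+y$/)      days = (r + 0) * 365 # e.g. CA certificates
            else if (r ~ /^[0-9]+d$/)      days = r + 0
            else if (r ~ /^[0-9]+[hms]$/)  days = 0             # less than one day
            else next                                           # unknown format
            if (days < limit) { print $1 "\t" r; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed sample table (not real cluster output) covering the residual
# formats handled above: days, hours, years and an expired certificate.
sample_table() {
    cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Mar 15, 2022 09:54 UTC   364d            no
apiserver                  Apr 01, 2021 09:54 UTC   12d             no
etcd-server                Mar 21, 2021 08:00 UTC   23h             no
front-proxy-client         Mar 01, 2021 09:54 UTC   <invalid>       no
ca                         Mar 13, 2031 09:54 UTC   9y              no
EOF
}

# Demo on the constructed table; on a real control-plane node use:
#   kubeadm certs check-expiration | expiring_certs 30
sample_table | expiring_certs 30 || echo "renewal needed"
```
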

Option 1

Check whether there are any unapproved CSR requests

kubectl get csr --sort-by=.metadata.creationTimestamp

If there are, approve them manually

kubectl certificate approve csr-xxxx

Restart the services so that the certificates take effect

systemctl restart kubelet

Docker

docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' |xargs docker restart  

Containerd

crictl ps | grep -E "etcd|scheduler|controller|apiserver" |awk '{print $1}'|xargs crictl  stop

Option 2

Manual certificate renewal

Must be run on all Master nodes

kubeadm certs renew all

Output

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

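Option 3

Use this if the certificates have already expired, or if the previous command cannot renew them.
Must be run on all Master nodes.
The kubernetesVersion error can be ignored.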

kubeadm alpha certs renew all --config /etc/kuber/kubeadm/kubeadm-config.yaml 

Output

W0315 18:29:28.231020   17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
  line 5: key "kubernetesVersion" already set in map
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
W0315 18:29:28.384120   17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
  line 5: key "kubernetesVersion" already set in map
certificate for serving the Kubernetes API renewed
W0315 18:29:29.190988   17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
  line 5: key "kubernetesVersion" already set in map
certificate the apiserver uses to access etcd renewed
W0315 18:29:29.491685   17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
  line 5: key "kubernetesVersion" already set in map
certificate for the API server to connect to kubelet renewed
W0315 18:29:30.067720   17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
  line 5: key "kubernetesVersion" already set in map
certificate embedded in the kubeconfig file for the controller manager to use renewed
W0315 18:29:31.046075   17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
  line 5: key "kubernetesVersion" already set in map
certificate for liveness probes to healtcheck etcd renewed
W0315 18:29:31.445792   17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
  line 5: key "kubernetesVersion" already set in map
certificate for etcd nodes to communicate with each other renewed
W0315 18:29:31.906409   17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
  line 5: key "kubernetesVersion" already set in map
certificate for serving etcd renewed
W0315 18:29:32.431430   17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
  line 5: key "kubernetesVersion" already set in map
certificate for the front proxy client renewed
W0315 18:29:32.547497   17297 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error converting YAML to JSON: yaml: unmarshal errors:
  line 5: key "kubernetesVersion" already set in map
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
posted @ 2024-08-01 03:30  ArcherBrian