k8s certificates expired? Don't panic, they can be recovered!

Notes

1. Every k8s cluster described in this article was installed with the kubeadm tool of the matching version.

2. Before any of the operations below, back up the /etc/kubernetes directory (the pki subdirectory and the *.conf files in particular), so that you can roll back if something goes wrong.

3. None of the renewal procedures below regenerates the CA certificate. (If the CA certificate is replaced, every node in the cluster has to re-join.)

Renewing certificates on kubernetes v1.13

1. Prepare the cluster configuration file

kubeadm config view > cluster.yaml

If the certificates have already expired, the command above usually fails (it reads the kubeadm-config ConfigMap through the API server, which no longer accepts the expired client certificate), so cluster.yaml has to be written by hand. Example:

apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta1
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: 10.40.53.101:6443   # fill in your own control-plane endpoint
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.13.2   # fill in the version your cluster runs
networking:
  dnsDomain: cluster.local
  podSubnet: 192.168.0.0/16  # example value; use the pod CIDR your cluster was created with
  serviceSubnet: 10.96.0.0/12   # kubeadm default; use your own value if it was changed
scheduler: {}

 

2. Generate the certificate used for the etcd health-check connection

kubeadm alpha phase certs etcd-healthcheck-client --config cluster.yaml

3. Generate the certificate for authentication between etcd peers

kubeadm alpha phase certs etcd-peer --config cluster.yaml

4. Generate the etcd server certificate

kubeadm alpha phase certs etcd-server --config cluster.yaml

5. Generate the certificate for the apiserver front proxy

kubeadm alpha phase certs front-proxy-client --config cluster.yaml

Note: kube-apiserver presents the front-proxy-client certificate when it proxies requests to an extension API server (the aggregation layer), so it is only needed if you run one; regenerating it anyway is harmless.

6. Generate the client certificate the apiserver uses to connect to etcd

kubeadm alpha phase certs apiserver-etcd-client --config cluster.yaml

7. Generate the client certificate the apiserver uses to connect to the kubelets

kubeadm alpha phase certs apiserver-kubelet-client --config cluster.yaml

8. Generate the apiserver serving certificate

kubeadm alpha phase certs apiserver --config cluster.yaml

9. Regenerate the kubeconfig files

The following command rewrites the *.conf files under /etc/kubernetes/ (admin.conf, controller-manager.conf, scheduler.conf and kubelet.conf) with the new certificates.

kubeadm alpha phase kubeconfig all --config cluster.yaml

Caveat for steps 2 to 9: kubeadm only writes a new file when it does not find one on disk that it considers usable. If a phase reports that it is using the existing certificate and key (or an existing kubeconfig file), move that file out of /etc/kubernetes (your backup keeps a copy) and rerun the phase.

10. Restart docker and then kubelet on the master node, and confirm that the control-plane component containers come back up. The certificate renewal is now complete; copy the new /etc/kubernetes/admin.conf over ~/.kube/config and you regain control of the cluster.
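Before touching anything it pays to know exactly which certificates are expired, and after step 10 to confirm that every one of them, including the client certificates embedded in the *.conf files, was actually replaced. The following script is an added example, not code from the original article or from kubeadm; it assumes openssl is installed and the kubeadm layout under /etc/kubernetes, and the variable names PKI_DIR and CONF_DIR are chosen here. (On kubeadm v1.15 and later, kubeadm alpha certs check-expiration gives a similar report natively; this script also works on the older versions covered in this article.)

```sh
#!/bin/sh
# Added example, not code from the original article: an expiry report for a
# kubeadm control plane, to run before a renewal (to see what is really
# expired) and again afterwards (to confirm every file was replaced).
# Assumes openssl and the kubeadm layout; PKI_DIR and CONF_DIR are names chosen
# here and can be overridden from the environment.
PKI_DIR=${PKI_DIR:-/etc/kubernetes/pki}
CONF_DIR=${CONF_DIR:-/etc/kubernetes}

# notAfter of a PEM certificate file, e.g. "May 26 01:00:00 2021 GMT"
cert_enddate() {
  openssl x509 -noout -enddate -in "$1" | cut -d= -f2
}

# Read a PEM certificate on stdin; exit 0 if it expires within $1 days
# (an already expired certificate counts too, and so does an unreadable one).
pem_expires_within() {
  ! openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# Same check for a certificate file: cert_expires_within FILE DAYS
cert_expires_within() {
  pem_expires_within "$2" < "$1"
}

# Write the client certificate a kubeconfig uses to stdout as PEM. kubeadm
# embeds it as client-certificate-data; kubelet.conf may instead reference a
# file via client-certificate: once certificate rotation is on, so handle both.
kubeconfig_client_cert() {
  data=$(grep -m1 'client-certificate-data:' "$1" | awk '{print $2}')
  path=$(grep -m1 'client-certificate:' "$1" | awk '{print $2}')
  if [ -n "$data" ]; then
    printf '%s' "$data" | base64 -d
  elif [ -n "$path" ]; then
    cat "$path"
  else
    return 1
  fi
}

# notAfter of the client certificate inside a kubeconfig
kubeconfig_client_cert_enddate() {
  kubeconfig_client_cert "$1" | openssl x509 -noout -enddate | cut -d= -f2
}

# One line per certificate: path, notAfter, and a flag when it expires within
# $1 days (default 30). Covers pki/*.crt, pki/etcd/*.crt and the kubeconfigs.
report_expiry() {
  days=${1:-30}
  for f in "$PKI_DIR"/*.crt "$PKI_DIR"/etcd/*.crt; do
    [ -f "$f" ] || continue
    if cert_expires_within "$f" "$days"; then status="EXPIRED-OR-EXPIRING"; else status="ok"; fi
    printf '%-50s %-26s %s\n' "$f" "$(cert_enddate "$f")" "$status"
  done
  for f in "$CONF_DIR"/admin.conf "$CONF_DIR"/controller-manager.conf \
           "$CONF_DIR"/scheduler.conf "$CONF_DIR"/kubelet.conf; do
    [ -f "$f" ] || continue
    if kubeconfig_client_cert "$f" | pem_expires_within "$days"; then status="EXPIRED-OR-EXPIRING"; else status="ok"; fi
    printf '%-50s %-26s %s\n' "$f" "$(kubeconfig_client_cert_enddate "$f")" "$status"
  done
}

# Usage: sh check_expiry.sh report [DAYS]
if [ "${1:-}" = "report" ]; then
  report_expiry "${2:-30}"
fi
```

Run it as sh check_expiry.sh report 30 on the master before and after the renewal; any line still flagged afterwards is a file that a phase skipped (see the caveat above) or a kubeconfig that still points at the old certificate. The check uses openssl x509 -checkend rather than date arithmetic so it behaves the same on every openssl version.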

 

Renewing certificates on kubernetes v1.14

Notes:

  • kubeadm v1.14 no longer has the kubeadm alpha phase kubeconfig all command, so the steps below regenerate the /etc/kubernetes/*.conf files by hand. (v1.14 ships kubeadm init phase kubeconfig all --config cluster.yaml as the replacement; the manual steps are what this article tested.)
  • Replace the ip:port in the steps below with your own control-plane endpoint, and run them from /etc/kubernetes, because the pki/... and *.conf paths are relative to that directory.

 

1. Renew every certificate file under /etc/kubernetes/pki (the CA certificate excluded).
##renew all cert except ca cert
kubeadm alpha certs renew all

2. How to generate the /etc/kubernetes/*.conf files by hand.

Caveat: the commands below reuse pki/apiserver-kubelet-client.crt as the client certificate of admin.conf, controller-manager.conf and scheduler.conf. kubeadm issues that certificate with O=system:masters, and the API server takes the caller's identity from the certificate's CN and O, not from the user name written into the kubeconfig, so every one of these kubeconfigs authenticates as cluster-admin. For admin.conf that is what you want; the controller-manager and scheduler, however, end up running with far more privilege than the system:kube-controller-manager and system:kube-scheduler identities kubeadm normally gives them. The procedure works, but for least privilege issue a dedicated client certificate per component instead, e.g. with kubeadm alpha kubeconfig user --client-name <identity>, the same subcommand the kubelet.conf step below uses.
##generate admin.conf (paths are relative to /etc/kubernetes, so cd there first)
kubectl config set-cluster kubernetes \
--certificate-authority=pki/ca.crt  \
--embed-certs=true \
--server=https://10.10.53.101:6443 \
--kubeconfig=admin.conf

##apiserver-kubelet-client.crt carries O=system:masters, which is the intended privilege level for admin.conf
kubectl config set-credentials kubernetes-admin \
--client-certificate=pki/apiserver-kubelet-client.crt \
--client-key=pki/apiserver-kubelet-client.key \
--embed-certs=true \
--kubeconfig=admin.conf

kubectl config set-context kubernetes-admin@kubernetes \
--cluster=kubernetes \
--user=kubernetes-admin \
--kubeconfig=admin.conf

kubectl config use-context kubernetes-admin@kubernetes --kubeconfig=admin.conf

##generate controller-manager.conf
kubectl config set-cluster kubernetes \
--certificate-authority=pki/ca.crt \
--embed-certs=true \
--server=https://10.10.53.101:6443 \
--kubeconfig=controller-manager.conf

##NOTE: with this certificate the controller-manager authenticates as system:masters, not as
##system:kube-controller-manager (see the caveat above)
kubectl config set-credentials system:kube-controller-manager \
--client-certificate=pki/apiserver-kubelet-client.crt \
--client-key=pki/apiserver-kubelet-client.key \
--embed-certs=true \
--kubeconfig=controller-manager.conf

kubectl config set-context system:kube-controller-manager@kubernetes \
--cluster=kubernetes \
--user=system:kube-controller-manager \
--kubeconfig=controller-manager.conf

kubectl config use-context system:kube-controller-manager@kubernetes --kubeconfig=controller-manager.conf

##generate scheduler.conf
kubectl config set-cluster kubernetes \
--certificate-authority=pki/ca.crt \
--embed-certs=true \
--server=https://10.10.53.101:6443 \
--kubeconfig=scheduler.conf

##NOTE: same over-privilege as above; the scheduler authenticates as system:masters
kubectl config set-credentials system:kube-scheduler \
--client-certificate=pki/apiserver-kubelet-client.crt \
--client-key=pki/apiserver-kubelet-client.key \
--embed-certs=true \
--kubeconfig=scheduler.conf

kubectl config set-context system:kube-scheduler@kubernetes \
--cluster=kubernetes \
--user=system:kube-scheduler \
--kubeconfig=scheduler.conf

kubectl config use-context system:kube-scheduler@kubernetes --kubeconfig=scheduler.conf

##generate kubelet.conf: a client cert with O=system:nodes and CN=system:node:<node name>;
##kubeadm registers the node under the lower-cased hostname, so use the name shown by
##`kubectl get nodes` if it differs from $(hostname)
kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > kubelet.conf

systemctl stop kubelet
systemctl stop docker

##clear kubelet pki (moved aside, not deleted; the kubelet re-creates it and requests new
##certificates when it starts)
mkdir -p /var/lib/kubelet/pki-bak
mv /var/lib/kubelet/pki /var/lib/kubelet/pki-bak/

systemctl start docker
systemctl start kubelet
##set admin config
cp /etc/kubernetes/admin.conf ~/.kube/config

##approve node csr (only this node's request; do not blindly approve every CSR in the cluster)
kubectl get csr|grep $(hostname)|awk '{print $1}'|xargs kubectl certificate approve
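The identity a kubeconfig really carries is whatever is in its client certificate, so the quickest way to see the over-privilege problem described in the caveat above, and to confirm it is gone after a fix, is to read the subject out of each file. The script below is an added example, not code from the original article or from kubeadm. It assumes openssl and the kubeadm layout, KUBE_DIR is a variable name chosen here, and the regeneration helper wraps kubeadm's real kubeadm alpha kubeconfig user subcommand, the same one the kubelet.conf step above uses, to issue a dedicated certificate per control-plane component instead of reusing apiserver-kubelet-client.crt.

```sh
#!/bin/sh
# Added example, not code from the original article. Goes with the manual
# kubeconfig rebuild above: shows which identity a kubeconfig really carries
# (the API server authenticates the client certificate's CN and O, not the
# "user" name in the YAML) and rebuilds a component kubeconfig with its own
# certificate through kubeadm's `kubeadm alpha kubeconfig user` subcommand.
# Assumes openssl and the kubeadm layout; KUBE_DIR is a name chosen here.
KUBE_DIR=${KUBE_DIR:-/etc/kubernetes}

# Embedded client certificate of a kubeconfig, as PEM on stdout
kubeconfig_client_cert() {
  grep -m1 'client-certificate-data:' "$1" | awk '{print $2}' | base64 -d
}

# Subject of that certificate in RFC 2253 form, e.g.
#   CN=kube-apiserver-kubelet-client,O=system:masters
kubeconfig_identity() {
  kubeconfig_client_cert "$1" | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Exit 0 when the certificate is in the system:masters group, i.e. it is
# cluster-admin and no RBAC rule can restrict it.
is_cluster_admin_kubeconfig() {
  case ",$(kubeconfig_identity "$1")," in
    *",O=system:masters,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the identity behind each hand-built control-plane kubeconfig
audit_kubeconfigs() {
  for f in "$KUBE_DIR"/admin.conf "$KUBE_DIR"/controller-manager.conf "$KUBE_DIR"/scheduler.conf; do
    [ -f "$f" ] || continue
    if is_cluster_admin_kubeconfig "$f"; then flag="cluster-admin"; else flag=""; fi
    printf '%-42s %-60s %s\n' "$f" "$(kubeconfig_identity "$f")" "$flag"
  done
}

# Rebuild one kubeconfig with a certificate whose CN is the component's own
# identity, e.g.:
#   regen_component_conf system:kube-controller-manager controller-manager.conf
#   regen_component_conf system:kube-scheduler scheduler.conf
# Extra arguments go to kubeadm (--apiserver-advertise-address and
# --apiserver-bind-port when the endpoint is not this host's IP on 6443).
# The API server's bootstrap RBAC already binds these two user names.
regen_component_conf() {
  client_name=$1; out=$2; shift 2
  if [ -f "$KUBE_DIR/$out" ]; then cp -a "$KUBE_DIR/$out" "$KUBE_DIR/$out.bak"; fi
  kubeadm alpha kubeconfig user --client-name "$client_name" "$@" > "$KUBE_DIR/$out.tmp" \
    && mv "$KUBE_DIR/$out.tmp" "$KUBE_DIR/$out"
}

# Usage: sh kubeconfig_identity.sh audit
if [ "${1:-}" = "audit" ]; then
  audit_kubeconfigs
fi
```

After the manual steps above, sh kubeconfig_identity.sh audit lists all three files as CN=kube-apiserver-kubelet-client,O=system:masters with the cluster-admin flag; after regen_component_conf system:kube-controller-manager controller-manager.conf and regen_component_conf system:kube-scheduler scheduler.conf (followed by a restart of the two static pods so they load the new file) the flag disappears for those two and only admin.conf remains cluster-admin.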

 

Renewing certificates on kubernetes v1.15

1. Renew every certificate under /etc/kubernetes/pki (the CA certificate excluded). On v1.15 this command also refreshes the client certificates embedded in /etc/kubernetes/admin.conf, controller-manager.conf and scheduler.conf, so there is no manual kubeconfig step; restart the control-plane static pods (kube-apiserver, kube-controller-manager, kube-scheduler, etcd) afterwards so they load the new files, and copy admin.conf to ~/.kube/config. kubeadm alpha certs check-expiration (new in v1.15) shows the result.

kubeadm alpha certs renew all

2. Check the CSR state; if a node's CSR has not been approved, approve it by hand:

kubectl get csr|grep -v NAME|awk '{print $1}'|xargs kubectl certificate approve

Caveat: this one-liner approves every CSR in the cluster, not just the ones your nodes raised. Anyone who can create a CertificateSigningRequest would get a certificate signed by the cluster CA, so restrict approval to Pending requests whose requestor is system:node:<name> for a node you actually have.
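Approving only the requests a renewal should produce takes a filter on the requestor and the condition rather than on the NAME header. The script below is an added example, not code from the original article; it covers both this step and the grep-by-hostname approval in the v1.14 procedure above. It asks kubectl for the CSR name, spec.username and condition types with -o custom-columns (a real kubectl option), the column layout it parses is the one that command produces, and SAMPLE_CSRS is constructed here for an offline check.

```sh
#!/bin/sh
# Added example, not code from the original article: approve only the CSRs a
# certificate renewal should produce, i.e. Pending requests from a kubelet
# identity (system:node:<name>) for a node you know, instead of every CSR in
# the cluster. SAMPLE_CSRS is constructed for an offline check.

# Fields: NAME REQUESTOR CONDITION-TYPES, where CONDITION-TYPES prints as
# <none> while a request is still pending (no Approved/Denied condition yet).
list_csrs() {
  kubectl get csr --no-headers \
    -o custom-columns=NAME:.metadata.name,REQUESTOR:.spec.username,COND:.status.conditions[*].type
}

# Read that listing on stdin; print the names of CSRs that are still pending
# and were requested by a node identity. With node names as arguments only
# those nodes are accepted (take them from `kubectl get nodes`).
select_pending_node_csrs() {
  awk -v allow=" $* " '
    $3 == "<none>" && $2 ~ /^system:node:/ {
      node = substr($2, 13)                      # strip the "system:node:" prefix
      if (allow == "  " || index(allow, " " node " ") > 0) print $1
    }'
}

# Approve the selected requests; -r keeps xargs from running with no input.
approve_node_csrs() {
  list_csrs | select_pending_node_csrs "$@" | xargs -r kubectl certificate approve
}

# Constructed sample of the listing: two pending node requests, one already
# approved, one denied, and a pending request from a service account that a
# blanket approval would also have signed.
SAMPLE_CSRS='csr-2x9kq   system:node:master1                      <none>
csr-7hbtd   system:node:worker1                      Approved
csr-c4rzm   system:serviceaccount:default:builder    <none>
csr-p8l2v   system:node:worker2                      <none>
csr-q0ms1   system:node:worker1                      Denied'

# Usage: sh approve_node_csrs.sh approve [NODE ...]
if [ "${1:-}" = "approve" ]; then
  shift
  approve_node_csrs "$@"
fi
```

Run sh approve_node_csrs.sh approve master1 worker1 worker2 after the renewal; passing the node list is the safer form, since it also rejects a request that merely claims a system:node: name for a node you do not have. On the constructed sample the filter selects csr-2x9kq and csr-p8l2v and leaves the service-account request alone.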

 

posted @ 2020-05-27 09:03  shliph