Renewing expired certificates on a K8S cluster

──╼ # kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 22, 2025 02:40 UTC   <invalid>       ca                      no      
apiserver                  Jul 22, 2025 02:40 UTC   <invalid>       ca                      no      
apiserver-etcd-client      Jul 22, 2025 02:40 UTC   <invalid>       etcd-ca                 no      
apiserver-kubelet-client   Jul 22, 2025 02:40 UTC   <invalid>       ca                      no      
controller-manager.conf    Jul 22, 2025 02:40 UTC   <invalid>       ca                      no      
etcd-healthcheck-client    Jul 22, 2025 02:40 UTC   <invalid>       etcd-ca                 no      
etcd-peer                  Jul 22, 2025 02:40 UTC   <invalid>       etcd-ca                 no      
etcd-server                Jul 22, 2025 02:40 UTC   <invalid>       etcd-ca                 no      
front-proxy-client         Jul 22, 2025 02:40 UTC   <invalid>       front-proxy-ca          no      
scheduler.conf             Jul 22, 2025 02:40 UTC   <invalid>       ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 20, 2034 02:40 UTC   8y              no      
etcd-ca                 Jul 20, 2034 02:40 UTC   8y              no      
front-proxy-ca          Jul 20, 2034 02:40 UTC   8y              no      

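# Back up the certificate directory
sudo cp -r /etc/kubernetes/pki /etc/kubernetes/pki.backup
# Back up the configuration files (create the target directory first; cp fails when several files are copied to a path that is not a directory)
sudo mkdir -p /etc/kubernetes/conf.backup
sudo cp -r /etc/kubernetes/*.conf /etc/kubernetes/conf.backup
# If needed, back up etcd (if the etcd certificates have also expired)
# This copies the etcd data directory; the etcd certificates are under /etc/kubernetes/pki/etcd and are already in the pki backup above
sudo cp -r /var/lib/etcd /var/lib/etcd.backup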


└──╼ # sudo kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

[renew] Error reading configuration from the Cluster. Falling back to default configuration

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

# Update admin.conf
sudo kubeadm init phase kubeconfig admin
# Copy the new admin.conf into the user's home directory
mkdir -p "$HOME/.kube"
sudo cp /etc/kubernetes/admin.conf "$HOME/.kube/config"
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"

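# Restart the control plane containers so they load the renewed certificates (Docker runtime); -r skips the restart if nothing matched
docker ps | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' | xargs -r docker restart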

sudo systemctl restart kubelet

kubeadm certs check-expiration

kubectl get nodes
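
To catch this before the certificates lapse, the RESIDUAL TIME column of `kubeadm certs check-expiration` can be checked on a schedule. The script below is an added example, not part of the original post: the function names, the 30-day default and the sample rows are constructed, and the d/h/m/s residual formats are assumed alongside the `<invalid>` and `8y` forms shown above.

```shell
#!/bin/sh
# Added example: flag kubeadm certificates that are expired or close to expiry.

# certs_needing_renewal [THRESHOLD_DAYS]
# Reads `kubeadm certs check-expiration` output on stdin and prints
# "name<TAB>residual" for every row that is <invalid> or below the threshold.
# Exit status: 1 if any row was flagged, 0 otherwise.
certs_needing_renewal() {
  awk -v limit="${1:-30}" '
    # Convert a residual-time string to days; <invalid> and unknown forms are -1
    # so that they are always flagged.
    function to_days(r,   n, u) {
      if (r == "<invalid>") return -1
      n = r + 0                      # numeric prefix, e.g. "346d" -> 346
      u = substr(r, length(r))       # unit suffix
      if (u == "y") return n * 365
      if (u == "d") return n
      if (u == "h") return n / 24
      if (u == "m") return n / 1440
      if (u == "s") return n / 86400
      return -1
    }
    # Data rows look like: NAME  Mon DD, YYYY HH:MM UTC  RESIDUAL ...
    # Headers, [check-expiration] log lines and blanks have no "UTC" in field 6.
    $6 != "UTC" { next }
    to_days($7) < limit { print $1 "\t" $7; found = 1 }
    END { exit found ? 1 : 0 }
  '
}

# Constructed sample in the same layout as the output shown above.
sample_output() {
  cat <<'EOF'
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 22, 2025 02:40 UTC   <invalid>       ca                      no
apiserver                  Aug 30, 2025 02:40 UTC   20d             ca                      no
etcd-server                Jul 22, 2026 02:40 UTC   346d            etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 20, 2034 02:40 UTC   8y              no
EOF
}

# Demo on the sample; on a control plane node, pipe the real command instead:
#   kubeadm certs check-expiration | certs_needing_renewal 30
sample_output | certs_needing_renewal 30 || echo "renewal needed"
```

The non-zero exit status makes the function usable from cron or a monitoring check, so that an alert fires while the cluster is still reachable.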

 

posted @ 2025-09-28 15:17  しみずよしだ