Renewing Expired Kubernetes Certificates
1. Running a command returns an error
[root@k8s-master ~]# kubectl -version
Error: invalid argument "ersion" for "-v, --v" flag: strconv.ParseInt: parsing "ersion": invalid syntax
See 'kubectl --help' for usage.
[root@k8s-master ~]# kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.4", GitCommit:"d360454c9bcd1634cf4cc52d1867af5491dc9c5f", GitTreeState:"clean", BuildDate:"2020-11-11T13:17:17Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"}
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2022-08-10T20:36:58+08:00 is after 2022-03-23T13:56:31Z
2. Check the current certificate expiry dates; all of them have expired
[root@k8s-master ~]# kubeadm alpha certs check-expiration
[kubelet.config.k8s.io kubeproxy.config.k8s.io]
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 23, 2022 13:56 UTC   <invalid>                               no
apiserver                  Mar 23, 2022 13:56 UTC   <invalid>       ca                      no
apiserver-etcd-client      Mar 23, 2022 13:56 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Mar 23, 2022 13:56 UTC   <invalid>       ca                      no
controller-manager.conf    Mar 23, 2022 13:56 UTC   <invalid>                               no
etcd-healthcheck-client    Mar 23, 2022 13:56 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Mar 23, 2022 13:56 UTC   <invalid>       etcd-ca                 no
etcd-server                Mar 23, 2022 13:56 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Mar 23, 2022 13:56 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Mar 23, 2022 13:56 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 21, 2031 13:56 UTC   8y              no
etcd-ca                 Mar 21, 2031 13:56 UTC   8y              no
front-proxy-ca          Mar 21, 2031 13:56 UTC   8y              no
3. Renew all certificates
[root@k8s-master ~]# kubeadm alpha certs renew all
[root@k8s-master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 10, 2023 12:39 UTC   364d                                    no
apiserver                  Aug 10, 2023 12:39 UTC   364d            ca                      no
apiserver-etcd-client      Aug 10, 2023 12:39 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Aug 10, 2023 12:39 UTC   364d            ca                      no
controller-manager.conf    Aug 10, 2023 12:39 UTC   364d                                    no
etcd-healthcheck-client    Aug 10, 2023 12:39 UTC   364d            etcd-ca                 no
etcd-peer                  Aug 10, 2023 12:39 UTC   364d            etcd-ca                 no
etcd-server                Aug 10, 2023 12:39 UTC   364d            etcd-ca                 no
front-proxy-client         Aug 10, 2023 12:39 UTC   364d            front-proxy-ca          no
scheduler.conf             Aug 10, 2023 12:39 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 21, 2031 13:56 UTC   8y              no
etcd-ca                 Mar 21, 2031 13:56 UTC   8y              no
front-proxy-ca          Mar 21, 2031 13:56 UTC   8y              no
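Step 3 shows the renewed certificates valid for 364 days, so the same outage returns in a year unless expiry is watched; the kubeadm table also does not list the kubelet certificates under /var/lib/kubelet/pki that step 6 deals with. The script below is an added example, not part of the original post: it scans certificate files and kubeconfig-embedded client certificates with `openssl x509 -checkend`. The function names and the script name certscan.sh are hypothetical.

```sh
#!/bin/sh
# Added example: flag certificates that expire within DAYS days (or already have).
# Assumes openssl, GNU/BusyBox base64 and paths without whitespace.

# pem_of FILE: print the certificate PEM held in FILE. kubeconfig files (*.conf)
# embed it base64-encoded in client-certificate-data; other files are PEM already.
pem_of() {
    case "$1" in
        *.conf) sed -n 's/^ *client-certificate-data: *//p' "$1" | head -n 1 |
                    base64 -d 2>/dev/null ;;
        *)      cat "$1" ;;
    esac
}

# scan_certs DAYS PATH...: print one "EXPIRING<TAB>file<TAB>notAfter" line per
# certificate inside the window; return 1 if any was found, 0 otherwise.
scan_certs() {
    days=$1; shift
    secs=$((days * 86400)); rc=0
    for f in $(find "$@" -type f \( -name '*.crt' -o -name '*.pem' -o -name '*.conf' \) \
                   2>/dev/null | sort); do
        pem=$(pem_of "$f")
        # Skip files that hold no certificate (key-only PEM, kubeconfig using a file path).
        case "$pem" in *"BEGIN CERTIFICATE"*) ;; *) continue ;; esac
        # -checkend exits non-zero when the certificate expires within $secs seconds.
        if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend "$secs" >/dev/null 2>&1; then
            end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
            printf 'EXPIRING\t%s\t%s\n' "$f" "$end"
            rc=1
        fi
    done
    return $rc
}

# Example: sh certscan.sh 30 /etc/kubernetes /var/lib/kubelet/pki
if [ "$#" -ge 2 ]; then scan_certs "$@"; fi
```

Run from cron or a monitoring agent, the non-zero exit status can drive an alert well before the API server starts rejecting clients.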
4. Restart the apiserver, scheduler and controller-manager containers
docker ps | grep apiserver
docker ps | grep scheduler
docker ps | grep controller-manager
docker restart containerID
5. Update the kubectl certificate
cp /etc/kubernetes/admin.conf ~/.kube/config
6. Update the kubelet certificate
[root@k8s-master pki]# cd /var/lib/kubelet/pki/
[root@k8s-master pki]# openssl x509 -in kubelet.crt -text -noout
[root@k8s-master pki]# openssl genrsa -out kubelet.key 2048
[root@k8s-master pki]# openssl x509 -req -in kubelet.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -out kubelet.crt -days 3600 -CAcreateserial
[root@k8s-master pki]# cat kubelet.crt > kubelet-client-2021-03-23-21-56-34.pem
[root@k8s-master pki]# cat kubelet.key >> kubelet-client-2021-03-23-21-56-34.pem
[root@k8s-master pki]# cat /etc/kubernetes/pki/ca.crt |base64
[root@k8s-master pki]# vim /etc/kubernetes/kubelet.conf
certificate-authority-data: <base64 output of the previous command>
[root@k8s-master ~]# systemctl restart kubelet
[root@k8s-master ~]# systemctl status kubelet
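Step 6 signs kubelet.csr, but the transcript does not show that request being created. The following is an added example, not part of the original post: it generates the request with the subject Kubernetes node authorization expects (group system:nodes, user system:node:<node name>), signs it, and checks chain, key match and subject before the file would be installed. Function names are hypothetical, and the demo uses a throwaway CA in a temporary directory instead of /etc/kubernetes/pki/ca.crt and ca.key.

```sh
#!/bin/sh
# Added example. All files are written to the directory passed in.

# issue_node_cert DIR NODE CA_CRT CA_KEY DAYS: create key, CSR and signed certificate.
issue_node_cert() {
    dir=$1 node=$2 ca_crt=$3 ca_key=$4 days=$5
    ( umask 077; openssl genrsa -out "$dir/kubelet.key" 2048 2>/dev/null ) || return 1
    # The CSR carries the node identity: group system:nodes, user system:node:<name>.
    openssl req -new -key "$dir/kubelet.key" -out "$dir/kubelet.csr" \
        -subj "/O=system:nodes/CN=system:node:$node" || return 1
    openssl x509 -req -in "$dir/kubelet.csr" -CA "$ca_crt" -CAkey "$ca_key" \
        -CAcreateserial -out "$dir/kubelet.crt" -days "$days" 2>/dev/null
}

# verify_node_cert CRT KEY CA_CRT NODE: print "ok" and return 0 only if the
# certificate chains to the CA, matches the private key and names this node.
verify_node_cert() {
    crt=$1 key=$2 ca_crt=$3 node=$4
    openssl verify -CAfile "$ca_crt" "$crt" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] || { echo "key match: FAIL"; return 1; }
    subj=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253)
    case "$subj" in
        *"CN=system:node:$node,O=system:nodes"*) ;;
        *) echo "subject: FAIL ($subj)"; return 1 ;;
    esac
    echo "ok"
}

# demo: constructed throwaway CA and node name, removed again afterwards.
demo() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/ca.key" -out "$tmp/ca.crt" \
        -subj "/CN=kubernetes" -days 1 2>/dev/null || return 1
    issue_node_cert "$tmp" k8s-master "$tmp/ca.crt" "$tmp/ca.key" 365 &&
        verify_node_cert "$tmp/kubelet.crt" "$tmp/kubelet.key" "$tmp/ca.crt" k8s-master
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = demo ]; then demo; fi
```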
"Once and for all" is certainly something people say, but things that are actually settled once and for all are very rare.