Check certificate expiry
The [check-expiration] lines about falling back to the default configuration are expected here: kubeadm reads the kubeadm-config ConfigMap through the API server, whose own serving certificate (apiserver, shown as <invalid> below) has already expired. The second table lists the CAs; they are valid for ten years and are not touched by kubeadm certs renew.
kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 26, 2026 02:24 UTC   364d                                    no      
apiserver                  Mar 07, 2025 16:29 UTC   <invalid>       ca                      no      
apiserver-etcd-client      Mar 07, 2025 16:29 UTC   <invalid>       etcd-ca                 no      
apiserver-kubelet-client   Mar 07, 2025 16:29 UTC   <invalid>       ca                      no      
controller-manager.conf    Mar 26, 2026 02:24 UTC   364d                                    no      
etcd-healthcheck-client    Mar 07, 2025 16:29 UTC   <invalid>       etcd-ca                 no      
etcd-peer                  Mar 07, 2025 16:29 UTC   <invalid>       etcd-ca                 no      
etcd-server                Mar 07, 2025 16:29 UTC   <invalid>       etcd-ca                 no      
front-proxy-client         Mar 07, 2025 16:29 UTC   <invalid>       front-proxy-ca          no      
scheduler.conf             Mar 26, 2026 02:24 UTC   364d                                    no      
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 27, 2033 02:08 UTC   7y              no      
etcd-ca                 Feb 27, 2033 02:08 UTC   7y              no      
front-proxy-ca          Feb 27, 2033 02:08 UTC   7y              no   
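The report above is easy to eyeball once, but on a cluster with several control-plane nodes it is worth turning into a check that fails loudly. The following is an added example, not part of the original article or of kubeadm: a POSIX shell function that parses the check-expiration output from stdin, flags every certificate whose RESIDUAL TIME is below a threshold (with <invalid> counted as already expired), and exits 1 when anything was flagged. The sample report it runs on is the one shown above, embedded as a constructed string; the 30-day default threshold is an assumption.

```sh
#!/bin/sh
# Added example (not from the original article): flag certificates in a
# `kubeadm certs check-expiration` report whose residual time is below a
# threshold in days. Exit status 1 if anything was flagged, so the function
# can gate a cron job or a pre-upgrade check.
# Usage: kubeadm certs check-expiration | expiring_certs 30
expiring_certs() {
    threshold_days="${1:-30}"     # assumed default
    awk -v thr="$threshold_days" '
        # Data rows of both tables carry an expiry like "Mar 26, 2026 02:24 UTC",
        # so "UTC" is always field 6 and the residual time is field 7; the
        # informational [check-expiration] lines and the two headers never match.
        $6 == "UTC" {
            name = $1; residual = $7
            if (residual == "<invalid>")
                days = -1                                              # already expired
            else if (residual ~ /^[0-9]+y$/)
                days = substr(residual, 1, length(residual) - 1) * 365 # years -> days
            else if (residual ~ /^[0-9]+d$/)
                days = substr(residual, 1, length(residual) - 1) + 0   # days
            else
                days = 0                                               # only hours/minutes left
            if (days < thr) { printf "%-26s %s\n", name, residual; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample: the report shown above (minus the FYI line), so the
# parser is exercised on exactly that layout, including the CA table.
SAMPLE_REPORT='[check-expiration] Reading configuration from the cluster...
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 26, 2026 02:24 UTC   364d                                    no
apiserver                  Mar 07, 2025 16:29 UTC   <invalid>       ca                      no
apiserver-etcd-client      Mar 07, 2025 16:29 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Mar 07, 2025 16:29 UTC   <invalid>       ca                      no
controller-manager.conf    Mar 26, 2026 02:24 UTC   364d                                    no
etcd-healthcheck-client    Mar 07, 2025 16:29 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Mar 07, 2025 16:29 UTC   <invalid>       etcd-ca                 no
etcd-server                Mar 07, 2025 16:29 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Mar 07, 2025 16:29 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Mar 26, 2026 02:24 UTC   364d                                    no
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 27, 2033 02:08 UTC   7y              no
etcd-ca                 Feb 27, 2033 02:08 UTC   7y              no
front-proxy-ca          Feb 27, 2033 02:08 UTC   7y              no'

# Run the parser over the constructed sample with the given threshold.
demo_report() {
    printf '%s\n' "$SAMPLE_REPORT" | expiring_certs "${1:-30}"
}
```

With a 30-day threshold the seven <invalid> leaf certificates are listed and the function exits 1; at 365 days the three kubeconfig certificates (364d) join them, while the CAs (7y) only appear once the threshold exceeds about 2555 days.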
Back up the certificates and config files
mkdir  /etc/kubernetes/k8s-202503261410 && cp /etc/kubernetes/*.conf /etc/kubernetes/k8s-202503261410 && cp -rf /etc/kubernetes/pki /etc/kubernetes/k8s-202503261410
Renew the certificates
kubeadm certs renew all re-issues every leaf certificate and kubeconfig under /etc/kubernetes but never the CAs. On a cluster with several control-plane nodes (three here) run it on each of them. Because admin.conf is re-issued as well, copy it over $HOME/.kube/config afterwards, or kubectl keeps presenting the old client certificate.
kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
kubelet configuration
Check kubelet status
The kubelet log shows that the client certificate it has been using has expired:
E0326 14:34:36.318497 3419173 bootstrap.go:265] part of the existing bootstrap client certificate is expired: 2025-03-07 16:33:15 +0000 UTC
Delete the old kubelet kubeconfig and client certificates
rm -rf /etc/kubernetes/kubelet.conf  /var/lib/kubelet/pki/kubelet-client*
Regenerate the kubeconfig files
kubeadm init --kubernetes-version=v1.20.10  phase kubeconfig all  --apiserver-advertise-address 192.168.174.100   --control-plane-endpoint 192.168.174.100:6443
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
Restart kubelet
systemctl restart kubelet
Restart the static Pods
The renewed certificates are only loaded when kube-apiserver, kube-controller-manager, kube-scheduler and etcd restart. Temporarily move their manifests out of /etc/kubernetes/manifests/, wait about 20 seconds for the kubelet to stop the Pods, then move the files back; the kubelet recreates the Pods and they come up with the renewed certificates.
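The manual move-wait-move-back step is where a renewal goes wrong when it is interrupted (manifests left in the staging directory, control plane never comes back). Below is an added example, not from the original article or from kubeadm, that wraps the step in a function with the checks a hand-typed run lacks: it refuses to start if an earlier run left files behind, polls crictl until the four control-plane containers are actually gone when crictl is installed (falling back to the fixed 20-second sleep from the article otherwise), and verifies every manifest is back in place. The staging directory name /etc/kubernetes/manifests.renew and the 3x wait cap are assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): restart the control-plane
# static Pods after `kubeadm certs renew all` by moving their manifests out of
# the kubelet's staticPodPath and back, with safety checks.
# Usage (as root, on each control-plane node): restart_static_pods
#   restart_static_pods [manifest_dir] [staging_dir] [wait_seconds]
restart_static_pods() {
    manifest_dir="${1:-/etc/kubernetes/manifests}"
    staging_dir="${2:-/etc/kubernetes/manifests.renew}"   # assumed name
    wait_seconds="${3:-20}"                                 # the article's 20 s

    # An interrupted earlier run leaves manifests here; never clobber them.
    if [ -d "$staging_dir" ] && [ -n "$(ls -A "$staging_dir")" ]; then
        echo "refusing to run: $staging_dir is not empty, restore it first" >&2
        return 1
    fi
    mkdir -p "$staging_dir"

    count=$(ls "$manifest_dir"/*.yaml 2>/dev/null | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "no static Pod manifests found in $manifest_dir" >&2
        return 1
    fi

    mv "$manifest_dir"/*.yaml "$staging_dir"/

    if command -v crictl >/dev/null 2>&1; then
        # Poll instead of guessing: stop as soon as the control-plane
        # containers are gone, but never wait longer than 3x the fixed wait.
        deadline=$(( $(date +%s) + wait_seconds * 3 ))
        while [ -n "$(crictl ps -q --name 'kube-apiserver|kube-controller-manager|kube-scheduler|etcd' 2>/dev/null)" ] \
            && [ "$(date +%s)" -lt "$deadline" ]; do
            sleep 1
        done
    else
        sleep "$wait_seconds"
    fi

    mv "$staging_dir"/*.yaml "$manifest_dir"/

    # Every manifest must be back, otherwise the control plane stays down.
    restored=$(ls "$manifest_dir"/*.yaml 2>/dev/null | wc -l | tr -d ' ')
    [ "$restored" -eq "$count" ]
}
```

After the function returns, confirm the API server is serving the renewed certificate before moving on to the next control-plane node, for example by running kubeadm certs check-expiration again and checking that apiserver no longer shows <invalid>.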
Certificate signing requests
Check the certificate signing requests
If CONDITION shows Approved,Issued, the CSR has already been approved. If it shows Pending, the CSR has to be approved manually:
kubectl get csr
NAME        AGE     SIGNERNAME                                    REQUESTOR                                  CONDITION
csr-llhc8   46s     kubernetes.io/kube-apiserver-client-kubelet   system:node:paas-container-c1-master-003   Pending
Approve the certificate signing request
kubectl certificate approve csr-llhc8
certificatesigningrequest.certificates.k8s.io/csr-llhc8 approved
Confirm the certificate signing request
kubectl get csr
NAME        AGE     SIGNERNAME                                    REQUESTOR                                  CONDITION
csr-llhc8   5m2s    kubernetes.io/kube-apiserver-client-kubelet   system:node:paas-container-c1-master-003   Approved,Issued
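Approving a CSR hands out a client certificate, so "approve whatever is Pending" is the wrong habit during a re-bootstrap: anyone able to create a CSR could slip one in. The following is an added example, not from the original article or from kubectl: a shell filter that reads kubectl get csr output and selects only Pending requests for the kubernetes.io/kube-apiserver-client-kubelet signer whose REQUESTOR is on an explicit allow-list, plus a thin wrapper that approves exactly that selection on a live cluster. The sample listing reuses the page's csr-llhc8 and adds constructed CSRs that must not be approved; the CSR names csr-abc12, csr-def34 and csr-old01 are made up.

```sh
#!/bin/sh
# Added example (not from the original article): select CSRs that are safe to
# approve by hand after a kubelet re-bootstrap. Only Pending requests, only
# from the kubelet client signer, only from an allow-listed requestor.
# Input : `kubectl get csr` output on stdin (header line optional).
# Arg 1 : space-separated allow-list of requestor usernames.
# Output: one CSR name per line; everything else is left for review.
select_kubelet_csrs() {
    allowed="$1"
    awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "NAME" { next }                      # header row
        # Columns: NAME AGE SIGNERNAME REQUESTOR CONDITION
        $3 == "kubernetes.io/kube-apiserver-client-kubelet" \
            && $5 == "Pending" && ($4 in ok) { print $1 }
    '
}

# Live-cluster wrapper: approve exactly what the filter selected.
# Usage: approve_kubelet_csrs "system:node:paas-container-c1-master-003"
approve_kubelet_csrs() {
    kubectl get csr --no-headers | select_kubelet_csrs "$1" | while read -r name; do
        kubectl certificate approve "$name"
    done
}

# Constructed sample: the Pending CSR from the page plus three that must not
# be approved (another signer, an unknown requestor, one already issued).
SAMPLE_CSRS='NAME        AGE     SIGNERNAME                                    REQUESTOR                                  CONDITION
csr-llhc8   46s     kubernetes.io/kube-apiserver-client-kubelet   system:node:paas-container-c1-master-003   Pending
csr-abc12   30s     kubernetes.io/kube-apiserver-client           system:serviceaccount:default:deployer     Pending
csr-def34   10s     kubernetes.io/kube-apiserver-client-kubelet   system:node:unknown-host                   Pending
csr-old01   3h      kubernetes.io/kube-apiserver-client-kubelet   system:node:paas-container-c1-master-003   Approved,Issued'
```

Note that the allow-list holds requestor usernames as kubectl prints them, not node names: in the listing above the kubelet authenticated as system:node:paas-container-c1-master-003 even though the node is registered as 192.168.174.101.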
Check node status
kubelet log messages
Mar 26 14:53:01 paas-container-c1-master-003 kubelet[3430694]: I0326 14:53:01.588679 3430694 kubelet_node_status.go:71] Attempting to register node 192.168.174.101
Mar 26 14:53:01 paas-container-c1-master-003 kubelet[3430694]: I0326 14:53:01.601388 3430694 kubelet_node_status.go:109] Node 192.168.174.101 was previously registered
Mar 26 14:53:01 paas-container-c1-master-003 kubelet[3430694]: I0326 14:53:01.601480 3430694 kubelet_node_status.go:74] Successfully registered node 192.168.174.101
Node status
kubectl get node
NAME              STATUS   ROLES                  AGE     VERSION
192.168.174.101   Ready    control-plane,master   709d    v1.20.10
192.168.174.102   Ready    control-plane,master   2y25d   v1.20.10
192.168.174.103   Ready    control-plane,master   2y25d   v1.20.10
192.168.174.104   Ready    <none>                 2y25d   v1.20.10
192.168.174.105   Ready    <none>                 34d     v1.20.10
192.168.174.106   Ready    <none>                 2y25d   v1.20.10
Replace the kubelet certificates on a worker node
Back up the old certificates
cp -r /var/lib/kubelet/pki /var/lib/kubelet/pki.bak
Delete the old certificates
sudo rm -f /var/lib/kubelet/pki/kubelet.*
Generate kubelet.conf
Run this on a control-plane (master) node. --node-name gives the worker's identity and --kubeconfig-dir /tmp/ writes the file to /tmp instead of /etc/kubernetes so the master's own kubelet.conf is not overwritten:
kubeadm init --kubernetes-version=v1.20.10 phase kubeconfig kubelet --node-name 192.168.174.106 --apiserver-advertise-address 192.168.174.100  --control-plane-endpoint 192.168.174.100:6443 --kubeconfig-dir /tmp/
Copy it to the worker node. The file embeds the node's client certificate and private key, so keep it mode 0600 and delete the copy in /tmp once it has been transferred:
scp /tmp/kubelet.conf root@192.168.174.106:/etc/kubernetes/kubelet.conf
Restart kubelet
systemctl restart kubelet
Check the certificates
kubelet-client-current.pem is the client certificate obtained through the CSR flow; kubelet.crt and kubelet.key are the serving certificate the kubelet generated for itself when it restarted.
ls -l /var/lib/kubelet/pki
total 12
-rw------- 1 root root 2810 Mar 26 15:33 kubelet-client-2025-03-26-15-33-58.pem
lrwxrwxrwx 1 root root   59 Mar 26 15:33 kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2025-03-26-15-33-58.pem
-rw-r--r-- 1 root root 2266 Mar 26 15:29 kubelet.crt
-rw------- 1 root root 1679 Mar 26 15:29 kubelet.key
Check the certificate validity period
openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -noout -dates
notBefore=Mar 26 06:29:22 2025 GMT
notAfter=Mar 26 06:29:22 2026 GMT
Summary
| Scenario | Steps |
| --- | --- |
| Normal certificate rotation | delete the old certificates → restart kubelet → approve the CSR |
| Forced manual renewal | generate new certificates → replace the files → restart kubelet |
| Automatic rotation | set rotateCertificates: true in the kubelet configuration (/var/lib/kubelet/config.yaml, not the kubelet.conf kubeconfig) → restart kubelet |