#前提:先重新编译 kubeadm,把它签发的证书有效期改为100年
1、先备份 conf文件和证书文件
# Snapshot /etc/kubernetes (kubeconfig files and pki/) before anything is
# deleted. Mode, ownership and timestamps are preserved, so the copied private
# keys keep the same permissions as the originals; protect the backup the same
# way as the live directory.
# NOTE(review): if /etc/kubernetes.bak already exists, cp nests the copy inside
# it as /etc/kubernetes.bak/kubernetes instead of replacing it.
cp -R --preserve=mode,ownership,timestamps /etc/kubernetes/ /etc/kubernetes.bak
2、生成新的crt 证书,默认在/etc/kubernetes/pki 路径
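# Stop the kubelet on every node and delete the old certificates and
# kubeconfig files on every node before regenerating them.
systemctl stop kubelet

# Each deletion is its own command. The original chained them with '&&' and
# started with `rm -f /etc/kubernetes/pki/*`; when pki/etcd/ exists, rm reports
# "Is a directory" and exits non-zero even with -f, so the *.conf files, the
# kubelet PKI and the etcd certificates were never removed and kubeadm would
# keep reusing the old files.
rm -f /etc/kubernetes/pki/etcd/*   # only needed when etcd runs as a container (stacked etcd)
rm -f /etc/kubernetes/*.conf
rm -f /var/lib/kubelet/pki/*
# Remove everything directly under pki/ except directories (keeps pki/etcd/ itself).
find /etc/kubernetes/pki -maxdepth 1 ! -type d -delete
# NOTE(review): this also removes the cluster CA and the service-account key
# pair, so credentials and tokens issued under the old keys presumably stop
# validating once the new ones are in place - confirm this is intended before
# running it on a live cluster.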
# Regenerate the certificates one phase at a time, CAs first so the leaf
# certificates that follow are signed by the new CA. Settings come from
# kubeadm-config.yaml in the current directory.
for cert_phase in ca front-proxy-ca apiserver-kubelet-client front-proxy-client apiserver; do
  kubeadm init phase certs "$cert_phase" --config kubeadm-config.yaml
done

# Service-account signing key pair.
kubeadm init phase certs sa

# Only needed when etcd runs as a container (stacked etcd).
# NOTE(review): this call has no --config, so anything it creates uses kubeadm
# defaults rather than kubeadm-config.yaml - confirm that is intended.
kubeadm init phase certs all
3、生成新的conf 文件
# Regenerate the four kubeconfig files under /etc/kubernetes/ from the new CA.
# These files carry client credentials (admin.conf is the cluster-admin one),
# so keep them readable by root only.
for kubeconfig_name in admin kubelet controller-manager scheduler; do
  kubeadm init phase kubeconfig "$kubeconfig_name" \
    --config kubeadm-config.yaml \
    --kubeconfig-dir /etc/kubernetes/
done
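# Copy the newly generated files to the other two master nodes.
#
# Only regular files directly under pki/ are passed to scp. The original passed
# pki/* including the etcd/ directory; scp without -r rejects a directory and
# exits non-zero, so the '&&' skipped the *.conf copy entirely.
# NOTE(review): pki/etcd/ is not copied here (it was not copied by the original
# either); stacked-etcd masters need their etcd certificates handled separately.
# NOTE(review): this sends the CA private key and this node's leaf certificates
# and kubelet.conf to the other masters. Those leaf credentials are presumably
# issued for this node's name and addresses - verify the SANs and the kubelet
# identity on each target instead of assuming they fit.
pki_files=()
for pki_entry in /etc/kubernetes/pki/*; do
  if [[ -f "$pki_entry" ]]; then
    pki_files+=("$pki_entry")
  fi
done

for host_octet in 1 2; do
  scp "${pki_files[@]}" "192.168.111.${host_octet}:/etc/kubernetes/pki/"
done &&
  for host_octet in 1 2; do
    scp /etc/kubernetes/*.conf "192.168.111.${host_octet}:/etc/kubernetes/"
  done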
# Copy the newly generated files to the worker nodes: kubelet.conf first, then
# (only if that loop's last copy succeeded) the new CA certificate.
# Workers receive ca.crt only, never the CA private key.
# NOTE(review): kubelet.conf was generated on this master, so the client
# credential in it presumably names this node. Sharing one node identity across
# workers defeats per-node authorization; confirm each worker ends up with its
# own kubelet credential.
for worker_octet in 3 4; do
  scp /etc/kubernetes/kubelet.conf "192.168.111.${worker_octet}:/etc/kubernetes/"
done &&
  for worker_octet in 3 4; do
    scp /etc/kubernetes/pki/ca.crt "192.168.111.${worker_octet}:/etc/kubernetes/pki/"
  done
4、重启所有节点上的 kubelet、containerd,以及 kube-apiserver、kube-controller-manager、kube-scheduler、calico-kube-controller、kube-proxy、calico-node;容器化部署的 etcd 也要重启
# Restart the node services so they pick up the new certificates and kubeconfigs.
systemctl restart kubelet containerd docker

# containerd hosts: force-remove the control-plane containers.
# NOTE(review): the match is a plain regex over the whole `ps` line, so any
# container whose image, command or name contains one of these strings is hit.
# shellcheck disable=SC2046 -- word splitting is intended: one argument per container ID
nerdctl rm -f $(nerdctl ps -a | awk '/kube-apiserver|kube-controller-manager|kube-scheduler/ {print $1}')

# Docker hosts: restart the control-plane and etcd containers in place.
# NOTE(review): "api" is a very broad pattern; check the matched list first.
# shellcheck disable=SC2046 -- word splitting is intended: one argument per container ID
docker restart $(docker ps | awk '/api|controller-manager|scheduler|etcd/ {print $1}')

# Roll the in-cluster components in kube-system.
kubectl -n kube-system rollout restart ds calico-node kube-proxy
kubectl -n kube-system rollout restart deployments.apps calico-kube-controllers coredns
5、批准待签发的证书请求(CSR)
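# Approve the outstanding certificate signing requests.
#
# The original approved every CSR in the cluster regardless of state or
# origin. Approving a CSR makes the cluster CA sign whatever identity the
# request asks for, so show the list first and check that each REQUESTOR and
# SIGNERNAME belongs to a node you just re-keyed.
kubectl get csr

# Only requests whose CONDITION (last column) is still Pending are approved;
# ones that are already approved or denied are left alone.
for csr_name in $(kubectl get csr --no-headers | awk '$NF ~ /Pending/ {print $1}'); do
  kubectl certificate approve "$csr_name"
done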
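6、验证证书是否延长100年,例如查看证书的起止时间:openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -dates(较新版本的 kubeadm 也可以用 kubeadm certs check-expiration)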