kubeadm 部署证书更新

1、备份(master1、master2、master3)

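#1. Certificates and private keys
# Back up each certificate/key pair next to the original before anything is renewed.
# cp -p (instead of the no-op -r on regular files) copies mode, owner and timestamps
# onto the backup, so a pre-existing .bak with looser permissions does not end up
# holding a private key under that looser mode.
for name in apiserver apiserver-kubelet-client front-proxy-client; do
  for ext in crt key; do
    cp -p -- "/etc/kubernetes/pki/${name}.${ext}" "/etc/kubernetes/pki/${name}.${ext}.bak"
  done
done

#2. kubeconfig files
# These embed client credentials, so the same -p reasoning applies to their backups.
for conf in admin scheduler controller-manager kubelet; do
  cp -p -- "/etc/kubernetes/${conf}.conf" "/etc/kubernetes/${conf}.conf.bak"
done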

2、查看kubeconfig有效性(master1、master2、master3)

# Query the API server once with each kubeconfig; a failure identifies the
# kubeconfig whose credentials are no longer accepted.
cd /etc/kubernetes
for conf in admin scheduler controller-manager kubelet; do
  kubectl get node --kubeconfig "/etc/kubernetes/${conf}.conf"
done

3、查看现有证书到期时间(master1、master2、master3)

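#1. Show the expiry of the kubeadm-managed certificates (run on every master node)
# The leading "$ " prompt was dropped so the line can be pasted as-is.
# NOTE(review): newer kubeadm releases expose this as `kubeadm certs check-expiration`
# (without `alpha`) — confirm against the installed version.
kubeadm alpha certs check-expiration

#2. Inspect one certificate directly; -dates prints its notBefore and notAfter fields
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -dates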

4、更新证书(master1)

#1. Run on master1
# Renews the same three certificates that were backed up in step 1.
cd /etc/kubernetes/pki
for cert_name in apiserver apiserver-kubelet-client front-proxy-client; do
  kubeadm alpha certs renew "${cert_name}"
done

#2. Copy the matching certificates to master2 and master3
# The list below is the certificate/key pair for each of the three names renewed on master1.
# The .key files are private keys: transfer them only over an authenticated, encrypted
# channel and keep them readable by root only on the destination nodes.
# NOTE(review): kubeadm normally issues apiserver.crt per node, with that node's own
# name and IP among its SANs — confirm master1's certificate is valid for master2 and
# master3, or run the renew commands on each control-plane node instead of copying.
/etc/kubernetes/pki/apiserver.crt
/etc/kubernetes/pki/apiserver.key

/etc/kubernetes/pki/apiserver-kubelet-client.crt
/etc/kubernetes/pki/apiserver-kubelet-client.key

/etc/kubernetes/pki/front-proxy-client.crt
/etc/kubernetes/pki/front-proxy-client.key

5、更新kubeconfig文件(master1、master2、master3)

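######## 1. Method one #######
# Re-issue the client certificates embedded in the three control-plane kubeconfigs.
kubeadm alpha certs renew admin.conf
kubeadm alpha certs renew controller-manager.conf
kubeadm alpha certs renew scheduler.conf
# kubelet.conf is regenerated rather than renewed. master1 is only an example;
# replace it with this node's actual name in the cluster.
# The output goes to an absolute path: step 4 leaves the shell in /etc/kubernetes/pki,
# so a relative "kubelet.conf" would be written there instead of replacing the
# file that step 1 backed up.
# The file is generated under umask 077 into a temporary name and moved into place
# only on success, so a failed kubeadm run cannot leave kubelet.conf truncated and
# the embedded client key is never written group/world-readable.
( umask 077
  kubeadm alpha kubeconfig user --client-name=system:node:master1 --org=system:nodes \
    > /etc/kubernetes/kubelet.conf.new ) \
  && mv -- /etc/kubernetes/kubelet.conf.new /etc/kubernetes/kubelet.conf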




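######## 2. Method two #######
# Regenerate all four kubeconfigs with `kubeadm alpha kubeconfig user`.

#######################################
# Generate a kubeconfig and install it at DEST only if generation succeeded.
# Arguments: $1 - destination path; remaining args are passed to
#            `kubeadm alpha kubeconfig user`
# Returns:   0 on success; 1 if kubeadm failed (DEST is then left untouched)
#######################################
write_kubeconfig() {
  local dest=$1
  shift
  # umask 077: these files embed client keys and must not be group/world-readable.
  # Writing to a temporary name first avoids truncating DEST when kubeadm fails.
  if ( umask 077; kubeadm alpha kubeconfig user "$@" > "${dest}.new" ); then
    mv -- "${dest}.new" "${dest}"
  else
    rm -f -- "${dest}.new"
    printf 'kubeconfig generation failed, %s left unchanged\n' "${dest}" >&2
    return 1
  fi
}

# admin.conf is issued in the system:masters group, i.e. a cluster-admin credential.
write_kubeconfig /etc/kubernetes/admin.conf --client-name kubernetes-admin --org system:masters
write_kubeconfig /etc/kubernetes/controller-manager.conf --client-name system:kube-controller-manager
write_kubeconfig /etc/kubernetes/scheduler.conf --client-name system:kube-scheduler

# The kubelet identity must match this node's name. Instead of $(hostname) you may
# need to use the master node name as it appears in the existing
# /etc/kubernetes/kubelet.conf file.
node_name=$(hostname)
write_kubeconfig /etc/kubernetes/kubelet.conf --client-name "system:node:${node_name}" --org system:nodes

# Explicit per-node forms. They all write the same file, so run ONLY the line for
# the node you are on; running all three would leave master3's identity in place.
#   write_kubeconfig /etc/kubernetes/kubelet.conf --client-name system:node:master1 --org system:nodes
#   write_kubeconfig /etc/kubernetes/kubelet.conf --client-name system:node:master2 --org system:nodes
#   write_kubeconfig /etc/kubernetes/kubelet.conf --client-name system:node:master3 --org system:nodes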

6、 重启(master1、master2、master3)对应组件

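# Force-remove the control-plane containers; restarting the kubelet afterwards lets
# them come back and load the renewed certificates and kubeconfigs.
# The filter is quoted so the shell cannot glob-expand the trailing "*" against
# files in the current directory before docker sees it.
for component in kube-apiserver kube-scheduler kube-controller-manager; do
  docker ps -af "name=k8s_${component}*" -q | xargs --no-run-if-empty docker rm -f
done
systemctl restart kubelet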

7、更新~/.kube/config (master1、master2、master3)

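# admin.conf holds the cluster administrator credentials. install -m 600 replaces
# the target with a file readable by its owner only, even if an older
# ~/.kube/config existed with wider permissions.
mkdir -p ~/.kube
install -m 600 /etc/kubernetes/admin.conf ~/.kube/config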

8、 验证~/.kube/config有效性(master1、master2、master3)

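# With no --kubeconfig flag kubectl reads ~/.kube/config, so a successful answer
# shows the refreshed admin credentials are accepted. (Command name corrected from "kubctl".)
# NOTE(review): `cs` (componentstatuses) is deprecated in recent Kubernetes releases;
# `kubectl get node` exercises the same credentials if `cs` is unavailable.
kubectl get cs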

ps:参考
https://zhuanlan.zhihu.com/p/184948611
https://www.cnblogs.com/zhupengasd/articles/15827645.html

k8s 1.12参考这个

https://www.cnblogs.com/zhangrui153169/p/15814148.html
