在默认情况下,Kubernetes 的证书每隔一年需要 renew 一次,下面是记录的一次证书更新过程。
1. 查看证书
在 Master 节点上查看证书过期时间:
1
2
3
4
5
6
7
8
9
10
11
12
13
| kubeadm certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Apr 02, 2023 09:53 UTC 296d no
apiserver Apr 02, 2023 09:53 UTC 296d ca no
apiserver-kubelet-client Apr 02, 2023 09:53 UTC 296d ca no
controller-manager.conf Apr 02, 2023 09:53 UTC 296d no
front-proxy-client Apr 02, 2023 09:53 UTC 296d front-proxy-ca no
scheduler.conf Apr 02, 2023 09:53 UTC 296d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Mar 30, 2032 09:53 UTC 9y no
front-proxy-ca Mar 30, 2032 09:53 UTC 9y no
|
低版本的集群下,执行命令会报错,可以执行命令: kubeadm alpha certs check-expiration
2. 备份相关文件
这里可以直接备份整个 Kubernetes 配置文件
1
| cp -r /etc/kubernetes /etc/kubernetes.old
|
3. 在每个 Master 节点上执行命令更新证书
1
2
3
4
5
6
7
8
9
10
| kubeadm certs renew all
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
|
低版本的集群下,执行命令会报错,可以执行命令: kubeadm alpha certs renew all
4. 在每个 Master 节点上重启相关服务
1
| docker ps |egrep "k8s_kube-apiserver|k8s_kube-scheduler|k8s_kube-controller"|awk '{print $1}'|xargs docker restart
|
如果 etcd 使用容器启动,也需要重启。
5. 更新 ~/.kube/config 文件
1
2
| sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
|
