kubernetes实战(十七):k8s证书过期处理
时间:2019-01-05 12:11:50
收藏:0
阅读:8130
1、说明
一般正常安装k8s集群,集群证书的有效期是一年,包括以下证书:
- apiserver
- apiserver-kubelet-client
- apiserver-etcd-client
- front-proxy-client
- etcd/server
- etcd/peer
- etcd/healthcheck-client
2、证书过期问题解决办法
对于手动生成的证书
手动安装过程中,只需指定证书的过期时间为N天即可对于kubeadm
方式一:升级K8S集群,自动更新证书
方式二:修改kubeadm并重新编译
方式三:重新生成证书3、过期处理
报错信息
[root@k8s-master03 ~]# kubectl get po
Unable to connect to the server: x509: certificate has expired or is not yet valid日志信息
The currently active client certificate has expired, but the server is not responsive. A restart may be necessary to retrieve new initial credentials.证书备份
cp -rp /etc/kubernetes /etc/kubernetes.bakapiserver证书
[root@k8s-master03 ~]# rm -f /etc/kubernetes/pki/apiserver*front-proxy-client证书
[root@k8s-master03 ~]# rm -f /etc/kubernetes/pki/front-proxy-client.*etcd证书
rm -rf /etc/kubernetes/pki/etcd/healthcheck-client.*
rm -rf /etc/kubernetes/pki/etcd/server.*
rm -rf /etc/kubernetes/pki/etcd/peer.*重新生成证书
[root@k8s-master02 ~]# /opt/kubeadm alpha phase certs all --config kubeadm-config.yaml
[certificates] Generated apiserver-kubelet-client certificate and key.
[certificates] Generated apiserver certificate and key.
[certificates] apiserver serving cert is signed for DNS names [k8s-master02 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local k8s-master01 k8s-master02 k8s-master03 k8s-master-lb] and IPs [10.96.0.1 192.168.20.21 192.168.20.10 192.168.20.20 192.168.20.21 192.168.20.22 192.168.20.10]
[certificates] Generated front-proxy-client certificate and key.
[certificates] Generated etcd/healthcheck-client certificate and key.
[certificates] Generated apiserver-etcd-client certificate and key.
[certificates] Generated etcd/server certificate and key.
[certificates] etcd/server serving cert is signed for DNS names [k8s-master02 localhost k8s-master02] and IPs [127.0.0.1 ::1 192.168.20.21]
[certificates] Generated etcd/peer certificate and key.
[certificates] etcd/peer serving cert is signed for DNS names [k8s-master02 localhost k8s-master02] and IPs [192.168.20.21 127.0.0.1 ::1 192.168.20.21]
[certificates] valid certificates and keys now exist in "/etc/kubernetes/pki"
[certificates] Using the existing sa key.
重新生成配置文件
[root@k8s-master02 ~]# mv /etc/kubernetes/
admin.conf kubelet.conf pki/ scheduler.conf
controller-manager.conf manifests/ pki.bak/ tmp/
[root@k8s-master02 ~]# mv /etc/kubernetes/*.conf /tmp/
[root@k8s-master02 ~]# /opt/kubeadm alpha phase kubeconfig all --config kubeadm-config.yaml
[endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf"重启kubelet
[root@k8s-master01 ~]# systemctl restart kubelet
4、集群确认
证书过期时间确认
# 注意:cfssl需要自行安装
[root@k8s-master01 ~]# cfssl-certinfo -cert /etc/kubernetes/pki/etcd/server.crt | grep not
"not_before": "2018-11-30T07:45:08Z",
"not_after": "2117-11-16T06:07:00Z",集群状态确认
[root@k8s-master01 ~]# kubectl get no
NAME STATUS ROLES AGE VERSION
k8s-master01 Ready master 6d22h v1.12.3
k8s-master02 Ready master 6d22h v1.12.3
k8s-master03 Ready master 6d22h v1.12.3
k8s-node01 Ready <none> 6d21h v1.12.3
k8s-node02 Ready <none> 6d21h v1.12.3
评论(0)