ZhangSIming-blyq / blogcommit


post/kubernetes-certificate/ #4

Open utterances-bot opened 1 year ago

utterances-bot commented 1 year ago

Let's talk about Kubernetes certificate authentication | bailiyingqi's blog

Every Kubernetes component communicates over encrypted channels, so which certificates exist, how the certificates interact with each other, and when they expire become critically important. This article quotes some material from elsewhere on the web (links to the originals are attached in every case) and supplements it where appropriate, so that newcomers can get thoroughly familiar with the Kubernetes certificate system (in case of any infringement, contact the e-mail address and it will be removed). 一、数

https://zhangsiming-blyq.github.io/post/kubernetes-certificate/

ZhangSIming-blyq commented 1 year ago

At the end of 2022 the certificates of the private Kubernetes cluster on my own server expired. The procedure I followed to renew the certificates this time was:

1. Check which certificates have expired

```shell
$ kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 05, 2022 03:12 UTC                                           no
apiserver                  Dec 05, 2022 03:12 UTC                   ca                      no
apiserver-etcd-client      Dec 05, 2022 03:12 UTC                   etcd-ca                 no
apiserver-kubelet-client   Dec 05, 2022 03:12 UTC                   ca                      no
controller-manager.conf    Dec 05, 2022 03:12 UTC                                           no
etcd-healthcheck-client    Dec 05, 2022 03:12 UTC                   etcd-ca                 no
etcd-peer                  Dec 05, 2022 03:12 UTC                   etcd-ca                 no
etcd-server                Dec 05, 2022 03:12 UTC                   etcd-ca                 no
front-proxy-client         Dec 05, 2022 03:12 UTC                   front-proxy-ca          no
scheduler.conf             Dec 05, 2022 03:12 UTC                                           no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 03, 2031 03:12 UTC   8y              no
etcd-ca                 Dec 03, 2031 03:12 UTC   8y              no
front-proxy-ca          Dec 03, 2031 03:12 UTC   8y              no
```


2. Renew all certificates
```shell
$ kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
```

3. Check afterwards

```shell
$ kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 05, 2024 07:12 UTC   364d                                    no
apiserver                  Jan 05, 2024 07:12 UTC   364d            ca                      no
apiserver-etcd-client      Jan 05, 2024 07:12 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Jan 05, 2024 07:12 UTC   364d            ca                      no
controller-manager.conf    Jan 05, 2024 07:12 UTC   364d                                    no
etcd-healthcheck-client    Jan 05, 2024 07:12 UTC   364d            etcd-ca                 no
etcd-peer                  Jan 05, 2024 07:12 UTC   364d            etcd-ca                 no
etcd-server                Jan 05, 2024 07:12 UTC   364d            etcd-ca                 no
front-proxy-client         Jan 05, 2024 07:12 UTC   364d            front-proxy-ca          no
scheduler.conf             Jan 05, 2024 07:12 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 03, 2031 03:12 UTC   8y              no
etcd-ca                 Dec 03, 2031 03:12 UTC   8y              no
front-proxy-ca          Dec 03, 2031 03:12 UTC   8y              no
```

Restart the master components and replace /etc/kubernetes/admin.conf:

```shell
$ k get cs --kubeconfig /etc/kubernetes/admin.conf
Warning: v1 ComponentStatus is deprecated in v1.19+
NAME                 STATUS      MESSAGE                                                                                       ERROR
scheduler            Unhealthy   Get "http://127.0.0.1:10251/healthz": dial tcp 127.0.0.1:10251: connect: connection refused
controller-manager   Healthy     ok
etcd-0               Healthy     {"health":"true","reason":""}
```


4. Check and confirm: the sa key pair was not renewed, so the ServiceAccounts in production are unaffected. With that, the upgrade is complete.
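The renewal above was done by hand after the cluster had already broken. As an added example (not part of the original post or the blog), the following script parses the `kubeadm certs check-expiration` output shown in the comment and lists certificates that are expired or expire within a warning window, so the check can be scheduled instead of discovered after an outage. The sample output is constructed and abridged; the file name `check_certs.py` is assumed.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample, abridged from the layout kubeadm prints (not a real cluster).
# kubeadm shows "<invalid>" as RESIDUAL TIME once a certificate has already expired.
SAMPLE = """\
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 05, 2022 03:12 UTC   <invalid>                               no
apiserver                  Jan 05, 2024 07:12 UTC   364d            ca                      no
etcd-server                Jan 05, 2024 07:12 UTC   364d            etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 03, 2031 03:12 UTC   8y              no
etcd-ca                 Dec 03, 2031 03:12 UTC   8y              no
"""

DATE_FMT = "%b %d, %Y %H:%M UTC"
DATE_RE = re.compile(r"[A-Z][a-z]{2} \d{2}, \d{4} \d{2}:\d{2} UTC")

def parse_expirations(text):
    """Map certificate name -> expiry (aware UTC datetime) for rows of both tables."""
    expirations = {}
    for line in text.splitlines():
        # Only data rows carry an EXPIRES timestamp; headers and log lines are skipped.
        match = DATE_RE.search(line)
        if match:
            expires = datetime.strptime(match.group(0), DATE_FMT)
            expirations[line.split()[0]] = expires.replace(tzinfo=timezone.utc)
    return expirations

def expiring_within(expirations, days=30, now=None):
    """Names already expired or expiring within `days`, soonest first.
    `now` is an aware datetime, an ISO-8601 string, or None for the current UTC time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    deadline = now + timedelta(days=days)
    due = sorted((exp, name) for name, exp in expirations.items() if exp <= deadline)
    return [name for _, name in due]

if __name__ == "__main__":
    # Pipe real output in: kubeadm certs check-expiration | python3 check_certs.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    found = parse_expirations(text)
    for name in expiring_within(found):
        print(f"WARNING: {name} expires {found[name]:%Y-%m-%d %H:%M UTC}")
```

The CA entries from the second table are included on purpose: `kubeadm certs renew all` leaves the CA certificates untouched (note the unchanged 2031 dates above), so they need their own, separate warning.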