Closed leeningli closed 6 years ago
是的,快过期之前再用kubeadm重新生成一次证书就可以了。
证书重新生成有单独的步骤吗?不是在kubeadm init时候生成的吗?中途重新生成的方法是怎么样的?对集群以及集群上的业务会有影响的吧。
还有1年的时效限制啊,是每个master中ca.key和ca.crt要更换,还是使用ca.key和ca.crt签署apiserver证书?
不过1年时间,早就换了N个版本了···
@leeningli
$ kubeadm alpha phase certs --help
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha phase certs [command]
Aliases:
certs, certificates
Available Commands:
all Generates all PKI assets necessary to establish the control plane
apiserver Generates an API server serving certificate and key
apiserver-etcd-client Generates a client certificate for the API server to connect to etcd securely
apiserver-kubelet-client Generates a client certificate for the API server to connect to the kubelets securely
ca Generates a self-signed kubernetes CA to provision identities for components of the cluster
etcd-ca Generates a self-signed CA to provision identities for etcd
etcd-healthcheck-client Generates a client certificate for liveness probes to healthcheck etcd
etcd-peer Generates an etcd peer certificate and key
etcd-server Generates an etcd serving certificate and key
front-proxy-ca Generates a front proxy CA certificate and key for a Kubernetes cluster
front-proxy-client Generates a front proxy CA client certificate and key for a Kubernetes cluster
sa Generates a private key for signing service account tokens along with its public key
如果ca证书没有过期,是不需要替换的。v1.13的kubeam开始支持cert renew,官方推荐的方式。 如果你是用v1.11.X版本,建议进行升级,最近爆出来高危漏洞,可获取集群所有节点的root权限,建议进行升级到v1.11.5。 @dotbalo
还没有,但是据说已经不是alpha了
RT