k8s certificate renewal, based on kubernetes v1.19.3
阿新 • Published: 2020-11-19
Study notes:
In a K8s cluster installed with kubeadm, the leaf certificates are valid for one year. Once they expire the API server can no longer be used, and clients fail with the error: x509: certificate has expired or is not yet valid.
Current ways to renew the certificates:
1. The official recommendation: run kubeadm upgrade at least once within the year; the upgrade renews all control-plane certificates by default.
2. Build kubeadm from source with a longer certificate lifetime.
3. Renew the certificates manually before the year is up.
4. Enable automatic rotation of the kubelet certificates.
These notes focus on 3 and 4.
On the master, check the certificate expiry dates with the command below (on v1.19 the subcommand still lives under kubeadm alpha certs; from v1.20 it is kubeadm certs):
```
[root@master]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 19, 2021 09:53 UTC   334d                                    no
apiserver                  Oct 19, 2021 09:52 UTC   334d            ca                      no
apiserver-etcd-client      Oct 19, 2021 09:53 UTC   334d            etcd-ca                 no
apiserver-kubelet-client   Oct 19, 2021 09:52 UTC   334d            ca                      no
controller-manager.conf    Oct 19, 2021 09:53 UTC   334d                                    no
etcd-healthcheck-client    Oct 19, 2021 09:53 UTC   334d            etcd-ca                 no
etcd-peer                  Oct 19, 2021 09:53 UTC   334d            etcd-ca                 no
etcd-server                Oct 19, 2021 09:53 UTC   334d            etcd-ca                 no
front-proxy-client         Oct 19, 2021 09:52 UTC   334d            front-proxy-ca          no
scheduler.conf             Oct 19, 2021 09:53 UTC   334d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 17, 2030 09:52 UTC   9y              no
etcd-ca                 Oct 17, 2030 09:53 UTC   9y              no
front-proxy-ca          Oct 17, 2030 09:52 UTC   9y              no
```
I. Renewing the certificates manually (while they have not yet expired)
1. While the cluster is still reachable, run kubeadm config view > kube-config.yaml to dump the cluster configuration. Prepare this file in advance: kubeadm config view reads the kubeadm-config ConfigMap through the API server, so once the cluster is down it can no longer be generated. (The transcript below writes it into /etc/kubernetes/manifests/; a better location is anywhere else, for example /root, because the kubelet treats every file in that directory as a static pod manifest and will log errors for a file that is not one.)
```
[root@master ~]# cd /etc/kubernetes/manifests/
[root@master manifests]# kubeadm config view > kube-config.yaml
[root@master manifests]# cat kube-config.yaml
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.19.3
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.1.0.0/16
scheduler: {}
```
2. Back up the existing certificate files. Renewing also rewrites the kubeconfig files admin.conf, controller-manager.conf and scheduler.conf under /etc/kubernetes, so back those up as well.
```
[root@master manifests]# cp -r /etc/kubernetes/pki/ /etc/kubernetes/pki_backup
```
3. Renew the certificates
```
[root@master manifests]# kubeadm alpha certs renew all --config=kube-config.yaml
```
4. Afterwards restart the four control-plane containers on the master: kube-apiserver, kube-controller-manager, kube-scheduler and etcd. They only read their certificates at startup (a runtime-independent alternative to docker restart is to move the static pod manifests out of /etc/kubernetes/manifests/ and back). Also refresh the kubectl config on the node with cp /etc/kubernetes/admin.conf ~/.kube/config; otherwise kubectl keeps using the old client certificate from the old copy, which still expires on the original date. With several masters, do not copy the certificates from the first master to the others: the apiserver and etcd certificates carry each node's own hostname and IP as SANs, so run the same kubeadm alpha certs renew all and the restarts on every control-plane node instead.
```
[root@master pki]# docker restart `docker ps | grep etcd | awk '{print $1}'`
8b09bcb64cd0
eb63e6c341e4
[root@master pki]# docker restart `docker ps | grep kube-apiserver | awk '{print $1}'`
6d8afc50d03a
84261c9cb25f
[root@master pki]# docker restart `docker ps | grep kube-controller | awk '{print $1}'`
ba3cc2a57987
[root@master pki]# docker restart `docker ps | grep kube-scheduler | awk '{print $1}'`
5fd115b29da1
8011162e1cc8
```
5. Check the pod status and confirm the restarted pods are back to Running (this usually takes about 2 minutes)
```
kubectl get pods --all-namespaces -o wide
```
6. Check the certificate dates again: RESIDUAL TIME is now 364d, i.e. renewed for another year. The CA certificates (10-year validity) are not touched by renew all and keep their original expiry.
```
[root@master pki]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 19, 2021 08:47 UTC   364d                                    no
apiserver                  Nov 19, 2021 08:47 UTC   364d            ca                      no
apiserver-etcd-client      Nov 19, 2021 08:47 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Nov 19, 2021 08:47 UTC   364d            ca                      no
controller-manager.conf    Nov 19, 2021 08:47 UTC   364d                                    no
etcd-healthcheck-client    Nov 19, 2021 08:47 UTC   364d            etcd-ca                 no
etcd-peer                  Nov 19, 2021 08:47 UTC   364d            etcd-ca                 no
etcd-server                Nov 19, 2021 08:47 UTC   364d            etcd-ca                 no
front-proxy-client         Nov 19, 2021 08:47 UTC   364d            front-proxy-ca          no
scheduler.conf             Nov 19, 2021 08:47 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 17, 2030 09:52 UTC   9y              no
etcd-ca                 Oct 17, 2030 09:53 UTC   9y              no
front-proxy-ca          Oct 17, 2030 09:52 UTC   9y              no
```
# Manual certificate renewal is complete at this point.
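Putting the expiry check shown at the top and the six steps above together, here is an added example script. It is mine, not from the original notes and not part of kubeadm. It assumes the RESIDUAL TIME column uses kubeadm's short duration format (Ns, Nm, Nh, Nd, Ny, and <invalid> once a certificate has expired); the sample output embedded in it is constructed, not captured from a cluster; the file paths, the 30-day default threshold and the --check/--pki/--renew flags are my own choices. Only the parsing check runs without a cluster; the other functions call kubeadm, docker, openssl and kubectl and must be run as root on a control-plane node, and on every control-plane node in a multi-master setup.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): expiry check plus the renewal
# procedure as a script. Only certs_expiring_within runs offline; the live
# parts need kubeadm, docker, openssl, kubectl and root on a kubeadm master.
#
# Assumption: RESIDUAL TIME uses kubeadm's short duration format
# (Ns, Nm, Nh, Nd, Ny) and reads "<invalid>" once a certificate has expired.

# Constructed sample in the layout kubeadm v1.19 prints (not captured from a
# real cluster). One cert has 20 days left and one has already expired so the
# threshold logic has something to find.
SAMPLE_CHECK_OUTPUT=$(cat <<'EOF'
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 19, 2021 08:47 UTC   364d                                    no
apiserver                  Nov 19, 2021 08:47 UTC   364d            ca                      no
apiserver-etcd-client      Dec 09, 2020 08:47 UTC   20d             etcd-ca                 no
front-proxy-client         Nov 17, 2020 08:47 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 17, 2030 09:52 UTC   9y              no
etcd-ca                 Oct 17, 2030 09:53 UTC   9y              no
EOF
)

# Read check-expiration output on stdin and print "<name> <days-left>" for
# every certificate or CA with fewer than $1 days remaining (expired ones
# print -1). Exit status 0 when at least one was found, 1 otherwise, so the
# function can drive an if/cron alert. Data rows are: name, a five-field date
# ("Nov 19, 2021 08:47 UTC"), residual time, then optional CA and the flag.
certs_expiring_within() {
  awk -v threshold="$1" '
    function to_days(r,    n, unit) {
      if (r == "<invalid>") return -1
      n = substr(r, 1, length(r) - 1); unit = substr(r, length(r))
      if (unit == "y") return n * 365
      if (unit == "d") return n + 0
      if (unit == "h" || unit == "m" || unit == "s") return 0   # under a day
      return -2                                                  # unknown format
    }
    NF >= 7 && $1 != "CERTIFICATE" && $1 !~ /^\[/ {
      d = to_days($7)
      if (d == -2) { print "unrecognised residual time: " $7 > "/dev/stderr"; next }
      if (d < threshold) { print $1, d; found = 1 }
    }
    END { if (found) exit 0; exit 1 }'
}

# Read the PEM files directly with openssl: needs no API server, so it still
# works after the certificates have expired and kubectl is dead.
pki_end_dates() {
  for f in /etc/kubernetes/pki/*.crt /etc/kubernetes/pki/etcd/*.crt; do
    printf '%-45s %s\n' "$f" "$(openssl x509 -in "$f" -noout -enddate)"
  done
}

# The manual procedure from the notes, with timestamped backups of the
# kubeconfig files too (renew all rewrites admin.conf, controller-manager.conf
# and scheduler.conf). The restart is keyed on the kubelet's k8s_<container>_
# container naming, so the pause containers are not matched. Run on every
# control-plane node; apiserver/etcd certs carry node-specific SANs.
renew_control_plane_certs() {
  stamp=$(date +%Y%m%d-%H%M%S)
  cfg="/root/kube-config-$stamp.yaml"      # keep it out of /etc/kubernetes/manifests
  kubeadm config view > "$cfg"
  cp -a /etc/kubernetes/pki "/etc/kubernetes/pki_backup-$stamp"
  mkdir -p "/etc/kubernetes/conf_backup-$stamp"
  cp -a /etc/kubernetes/*.conf "/etc/kubernetes/conf_backup-$stamp/"
  kubeadm alpha certs renew all --config="$cfg"
  for c in etcd kube-apiserver kube-controller-manager kube-scheduler; do
    docker ps -q --filter "name=k8s_${c}_" | xargs -r docker restart
  done
  cp /etc/kubernetes/admin.conf /root/.kube/config   # kubectl on this node uses a copy
  kubectl get pods -n kube-system -o wide
  kubeadm alpha certs check-expiration
}

case "${1:-}" in
  --check)   # e.g. from cron: exit 2 when anything has under N days (default 30)
    if kubeadm alpha certs check-expiration | certs_expiring_within "${2:-30}"; then
      echo "certificate renewal needed" >&2; exit 2
    fi ;;
  --pki)     pki_end_dates ;;
  --renew)   renew_control_plane_certs ;;
esac
```

Run it as check-certs.sh --check 30 from cron to get exit status 2 and the offending names when any certificate is within 30 days of expiry; --pki prints the notAfter dates straight from the PEM files, which still works when the API server is already down; --renew performs the backup, renewal, restart, kubectl config refresh and verification in one go. The parser treats CA certificates the same as leaf certificates, so a 10-year CA shows up as 3285 days rather than being skipped.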