
k8s certificate renewal notes

Renewing the certificates manually
Client certificates generated by kubeadm are valid for only one year by default. We can use the check-expiration command to check whether the certificates have expired:

kubeadm alpha certs check-expiration

Back up the existing certificates:

mkdir /etc/kubernetes.bak
cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak
cp /etc/kubernetes/*.conf /etc/kubernetes.bak

Back up the etcd data directory:

cp -r /var/lib/etcd /var/lib/etcd.bak

Next, run the certificate renewal command:

kubeadm alpha certs renew all --config=kubeadm.yaml
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

With the command above the certificates are renewed in one go; checking them again now shows that the expiry time has moved out by another year:

kubeadm alpha certs check-expiration

Then remember to regenerate the kubeconfig files:

kubeadm init phase kubeconfig all --config kubeadm.yaml
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"

Overwrite the old admin kubeconfig with the newly generated admin.conf:

mv $HOME/.kube/config $HOME/.kube/config.old
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config

On all three masters, restart the four containers kube-apiserver, kube-controller-manager, kube-scheduler and etcd so that the new certificates take effect.

docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart
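As an added example, not part of the original post: a small POSIX shell helper that reads the table printed by kubeadm alpha certs check-expiration and lists the certificates that are already invalid or have fewer than a given number of days left, so the renewal above can be triggered by a check (for example from cron) instead of from memory. The sample table embedded below is constructed for this example, and its column layout (CERTIFICATE, EXPIRES, RESIDUAL TIME, EXTERNALLY MANAGED) is assumed to match the command's output; the names certs_needing_renewal and renewal_due are this example's own.

```shell
#!/bin/sh
# Added example: flag kubeadm-managed certificates that are close to expiry.
# Input is the table printed by `kubeadm alpha certs check-expiration` on stdin.

# Constructed sample output (assumption: the real command prints these four
# columns, with RESIDUAL TIME given as "<N>d", as hours/minutes when less than
# a day remains, or as "<invalid>" once the certificate has expired).
SAMPLE_OUTPUT='CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Dec 30, 2020 23:36 UTC   364d            no
apiserver                  Dec 30, 2020 23:36 UTC   364d            no
apiserver-etcd-client      Jan 15, 2020 08:00 UTC   12d             no
apiserver-kubelet-client   Dec 30, 2020 23:36 UTC   364d            no
controller-manager.conf    Dec 30, 2020 23:36 UTC   364d            no
etcd-healthcheck-client    Dec 31, 2019 10:00 UTC   <invalid>       no
etcd-peer                  Dec 30, 2020 23:36 UTC   364d            no
etcd-server                Dec 30, 2020 23:36 UTC   364d            no
front-proxy-client         Jan 03, 2020 06:00 UTC   5h              no
scheduler.conf             Dec 30, 2020 23:36 UTC   364d            no'

# certs_needing_renewal THRESHOLD_DAYS  (default 30)
# Prints, one per line, the name of every certificate whose residual lifetime
# is below THRESHOLD_DAYS, is already "<invalid>", or cannot be parsed.
certs_needing_renewal() {
    awk -v thr="${1:-30}" '
        NR == 1 || NF == 0 { next }             # skip the header row and blank lines
        {
            res = ""
            # RESIDUAL TIME is the field right after the "UTC" token that ends EXPIRES
            for (i = 1; i <= NF; i++) if ($i == "UTC") { res = $(i + 1); break }
            if (res == "" || res == "<invalid>") { print $1; next }   # expired or unparseable
            if (res ~ /^[0-9]+d$/) {
                if (substr(res, 1, length(res) - 1) + 0 < thr) print $1
                next
            }
            print $1                             # hours/minutes/seconds left: under one day
        }'
}

# renewal_due THRESHOLD_DAYS
# Exit status 0 when at least one certificate is due for renewal, 1 otherwise;
# handy as a pre-flight check before running `kubeadm alpha certs renew all`.
renewal_due() {
    [ -n "$(certs_needing_renewal "$1")" ]
}

# Demo on the constructed sample. Against a live control-plane node you would
# pipe the real command instead:
#   kubeadm alpha certs check-expiration | certs_needing_renewal 30
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_OUTPUT" | certs_needing_renewal 30
fi
```

Run the script with --demo to see the three certificates in the constructed sample that fall under a 30-day threshold. In practice, pair renewal_due with a backup of /etc/kubernetes/pki as the post does, so a scheduled renewal never runs without a copy of the previous certificates.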