Notes on renewing k8s certificates
阿新 • Published: 2021-07-05
Renewing certificates manually
The client certificates generated by kubeadm are valid for only one year by default. Whether they are about to expire can be checked with the check-expiration command (on kubeadm 1.20 and later the subcommand has graduated to kubeadm certs check-expiration; the alpha form used throughout this post is deprecated there):
kubeadm alpha certs check-expiration
Back up the existing certificates and kubeconfig files first:
mkdir /etc/kubernetes.bak
cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak
cp /etc/kubernetes/*.conf /etc/kubernetes.bak
Back up the etcd data directory as well. Copying the directory of a running member is not a consistent snapshot, so where etcdctl is available a snapshot taken with etcdctl snapshot save against the running member is the safer backup; the plain copy is still better than nothing:
cp -r /var/lib/etcd /var/lib/etcd.bak
Next, run the renewal command. Certificates live on the node they were issued for, so this has to be run on every control-plane node; it renews the leaf certificates (including the client certificates embedded in admin.conf, controller-manager.conf and scheduler.conf) but never the CA certificates themselves:
kubeadm alpha certs renew all --config=kubeadm.yaml
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
That single command renews every certificate. Running the expiry check again now shows expiry dates one year out:
kubeadm alpha certs check-expiration
Then run the kubeconfig phase. Because the renew step already replaced the client certificates embedded in admin.conf, controller-manager.conf and scheduler.conf, kubeadm finds valid files in place and reports that it is using the existing ones rather than writing new ones; the phase is harmless and serves as a check that the files are present and valid (kubelet.conf is not renewed by kubeadm at all, the kubelet rotates its own client certificate):
kubeadm init phase kubeconfig all --config kubeadm.yaml
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"
Replace the admin kubeconfig in your home directory with the renewed admin.conf, otherwise kubectl keeps presenting the old client certificate:
mv $HOME/.kube/config $HOME/.kube/config.old
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
On all three masters, restart the four containers kube-apiserver, kube-controller-manager, kube-scheduler and etcd so that the new certificates are loaded. These components run as static pods, so the kubelet recreates them if they stop; on nodes that use containerd instead of Docker, stop them with crictl and let the kubelet bring them back. Restart them one master at a time so the control plane and etcd keep quorum throughout:
docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart
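As an added example that is not part of the original post and not kubeadm's own code, the following POSIX shell script performs the same expiry check with openssl alone, so it works whatever the kubeadm version or subcommand name. It covers the certificates under pki/ and pki/etcd/ and the client certificates embedded in admin.conf, controller-manager.conf and scheduler.conf (the files the renew step rewrote). Every name in it (check_kube_certs, cert_status, report, the fixture built by make_fixture) is this example's own; it assumes a Linux userland (base64 -d, mktemp -d) and openssl on PATH, and the fixture it builds is constructed test data, not output from a real cluster.

```shell
#!/bin/sh
# Added example, not code from the original post: audit every certificate kubeadm manages
# on a control-plane node with plain openssl, so the check works whatever the kubeadm
# version or subcommand name. Assumptions: Linux userland (base64 -d, mktemp -d), openssl
# in PATH, and kubeadm's default layout under the directory given (/etc/kubernetes on a node).
set -eu

# Print the PEM client certificate embedded in a kubeconfig (client-certificate-data: <base64>).
kubeconfig_cert() {
    sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$1" | head -n 1 | base64 -d
}

# Classify the PEM certificate on stdin as OK, EXPIRING (within $1 days) or EXPIRED.
# "openssl x509 -checkend N" exits 0 only if the certificate is still valid N seconds from now.
cert_status() {
    pem=$(cat)
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! printf '%s\n' "$pem" | openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# Print "STATUS<TAB>label<TAB>notAfter" for the PEM on stdin; succeed only when the status is OK.
report() {
    pem=$(cat)
    status=$(printf '%s\n' "$pem" | cert_status "$2")
    not_after=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | sed 's/^notAfter=//')
    printf '%s\t%s\t%s\n' "$status" "$1" "$not_after"
    [ "$status" = OK ]
}

# Walk a kubeadm tree: pki/*.crt, pki/etcd/*.crt and the certificates embedded in the
# control-plane kubeconfigs. kubelet.conf is skipped because the kubelet rotates its own
# client certificate. Exit status is 1 if any certificate is EXPIRING or EXPIRED.
check_kube_certs() {
    root=$1; warn_days=${2:-30}; rc=0
    for f in "$root"/pki/*.crt "$root"/pki/etcd/*.crt; do
        [ -f "$f" ] || continue
        report "$f" "$warn_days" < "$f" || rc=1
    done
    for f in "$root"/admin.conf "$root"/controller-manager.conf "$root"/scheduler.conf; do
        [ -f "$f" ] || continue
        kubeconfig_cert "$f" | report "$f" "$warn_days" || rc=1
    done
    return $rc
}

# Constructed fixture (not data from a real cluster): a throw-away kubeadm-style tree with a
# fresh apiserver cert, an etcd server cert that expires in 5 days, and an admin.conf that
# embeds the apiserver cert, so the whole check can be exercised without a cluster.
selfsigned() {   # $1 output .crt, $2 validity in days, $3 CN
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.crt}.key" -out "$1" \
        -days "$2" -subj "/CN=$3" >/dev/null 2>&1
}
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/pki/etcd"
    selfsigned "$dir/pki/apiserver.crt" 400 kube-apiserver
    selfsigned "$dir/pki/etcd/server.crt" 5 etcd-server
    {
        printf 'apiVersion: v1\nkind: Config\nusers:\n- name: kubernetes-admin\n  user:\n'
        printf '    client-certificate-data: %s\n' "$(base64 < "$dir/pki/apiserver.crt" | tr -d '\n')"
    } > "$dir/admin.conf"
    echo "$dir"
}

# On a node: sh check-certs.sh /etc/kubernetes 30 (warn 30 days ahead).
# With --demo it runs against the constructed fixture instead.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    check_kube_certs "$d" 30 || echo "some certificates need renewing"
    rm -rf "$d"
elif [ $# -ge 1 ]; then
    check_kube_certs "$1" "${2:-30}"
fi
```

Run it before and after the renewal on each master: before, the pki and kubeconfig entries show dates inside the warning window; afterwards every line should read OK with a notAfter one year out, and a non-zero exit status points at anything kubeadm left untouched. The kubeconfig entries matter because a renewed admin.conf that was never copied to ~/.kube/config is exactly the mistake the copy step above guards against.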