k8s-1.15.6 certificate renewal (3 masters, etcd

Author: 李哈哈_2c85 | Published: 2022-05-11 17:56

    1. Check the certificate validity dates

    for i in /etc/kubernetes/pki/*.crt; do echo "$i"; openssl x509 -in "$i" -text -noout | grep -E "Not Before|Not After"; echo "-----------"; done
    

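    2. Back up the existing certificates, then renew them

    mkdir -p /root/bak
    cp -a /etc/kubernetes/* /root/bak
    #cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old
    kubeadm alpha certs renew all --config=./kubeadm-config.yaml
    # (the config file can be exported with: kubeadm config view > ./kubeadm-config.yaml)
    Because my etcd certificates are not managed inside k8s, the command reports the following error (the etcd certificate is invalid), and as a result only apiserver.crt was renewed. Afterwards we renew the remaining certificates and config files individually.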
    

    The items that still need to be renewed are the ones in the red box below:

    # Renewal commands
    kubeadm alpha certs renew apiserver-kubelet-client
    kubeadm alpha certs renew controller-manager.conf
    kubeadm alpha certs renew front-proxy-client
    kubeadm alpha certs renew scheduler.conf
    
    cp /etc/kubernetes/admin.conf ~/.kube/config
    # Restart the k8s apiserver, controller-manager and scheduler components
    docker ps | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler' | awk '{print $1}' | xargs docker restart
    

    3. Copy the certificates to the other master nodes

    scp -r /etc/kubernetes/pki/ root@192.168.2.242:/etc/kubernetes/
    scp -r /etc/kubernetes/pki/ root@192.168.2.243:/etc/kubernetes/
    # Run on each node
    docker ps | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler' | awk '{print $1}' | xargs docker restart
    cp /etc/kubernetes/admin.conf ~/.kube/config
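
The loop in step 1 only reads /etc/kubernetes/pki/*.crt, so it does not show the client certificates embedded in controller-manager.conf and scheduler.conf that step 2 renews. The script below is an added example, not part of the original post; the function names, the 30-day default threshold and the pki/etcd subdirectory (kubeadm's layout for a stacked etcd) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report the expiry of every
# certificate under a kubeadm directory, including the client certificates
# embedded as base64 in the kubeconfig (*.conf) files.

# Read a PEM certificate on stdin, print its notAfter date, and return
# non-zero if it expires within $1 days (or cannot be parsed).
cert_status() (
    pem=$(cat)
    printf '%s\n' "$pem" | openssl x509 -noout -enddate | cut -d= -f2
    printf '%s\n' "$pem" | openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null
)

# Print the PEM client certificate embedded in a kubeconfig file.
kubeconfig_cert() {
    awk '$1 == "client-certificate-data:" {print $2; exit}' "$1" | base64 -d
}

# check_kube_certs [DIR] [WARN_DAYS]
# Prints one line per certificate and returns 1 if any of them expires
# within WARN_DAYS (default 30, an assumed threshold).
check_kube_certs() (
    dir=${1:-/etc/kubernetes}; warn=${2:-30}; rc=0
    for f in "$dir"/pki/*.crt "$dir"/pki/etcd/*.crt "$dir"/*.conf; do
        [ -f "$f" ] || continue          # unmatched glob or missing directory
        case $f in
            *.conf) # kubeconfigs that point to a certificate file are skipped
                    grep -q 'client-certificate-data:' "$f" || continue
                    pem=$(kubeconfig_cert "$f") ;;
            *)      pem=$(cat "$f") ;;
        esac
        if end=$(printf '%s\n' "$pem" | cert_status "$warn"); then
            echo "OK       $f  notAfter=$end"
        else
            echo "EXPIRING $f  notAfter=$end"; rc=1
        fi
    done
    exit "$rc"
)

# Run the check only when the script is given arguments, e.g.:
#   sh check-certs.sh /etc/kubernetes 30
if [ "$#" -gt 0 ]; then check_kube_certs "$@"; fi
```

Running `check_kube_certs /etc/kubernetes 30` on each master after the restart in step 3 shows whether the copied and renewed certificates are the ones actually on disk; a non-zero return means at least one certificate still expires within the threshold.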
    

    How to renew the certificates when etcd runs inside k8s:
    https://blog.csdn.net/GX_1_11_real/article/details/119248894
