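From Kubernetes 1.15 onward, the official documentation covers how to handle expired certificates.
For 1.14 and earlier, however, renewing certificates often runs into problems, so the procedure is written up here.
1 Check certificate expiry dates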
find /etc/kubernetes/pki -name "*.crt"|xargs -I{} openssl x509 -in {} -noout -dates|grep notAfter
2 Back up the certificates
cp -r /etc/kubernetes /etc/kubernetes.bak
3 Renew the certificates
3.1 Renew the certificates and regenerate the kubeconfig files
kubeadm config view > cluster.yaml
kubeadm alpha certs renew all --config cluster.yaml
kubeadm alpha kubeconfig user --client-name=admin
kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin > /etc/kubernetes/admin.conf
kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf
kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > /etc/kubernetes/kubelet.conf
kubeadm alpha kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf
3.2 Copy the new admin kubeconfig to ~/.kube
mv ~/.kube ~/.kube.bak
mkdir ~/.kube
cp /etc/kubernetes/admin.conf ~/.kube/config
3.3 Restart the apiserver container
docker restart $(docker ps | grep kube-apiserver | grep pause |awk '{print $1}')
docker restart $(docker ps | grep kube-apiserver | grep -v pause |awk '{print $1}')
systemctl restart kubelet.service
The certificates are now renewed.
4 If there are multiple masters
Run the steps above on every master.
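To verify the result on each master, the following added example (not part of the original post) reports expiry for the files under pki and also for the client certificates embedded in the regenerated kubeconfig files, which the find command in step 1 does not cover. The function names and the 30-day default window are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): expiry report for a kubeadm layout.
# Assumes PEM certs in <root>/pki and <root>/pki/etcd, kubeconfigs in <root>/*.conf.

# Print the PEM client certificate embedded in kubeconfig file $1 (empty if none).
kubeconfig_cert() {
  awk '$1 == "client-certificate-data:" { print $2; exit }' "$1" | base64 -d 2>/dev/null
}

# Read one PEM cert on stdin; print "<STATE> <notAfter> <label>".
# $1 = label, $2 = warning window in days. Returns 0 only when STATE is OK.
cert_status() {
  cs_pem=$(cat)
  cs_end=$(printf '%s\n' "$cs_pem" | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
  if [ -z "$cs_end" ]; then
    echo "UNREADABLE - $1"; return 2
  fi
  if ! printf '%s\n' "$cs_pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
    cs_state=EXPIRED
  elif ! printf '%s\n' "$cs_pem" | openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
    cs_state=EXPIRING
  else
    cs_state=OK
  fi
  echo "$cs_state $cs_end $1"
  [ "$cs_state" = OK ]
}

# $1 = root (default /etc/kubernetes), $2 = window in days (default 30).
# Returns 1 if any certificate is expired, expiring, or unreadable.
check_k8s_certs() {
  ck_root=${1:-/etc/kubernetes}; ck_days=${2:-30}; ck_rc=0
  for ck_f in "$ck_root"/pki/*.crt "$ck_root"/pki/etcd/*.crt; do
    [ -f "$ck_f" ] || continue
    cert_status "$ck_f" "$ck_days" < "$ck_f" || ck_rc=1
  done
  for ck_f in "$ck_root"/*.conf; do
    [ -f "$ck_f" ] || continue
    # Skip kubeconfigs that do not embed a client certificate.
    grep -q 'client-certificate-data:' "$ck_f" || continue
    kubeconfig_cert "$ck_f" | cert_status "$ck_f" "$ck_days" || ck_rc=1
  done
  return "$ck_rc"
}

# Usage: check_k8s_certs /etc/kubernetes 30
```

A non-zero return after step 3 means at least one certificate or kubeconfig was not regenerated and still carries the old expiry date.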