When the following command times out, we can create the certificates ourselves to achieve the same goal of replacing the certificates.
$ kubeadm alpha phase certs apiserver --apiserver-advertise-address 127.0.0.1
unable to get URL "https://dl.k8s.io/release/stable-1.11.txt": Get https://dl.k8s.io/release/stable-1.11.txt: dial tcp 35.201.71.162:443: i/o timeout
Creating the certificates
We only need to generate the certificates on one node and then distribute the generated certificates to the other nodes.
- Create the server certificate signing request configuration file, openssl-server.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = k8s-m1
DNS.2 = kubernetes
DNS.3 = kubernetes.default
DNS.4 = kubernetes.default.svc
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = node01
DNS.7 = node02
DNS.8 = node03
IP.1 = 10.96.0.1
IP.2 = 192.168.1.61
IP.3 = 192.168.1.61
IP.4 = 192.168.1.62
IP.5 = 192.168.1.63
- Create the client certificate signing request configuration file (to be signed by the CA), openssl-client.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage=clientAuth
- Copy the Kubernetes CA certificate and key (ca.crt and ca.key) to the working directory; the Kubernetes CA is usually kept in /etc/kubernetes/pki
- Create the certificates
# Generate the apiserver private key
openssl genrsa -out apiserver.key 2048 > /dev/null 2>&1
# Create a CSR with the private key, then sign it with the cluster CA (SANs and serverAuth come from openssl-server.cnf)
openssl req -new -key apiserver.key -out apiserver.csr -subj "/CN=kube-apiserver" -config openssl-server.cnf
openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days 3650 -extensions v3_req -extfile openssl-server.cnf
# APIServerKubeletClientCert: the client certificate the apiserver presents to kubelets; O=system:masters puts it in the cluster-admin group
openssl genrsa -out apiserver-kubelet-client.key 2048
openssl req -new -key apiserver-kubelet-client.key -out apiserver-kubelet-client.csr -subj "/CN=kube-apiserver-kubelet-client/O=system:masters" -config openssl-client.cnf
openssl x509 -req -in apiserver-kubelet-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver-kubelet-client.crt -days 3650 -extensions v3_req -extfile openssl-client.cnf
# Create the front-proxy CA certificate (self-signed)
openssl genrsa -out front-proxy-ca.key 2048 > /dev/null 2>&1
openssl req -new -x509 -days 3650 -key front-proxy-ca.key -out front-proxy-ca.crt -subj "/CN=kubernetes"
# ProxyClientCert: client certificate signed by the front-proxy CA
openssl genrsa -out front-proxy-client.key 2048 > /dev/null 2>&1
openssl req -new -key front-proxy-client.key -out front-proxy-client.csr -subj "/CN=front-proxy-client" -config openssl-client.cnf
openssl x509 -req -in front-proxy-client.csr -CA front-proxy-ca.crt -CAkey front-proxy-ca.key -CAcreateserial -out front-proxy-client.crt -days 3650 -extensions v3_req -extfile openssl-client.cnf
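As an added example that is not part of the original post: the CA, apiserver and apiserver-kubelet-client steps above replayed in memory with Go's crypto/x509, the library kube-apiserver itself verifies certificates with, to show why the serverAuth certificate from openssl-server.cnf is only accepted for serving its subjectAltName names, while only the clientAuth certificate from openssl-client.cnf passes client authentication. Key size, names, usages and SANs mirror the two .cnf files; the helper names are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a 2048-bit RSA key and a 10-year certificate like the openssl steps: self-signed CA when ca is nil.
func issue(name pkix.Name, eku []x509.ExtKeyUsage, dns []string, ca *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: name, NotBefore: time.Now(),
		NotAfter: time.Now().AddDate(10, 0, 0), ExtKeyUsage: eku, DNSNames: dns, IsCA: ca == nil, BasicConstraintsValid: ca == nil}
	parent, signer := ca, caKey
	if ca == nil { // openssl req -x509: the CA signs itself
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert, key
}

// AcceptedFor verifies leaf against ca the way a Go TLS peer such as kube-apiserver does:
// the requested extended key usage must be allowed and, if dns is set, it must appear in subjectAltName.
func AcceptedFor(leaf, ca *x509.Certificate, eku x509.ExtKeyUsage, dns string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dns, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err == nil
}

func BuildTestPKI() (ca, apiserver, client *x509.Certificate) {
	ca, caKey := issue(pkix.Name{CommonName: "kubernetes"}, nil, nil, nil, nil)
	// openssl-server.cnf: extendedKeyUsage=serverAuth plus the subjectAltName DNS entries
	apiserver, _ = issue(pkix.Name{CommonName: "kube-apiserver"}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		[]string{"kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster.local"}, ca, caKey)
	// openssl-client.cnf: extendedKeyUsage=clientAuth; O=system:masters is the cluster-admin group
	client, _ = issue(pkix.Name{CommonName: "kube-apiserver-kubelet-client", Organization: []string{"system:masters"}},
		[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, nil, ca, caKey)
	return ca, apiserver, client
}
```

This is also why a kubeconfig must reference a clientAuth certificate: apiserver.crt presented as a client certificate is rejected before any RBAC check happens.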
Updating the certificates
We only need to update the configuration on one node; after the updated configuration is distributed to the other nodes, a few small edits there are enough.
Master node certificate update
# Update admin.conf
# Note: the user credential must be a clientAuth certificate. apiserver.crt only carries serverAuth and has no O=system:masters,
# so the apiserver would reject it as a client certificate; apiserver-kubelet-client.crt is the one generated with openssl-client.cnf.
kubectl config set-cluster kubernetes --certificate-authority=ca.crt --embed-certs=true --server=https://192.168.12.11:6443 --kubeconfig=/etc/kubernetes/admin.conf
kubectl config set-credentials kubernetes-admin --client-certificate=apiserver-kubelet-client.crt --client-key=apiserver-kubelet-client.key --embed-certs=true --kubeconfig=/etc/kubernetes/admin.conf
kubectl config set-context kubernetes-admin@kubernetes --cluster=kubernetes --user=kubernetes-admin --kubeconfig=/etc/kubernetes/admin.conf
kubectl config use-context kubernetes-admin@kubernetes --kubeconfig=/etc/kubernetes/admin.conf
# Update controller-manager.conf
kubectl config set-cluster kubernetes --certificate-authority=ca.crt --embed-certs=true --server=https://192.168.12.11:6443 --kubeconfig=/etc/kubernetes/controller-manager.conf
kubectl config set-credentials system:kube-controller-manager --client-certificate=apiserver-kubelet-client.crt --client-key=apiserver-kubelet-client.key --embed-certs=true --kubeconfig=/etc/kubernetes/controller-manager.conf
kubectl config set-context system:kube-controller-manager@kubernetes --cluster=kubernetes --user=system:kube-controller-manager --kubeconfig=/etc/kubernetes/controller-manager.conf
kubectl config use-context system:kube-controller-manager@kubernetes --kubeconfig=/etc/kubernetes/controller-manager.conf
# Update scheduler.conf
kubectl config set-cluster kubernetes --certificate-authority=ca.crt --embed-certs=true --server=https://192.168.12.11:6443 --kubeconfig=/etc/kubernetes/scheduler.conf
kubectl config set-credentials system:kube-scheduler --client-certificate=apiserver-kubelet-client.crt --client-key=apiserver-kubelet-client.key --embed-certs=true --kubeconfig=/etc/kubernetes/scheduler.conf
kubectl config set-context system:kube-scheduler@kubernetes --cluster=kubernetes --user=system:kube-scheduler --kubeconfig=/etc/kubernetes/scheduler.conf
kubectl config use-context system:kube-scheduler@kubernetes --kubeconfig=/etc/kubernetes/scheduler.conf
# Update kubelet.conf
kubectl config set-cluster kubernetes --certificate-authority=ca.crt --embed-certs=true --server=https://192.168.12.11:6443 --kubeconfig=/etc/kubernetes/kubelet.conf
kubectl config set-credentials system:node:node1 --client-certificate=apiserver-kubelet-client.crt --client-key=apiserver-kubelet-client.key --embed-certs=true --kubeconfig=/etc/kubernetes/kubelet.conf
kubectl config set-context system:node:node1@kubernetes --cluster=kubernetes --user=system:node:node1 --kubeconfig=/etc/kubernetes/kubelet.conf
kubectl config use-context system:node:node1@kubernetes --kubeconfig=/etc/kubernetes/kubelet.conf
- Restart docker and kubelet
systemctl restart docker
systemctl restart kubelet
- Copy the certificates and configuration files generated on node1 directly to the corresponding locations on the other master nodes, change the IP and node name in the configuration files to the current node's values, and restart docker and kubelet on that node.
Worker node certificate update
- Stop docker and kubelet
systemctl stop docker
systemctl stop kubelet
- Delete the kubelet.conf file; it is usually under /etc/kubernetes.
- Edit the bootstrap-kubelet.conf file (usually under /etc/kubernetes) and replace its certificate-authority-data with the same value found in that field of admin.conf on the master node.
- Back up and then delete the kubelet's own PKI directory: rm -rf /var/lib/kubelet/pki
- Start docker and kubelet
systemctl start docker
systemctl start kubelet
Restarting services
- Restart all kube-proxy instances
- Restart all network plugin instances (for example, flannel)
Author: weixin_34007879
Source: CSDN
Original: https://blog.csdn.net/weixin_34007879/article/details/88173174