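The cluster runs Kubernetes v1.18.6 and was built with kubeadm.
A power outage in the machine room today caused Kubernetes to restart.
Because automatic certificate rotation was not enabled on the cluster, the certificates were found to have expired after the restart.
These notes record the procedure for regenerating the certificates (run on the Kubernetes master node):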
kubeadm alpha certs renew all
docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
Appendix: how to check the certificate expiration times
[root@node3 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
W1224 14:32:48.975115 327139 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 21, 2021 06:57 UTC   <invalid>                               no
apiserver                  Dec 21, 2021 06:57 UTC   <invalid>       ca                      no
!MISSING! apiserver-etcd-client
apiserver-kubelet-client   Dec 21, 2021 06:57 UTC   <invalid>       ca                      no
controller-manager.conf    Dec 21, 2021 06:57 UTC   <invalid>                               no
!MISSING! etcd-healthcheck-client
!MISSING! etcd-peer
!MISSING! etcd-server
front-proxy-client         Dec 21, 2021 06:57 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Dec 21, 2021 06:57 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 19, 2030 06:56 UTC   8y              no
!MISSING! etcd-ca
front-proxy-ca          Dec 19, 2030 06:56 UTC   8y              no
Alternatively, check it with openssl:
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '
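The openssl check above reads a single file, while the kubeconfig files in the kubeadm output (admin.conf, controller-manager.conf, scheduler.conf) carry their client certificate as embedded base64 data. The script below is an added example, not part of the original post: it uses `openssl x509 -checkend` to list every certificate that is expired or close to expiry, so the check can run from cron before an outage reveals the problem. The function names, the 30-day default and the assumed default kubeadm directory layout are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): list certificates under a kubeadm
# config directory that are expired or will expire within N days.
# Assumption: default kubeadm layout (pki/*.crt, pki/etcd/*.crt, *.conf).

# Exit 0 if the PEM certificate in $1 is expired, expires within $2 seconds,
# or cannot be parsed ("openssl x509 -checkend" exits non-zero in those cases).
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Print the client certificate embedded (base64) in the kubeconfig file $1.
kubeconfig_cert() {
    awk '$1 == "client-certificate-data:" {print $2; exit}' "$1" | base64 -d
}

# expiring_certs [DIR] [DAYS]: print every certificate file or kubeconfig in
# DIR whose certificate is expired or expires within DAYS days.
expiring_certs() {
    local dir="${1:-/etc/kubernetes}" days="${2:-30}" secs f tmp
    secs=$((days * 86400))
    tmp=$(mktemp)
    for f in "$dir"/pki/*.crt "$dir"/pki/etcd/*.crt; do
        [ -f "$f" ] || continue
        if cert_expires_within "$f" "$secs"; then echo "$f"; fi
    done
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # A kubeconfig that points to a certificate file instead of embedding
        # the data (kubelet.conf may do this) is skipped here.
        grep -q 'client-certificate-data:' "$f" || continue
        kubeconfig_cert "$f" > "$tmp"
        if cert_expires_within "$tmp" "$secs"; then echo "$f"; fi
    done
    rm -f "$tmp"
}

# Default run: the kubeadm directory on a control-plane node, 30-day window.
expiring_certs "${1:-/etc/kubernetes}" "${2:-30}"
```

Any path it prints needs renewal; an empty result means nothing in the directory expires within the window.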
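Speaking of which, the timing of this power outage was quite a coincidence: it landed right on the certificate expiration date.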