Handling certificate expiry on k8s v1.15

Author: Firetheworld | Published: 2020-09-01 09:57

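The certificates are valid for one year. The k8s cluster is upgraded to a new version every year to keep it secure. When the certificates expire, you can also renew them yourself.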

Official reference: https://kubernetes.io/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/

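The steps for a single node are as follows:

Environment: CentOS 7
k8s version: v1.15.3

Single-node certificate renewal

1. Check the certificate validity period: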

kubeadm alpha certs check-expiration

[root@k8s-10 pki]# kubeadm  alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Oct 11, 2020 15:58 UTC   66d             no      
apiserver                  Oct 11, 2020 15:58 UTC   66d             no      
apiserver-etcd-client      Oct 11, 2020 15:58 UTC   66d             no      
apiserver-kubelet-client   Oct 11, 2020 15:58 UTC   66d             no      
controller-manager.conf    Oct 11, 2020 15:58 UTC   66d             no      
etcd-healthcheck-client    Oct 11, 2020 15:58 UTC   66d             no      
etcd-peer                  Oct 11, 2020 15:58 UTC   66d             no      
etcd-server                Oct 11, 2020 15:58 UTC   66d             no      
front-proxy-client         Oct 11, 2020 15:58 UTC   66d             no      
scheduler.conf             Oct 11, 2020 15:58 UTC   66d             no      
[root@k8s-10 pki]# kubectl cluster-info

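This command shows the expiration time and residual time of the client certificates in the /etc/kubernetes/pki folder and of the client certificates embedded in the KUBECONFIG files used by kubeadm.
Note: kubelet.conf is not included in the list above because kubeadm configures the kubelet to renew its certificate automatically.

Back up the original certificates: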

cp -r /etc/kubernetes{,_bak}

2. Renew all certificates under /etc/kubernetes/pki:

kubeadm alpha certs renew all

[root@k8s-10 pki]# kubeadm alpha certs renew all
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

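Warning: if you are running an HA cluster, this command must be executed on all control-plane nodes.

For multiple master nodes:

On every master node, take a backup and renew the certificates, then clear the previous kubectl credentials and configure them again: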

cp -r /etc/kubernetes{,_bak}
kubeadm alpha certs renew all

rm -rf $HOME/.kube
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

The kubeadm parameters are as follows:

[root@k8s-10 ~]# kubeadm  alpha certs renew --help
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm alpha certs renew [flags]
  kubeadm alpha certs renew [command]

Available Commands:
  admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                      Renew all available certificates
  apiserver                Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
  controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client  Renew the certificate for liveness probes to healtcheck etcd
  etcd-peer                Renew the certificate for etcd nodes to communicate with each other
  etcd-server              Renew the certificate for serving etcd
  front-proxy-client       Renew the certificate for the front proxy client
  scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

To renew only the admin.conf certificate, the command is:

kubeadm alpha certs renew admin.conf

Check the result again:

[root@k8s-10 pki]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Aug 06, 2021 07:30 UTC   364d            no      
apiserver                  Aug 06, 2021 07:30 UTC   364d            no      
apiserver-etcd-client      Aug 06, 2021 07:30 UTC   364d            no      
apiserver-kubelet-client   Aug 06, 2021 07:30 UTC   364d            no      
controller-manager.conf    Aug 06, 2021 07:30 UTC   364d            no      
etcd-healthcheck-client    Aug 06, 2021 07:30 UTC   364d            no      
etcd-peer                  Aug 06, 2021 07:30 UTC   364d            no      
etcd-server                Aug 06, 2021 07:30 UTC   364d            no      
front-proxy-client         Aug 06, 2021 07:30 UTC   364d            no      
scheduler.conf             Aug 06, 2021 07:30 UTC   364d            no  
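
The expiry check above can be turned into a scheduled alert. The following is an added example, not part of the original article: it reads the table printed by `kubeadm alpha certs check-expiration` and lists entries with fewer than a given number of days left. The function names, the sample table, and the handling of the `h`/`m`/`s`/`y` units and the `<invalid>` marker are assumptions; the article itself only shows values in days.

```shell
#!/bin/sh
# Added example (not from the original article): list kubeadm-managed
# certificates whose RESIDUAL TIME is below a threshold, given the table
# printed by `kubeadm alpha certs check-expiration` on stdin.

# certs_expiring_within DAYS  ->  prints "<certificate> <days-left>" per hit.
certs_expiring_within() {
  awk -v limit="$1" '
    # Data rows have 8 fields: name, 5 for the date, residual, externally managed.
    # This skips the header row, shell prompts and blank lines.
    NF != 8 || $1 == "CERTIFICATE" { next }
    {
      residual = $7
      if (residual == "<invalid>") {          # assumed marker for "already expired"
        days = -1
      } else {
        unit = substr(residual, length(residual))
        n = substr(residual, 1, length(residual) - 1) + 0
        if (unit == "d")      days = n
        else if (unit == "y") days = n * 365  # assumed unit for one year or more
        else                  days = 0        # h/m/s (assumed): under one day left
      }
      if (days < limit + 0) print $1, days
    }'
}

# Constructed sample input in the same layout as the output shown above.
sample_table() {
  cat <<'EOF'
[root@k8s-10 pki]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Oct 11, 2020 15:58 UTC   66d             no
apiserver                  Aug 06, 2021 07:30 UTC   364d            no
etcd-server                Aug 07, 2020 03:00 UTC   19h             no
front-proxy-client         Aug 01, 2020 15:58 UTC   <invalid>       no
EOF
}

# On a control-plane node:
#   kubeadm alpha certs check-expiration | certs_expiring_within 90
sample_table | certs_expiring_within 90
```

The table reflects the certificate files on disk. Control-plane components that were already running keep using the certificate they loaded at startup until they are restarted.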

Article link: https://www.haomeiwen.com/subject/zvzzrktx.html