# Renewing certificate validity on a kubeadm-deployed cluster

By 一亩三分地, published 2022-10-28. Source: http://www.qiqios.cn/2022/10/28/kubeadm部署的集群更新证书有效期/

## Cluster overview

```
$ kubectl get node
NAME    STATUS   ROLES           AGE   VERSION
node    Ready    control-plane   69d   v1.24.0
node1   Ready    <none>          68d   v1.24.0
node2   Ready    <none>          69d   v1.24.0

# Certificate information
$ sudo kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 20, 2023 05:20 UTC   295d            ca                      no
apiserver                  Aug 20, 2023 05:20 UTC   295d            ca                      no
apiserver-etcd-client      Aug 20, 2023 05:20 UTC   295d            etcd-ca                 no
apiserver-kubelet-client   Aug 20, 2023 05:20 UTC   295d            ca                      no
controller-manager.conf    Aug 20, 2023 05:20 UTC   295d            ca                      no
etcd-healthcheck-client    Aug 20, 2023 05:20 UTC   295d            etcd-ca                 no
etcd-peer                  Aug 20, 2023 05:20 UTC   295d            etcd-ca                 no
etcd-server                Aug 20, 2023 05:20 UTC   295d            etcd-ca                 no
front-proxy-client         Aug 20, 2023 05:20 UTC   295d            front-proxy-ca          no
scheduler.conf             Aug 20, 2023 05:20 UTC   295d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 17, 2032 05:20 UTC   9y              no
etcd-ca                 Aug 17, 2032 05:20 UTC   9y              no
front-proxy-ca          Aug 17, 2032 05:20 UTC   9y              no
```

## Renewing the certificates with the official kubeadm command

Renew the cluster certificates with the command kubeadm provides:

```
$ sudo kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
```

The renewed files are only picked up once the control-plane components restart. Because they run as static pods, moving their manifests out of the kubelet's manifest directory and back again stops and recreates them:

```
# Restart etcd, kube-apiserver, kube-controller-manager and kube-scheduler on the master node
$ ls /etc/kubernetes/manifests/
etcd.yaml  kube-apiserver.yaml  kube-controller-manager.yaml  kube-scheduler.yaml
$ sudo mv /etc/kubernetes/manifests/ /etc/kubernetes/manifests.bak

# Wait until cluster information can no longer be retrieved, then restore the static pod YAML files
$ kubectl get pod -A
The connection to the server 192.168.3.20:6443 was refused - did you specify the right host or port?

# Restore the static pod YAML files, which restarts the control-plane component pods
$ sudo mv /etc/kubernetes/manifests.bak /etc/kubernetes/manifests/
$ kubectl get node
NAME    STATUS   ROLES           AGE   VERSION
node    Ready    control-plane   69d   v1.24.0
node1   Ready    <none>          68d   v1.24.0
node2   Ready    <none>          69d   v1.24.0

# Check the cluster certificates
$ sudo kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 28, 2023 07:35 UTC   364d            ca                      no
apiserver                  Oct 28, 2023 07:35 UTC   364d            ca                      no
apiserver-etcd-client      Oct 28, 2023 07:35 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Oct 28, 2023 07:35 UTC   364d            ca                      no
controller-manager.conf    Oct 28, 2023 07:35 UTC   364d            ca                      no
etcd-healthcheck-client    Oct 28, 2023 07:35 UTC   364d            etcd-ca                 no
etcd-peer                  Oct 28, 2023 07:35 UTC   364d            etcd-ca                 no
etcd-server                Oct 28, 2023 07:35 UTC   364d            etcd-ca                 no
front-proxy-client         Oct 28, 2023 07:35 UTC   364d            front-proxy-ca          no
scheduler.conf             Oct 28, 2023 07:35 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 17, 2032 05:20 UTC   9y              no
etcd-ca                 Aug 17, 2032 05:20 UTC   9y              no
front-proxy-ca          Aug 17, 2032 05:20 UTC   9y              no
```

Note: on v1.15.x and later you can run `kubeadm alpha certs renew <cert_name>` directly to renew a certificate; after the command runs, the certificate's validity is extended by 1 year.

## Using a script to extend the cluster certificates to 10 years

Project: https://github.com/yuyicai/update-kube-cert

Usage notes:

- The script only needs to run on master nodes; it is not run on worker nodes.
- If the cluster has no etcd certificates, only the master certificates need updating (see the project's own instructions for that case; on v1.9.x and earlier, etcd does not use TLS by default).
- In the default case, renew the certificates with the steps below.

Renew the certificates (run under the root account):

```
$ git clone https://github.com/yuyicai/update-kube-cert.git
$ cd update-kube-cert
$ chmod 755 update-kubeadm-cert.sh
$ ./update-kubeadm-cert.sh all
CERTIFICATE                                       EXPIRES
/etc/kubernetes/controller-manager.config         Aug 20 05:20:21 2023 GMT
/etc/kubernetes/scheduler.config                  Aug 20 05:20:21 2023 GMT
/etc/kubernetes/admin.config                      Aug 20 05:20:20 2023 GMT
/etc/kubernetes/pki/ca.crt                        Aug 17 05:20:18 2032 GMT
/etc/kubernetes/pki/apiserver.crt                 Aug 20 05:20:18 2023 GMT
/etc/kubernetes/pki/apiserver-kubelet-client.crt  Aug 20 05:20:18 2023 GMT
/etc/kubernetes/pki/front-proxy-ca.crt            Aug 17 05:20:19 2032 GMT
/etc/kubernetes/pki/front-proxy-client.crt        Aug 20 05:20:19 2023 GMT
/etc/kubernetes/pki/etcd/ca.crt                   Aug 17 05:20:19 2032 GMT
/etc/kubernetes/pki/etcd/server.crt               Aug 20 05:20:19 2023 GMT
/etc/kubernetes/pki/etcd/peer.crt                 Aug 20 05:20:20 2023 GMT
/etc/kubernetes/pki/etcd/healthcheck-client.crt   Aug 20 05:20:20 2023 GMT
/etc/kubernetes/pki/apiserver-etcd-client.crt     Aug 20 05:20:20 2023 GMT
[2022-10-28T16:03:30.65+0800][INFO] backup /etc/kubernetes to /etc/kubernetes.old-20221028
[2022-10-28T16:03:30.65+0800][INFO] updating...
[2022-10-28T16:03:30.72+0800][INFO] updated /etc/kubernetes/pki/etcd/server.conf
[2022-10-28T16:03:30.75+0800][INFO] updated /etc/kubernetes/pki/etcd/peer.conf
[2022-10-28T16:03:30.79+0800][INFO] updated /etc/kubernetes/pki/etcd/healthcheck-client.conf
[2022-10-28T16:03:30.82+0800][INFO] updated /etc/kubernetes/pki/apiserver-etcd-client.conf
./update-kubeadm-cert.sh: line 250: docker: command not found
[2022-10-28T16:03:30.83+0800][INFO] restarted etcd
[2022-10-28T16:03:30.86+0800][INFO] updated /etc/kubernetes/pki/apiserver.crt
[2022-10-28T16:03:30.89+0800][INFO] updated /etc/kubernetes/pki/apiserver-kubelet-client.crt
[2022-10-28T16:03:30.92+0800][INFO] updated /etc/kubernetes/controller-manager.conf
[2022-10-28T16:03:30.99+0800][INFO] updated /etc/kubernetes/scheduler.conf
[2022-10-28T16:03:31.04+0800][INFO] updated /etc/kubernetes/admin.conf
[2022-10-28T16:03:31.04+0800][INFO] copy the admin.conf to /root/.kube/config
[2022-10-28T16:03:31.05+0800][INFO] does not need to update kubelet.conf
[2022-10-28T16:03:31.07+0800][INFO] updated /etc/kubernetes/pki/front-proxy-client.crt
./update-kubeadm-cert.sh: line 314: docker: command not found
[2022-10-28T16:03:31.08+0800][INFO] restarted apiserver
./update-kubeadm-cert.sh: line 314: docker: command not found
[2022-10-28T16:03:31.08+0800][INFO] restarted controller-manager
./update-kubeadm-cert.sh: line 314: docker: command not found
[2022-10-28T16:03:31.09+0800][INFO] restarted scheduler
[2022-10-28T16:03:31.17+0800][INFO] restarted kubelet
[2022-10-28T16:03:31.18+0800][INFO] done!!!
CERTIFICATE                                       EXPIRES
/etc/kubernetes/controller-manager.config         Oct 25 08:03:30 2032 GMT
/etc/kubernetes/scheduler.config                  Oct 25 08:03:30 2032 GMT
/etc/kubernetes/admin.config                      Oct 25 08:03:31 2032 GMT
/etc/kubernetes/pki/ca.crt                        Aug 17 05:20:18 2032 GMT
/etc/kubernetes/pki/apiserver.crt                 Oct 25 08:03:30 2032 GMT
/etc/kubernetes/pki/apiserver-kubelet-client.crt  Oct 25 08:03:30 2032 GMT
/etc/kubernetes/pki/front-proxy-ca.crt            Aug 17 05:20:19 2032 GMT
/etc/kubernetes/pki/front-proxy-client.crt        Oct 25 08:03:31 2032 GMT
/etc/kubernetes/pki/etcd/ca.crt                   Aug 17 05:20:19 2032 GMT
/etc/kubernetes/pki/etcd/server.crt               Oct 25 08:03:30 2032 GMT
/etc/kubernetes/pki/etcd/peer.crt                 Oct 25 08:03:30 2032 GMT
/etc/kubernetes/pki/etcd/healthcheck-client.crt   Oct 25 08:03:30 2032 GMT
/etc/kubernetes/pki/apiserver-etcd-client.crt     Oct 25 08:03:30 2032 GMT
```

Two things in this output deserve attention. The `docker: command not found` lines show the script's container-restart step failing on this cluster, whose runtime is not Docker, so the "restarted" messages that follow them do not mean the control-plane pods reloaded the new files; restart the static pods by hand as in the previous section. Also, the renewed leaf certificates now expire on Oct 25, 2032, later than the CAs that signed them (Aug 17, 2032), so their effective lifetime is still bounded by the CA expiry.

```
# Check certificate validity
$ kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 25, 2032 08:03 UTC   9y              ca                      no
apiserver                  Oct 25, 2032 08:03 UTC   9y              ca                      no
apiserver-etcd-client      Oct 25, 2032 08:03 UTC   9y              etcd-ca                 no
apiserver-kubelet-client   Oct 25, 2032 08:03 UTC   9y              ca                      no
controller-manager.conf    Oct 25, 2032 08:03 UTC   9y              ca                      no
etcd-healthcheck-client    Oct 25, 2032 08:03 UTC   9y              etcd-ca                 no
etcd-peer                  Oct 25, 2032 08:03 UTC   9y              etcd-ca                 no
etcd-server                Oct 25, 2032 08:03 UTC   9y              etcd-ca                 no
front-proxy-client         Oct 25, 2032 08:03 UTC   9y              front-proxy-ca          no
scheduler.conf             Oct 25, 2032 08:03 UTC   9y              ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 17, 2032 05:20 UTC   9y              no
etcd-ca                 Aug 17, 2032 05:20 UTC   9y              no
front-proxy-ca          Aug 17, 2032 05:20 UTC   9y              no
```
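Both `kubeadm certs check-expiration` and the script's `CERTIFICATE / EXPIRES` table read certificate files from disk; neither tells you whether a component that was supposed to restart is actually serving the renewed certificate, which is exactly the question the `docker: command not found` lines above leave open. As an added example (this is not code from the post or from the update-kube-cert project), the shell script below rebuilds that expiry table with only the openssl CLI, flags every certificate that falls inside a warning window via `openssl x509 -checkend`, and adds a live check that fetches the certificate the running apiserver presents so it can be compared with `pki/apiserver.crt`. It assumes a POSIX shell, the openssl CLI, and a kubeadm-style layout (leaf certs under `pki/` and `pki/etcd/`, client certs base64-embedded in `admin.conf`, `controller-manager.conf` and `scheduler.conf`); the directory, the day threshold and the `host:port` are arguments, and the function names are my own.

```shell
#!/bin/sh
# Added example: a file-based and live expiry check for kubeadm certificates.
# Assumes the openssl CLI and the /etc/kubernetes layout shown in the post.
set -eu

# Print the notAfter date of a PEM certificate file, in openssl's
# "Aug 20 05:20:18 2023 GMT" format (the same format the script's table uses).
cert_enddate() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Return 0 if the certificate stays valid for at least $2 more days,
# 1 if it expires inside that window. -checkend takes seconds.
cert_ok_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Decode the client certificate kubeadm embeds in a kubeconfig
# (client-certificate-data is base64 PEM) and write it to stdout.
kubeconfig_client_cert() {
    grep -m1 'client-certificate-data:' "$1" | awk '{print $2}' | base64 -d
}

# Print one table row for certificate file $1 under label $2 with a
# window of $3 days; return 1 when the certificate is inside the window.
report_one() {
    local file=$1 label=$2 days=$3
    if cert_ok_for_days "$file" "$days"; then
        printf '%-55s %-28s %s\n' "$label" "$(cert_enddate "$file")" OK
    else
        printf '%-55s %-28s %s\n' "$label" "$(cert_enddate "$file")" "EXPIRES WITHIN ${days}d"
        return 1
    fi
}

# Walk a kubeadm PKI tree ($1) and report every leaf certificate plus the
# client certs inside the control-plane kubeconfigs. Returns 1 if any
# certificate expires within $2 days, so it can drive a cron or monitoring job.
report_pki() {
    local dir=$1 days=$2 rc=0 f pem
    printf '%-55s %-28s %s\n' CERTIFICATE EXPIRES STATUS
    for f in "$dir"/pki/*.crt "$dir"/pki/etcd/*.crt; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        report_one "$f" "$f" "$days" || rc=1
    done
    for f in "$dir"/admin.conf "$dir"/controller-manager.conf "$dir"/scheduler.conf; do
        [ -e "$f" ] || continue
        pem=$(mktemp)
        kubeconfig_client_cert "$f" > "$pem"
        report_one "$pem" "$f" "$days" || rc=1
        rm -f "$pem"
    done
    return $rc
}

# Fetch the certificate the running kube-apiserver actually serves and print
# its notAfter. $1 is host:port, e.g. 192.168.3.20:6443 from the post. If this
# date is older than cert_enddate on pki/apiserver.crt, the process is still
# running with the pre-renewal certificate in memory and needs a restart.
live_server_enddate() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Usage: sh check-certs.sh run [/etc/kubernetes] [days]
if [ "${1:-}" = run ]; then
    report_pki "${2:-/etc/kubernetes}" "${3:-30}"
fi
```

Run as `sh check-certs.sh run /etc/kubernetes 30` on a control-plane node; the nonzero exit of `report_pki` is the signal a scheduled job would alert on. After a renewal and restart, comparing `live_server_enddate 192.168.3.20:6443` with `cert_enddate /etc/kubernetes/pki/apiserver.crt` confirms the apiserver really loaded the renewed file, which the file-based checks alone cannot show. The CA certificates are deliberately included in the walk, since a leaf that outlives its CA (as in the post's final table) is only useful until the CA expires.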