Renewing the certificate validity of a kubeadm-deployed cluster

Basic cluster information

$ kubectl get node
NAME    STATUS   ROLES           AGE   VERSION
node    Ready    control-plane   69d   v1.24.0
node1   Ready    <none>          68d   v1.24.0
node2   Ready    <none>          69d   v1.24.0

# Certificate information
$ sudo kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 20, 2023 05:20 UTC   295d            ca                      no      
apiserver                  Aug 20, 2023 05:20 UTC   295d            ca                      no      
apiserver-etcd-client      Aug 20, 2023 05:20 UTC   295d            etcd-ca                 no      
apiserver-kubelet-client   Aug 20, 2023 05:20 UTC   295d            ca                      no      
controller-manager.conf    Aug 20, 2023 05:20 UTC   295d            ca                      no      
etcd-healthcheck-client    Aug 20, 2023 05:20 UTC   295d            etcd-ca                 no      
etcd-peer                  Aug 20, 2023 05:20 UTC   295d            etcd-ca                 no      
etcd-server                Aug 20, 2023 05:20 UTC   295d            etcd-ca                 no      
front-proxy-client         Aug 20, 2023 05:20 UTC   295d            front-proxy-ca          no      
scheduler.conf             Aug 20, 2023 05:20 UTC   295d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 17, 2032 05:20 UTC   9y              no      
etcd-ca                 Aug 17, 2032 05:20 UTC   9y              no      
front-proxy-ca          Aug 17, 2032 05:20 UTC   9y              no   

Renewing certificates with the official kubeadm command

Renew the cluster certificates with the command kubeadm itself provides. It has to run on the control-plane node (on an HA cluster, on every control-plane node):

$ sudo kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

# Restart etcd, kube-apiserver, kube-controller-manager and kube-scheduler on the master node.
# They are static pods, so moving their manifests out of the directory makes the kubelet stop them.
$ ls /etc/kubernetes/manifests/
etcd.yaml  kube-apiserver.yaml  kube-controller-manager.yaml  kube-scheduler.yaml
$ sudo mv /etc/kubernetes/manifests/ /etc/kubernetes/manifests.bak

# Wait until the API server stops answering (the kubelet has torn the static pods down), then restore the manifests
$ kubectl get pod -A
The connection to the server 192.168.3.20:6443 was refused - did you specify the right host or port?

# Restore the static pod manifests; the kubelet starts the control-plane pods again with the new certificates.
# kubectl keeps working here only because the old client certificate in ~/.kube/config has not expired yet:
# kubeadm renewed /etc/kubernetes/admin.conf but does not touch ~/.kube/config, so copy it over before the old one runs out.
$ sudo mv /etc/kubernetes/manifests.bak /etc/kubernetes/manifests/
$ kubectl get node
NAME    STATUS   ROLES           AGE   VERSION
node    Ready    control-plane   69d   v1.24.0
node1   Ready    <none>          68d   v1.24.0
node2   Ready    <none>          69d   v1.24.0

# Check the cluster certificates again
$ sudo kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 28, 2023 07:35 UTC   364d            ca                      no      
apiserver                  Oct 28, 2023 07:35 UTC   364d            ca                      no      
apiserver-etcd-client      Oct 28, 2023 07:35 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Oct 28, 2023 07:35 UTC   364d            ca                      no      
controller-manager.conf    Oct 28, 2023 07:35 UTC   364d            ca                      no      
etcd-healthcheck-client    Oct 28, 2023 07:35 UTC   364d            etcd-ca                 no      
etcd-peer                  Oct 28, 2023 07:35 UTC   364d            etcd-ca                 no      
etcd-server                Oct 28, 2023 07:35 UTC   364d            etcd-ca                 no      
front-proxy-client         Oct 28, 2023 07:35 UTC   364d            front-proxy-ca          no      
scheduler.conf             Oct 28, 2023 07:35 UTC   364d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 17, 2032 05:20 UTC   9y              no      
etcd-ca                 Aug 17, 2032 05:20 UTC   9y              no      
front-proxy-ca          Aug 17, 2032 05:20 UTC   9y              no

Note: on v1.15 through v1.19 the command is kubeadm alpha certs renew <cert_name>; from v1.20 it graduated to kubeadm certs renew <cert_name>, which is what was used above. In both cases the renewed certificate is valid for one year from the moment the command runs. kubeadm does not renew the kubelet's own client certificate; the kubelet rotates that itself.
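The procedure above, as an added bash example that is not code from the post or from kubeadm: it renews with kubeadm certs renew all, restarts the static control-plane pods by moving their manifests out and back (with a timeout and a trap so the manifests are always put back), installs the renewed admin.conf for kubectl, and adds a small parser for the kubeadm certs check-expiration table so the same script can be used from cron to report certificates with fewer than N days left. The --apply/--report flags, the manifests.renew-bak scratch path, the 120 s timeout and the single-control-plane assumption are this example's choices; the sample table is a constructed copy of the first check-expiration output above.

```shell
#!/usr/bin/env bash
# Added example: the manual renew/restart/check steps as one script, plus a
# parser that lists certificates from `kubeadm certs check-expiration` output
# with fewer than N days of validity left.
# Assumptions (not kubeadm defaults): one control-plane node, kubeadm >= v1.20,
# manifests in /etc/kubernetes/manifests, kubectl reading $HOME/.kube/config.
set -eu

MANIFESTS=/etc/kubernetes/manifests
BACKUP=/etc/kubernetes/manifests.renew-bak   # scratch location chosen for this example

# Constructed sample: rows copied from the first check-expiration table in the post.
SAMPLE=$(cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 20, 2023 05:20 UTC   295d            ca                      no
apiserver                  Aug 20, 2023 05:20 UTC   295d            ca                      no
apiserver-etcd-client      Aug 20, 2023 05:20 UTC   295d            etcd-ca                 no
etcd-server                Aug 20, 2023 05:20 UTC   295d            etcd-ca                 no
front-proxy-client         Aug 20, 2023 05:20 UTC   295d            front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 17, 2032 05:20 UTC   9y              no
etcd-ca                 Aug 17, 2032 05:20 UTC   9y              no
front-proxy-ca          Aug 17, 2032 05:20 UTC   9y              no
EOF
)

# Print the names of certificates and CAs from check-expiration output ($2, or
# stdin) whose RESIDUAL TIME is below $1 days. kubeadm prints that column as
# "295d", "9y" or, under two days, "23h"/"15m"; the last two count as 0 days.
expiring_within() {
  local days="$1" text="${2:-$(cat)}"
  printf '%s\n' "$text" | awk -v limit="$days" '
    # leaf rows have 9 whitespace-separated fields, CA rows 8; field 6 is "UTC" in both
    $6 == "UTC" && (NF == 8 || NF == 9) {
      r = $7; n = substr(r, 1, length(r) - 1); u = substr(r, length(r))
      d = (u == "y") ? n * 365 : (u == "d") ? n + 0 : 0
      if (d < limit + 0) print $1
    }'
}

# Poll the API server until it is $1 ("up" or "down"); give up after about 120 s.
wait_apiserver() {
  local want="$1" i=0 state
  while [ "$i" -lt 60 ]; do
    if kubectl get --raw /healthz >/dev/null 2>&1; then state=up; else state=down; fi
    [ "$state" = "$want" ] && return 0
    sleep 2; i=$((i + 1))
  done
  echo "timed out waiting for the API server to be $want" >&2
  return 1
}

# The restart trick from the post: the kubelet stops the static pods when their
# manifests disappear and starts them again when they return. The trap puts the
# manifests back even if the script is interrupted or a wait times out.
restart_control_plane() {
  mv "$MANIFESTS" "$BACKUP"
  trap '[ -d "$BACKUP" ] && mv "$BACKUP" "$MANIFESTS"' EXIT
  wait_apiserver down
  mv "$BACKUP" "$MANIFESTS"
  trap - EXIT
  wait_apiserver up
}

renew_all() {
  kubeadm certs renew all
  restart_control_plane
  # kubeadm rewrote /etc/kubernetes/admin.conf with a new client certificate but
  # does not update the copy kubectl uses; install it before the old one expires.
  mkdir -p "$HOME/.kube"
  install -m 600 /etc/kubernetes/admin.conf "$HOME/.kube/config"
  kubeadm certs check-expiration
}

case "${1:-}" in
  --apply)  renew_all ;;                                                   # run as root
  --report) kubeadm certs check-expiration | expiring_within "${2:-30}" ;; # e.g. from cron
  *)        expiring_within 300 "$SAMPLE" ;;                               # no args: demo on the sample
esac
```

Run with --report 30 from a daily cron job to get the names to alert on; --apply performs the renewal and restart as root. On a cluster with several control-plane nodes the renewal and restart have to be repeated on each of them.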

Renewing the cluster certificates to 10 years with a script

Project: https://github.com/yuyicai/update-kube-cert

Usage notes

The script only needs to run on master (control-plane) nodes; it does not need to run on worker nodes.

  • If the cluster has no etcd certificates, only the master certificates need updating; see the project repository linked above (on v1.9.x and earlier, etcd did not use TLS by default).

  • Otherwise, renew the certificates with the steps below.

Renewing the certificates

# Run the update as root. The clone creates a directory named update-kube-cert, which holds update-kubeadm-cert.sh
$ git clone https://github.com/yuyicai/update-kube-cert.git
$ cd update-kube-cert
$ chmod 755 update-kubeadm-cert.sh
$ ./update-kubeadm-cert.sh all
CERTIFICATE                                       EXPIRES                       
/etc/kubernetes/controller-manager.config         Aug 20 05:20:21 2023 GMT      
/etc/kubernetes/scheduler.config                  Aug 20 05:20:21 2023 GMT      
/etc/kubernetes/admin.config                      Aug 20 05:20:20 2023 GMT      
/etc/kubernetes/pki/ca.crt                        Aug 17 05:20:18 2032 GMT      
/etc/kubernetes/pki/apiserver.crt                 Aug 20 05:20:18 2023 GMT      
/etc/kubernetes/pki/apiserver-kubelet-client.crt  Aug 20 05:20:18 2023 GMT      
/etc/kubernetes/pki/front-proxy-ca.crt            Aug 17 05:20:19 2032 GMT      
/etc/kubernetes/pki/front-proxy-client.crt        Aug 20 05:20:19 2023 GMT      
/etc/kubernetes/pki/etcd/ca.crt                   Aug 17 05:20:19 2032 GMT      
/etc/kubernetes/pki/etcd/server.crt               Aug 20 05:20:19 2023 GMT      
/etc/kubernetes/pki/etcd/peer.crt                 Aug 20 05:20:20 2023 GMT      
/etc/kubernetes/pki/etcd/healthcheck-client.crt   Aug 20 05:20:20 2023 GMT      
/etc/kubernetes/pki/apiserver-etcd-client.crt     Aug 20 05:20:20 2023 GMT      
[2022-10-28T16:03:30.65+0800][INFO] backup /etc/kubernetes to /etc/kubernetes.old-20221028
[2022-10-28T16:03:30.65+0800][INFO] updating...
[2022-10-28T16:03:30.72+0800][INFO] updated /etc/kubernetes/pki/etcd/server.conf
[2022-10-28T16:03:30.75+0800][INFO] updated /etc/kubernetes/pki/etcd/peer.conf
[2022-10-28T16:03:30.79+0800][INFO] updated /etc/kubernetes/pki/etcd/healthcheck-client.conf
[2022-10-28T16:03:30.82+0800][INFO] updated /etc/kubernetes/pki/apiserver-etcd-client.conf
./update-kubeadm-cert.sh: line 250: docker: command not found
[2022-10-28T16:03:30.83+0800][INFO] restarted etcd
[2022-10-28T16:03:30.86+0800][INFO] updated /etc/kubernetes/pki/apiserver.crt
[2022-10-28T16:03:30.89+0800][INFO] updated /etc/kubernetes/pki/apiserver-kubelet-client.crt
[2022-10-28T16:03:30.92+0800][INFO] updated /etc/kubernetes/controller-manager.conf
[2022-10-28T16:03:30.99+0800][INFO] updated /etc/kubernetes/scheduler.conf
[2022-10-28T16:03:31.04+0800][INFO] updated /etc/kubernetes/admin.conf
[2022-10-28T16:03:31.04+0800][INFO] copy the admin.conf to /root/.kube/config
[2022-10-28T16:03:31.05+0800][INFO] does not need to update kubelet.conf
[2022-10-28T16:03:31.07+0800][INFO] updated /etc/kubernetes/pki/front-proxy-client.crt
./update-kubeadm-cert.sh: line 314: docker: command not found
[2022-10-28T16:03:31.08+0800][INFO] restarted apiserver
./update-kubeadm-cert.sh: line 314: docker: command not found
[2022-10-28T16:03:31.08+0800][INFO] restarted controller-manager
./update-kubeadm-cert.sh: line 314: docker: command not found
[2022-10-28T16:03:31.09+0800][INFO] restarted scheduler
[2022-10-28T16:03:31.17+0800][INFO] restarted kubelet
[2022-10-28T16:03:31.18+0800][INFO] done!!!
CERTIFICATE                                       EXPIRES                       
/etc/kubernetes/controller-manager.config         Oct 25 08:03:30 2032 GMT      
/etc/kubernetes/scheduler.config                  Oct 25 08:03:30 2032 GMT      
/etc/kubernetes/admin.config                      Oct 25 08:03:31 2032 GMT      
/etc/kubernetes/pki/ca.crt                        Aug 17 05:20:18 2032 GMT      
/etc/kubernetes/pki/apiserver.crt                 Oct 25 08:03:30 2032 GMT      
/etc/kubernetes/pki/apiserver-kubelet-client.crt  Oct 25 08:03:30 2032 GMT      
/etc/kubernetes/pki/front-proxy-ca.crt            Aug 17 05:20:19 2032 GMT      
/etc/kubernetes/pki/front-proxy-client.crt        Oct 25 08:03:31 2032 GMT      
/etc/kubernetes/pki/etcd/ca.crt                   Aug 17 05:20:19 2032 GMT      
/etc/kubernetes/pki/etcd/server.crt               Oct 25 08:03:30 2032 GMT      
/etc/kubernetes/pki/etcd/peer.crt                 Oct 25 08:03:30 2032 GMT      
/etc/kubernetes/pki/etcd/healthcheck-client.crt   Oct 25 08:03:30 2032 GMT      
/etc/kubernetes/pki/apiserver-etcd-client.crt     Oct 25 08:03:30 2032 GMT

Note the "docker: command not found" lines in the output above. The script tried to restart etcd, the apiserver, the controller manager and the scheduler through the docker CLI, which is not present on this v1.24 node (dockershim was removed in v1.24), so those restarts did not happen even though the script logged "restarted ...". Processes that loaded the old certificates at startup keep using them until they are restarted; restart them yourself, for example by moving the static pod manifests out of /etc/kubernetes/manifests and back as in the kubeadm section, before relying on the new dates. The backup /etc/kubernetes.old-20221028 now holds the previous private keys and a cluster-admin kubeconfig, so protect or delete it.

# Check the certificate validity
$ kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 25, 2032 08:03 UTC   9y              ca                      no      
apiserver                  Oct 25, 2032 08:03 UTC   9y              ca                      no      
apiserver-etcd-client      Oct 25, 2032 08:03 UTC   9y              etcd-ca                 no      
apiserver-kubelet-client   Oct 25, 2032 08:03 UTC   9y              ca                      no      
controller-manager.conf    Oct 25, 2032 08:03 UTC   9y              ca                      no      
etcd-healthcheck-client    Oct 25, 2032 08:03 UTC   9y              etcd-ca                 no      
etcd-peer                  Oct 25, 2032 08:03 UTC   9y              etcd-ca                 no      
etcd-server                Oct 25, 2032 08:03 UTC   9y              etcd-ca                 no      
front-proxy-client         Oct 25, 2032 08:03 UTC   9y              front-proxy-ca          no      
scheduler.conf             Oct 25, 2032 08:03 UTC   9y              ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 17, 2032 05:20 UTC   9y              no      
etcd-ca                 Aug 17, 2032 05:20 UTC   9y              no      
front-proxy-ca          Aug 17, 2032 05:20 UTC   9y              no 
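The table above shows a catch with the 10-year script: every leaf certificate now expires Oct 25, 2032, but ca, etcd-ca and front-proxy-ca still expire Aug 17, 2032. A leaf is only usable while the CA that signed it is valid, because chain validation fails as soon as the CA certificate expires, so the effective deadline for this cluster is still August 2032. As an added example, not code from the post or from the update-kube-cert project, the following bash script parses kubeadm certs check-expiration output and reports every leaf whose EXPIRES is later than its CERTIFICATE AUTHORITY's EXPIRES. The two embedded tables are constructed copies of the post-script and post-kubeadm tables above, and the --live flag is this example's own.

```shell
#!/usr/bin/env bash
# Added example: find leaf certificates that outlive their issuing CA in
# `kubeadm certs check-expiration` output. Dates are converted to
# "YYYY-MM-DDTHH:MM" strings, which compare chronologically as plain strings,
# so the check needs only awk, not GNU `date -d`.
set -eu

# Constructed samples copied from the post: after the 10-year script, and after kubeadm certs renew all.
AFTER_SCRIPT=$(cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 25, 2032 08:03 UTC   9y              ca                      no
apiserver                  Oct 25, 2032 08:03 UTC   9y              ca                      no
apiserver-etcd-client      Oct 25, 2032 08:03 UTC   9y              etcd-ca                 no
front-proxy-client         Oct 25, 2032 08:03 UTC   9y              front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 17, 2032 05:20 UTC   9y              no
etcd-ca                 Aug 17, 2032 05:20 UTC   9y              no
front-proxy-ca          Aug 17, 2032 05:20 UTC   9y              no
EOF
)
AFTER_KUBEADM_RENEW=$(cat <<'EOF'
admin.conf                 Oct 28, 2023 07:35 UTC   364d            ca                      no
apiserver-etcd-client      Oct 28, 2023 07:35 UTC   364d            etcd-ca                 no
ca                      Aug 17, 2032 05:20 UTC   9y              no
etcd-ca                 Aug 17, 2032 05:20 UTC   9y              no
EOF
)

# Print one line per leaf that expires after its CA, sorted by name; prints
# nothing when every leaf is bounded by its CA. Input is $1 or stdin.
leaves_outliving_ca() {
  local text="${1:-$(cat)}"
  printf '%s\n' "$text" | awk '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i) }
    # fields 2-5 hold "Aug 17, 2032 05:20"; build "2032-08-17T05:20"
    function stamp(    d) { d = $3; sub(/,/, "", d); return sprintf("%s-%s-%02dT%s", $4, mon[$2], d, $5) }
    $6 == "UTC" && NF == 8 { ca[$1] = stamp(); next }               # CA table row (8 fields)
    $6 == "UTC" && NF == 9 { leaf[$1] = stamp(); issuer[$1] = $8 }  # leaf table row (9 fields)
    END {
      # the CA table is printed after the leaf table, so compare only once both are read
      for (n in leaf)
        if ((issuer[n] in ca) && leaf[n] > ca[issuer[n]])
          printf "%s expires %s but its CA %s expires %s\n", n, leaf[n], issuer[n], ca[issuer[n]]
    }' | sort
}

case "${1:-}" in
  --live) kubeadm certs check-expiration | leaves_outliving_ca ;;  # check the real cluster
  *)      leaves_outliving_ca "$AFTER_SCRIPT" ;;                    # no args: demo on the sample
esac
```

With --live on a control-plane node this makes the real deadline visible after any renewal: if it prints anything, plan the CA rotation for the CA's date, not the leaf's. Long-lived leaves also widen the exposure window if a key or the admin kubeconfig leaks, so the 10-year script trades outage risk for credential-lifetime risk, and the CA expiry still caps what it buys.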

Source: http://www.qiqios.cn/2022/10/28/kubeadm部署的集群更新证书有效期/
Author: 一亩三分地
Published: October 28, 2022