Kubernetes: kubeadm certificates expired, renewing the certificates
Versions
Service      Version
CentOS       7.8
Kubernetes   1.18.x
The certificate problem
Many people probably never paid attention to certificates when they first learned k8s. Installing a single-node or multi-node k8s with kubeadm is just a matter of going straight through the steps, and if it is only for learning or testing and the VM or temporary cloud server is deleted afterwards, the certificate problem never shows up. If the k8s environment is going to be used for more than a year, you will hit it, because the default certificates are valid for 1 year and the CA root certificates for 10 years:
# Check certificate expiry. This command shows the expiration time / remaining time of the client certificates in the /etc/kubernetes/pki directory and of the client certificates embedded in the KUBECONFIG files used by kubeadm. In newer versions the command is: kubeadm certs check-expiration
[root@kubernetes ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
apiserver                  Aug 26, 2022 10:47 UTC   364d            ca                      no
apiserver-etcd-client      Aug 26, 2022 10:47 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Aug 26, 2022 10:47 UTC   364d            ca                      no
etcd-healthcheck-client    Aug 26, 2022 10:47 UTC   364d            etcd-ca                 no
etcd-peer                  Aug 26, 2022 10:47 UTC   364d            etcd-ca                 no
etcd-server                Aug 26, 2022 10:47 UTC   364d            etcd-ca                 no
front-proxy-client         Aug 26, 2022 10:47 UTC   364d            front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 23, 2030 07:00 UTC   8y              no
etcd-ca                 Aug 23, 2030 07:00 UTC   8y              no
front-proxy-ca          Aug 23, 2030 07:00 UTC   8y              no
[root@kubernetes pki]# for i in $(ls *.crt); do echo "===== $i ====="; openssl x509 -in $i -text -noout | grep -A 3 'Validity' ; done
===== =====
Validity
Not Before: Aug 25 07:00:38 2020 GMT
Not After : Aug 25 07:00:38 2021 GMT
Subject: CN=kube-apiserver
===== =====
Validity
Not Before: Aug 25 07:00:39 2020 GMT
Not After : Aug 25 07:00:40 2021 GMT
Subject: O=system:masters, CN=kube-apiserver-etcd-client
===== =====
Validity
Not Before: Aug 25 07:00:38 2020 GMT
Not After : Aug 25 07:00:39 2021 GMT
Subject: O=system:masters, CN=kube-apiserver-kubelet-client
===== ca.crt =====
Validity
Not Before: Aug 25 07:00:38 2020 GMT
Not After : Aug 23 07:00:38 2030 GMT
Subject: CN=kubernetes
===== =====
Validity
Not Before: Aug 25 07:00:39 2020 GMT
Not After : Aug 23 07:00:39 2030 GMT
Subject: CN=front-proxy-ca
===== =====
Validity
Not Before: Aug 25 07:00:39 2020 GMT
Not After : Aug 25 07:00:39 2021 GMT
Subject: CN=front-proxy-client
After running for a year it looks like this:
If every service just keeps running, the problem is not serious; it is only that the kubectl client can no longer connect, for example:
But if a key service such as etcd is restarted, the certificates have already expired by then and no longer work. etcd then fails to start, which in turn means kube-apiserver cannot start either, and in the end the cluster collapses, which may leave the business workloads unable to run normally.
etcd error message:
kube-apiserver error message:
1. transport: authentication handshake failed: remote error: tls: bad certificate
2. error "tls: failed to verify client's certificate: x509: certificate has expired or is not yet valid", ServerName ""
3. error "remote error: tls: bad certificate", ServerName ""
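As an added example (not from the original post): a small Python check that parses the two outputs shown above, the `kubeadm certs check-expiration` table and the `Not After` / `Subject` lines from the openssl loop, and lists the certificates that are already expired or expire within a threshold, so the failure described above is caught before etcd or kube-apiserver is restarted. The sample outputs embedded in it are constructed.

```python
import re
from datetime import datetime, timezone
# Table row of `kubeadm certs check-expiration`: name, then "Aug 26, 2022 10:47 UTC".
KUBEADM_ROW = re.compile(r"^(?P<name>[\w.-]+)\s+(?P<expires>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}) UTC\b")
NOT_AFTER = re.compile(r"Not After\s*:\s*(?P<expires>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT")
SUBJECT_CN = re.compile(r"Subject:.*\bCN=(?P<cn>[^,\s]+)")

def utc(*args):  # datetime(...) pinned to UTC, so "now" can be fixed in tests
    return datetime(*args, tzinfo=timezone.utc)

def parse_kubeadm_table(text):
    """Map certificate name -> expiry; the RESIDUAL TIME column is recomputed, not trusted."""
    certs = {}
    for line in text.splitlines():
        m = KUBEADM_ROW.match(line.strip())
        if m:
            certs[m["name"]] = datetime.strptime(m["expires"], "%b %d, %Y %H:%M").replace(tzinfo=timezone.utc)
    return certs

def parse_openssl_dump(text):
    """Map subject CN -> expiry from `openssl x509 -text -noout` output."""
    certs, pending = {}, None
    for line in text.splitlines():
        m = NOT_AFTER.search(line)
        if m:  # Validity precedes Subject in -text output, so hold the date until the CN appears
            pending = datetime.strptime(m["expires"], "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
            continue
        m = SUBJECT_CN.search(line)
        if m and pending is not None:
            certs[m["cn"]], pending = pending, None
    return certs

def needing_renewal(certs, now, warn_days=30):
    """[(name, days_left)] for expired (days < 0) or soon-expiring certs, soonest first."""
    due = sorted(((n, (e - now).days) for n, e in certs.items()), key=lambda t: (t[1], t[0]))
    return [(n, d) for n, d in due if d < warn_days]

# Constructed sample outputs: admin.conf already lapsed, apiserver due in weeks, CA fine.
SAMPLE_KUBEADM = """\
CERTIFICATE   EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf    Aug 25, 2021 07:00 UTC   <invalid>       ca                      no
apiserver     Aug 26, 2022 10:47 UTC   25d             ca                      no
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 23, 2030 07:00 UTC   8y              no
"""
SAMPLE_OPENSSL = """\
===== apiserver.crt =====
            Not After : Aug 25 07:00:38 2021 GMT
        Subject: CN=kube-apiserver
"""
```

Run it from cron on the control-plane node against the real command outputs and alert on a non-empty result well before the one-year mark.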
Generating new certificates
kubeadm alpha certs renew: the all subcommand renews all Kubernetes certificates, or individual certificates can be renewed selectively. For more details, see .
# See what functions the certs command provides
[root@kubernetes ~]# kubeadm alpha certs -h
Commands related to handling kubernetes certificates

Usage:
  kubeadm alpha certs [command]

Aliases:
  certs, certificates

Available Commands:
  certificate-key  Generate certificate keys
  check-expiration Check certificates expiration for a Kubernetes cluster
  renew            Renew certificates for a Kubernetes cluster

Flags:
  -h, --help   help for certs

Global Flags:
      --add-dir-header           If true, adds the file directory to the header
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm alpha certs [command] --help" for more information about a command.
renew: Renew certificates for a Kubernetes cluster (renews the cluster certificates; note that the CA root certificates are not included).
The renew command is what we use to regenerate the cluster certificates.
# See which subcommands the certificate renewal command has
[root@kubernetes etc]# kubeadm alpha certs renew -h
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm alpha certs renew [flags]
  kubeadm alpha certs renew [command]

Available Commands:
  all                      Renew all available certificates
  apiserver                Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
  etcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                Renew the certificate for etcd nodes to communicate with each other
  etcd-server              Renew the certificate for serving etcd
  front-proxy-client       Renew the certificate for the front proxy client

Flags:
  -h, --help   help for renew

Global Flags:
      --add-dir-header           If true, adds the file directory to the header
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm alpha certs renew [command] --help" for more information about a command.