Versions

Service       Version
CentOS        7.8
Kubernetes    1.18.x

Certificate issues

  Many people never pay attention to certificates when they first learn k8s: installing a single-node or multi-node k8s with kubeadm is just a matter of following the steps, and if the environment is only for learning or testing, the VM or temporary cloud server gets deleted afterwards and the certificate problem never shows up. If the k8s environment is going to be used for more than a year, you will hit it, because the default certificate validity is 1 year while the CA root certificates are valid for 10 years:

# Check certificate expiry. This command shows the expiry/remaining time of the client certificates in /etc/kubernetes/pki and of the client certificates embedded in the KUBECONFIG files that kubeadm uses. In newer versions the command is: kubeadm certs check-expiration
[root@kubernetes ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 26, 2022 10:47 UTC   364d                                    no
apiserver                  Aug 26, 2022 10:47 UTC   364d            ca                      no
apiserver-etcd-client      Aug 26, 2022 10:47 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Aug 26, 2022 10:47 UTC   364d            ca                      no
controller-manager.conf    Aug 26, 2022 10:47 UTC   364d                                    no
etcd-healthcheck-client    Aug 26, 2022 10:47 UTC   364d            etcd-ca                 no
etcd-peer                  Aug 26, 2022 10:47 UTC   364d            etcd-ca                 no
etcd-server                Aug 26, 2022 10:47 UTC   364d            etcd-ca                 no
front-proxy-client         Aug 26, 2022 10:47 UTC   364d            front-proxy-ca          no
scheduler.conf             Aug 26, 2022 10:47 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 23, 2030 07:00 UTC   8y              no
etcd-ca                 Aug 23, 2030 07:00 UTC   8y              no
front-proxy-ca          Aug 23, 2030 07:00 UTC   8y              no

[root@kubernetes pki]# for i in $(ls *.crt); do echo "===== $i ====="; openssl x509 -in $i -text -noout | grep -A 3 'Validity' ; done
===== apiserver.crt =====
        Validity
            Not Before: Aug 25 07:00:38 2020 GMT
            Not After : Aug 25 07:00:38 2021 GMT
        Subject: CN=kube-apiserver
===== apiserver-etcd-client.crt =====
        Validity
            Not Before: Aug 25 07:00:39 2020 GMT
            Not After : Aug 25 07:00:40 2021 GMT
        Subject: O=system:masters, CN=kube-apiserver-etcd-client
===== apiserver-kubelet-client.crt =====
        Validity
            Not Before: Aug 25 07:00:38 2020 GMT
            Not After : Aug 25 07:00:39 2021 GMT
        Subject: O=system:masters, CN=kube-apiserver-kubelet-client
===== ca.crt =====
        Validity
            Not Before: Aug 25 07:00:38 2020 GMT
            Not After : Aug 23 07:00:38 2030 GMT
        Subject: CN=kubernetes
===== front-proxy-ca.crt =====
        Validity
            Not Before: Aug 25 07:00:39 2020 GMT
            Not After : Aug 23 07:00:39 2030 GMT
        Subject: CN=front-proxy-ca
===== front-proxy-client.crt =====
        Validity
            Not Before: Aug 25 07:00:39 2020 GMT
            Not After : Aug 25 07:00:39 2021 GMT
        Subject: CN=front-proxy-client

  After a year of running it looks like this:

  If every service keeps running normally, the problem is not serious: it is only the kubectl client that can no longer connect, for example:

  But if a key service such as etcd is restarted, the certificate has already expired by then and no longer works. etcd fails to start, which in turn means kube-apiserver cannot start either; the whole cluster collapses, and business workloads may stop running as well.

  etcd error message:

  kube-apiserver error messages:

  1. transport: authentication handshake failed: remote error: tls: bad certificate
  2. error "tls: failed to verify client's certificate: x509: certificate has expired or is not yet valid", ServerName ""
  3. error "remote error: tls: bad certificate", ServerName ""
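Rather than reading the check-expiration table by eye once a year, a defender wants this check automated and alerting well before the outage described above. The following Go program is an added example written for this page; it is not part of the original post and not a kubeadm feature. It parses the `kubeadm certs check-expiration` output shown earlier (embedded here as a constructed copy of that output rather than read from a live cluster), handles both the certificate table and the CA table, and lists every certificate with less than a configurable amount of validity left. The 30-day window and the fixed "today" are assumptions for the demonstration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// CertRow is one data line of a `kubeadm certs check-expiration` table.
type CertRow struct {
	Name      string
	Expires   time.Time
	Authority string // empty for kubeconfig entries and for rows of the CA table
	External  bool   // the EXTERNALLY MANAGED column
}

// rowRe matches data rows of both tables: name, expiry, residual time,
// an optional CERTIFICATE AUTHORITY column, and the yes/no flag.
var rowRe = regexp.MustCompile(`^(\S+)\s+([A-Z][a-z]{2} \d{2}, \d{4} \d{2}:\d{2} UTC)\s+\d+[a-z]+\s+(?:(\S+)\s+)?(yes|no)\s*$`)

// ParseCheckExpiration extracts certificate rows from check-expiration output,
// skipping the "[check-expiration] ..." chatter, headers and blank lines.
func ParseCheckExpiration(output string) ([]CertRow, error) {
	var rows []CertRow
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		m := rowRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		exp, err := time.Parse("Jan 02, 2006 15:04 MST", m[2])
		if err != nil {
			return nil, fmt.Errorf("line %q: %w", sc.Text(), err)
		}
		rows = append(rows, CertRow{Name: m[1], Expires: exp, Authority: m[3], External: m[4] == "yes"})
	}
	return rows, sc.Err()
}

// ExpiringWithin returns the names of certificates (CAs included) whose
// remaining validity at `now` is shorter than `window`.
func ExpiringWithin(rows []CertRow, now time.Time, window time.Duration) []string {
	var names []string
	for _, r := range rows {
		if r.Expires.Sub(now) < window {
			names = append(names, r.Name)
		}
	}
	return names
}

// sampleOutput is a constructed copy of the check-expiration output shown on this page.
const sampleOutput = `[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 27, 2022 03:11 UTC   364d                                    no
apiserver                  Aug 27, 2022 01:44 UTC   364d            ca                      no
apiserver-etcd-client      Aug 27, 2022 01:44 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Aug 27, 2022 01:44 UTC   364d            ca                      no
controller-manager.conf    Aug 27, 2022 03:11 UTC   364d                                    no
etcd-healthcheck-client    Aug 27, 2022 01:44 UTC   364d            etcd-ca                 no
etcd-peer                  Aug 27, 2022 01:44 UTC   364d            etcd-ca                 no
etcd-server                Aug 27, 2022 01:44 UTC   364d            etcd-ca                 no
front-proxy-client         Aug 27, 2022 01:44 UTC   364d            front-proxy-ca          no
scheduler.conf             Aug 27, 2022 03:11 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 23, 2030 07:00 UTC   8y              no
etcd-ca                 Aug 23, 2030 07:00 UTC   8y              no
front-proxy-ca          Aug 23, 2030 07:00 UTC   8y              no
`

func main() {
	rows, err := ParseCheckExpiration(sampleOutput)
	if err != nil {
		panic(err)
	}
	// Assumed "today": 26 days before the leaf certificates expire.
	now := time.Date(2022, 8, 1, 0, 0, 0, 0, time.UTC)
	for _, name := range ExpiringWithin(rows, now, 30*24*time.Hour) {
		fmt.Println("expiring within 30 days:", name)
	}
}
```

In practice the output would come from running `kubeadm certs check-expiration` on each control-plane node (every node has its own copy of the certificates) and the result would be fed to whatever alerting the cluster already uses; the parser is deliberately tolerant of the chatter lines so it can consume the raw command output.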

Generating new certificates

  kubeadm alpha certs renew: the all subcommand renews all Kubernetes certificates, or individual certificates can be renewed selectively. See the reference. For more details, see Manual certificate renewal.

# See what subcommands the certs command offers
[root@kubernetes ~]# kubeadm alpha certs -h
Commands related to handling kubernetes certificates

Usage:
  kubeadm alpha certs [command]

Aliases:
  certs, certificates

Available Commands:
  certificate-key  Generate certificate keys
  check-expiration Check certificates expiration for a Kubernetes cluster
  renew            Renew certificates for a Kubernetes cluster

Flags:
  -h, --help   help for certs

Global Flags:
      --add-dir-header           If true, adds the file directory to the header
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm alpha certs [command] --help" for more information about a command.
  • renew: Renew certificates for a Kubernetes cluster (renews the cluster's certificates; note that this does not include the CA root certificates).

  The command to use is renew, which regenerates the cluster certificates.

# See what subcommands the renew command offers
[root@kubernetes etc]# kubeadm alpha certs renew -h
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm alpha certs renew [flags]
  kubeadm alpha certs renew [command]

Available Commands:
  admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                      Renew all available certificates
  apiserver                Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
  controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                Renew the certificate for etcd nodes to communicate with each other
  etcd-server              Renew the certificate for serving etcd
  front-proxy-client       Renew the certificate for the front proxy client
  scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

Flags:
  -h, --help   help for renew

Global Flags:
      --add-dir-header           If true, adds the file directory to the header
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm alpha certs renew [command] --help" for more information about a command.
  • all: renew all available certificates; normally this is the one to use to renew everything.
  • apiserver: renew only the certificate for serving the Kubernetes API, i.e. regenerate for a single component.
  • apiserver-etcd-client: renew the certificate the apiserver uses to access etcd.
  • The others are similar.

  Back up the data before generating new certificates:

[root@kubernetes etc]# cp -rp /etc/kubernetes /etc/kubernetes.bak
[root@kubernetes etc]# cp -rp /var/lib/etcd /var/lib/etcd.bak

  Generate the new certificates:

[root@kubernetes etc]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

  All certificates have now been regenerated under /etc/kubernetes/pki. /etc/kubernetes/admin.conf, /etc/kubernetes/controller-manager.conf and /etc/kubernetes/scheduler.conf have been updated as well.

Warning: if you run an HA cluster, this command must be executed on all control-plane nodes.

Note: certs renew uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SANs, etc.) rather than the kubeadm-config ConfigMap. It is strongly recommended to keep them in sync.

  Checking the certificate expiry again shows they have been extended by one year:

[root@kubernetes pki]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 27, 2022 03:11 UTC   364d                                    no
apiserver                  Aug 27, 2022 01:44 UTC   364d            ca                      no
apiserver-etcd-client      Aug 27, 2022 01:44 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Aug 27, 2022 01:44 UTC   364d            ca                      no
controller-manager.conf    Aug 27, 2022 03:11 UTC   364d                                    no
etcd-healthcheck-client    Aug 27, 2022 01:44 UTC   364d            etcd-ca                 no
etcd-peer                  Aug 27, 2022 01:44 UTC   364d            etcd-ca                 no
etcd-server                Aug 27, 2022 01:44 UTC   364d            etcd-ca                 no
front-proxy-client         Aug 27, 2022 01:44 UTC   364d            front-proxy-ca          no
scheduler.conf             Aug 27, 2022 03:11 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 23, 2030 07:00 UTC   8y              no
etcd-ca                 Aug 23, 2030 07:00 UTC   8y              no
front-proxy-ca          Aug 23, 2030 07:00 UTC   8y              no

  If the container runtime is Docker, restart the services that use the certificates with the following command so that the new certificates take effect:

docker ps | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' | xargs docker restart

  The only file that is not updated is /etc/kubernetes/kubelet.conf, because kubeadm configures the kubelet to rotate its certificates automatically. The rotated certificates live in /var/lib/kubelet/pki. To repair an expired kubelet client certificate, see "kubelet client certificate rotation fails". When the signed certificate is about to expire, the kubelet automatically issues a new certificate signing request through the Kubernetes API. The request is made at a random point while between 30% and 10% of the certificate's validity remains. Likewise, the controller manager automatically approves the request and attaches the signed certificate to the CSR. The kubelet retrieves the signed certificate from the Kubernetes API and writes it to disk, then refreshes its connection to the Kubernetes API, reconnecting with the new certificate.

Warning

On nodes created with kubeadm init, kubeadm before version 1.17 had a defect that required you to edit /etc/kubernetes/kubelet.conf by hand. After kubeadm init finishes, you must update kubelet.conf, replacing client-certificate-data and client-key-data with the following so that the rotated kubelet client certificate is used:

client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
client-key: /var/lib/kubelet/pki/kubelet-client-current.pem

  Alternatively, on versions before 1.17 you can rotate the certificate by calling kubeadm init phase kubeconfig kubelet manually: first delete /etc/kubernetes/kubelet.conf, regenerate it with kubeadm init phase kubeconfig kubelet, then restart the kubelet with systemctl restart kubelet.

  • kubeadm init phase kubeconfig: the all subcommand creates all the required kubeconfig files, or they can be created individually. See the reference.

Extending certificates to 99 years

  Both the initial setup and the later certificate renewals are done with the kubeadm tool, so all that is needed is to pull the source, change the certificate lifetime, and build a new kubeadm. Source repository: GitHub is too slow to reach, so a copy was made on Gitee.

Modifying the source

Getting the source

  The environment is 1.18.x, so the 1.18 source is what gets downloaded.

[root@kubernetes ~]# git clone https://gitee.com/lynchj-kubernetes/kubernetes.git
[root@kubernetes ~]# cd kubernetes
[root@kubernetes kubernetes]# git checkout -b release-1.18 origin/release-1.18

CA certificate validity (default 10 years)

[root@kubernetes kubernetes]# vim ./staging/src/k8s.io/client-go/util/cert/cert.go
......
// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		NotBefore: now.UTC(),
		// CA certificate validity
		// NotAfter:              now.Add(duration365d * 10).UTC(),
		NotAfter:              now.Add(duration365d * 100).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}
......

Certificate validity to 99 years (default 1 year)

[root@kubernetes kubernetes]# vim ./cmd/kubeadm/app/constants/constants.go
......
	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	// CertificateValidity = time.Hour * 24 * 365
	CertificateValidity = time.Hour * 24 * 365 * 99
......
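To make the consequence of these two constants concrete, here is an added Go example written for this page; it is not code from the Kubernetes project. It builds a 10-year CA the way client-go's NewSelfSignedCACert does, signs a leaf certificate with the 99-year CertificateValidity, and then runs Go's own chain verification (the same crypto/x509 code the Kubernetes components use) at different instants. The leaf by itself says it is valid until 2119, but the verifier rejects the chain as soon as the CA certificate has expired, because every certificate in the chain, the root included, is checked against the current time. That is why the "renew to 99 years" output later on this page still shows ca, etcd-ca and front-proxy-ca expiring in 2030: certs renew does not reissue the CAs, so 2030 remains the real limit unless the CAs are replaced as well. The ECDSA P-256 keys, subject names and dates are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const duration365d = time.Hour * 24 * 365

// NewCA builds a self-signed CA with the stock 10-year lifetime, mirroring
// client-go's NewSelfSignedCACert (key type and names are assumed).
func NewCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(duration365d * 10).UTC(), // the default in cert.go
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewLeaf signs a serving certificate for the given validity, the role
// CertificateValidity plays in kubeadm. Nothing stops the leaf from
// outliving its issuer at signing time.
func NewLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "kube-apiserver"},
		DNSNames:     []string{"kubernetes"},
		NotBefore:    now.UTC(),
		NotAfter:     now.Add(validity).UTC(),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, ca, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAt performs the chain check a TLS client would do at instant `at`.
func VerifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "kubernetes", CurrentTime: at})
	return err
}

// EffectiveExpiry is the instant after which the leaf stops verifying:
// the earlier of its own NotAfter and its issuer's NotAfter.
func EffectiveExpiry(leaf, ca *x509.Certificate) time.Time {
	if ca.NotAfter.Before(leaf.NotAfter) {
		return ca.NotAfter
	}
	return leaf.NotAfter
}

func main() {
	now := time.Date(2020, 8, 25, 7, 0, 38, 0, time.UTC) // issue time taken from the page's ca.crt
	ca, caKey, err := NewCA(now)
	if err != nil {
		panic(err)
	}
	leaf, err := NewLeaf(ca, caKey, now, duration365d*99) // CertificateValidity = 365d * 99
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf NotAfter:   ", leaf.NotAfter.Format(time.RFC3339))
	fmt.Println("usable until:    ", EffectiveExpiry(leaf, ca).Format(time.RFC3339))
	fmt.Println("verify after 5y: ", VerifyAt(leaf, ca, now.Add(duration365d*5)))
	fmt.Println("verify after 11y:", VerifyAt(leaf, ca, now.Add(duration365d*11)))
}
```

The practical check this suggests is the one EffectiveExpiry performs: whenever leaf certificates are renewed with a longer lifetime, compare their NotAfter against the issuing CA's NotAfter (the second table of check-expiration), and treat the smaller of the two as the date to plan around.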

  The source changes are done; what remains is building the kubeadm executable, which can be done in two ways:

  1. Build with the Docker image provided upstream (recommended).
  2. Prepare the build environment yourself and build locally.

Building with Docker (recommended)

Official documentation

  The build image provided upstream is gcr.io/google-containers/kube-cross; the image version used is recorded in the source tree:

[root@kubernetes kubernetes]# cat ./build/build-image/cross/VERSION
v1.13.15-1

  The 1.18 branch records the cross build image version as v1.13.15-1, but that tag could not be found in the upstream registry; the newest one available was v1.13.6-1.

  So v1.13.6-1 is used here. Without a way around the network restrictions the image may be impossible to pull, so after some workarounds it was pushed to an Alibaba Cloud registry: registry.cn-hangzhou.aliyuncs.com/lynchj-google/kube-cross:v1.13.6-1

[root@kubernetes kubernetes]# docker pull registry.cn-hangzhou.aliyuncs.com/lynchj-google/kube-cross:v1.13.6-1
[root@kubernetes kubernetes]# docker run -it --rm --name kube-cross -v /root/kubernetes:/go/src/k8s registry.cn-hangzhou.aliyuncs.com/lynchj-google/kube-cross:v1.13.6-1 bash
root@620e1e176e9e:/go# cd /go/src/k8s/
root@620e1e176e9e:/go/src/k8s# ls -l
total 184
lrwxrwxrwx.  1 root root    21 Aug 27 07:07 BUILD.bazel -> build/root/BUILD.root
drwxr-xr-x.  2 root root    62 Jun 16 13:49 CHANGELOG
lrwxrwxrwx.  1 root root    19 Aug 27 07:07 CHANGELOG.md -> CHANGELOG/README.md
-rw-r--r--.  1 root root   493 Jun 16 13:49 CONTRIBUTING.md
drwxr-xr-x.  2 root root    36 Jun 16 13:49 Godeps
-rw-r--r--.  1 root root 11358 Jun 16 13:49 LICENSE
lrwxrwxrwx.  1 root root    19 Aug 27 07:07 Makefile -> build/root/Makefile
lrwxrwxrwx.  1 root root    35 Aug 27 07:07 Makefile.generated_files -> build/root/Makefile.generated_files
-rw-r--r--.  1 root root   783 Jun 16 13:49 OWNERS
-rw-r--r--.  1 root root 10058 Jun 16 13:49 OWNERS_ALIASES
-rw-r--r--.  1 root root  3468 Jun 16 13:49 README.md
-rw-r--r--.  1 root root   563 Jun 16 13:49 SECURITY_CONTACTS
-rw-r--r--.  1 root root  1110 Jun 16 13:49 SUPPORT.md
lrwxrwxrwx.  1 root root    20 Aug 27 07:07 WORKSPACE -> build/root/WORKSPACE
drwxr-xr-x.  4 root root    57 Jun 16 13:49 api
drwxr-xr-x.  8 root root  4096 Jun 16 13:49 build
drwxr-xr-x. 11 root root  4096 Jun 16 13:49 cluster
drwxr-xr-x. 23 root root  4096 Jun 16 13:49 cmd
-rw-r--r--.  1 root root   148 Jun 16 13:49 code-of-conduct.md
drwxr-xr-x.  2 root root    51 Jun 16 13:49 docs
-rw-r--r--.  1 root root 39834 Jun 16 13:49 go.mod
-rw-r--r--.  1 root root 62140 Jun 16 13:49 go.sum
drwxr-xr-x. 11 root root  4096 Jun 16 13:49 hack
drwxr-xr-x.  2 root root  4096 Jun 16 13:49 logo
drwxr-xr-x. 33 root root  4096 Jun 16 13:49 pkg
drwxr-xr-x.  3 root root    44 Jun 16 13:49 plugin
drwxr-xr-x.  4 root root   106 Jun 16 13:49 staging
drwxr-xr-x. 17 root root   263 Jun 16 13:49 test
drwxr-xr-x.  7 root root   134 Jun 16 13:49 third_party
drwxr-xr-x.  4 root root    95 Jun 16 13:49 translations
drwxr-xr-x. 18 root root  4096 Jun 16 13:49 vendor
root@620e1e176e9e:/go/src/k8s# make all WHAT=cmd/kubeadm GOFLAGS=-v
# build kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v
# build kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v

Note: when Docker is run on Windows, the -v option does mount the directory into the container, but the Makefile symlinks inside the directory stop working, and the build fails with:

Makefile:1: *** missing separator.  Stop.

Start the container without the mount and clone the repository inside the container instead.

  After the build finishes there is a new _output directory; replace the old kubeadm with the new one:

root@aefcb94d4fb3:/go/src/k8s# ls _output/local/bin/linux/amd64/
conversion-gen  deepcopy-gen  defaulter-gen  go2make  go-bindata  kubeadm  openapi-gen
# leave the container
root@aefcb94d4fb3:/go/src/k8s# exit
exit
# replace the old kubeadm
[root@kubernetes kubernetes]# mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
[root@kubernetes kubernetes]# cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm

Building locally

Official documentation

[root@kubernetes kubernetes]# yum -y install gcc make rsync jq

  Install and configure the matching Go version:

[root@kubernetes ~]# wget https://dl.google.com/go/go1.13.15.linux-amd64.tar.gz
[root@kubernetes ~]# tar -xzvf go1.13.15.linux-amd64.tar.gz -C /usr/local
[root@kubernetes ~]# vim /etc/profile
......
# append at the end of the file
# Golang
export GOROOT=/usr/local/go
# Path
export PATH=$PATH:$GOROOT/bin
......
[root@kubernetes ~]# source /etc/profile
[root@kubernetes ~]# go version
go version go1.13.15 linux/amd64
# build
[root@kubernetes ~]# cd kubernetes
[root@kubernetes kubernetes]# make all WHAT=cmd/kubeadm GOFLAGS=-v
# replace the old kubeadm the same way as with the Docker build

Renewing certificates to 99 years

# Check beforehand
[root@kubernetes kubernetes]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 27, 2022 03:11 UTC   364d                                    no
apiserver                  Aug 27, 2022 01:44 UTC   364d            ca                      no
apiserver-etcd-client      Aug 27, 2022 01:44 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Aug 27, 2022 01:44 UTC   364d            ca                      no
controller-manager.conf    Aug 27, 2022 03:11 UTC   364d                                    no
etcd-healthcheck-client    Aug 27, 2022 01:44 UTC   364d            etcd-ca                 no
etcd-peer                  Aug 27, 2022 01:44 UTC   364d            etcd-ca                 no
etcd-server                Aug 27, 2022 01:44 UTC   364d            etcd-ca                 no
front-proxy-client         Aug 27, 2022 01:44 UTC   364d            front-proxy-ca          no
scheduler.conf             Aug 27, 2022 03:11 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 23, 2030 07:00 UTC   8y              no
etcd-ca                 Aug 23, 2030 07:00 UTC   8y              no
front-proxy-ca          Aug 23, 2030 07:00 UTC   8y              no

# Renew to 99 years
[root@kubernetes kubernetes]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

# Check again
[root@kubernetes kubernetes]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 03, 2120 08:20 UTC   98y                                     no
apiserver                  Aug 03, 2120 08:20 UTC   98y             ca                      no
apiserver-etcd-client      Aug 03, 2120 08:20 UTC   98y             etcd-ca                 no
apiserver-kubelet-client   Aug 03, 2120 08:20 UTC   98y             ca                      no
controller-manager.conf    Aug 03, 2120 08:20 UTC   98y                                     no
etcd-healthcheck-client    Aug 03, 2120 08:20 UTC   98y             etcd-ca                 no
etcd-peer                  Aug 03, 2120 08:20 UTC   98y             etcd-ca                 no
etcd-server                Aug 03, 2120 08:20 UTC   98y             etcd-ca                 no
front-proxy-client         Aug 03, 2120 08:20 UTC   98y             front-proxy-ca          no
scheduler.conf             Aug 03, 2120 08:20 UTC   98y                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 23, 2030 07:00 UTC   8y              no
etcd-ca                 Aug 23, 2030 07:00 UTC   8y              no
front-proxy-ca          Aug 23, 2030 07:00 UTC   8y              no

Finally, don't forget to restart the four containers: kube-apiserver, kube-controller-manager, kube-scheduler and etcd.
