1. Check certificate expiration

kubeadm certs check-expiration

1.1. The output looks like this

[root@master pki]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 15, 2023 12:07 UTC   335d            ca                      no
apiserver                  Mar 15, 2023 12:07 UTC   335d            ca                      no
apiserver-etcd-client      Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
apiserver-kubelet-client   Mar 15, 2023 12:07 UTC   335d            ca                      no
controller-manager.conf    Mar 15, 2023 12:07 UTC   335d            ca                      no
etcd-healthcheck-client    Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
etcd-peer                  Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
etcd-server                Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
front-proxy-client         Mar 15, 2023 12:07 UTC   335d            front-proxy-ca          no
scheduler.conf             Mar 15, 2023 12:07 UTC   335d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 12, 2032 12:07 UTC   9y              no
etcd-ca                 Mar 12, 2032 12:07 UTC   9y              no
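front-proxy-ca          Mar 12, 2032 12:07 UTC   9y              no

This command shows the expiration/remaining time of all certificates, including the client certificates in the /etc/kubernetes/pki directory and the client certificates that kubeadm embeds in the KUBECONFIG files (admin.conf, controller-manager.conf and scheduler.conf).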
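
The RESIDUAL TIME column above can be checked automatically, for example from a scheduled job. The following is an added example, not part of the original post: it parses check-expiration output and lists every certificate with fewer than a given number of days left. The function names, the sample rows marked as constructed, and the treatment of <invalid> as an already expired certificate are assumptions.

```shell
#!/usr/bin/env bash
# residual_to_days TOKEN: convert a RESIDUAL TIME token (335d, 9y, 1y200d, 23h)
# to whole days. "<invalid>" is assumed to mark an expired certificate (-1).
residual_to_days() {
  awk -v r="$1" 'BEGIN {
    if (r == "<invalid>") { print "-1"; exit }
    days = 0
    while (match(r, /^[0-9]+[ydhms]/)) {
      n = substr(r, 1, RLENGTH - 1) + 0
      u = substr(r, RLENGTH, 1)
      if (u == "y") days += n * 365
      else if (u == "d") days += n
      # h, m and s are less than a day and add nothing to the whole-day count
      r = substr(r, RLENGTH + 1)
    }
    print days
  }'
}

# expiring_certs THRESHOLD_DAYS: read check-expiration output on stdin and
# print "name days" for each row with fewer than THRESHOLD_DAYS days left.
expiring_certs() {
  local threshold="$1" name residual days
  # Data rows read: NAME  Mon DD, YYYY HH:MM UTC  RESIDUAL ...
  # so field 6 is "UTC" and field 7 is the residual time; headers never match.
  awk '$6 == "UTC" { print $1, $7 }' | while read -r name residual; do
    days="$(residual_to_days "$residual")"
    if [ "$days" -lt "$threshold" ]; then echo "$name $days"; fi
  done
}

# Constructed sample: admin.conf and ca rows as on this page, the
# apiserver and etcd-server rows invented to exercise the check.
sample_output() {
  cat <<'EOF'
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 15, 2023 12:07 UTC   335d            ca                      no
apiserver                  Apr 26, 2022 12:07 UTC   12d             ca                      no
etcd-server                Apr 01, 2022 12:07 UTC   <invalid>       etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 12, 2032 12:07 UTC   9y              no
EOF
}

sample_output | expiring_certs 30
```

On a control-plane node the same function reads live data with: kubeadm certs check-expiration | expiring_certs 30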

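2. Renew certificates manually
You can renew certificates manually at any time with the kubeadm certs renew command. It uses the CA (or front-proxy-CA) certificate and key stored in /etc/kubernetes/pki to issue the renewed certificates.
2.1. View the kubeadm certs renew help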

[root@master pki]# kubeadm certs renew -h
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm certs renew [flags]
  kubeadm certs renew [command]

Available Commands:
  admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                      Renew all available certificates
  apiserver                Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
  controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                Renew the certificate for etcd nodes to communicate with each other
  etcd-server              Renew the certificate for serving etcd
  front-proxy-client       Renew the certificate for the front proxy client
  scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

Flags:
  -h, --help   help for renew

Global Flags:
      --add-dir-header           If true, adds the file directory to the header of the log messages
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm certs renew [command] --help" for more information about a command.

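Note: as the help output shows, naming a specific certificate renews only that certificate, while all renews every certificate.

2.2. Points to note after running the command:

  • Renewal is unconditional: whatever the certificate's current expiration date, it is extended for one year.
  • SANs and other attributes are taken from the existing certificate, so they do not need to be supplied again.
  • After renew runs, the components must be restarted for the change to take effect.

Note: the kubeadm certs command is only supported on v1.15 and later.
2.3. Renew all certificates manually
2.3.1. Back up the original files and run the renewal command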

[root@master ~]# cp -r /etc/kubernetes /etc/kubernetes.bak
[root@master ~]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so tha

2.4. Inspect the new certificate files

[root@master ~]# ll /etc/kubernetes
总用量 36
-rw-------. 1 root root 5639 4月  14 14:48 admin.conf
-rw-------. 1 root root 5671 4月  14 14:48 controller-manager.conf
-rw-------. 1 root root 1963 3月  15 20:07 kubelet.conf
drwxr-xr-x. 2 root root  113 3月  22 10:24 manifests
drwxr-xr-x. 3 root root 4096 3月  15 20:07 pki
drwxr-xr-x. 3 root root 4096 4月  14 14:37 pki.old
-rw-------. 1 root root 5619 4月  14 14:48 scheduler.conf
[root@master ~]# ll /etc/kubernetes/pki
总用量 56
-rw-r--r--. 1 root root 1281 4月  14 14:48 apiserver.crt
-rw-r--r--. 1 root root 1155 4月  14 14:48 apiserver-etcd-client.crt
-rw-------. 1 root root 1675 4月  14 14:48 apiserver-etcd-client.key
-rw-------. 1 root root 1675 4月  14 14:48 apiserver.key
-rw-r--r--. 1 root root 1164 4月  14 14:48 apiserver-kubelet-client.crt
-rw-------. 1 root root 1679 4月  14 14:48 apiserver-kubelet-client.key
-rw-r--r--. 1 root root 1099 3月  15 20:07 ca.crt
-rw-------. 1 root root 1679 3月  15 20:07 ca.key
drwxr-xr-x. 2 root root  162 3月  15 20:07 etcd
-rw-r--r--. 1 root root 1115 3月  15 20:07 front-proxy-ca.crt
-rw-------. 1 root root 1679 3月  15 20:07 front-proxy-ca.key
-rw-r--r--. 1 root root 1119 4月  14 14:48 front-proxy-client.crt
-rw-------. 1 root root 1675 4月  14 14:48 front-proxy-client.key
-rw-------. 1 root root 1675 3月  15 20:07 sa.key
-rw-------. 1 root root  451 3月  15 20:07 sa.pub

2.5. Check the certificate validity period again

[root@master ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 14, 2023 06:48 UTC   364d            ca                      no
apiserver                  Apr 14, 2023 06:48 UTC   364d            ca                      no
apiserver-etcd-client      Apr 14, 2023 06:48 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Apr 14, 2023 06:48 UTC   364d            ca                      no
controller-manager.conf    Apr 14, 2023 06:48 UTC   364d            ca                      no
etcd-healthcheck-client    Apr 14, 2023 06:48 UTC   364d            etcd-ca                 no
etcd-peer                  Apr 14, 2023 06:48 UTC   364d            etcd-ca                 no
etcd-server                Apr 14, 2023 06:48 UTC   364d            etcd-ca                 no
front-proxy-client         Apr 14, 2023 06:48 UTC   364d            front-proxy-ca          no
scheduler.conf             Apr 14, 2023 06:48 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 12, 2032 12:07 UTC   9y              no
etcd-ca                 Mar 12, 2032 12:07 UTC   9y              no
front-proxy-ca          Mar 12, 2032 12:07 UTC   9y              no

3. Restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd components for the change to take effect
3.1. Restart method 1:

[root@master ~]# mv /etc/kubernetes/manifests/* /tmp/
// After about 30 seconds the kube-apiserver, kube-controller-manager, kube-scheduler and etcd containers stop; then move the manifest files back:
[root@master ~]# mv /tmp/kube-* /etc/kubernetes/manifests/
[root@master ~]# mv /tmp/etcd.yaml /etc/kubernetes/manifests/

3.2. Restart method 2:

[root@master ~]# kubectl delete pod etcd-master -n kube-system
[root@master ~]# kubectl delete pod kube-apiserver-master -n kube-system
[root@master ~]# kubectl delete pod kube-controller-manager-master -n kube-system
[root@master ~]# kubectl delete pod kube-scheduler-master -n kube-system

4. Update the config file

[root@master ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@master ~]# chown $(id -u):$(id -g) $HOME/.kube/config
