kubeadm certificate renewal (version 1.23.4)
1. Check when the certificates expire
kubeadm certs check-expiration
1.1. The output looks like this
[root@master pki]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 15, 2023 12:07 UTC   335d            ca                      no
apiserver                  Mar 15, 2023 12:07 UTC   335d            ca                      no
apiserver-etcd-client      Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
apiserver-kubelet-client   Mar 15, 2023 12:07 UTC   335d            ca                      no
controller-manager.conf    Mar 15, 2023 12:07 UTC   335d            ca                      no
etcd-healthcheck-client    Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
etcd-peer                  Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
etcd-server                Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
front-proxy-client         Mar 15, 2023 12:07 UTC   335d            front-proxy-ca          no
scheduler.conf             Mar 15, 2023 12:07 UTC   335d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 12, 2032 12:07 UTC   9y              no
etcd-ca                 Mar 12, 2032 12:07 UTC   9y              no
front-proxy-ca          Mar 12, 2032 12:07 UTC   9y              no
The command lists the expiry date and remaining lifetime of every certificate kubeadm manages: the client and server certificates under /etc/kubernetes/pki and the client certificates embedded in the kubeconfig files kubeadm writes (admin.conf, controller-manager.conf and scheduler.conf). kubelet.conf is deliberately absent from the list: kubeadm configures the kubelet for automatic rotation of its own client certificate under /var/lib/kubelet/pki, so it is not part of this renewal.
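Reading the table by eye once a year is how clusters end up with an expired apiserver certificate. The following script is an added example, not part of the original page: it parses the table that kubeadm certs check-expiration prints and exits non-zero when any certificate or CA has less than a given number of days left, so it can be wired into cron or a monitoring agent. The function names, the 30-day threshold and the sample table are my own; the sample is the page's output with two rows altered (one near expiry, one already expired) to show both cases kubeadm can print.

```shell
#!/bin/sh
# Added example, not from the original page: turn the table printed by
# `kubeadm certs check-expiration` into a pass/fail check. Function names,
# the threshold and SAMPLE_TABLE are assumptions/constructed input.

# residual_to_days RESIDUAL: convert kubeadm's RESIDUAL TIME column to whole
# days. kubeadm prints values such as "335d", "9y", "23h", "59m" or
# "<invalid>" for a certificate that has already expired.
residual_to_days() {
  case "$1" in
    *y)       printf '%s\n' "$(( ${1%y} * 365 ))" ;;
    *d)       printf '%s\n' "${1%d}" ;;
    *h|*m|*s) printf '%s\n' 0 ;;
    *)        printf '%s\n' -1 ;;     # "<invalid>" or anything unparseable
  esac
}

# expiring_certs DAYS < table: print every certificate or CA whose residual
# time is below DAYS. Exit 0 when nothing is close to expiry, 1 otherwise.
expiring_certs() {
  threshold=$1
  status=0
  while read -r name mon day year _time _tz residual _rest; do
    case "$name" in
      ''|CERTIFICATE|'['*) continue ;;   # blank, table header, progress lines
    esac
    days=$(residual_to_days "$residual")
    if [ "$days" -lt "$threshold" ]; then
      printf '%s: expires %s %s %s, residual %s\n' "$name" "$mon" "$day" "$year" "$residual"
      status=1
    fi
  done
  return $status
}

# Constructed sample: the page's output with admin.conf moved to 20 days left
# and etcd-peer already expired.
SAMPLE_TABLE=$(cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 04, 2022 12:07 UTC   20d             ca                      no
apiserver                  Mar 15, 2023 12:07 UTC   335d            ca                      no
apiserver-etcd-client      Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
apiserver-kubelet-client   Mar 15, 2023 12:07 UTC   335d            ca                      no
controller-manager.conf    Mar 15, 2023 12:07 UTC   335d            ca                      no
etcd-healthcheck-client    Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
etcd-peer                  Mar 15, 2022 12:07 UTC   <invalid>       etcd-ca                 no
etcd-server                Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
front-proxy-client         Mar 15, 2023 12:07 UTC   335d            front-proxy-ca          no
scheduler.conf             Mar 15, 2023 12:07 UTC   335d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 12, 2032 12:07 UTC   9y              no
etcd-ca                 Mar 12, 2032 12:07 UTC   9y              no
front-proxy-ca          Mar 12, 2032 12:07 UTC   9y              no
EOF
)

# Demo on the constructed sample. On a control-plane node run instead:
#   kubeadm certs check-expiration | expiring_certs 30
printf '%s\n' "$SAMPLE_TABLE" | expiring_certs 30 || echo "exit status $?: renewal needed"
```

The CA rows are included on purpose: a 9y CA is fine today, but the same check will start failing a month before the CA expires, which is the one case kubeadm certs renew cannot fix.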
2. Renewing certificates manually
Certificates can be renewed by hand at any time with the kubeadm certs renew command. It signs the new certificates with the CA (or front-proxy CA) certificate and key stored in /etc/kubernetes/pki, so the CA key files must be present on the node where it runs; it does nothing for certificates marked as externally managed.
2.1. Help for kubeadm certs renew
[root@master pki]# kubeadm certs renew -h
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm certs renew [flags]
  kubeadm certs renew [command]

Available Commands:
  admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                      Renew all available certificates
  apiserver                Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
  controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                Renew the certificate for etcd nodes to communicate with each other
  etcd-server              Renew the certificate for serving etcd
  front-proxy-client       Renew the certificate for the front proxy client
  scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

Flags:
  -h, --help   help for renew

Global Flags:
      --add-dir-header           If true, adds the file directory to the header of the log messages
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm certs renew [command] --help" for more information about a command.
Note: as the help shows, naming one certificate renews just that certificate; all renews every certificate in the list.
2.2. What to keep in mind after running the command
- The certificate is renewed unconditionally for one year, regardless of how long it had left.
- The SANs and other attributes are copied from the existing certificate, so nothing has to be supplied again.
- The renewal only rewrites files; each component must be restarted before it uses the new certificate.
- The three CAs (ca, etcd-ca, front-proxy-ca) are not renewed by this command, and kubelet.conf is not touched either; the kubelet rotates its own client certificate under /var/lib/kubelet/pki.
- On a cluster with more than one control-plane node, run the renewal (and the restart) on every control-plane node.
Note: kubeadm certs exists as a top-level command from v1.20; from v1.15 to v1.19 the same subcommands are available as kubeadm alpha certs.
2.3. Renewing all certificates by hand
2.3.1. Back up the existing files, then run the renewal
[root@master ~]# cp -r /etc/kubernetes /etc/kubernetes.bak
[root@master ~]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so tha
The backup contains the CA private keys and the service-account signing key (sa.key), so treat /etc/kubernetes.bak exactly like /etc/kubernetes/pki: root-only, and deleted once the cluster has been confirmed healthy with the new certificates.
2.4. Look at the new certificate files
[root@master ~]# ll /etc/kubernetes
total 36
-rw-------. 1 root root 5639 Apr 14 14:48 admin.conf
-rw-------. 1 root root 5671 Apr 14 14:48 controller-manager.conf
-rw-------. 1 root root 1963 Mar 15 20:07 kubelet.conf
drwxr-xr-x. 2 root root  113 Mar 22 10:24 manifests
drwxr-xr-x. 3 root root 4096 Mar 15 20:07 pki
drwxr-xr-x. 3 root root 4096 Apr 14 14:37 pki.old
-rw-------. 1 root root 5619 Apr 14 14:48 scheduler.conf
[root@master ~]# ll /etc/kubernetes/pki
total 56
-rw-r--r--. 1 root root 1281 Apr 14 14:48 apiserver.crt
-rw-r--r--. 1 root root 1155 Apr 14 14:48 apiserver-etcd-client.crt
-rw-------. 1 root root 1675 Apr 14 14:48 apiserver-etcd-client.key
-rw-------. 1 root root 1675 Apr 14 14:48 apiserver.key
-rw-r--r--. 1 root root 1164 Apr 14 14:48 apiserver-kubelet-client.crt
-rw-------. 1 root root 1679 Apr 14 14:48 apiserver-kubelet-client.key
-rw-r--r--. 1 root root 1099 Mar 15 20:07 ca.crt
-rw-------. 1 root root 1679 Mar 15 20:07 ca.key
drwxr-xr-x. 2 root root  162 Mar 15 20:07 etcd
-rw-r--r--. 1 root root 1115 Mar 15 20:07 front-proxy-ca.crt
-rw-------. 1 root root 1679 Mar 15 20:07 front-proxy-ca.key
-rw-r--r--. 1 root root 1119 Apr 14 14:48 front-proxy-client.crt
-rw-------. 1 root root 1675 Apr 14 14:48 front-proxy-client.key
-rw-------. 1 root root 1675 Mar 15 20:07 sa.key
-rw-------. 1 root root  451 Mar 15 20:07 sa.pub
Only the leaf certificates and their keys carry the renewal timestamp (Apr 14 14:48). ca.crt/ca.key, front-proxy-ca.*, sa.key/sa.pub and kubelet.conf keep the date the cluster was created, which is expected: CAs and the service-account signing key are not part of a renewal. The etcd certificates live in /etc/kubernetes/pki/etcd and are not shown above; check that directory as well. Private keys stay mode 0600 and the .crt files 0644, as before.
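A timestamp only says that a file was rewritten. The script below is an added example (not from the original page) that inspects the renewed files with openssl: for each leaf certificate it checks that it still chains to the CA that is supposed to have signed it, that it matches its private key, and prints notAfter and the SANs, which a renewal must preserve. The issuer table is the CERTIFICATE AUTHORITY column of kubeadm certs check-expiration; the function names are mine, and the demo tree at the bottom is constructed so the script can run away from a cluster. It assumes openssl on PATH.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl on PATH; the
# function names are assumptions, and make_demo_pki builds constructed
# sample material rather than using real cluster files.

# issuing_ca NAME: the CA expected to have signed NAME (name relative to pki/).
issuing_ca() {
  case "$1" in
    apiserver|apiserver-kubelet-client)                                  echo ca ;;
    apiserver-etcd-client|etcd/server|etcd/peer|etcd/healthcheck-client) echo etcd-ca ;;
    front-proxy-client)                                                  echo front-proxy-ca ;;
    *) echo "unknown certificate name: $1" >&2; return 1 ;;
  esac
}

# ca_file PKI CA: where kubeadm keeps that CA certificate under PKI.
ca_file() {
  case "$2" in
    ca)             echo "$1/ca.crt" ;;
    etcd-ca)        echo "$1/etcd/ca.crt" ;;
    front-proxy-ca) echo "$1/front-proxy-ca.crt" ;;
  esac
}

# check_leaf PKI NAME: exit 1 (reason on stderr) if PKI/NAME.crt does not
# chain to its expected CA or does not match PKI/NAME.key; otherwise print
# the notAfter line and the SAN line.
check_leaf() {
  crt="$1/$2.crt"; key="$1/$2.key"
  ca_name=$(issuing_ca "$2") || return 1
  ca=$(ca_file "$1" "$ca_name")
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "$2: does not chain to $ca" >&2; return 1; }
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "$2: private key does not match certificate" >&2; return 1; }
  printf '%-26s %s\n' "$2" "$(openssl x509 -in "$crt" -noout -enddate)"
  openssl x509 -in "$crt" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# make_demo_pki DIR: constructed sample tree with two CAs and two leaves.
# front-proxy-client is deliberately signed by the wrong CA (ca instead of
# front-proxy-ca) so the check has a mis-issued certificate to catch.
make_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.cnf"
  printf 'subjectAltName=DNS:kubernetes,DNS:kubernetes.default,IP:10.96.0.1\n' > "$1/san.cnf"
  for ca in ca front-proxy-ca; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$ca.key"
    openssl req -new -key "$1/$ca.key" -subj "/CN=$ca" -out "$1/$ca.csr" 2>/dev/null
    openssl x509 -req -in "$1/$ca.csr" -signkey "$1/$ca.key" -days 1 \
      -extfile "$1/ca.cnf" -out "$1/$ca.crt" 2>/dev/null
  done
  for leaf in apiserver front-proxy-client; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$leaf.key"
    openssl req -new -key "$1/$leaf.key" -subj "/CN=$leaf" -out "$1/$leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/$leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
      -days 1 -extfile "$1/san.cnf" -out "$1/$leaf.crt" 2>/dev/null
  done
}

# Demo on the constructed tree. On a control-plane node run instead:
#   for n in apiserver apiserver-kubelet-client apiserver-etcd-client front-proxy-client \
#            etcd/server etcd/peer etcd/healthcheck-client; do check_leaf /etc/kubernetes/pki "$n"; done
if command -v openssl >/dev/null 2>&1; then
  demo=$(mktemp -d)
  make_demo_pki "$demo"
  check_leaf "$demo" apiserver                      # ok: prints notAfter and the SANs
  check_leaf "$demo" front-proxy-client || echo "mis-issued demo certificate caught"
  rm -rf "$demo"
fi
```

Run it against /etc/kubernetes/pki before the restart in section 3: a leaf that no longer chains to its CA, or a key/certificate mismatch, is cheaper to find here than as a control plane that will not come back up.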
2.5. Check the validity periods again
[root@master ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 14, 2023 06:48 UTC   364d            ca                      no
apiserver                  Apr 14, 2023 06:48 UTC   364d            ca                      no
apiserver-etcd-client      Apr 14, 2023 06:48 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Apr 14, 2023 06:48 UTC   364d            ca                      no
controller-manager.conf    Apr 14, 2023 06:48 UTC   364d            ca                      no
etcd-healthcheck-client    Apr 14, 2023 06:48 UTC   364d            etcd-ca                 no
etcd-peer                  Apr 14, 2023 06:48 UTC   364d            etcd-ca                 no
etcd-server                Apr 14, 2023 06:48 UTC   364d            etcd-ca                 no
front-proxy-client         Apr 14, 2023 06:48 UTC   364d            front-proxy-ca          no
scheduler.conf             Apr 14, 2023 06:48 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 12, 2032 12:07 UTC   9y              no
etcd-ca                 Mar 12, 2032 12:07 UTC   9y              no
front-proxy-ca          Mar 12, 2032 12:07 UTC   9y              no
Every leaf certificate now expires one year from the moment of renewal; the CA rows are unchanged.
3. Restart kube-apiserver, kube-controller-manager, kube-scheduler and etcd so the change takes effect
The renewal only replaced files on disk; the running processes still hold the old certificates in memory until they are restarted.
3.1. Restart method 1: move the static Pod manifests out and back
[root@master ~]# mv /etc/kubernetes/manifests/* /tmp/
// After about 30 seconds the kube-apiserver, kube-controller-manager, kube-scheduler and etcd containers stop; then move the manifests back:
[root@master ~]# mv /tmp/kube-* /etc/kubernetes/manifests/
[root@master ~]# mv /tmp/etcd.yaml /etc/kubernetes/manifests/
Moving everything out of the manifests directory also stops any other static Pods kept there (for example a keepalived or haproxy Pod on an HA control plane); move only the four control-plane manifests if that matters.
3.2. Restart method 2: delete the Pods with kubectl
[root@master ~]# kubectl delete pod etcd-master -n kube-system
[root@master ~]# kubectl delete pod kube-apiserver-master -n kube-system
[root@master ~]# kubectl delete pod kube-controller-manager-master -n kube-system
[root@master ~]# kubectl delete pod kube-scheduler-master -n kube-system
Note: these four are static Pods managed by the node's kubelet, not by the API server; the Pod objects kubectl shows are mirror Pods, which the kubelet simply recreates when they are deleted. The kubeadm documentation therefore states that kubectl cannot be used to delete and restart them and recommends method 1. Whichever method you use, confirm afterwards that the API server actually presents the renewed certificate (for example by connecting to port 6443 with openssl s_client and comparing notAfter with the new expiry), rather than relying on the Pod's age.
4. Update the kubeconfig file
[root@master ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@master ~]# chown $(id -u):$(id -g) $HOME/.kube/config
admin.conf embeds a client certificate, so every copy that was handed out (other administrators' ~/.kube/config, CI runners, bastion hosts) has to be replaced the same way before the old one expires. Note that Kubernetes does not revoke client certificates: the previous admin.conf keeps its cluster-admin access until its original expiry date, which is a reason to keep distribution of this file tight in the first place.
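Sections 2.3 to 4 are one procedure, and the gap that matters for safety is between "files renewed" and "processes actually serving the new certificate". The script below is an added example, not from the original page, that runs the whole sequence (back up, renew, restart the four static control-plane Pods by moving their manifests out and back, refresh ~/.kube/config) and reads the certificate the API server presents on port 6443 before and after, so a restart that silently did not happen is caught. It assumes a single kubeadm control-plane node, the API server on 127.0.0.1:6443, openssl and curl on PATH, and running as root; the function names and the scratch directory are mine. Nothing is executed unless RENEW_RUN=1 is set, so the file can also be sourced for its helpers.

```shell
#!/bin/sh
# Added example, not from the original page. Assumptions: single control-plane
# node, API server on 127.0.0.1:6443, openssl and curl available, run as root.
# Nothing runs unless RENEW_RUN=1 is set.
set -eu

MANIFESTS=/etc/kubernetes/manifests
STASH=/tmp/k8s-manifests.$$        # scratch location for the manifests (assumed)
CONTROL_PLANE="kube-apiserver kube-controller-manager kube-scheduler etcd"

# wait_for SECONDS CMD...: poll CMD once a second; succeed as soon as it
# does, fail after SECONDS.
wait_for() {
  limit=$1; shift
  n=0
  while [ "$n" -lt "$limit" ]; do
    if "$@" >/dev/null 2>&1; then return 0; fi
    n=$((n + 1))
    sleep 1
  done
  return 1
}

apiserver_up()   { curl -sk --max-time 2 https://127.0.0.1:6443/healthz | grep -q '^ok$'; }
apiserver_down() { ! apiserver_up; }

# served_cert_notafter: notAfter of the certificate the API server serves on
# 6443. This is what clients see; a fresh file on disk proves nothing.
served_cert_notafter() {
  openssl s_client -connect 127.0.0.1:6443 </dev/null 2>/dev/null | openssl x509 -noout -enddate
}

# restart_control_plane: the page's "method 1", but moving only the four
# control-plane manifests so other static Pods in the directory keep running,
# and waiting on the API server instead of sleeping a fixed time. If a wait
# times out the script aborts with the manifests still in $STASH.
restart_control_plane() {
  mkdir -p "$STASH"
  for m in $CONTROL_PLANE; do mv "$MANIFESTS/$m.yaml" "$STASH/"; done
  wait_for 60 apiserver_down
  for m in $CONTROL_PLANE; do mv "$STASH/$m.yaml" "$MANIFESTS/"; done
  wait_for 180 apiserver_up
}

main() {
  stamp=$(date +%Y%m%d-%H%M%S)
  cp -a /etc/kubernetes "/etc/kubernetes.bak-$stamp"   # -a keeps the 0600 modes on the keys
  echo "served before renewal: $(served_cert_notafter)"
  kubeadm certs renew all
  restart_control_plane
  echo "served after renewal:  $(served_cert_notafter)"  # must show the new date
  kubeadm certs check-expiration
  # Replace the admin kubeconfig in use. The old copy is not revoked and stays
  # valid until its original expiry, so track down every other copy as well.
  mkdir -p "$HOME/.kube"
  install -m 0600 /etc/kubernetes/admin.conf "$HOME/.kube/config"
  kubectl get nodes
}

if [ "${RENEW_RUN:-0}" = 1 ]; then main; fi
```

Run as RENEW_RUN=1 sh renew-certs.sh on the control-plane node. If the "served after renewal" date equals the "served before" date, the API server did not restart and the renewal is not yet in effect, however new the files under /etc/kubernetes/pki look.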