k8s证书更新
1.故障現象
k8s安裝一年后證書顯示過期。證書未自動續期。
2. Renewal procedure
The following operations must be performed on every master node.
Download kubeadm
Normally the kubeadm binary already exists under /usr/bin/ on the nodes of a cluster created with kubeadm. If a master node has no kubeadm, it can be downloaded from the official release site. Taking kubeadm v1.16.9 for the amd64 architecture as an example, it can be fetched with curl -L --remote-name-all https://storage.googleapis.com/kubernetes-release/release/v1.16.9/bin/linux/amd64/kubeadm; for another version, change the version number in the URL. After making the binary executable with chmod +x kubeadm, copy it to the cluster's master nodes.
Back up files
~]# cp -r /etc/kubernetes /etc/kubernetes.bak && cp -r /var/lib/etcd /var/lib/etcd.bak  ## back up the k8s and etcd files
Perform the certificate renewal
~]# kubeadm alpha certs renew all
# On 1.16.x the output looks like this:
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
## On 1.18.x the output carries a few extra hints:
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Update the kubeconfig files
Running kubeadm init phase kubeconfig all generates new kubeconfig files from the renewed certificates. After backing up the current one with cp -r /root/.kube /root/.kube.bak, run cp -f /etc/kubernetes/admin.conf /root/.kube/config to overwrite the old kubeconfig.
# kubeadm init phase kubeconfig all may fail; some files under /etc/kubernetes/ have to be deleted or moved away first
I0221 14:28:32.309687   23977 version.go:248] remote version is much newer: v1.23.4; falling back to: stable-1.15
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
error execution phase kubeconfig/admin: a kubeconfig file "/etc/kubernetes/admin.conf" exists already but has got the wrong API Server URL
~]# mv /etc/kubernetes/admin.conf /root/   # other kubeconfig files may fail the same way; move them all away, then run kubeadm init phase kubeconfig all again
Verification and component restart
After the renewal steps above, check whether the apiserver certificate's validity period has changed with
~]# echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate
You will find that the validity period has not changed. The reason is that a k8s component keeps using its old certificate until it is restarted; renewal only rewrites the files on disk. Run
~]# docker rm -f $(docker ps -q -f label=io.kubernetes.container.name=kube-apiserver)
~]# docker rm -f $(docker ps -q -f label=io.kubernetes.container.name=kube-controller-manager)
~]# docker rm -f $(docker ps -q -f label=io.kubernetes.container.name=kube-scheduler)
~]# docker rm -f $(docker ps -q -f label=io.kubernetes.container.name=etcd)
# to restart the k8s and etcd components (kubelet recreates the removed static-pod containers). Running the check again now shows the new validity period:
~]# echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate
notAfter=Feb 21 06:27:04 2023 GMT
# Note: restarting kubelet and docker as well is recommended
~]# systemctl restart kubelet docker
Summary
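To make the verification step above repeatable, here is an added shell script (not part of the original post) that reports the days left for every certificate under kubeadm's /etc/kubernetes/pki and for the certificate the live apiserver endpoint actually serves, so the on-disk versus served mismatch described above is visible at a glance. It assumes GNU date (for date -d) and the openssl CLI; the file name check_k8s_certs.sh is a placeholder.

```shell
# Added example, not from the original post. Assumes GNU date and the openssl CLI;
# the directory and endpoint defaults are the kubeadm ones used in the post.

# Strip the "notAfter=" prefix that `openssl x509 -enddate` prints.
strip_not_after() {
    printf '%s\n' "$1" | sed 's/^notAfter=//'
}

# Whole days until an expiry such as "Feb 21 06:27:04 2023 GMT"; negative once expired.
days_left() {
    exp_epoch=$(date -u -d "$1" +%s) || return 1
    now_epoch=$(date -u +%s)
    echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# Expiry line for one PEM certificate file on disk (what `kubeadm alpha certs renew` rewrites).
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null
}

# Expiry line for the cert a running TLS endpoint serves (e.g. 127.0.0.1:6443);
# this only changes after the component has been restarted.
endpoint_not_after() {
    echo | openssl s_client -connect "$1" -servername "${2:-api}" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null
}

# Walk a kubeadm PKI directory (including etcd/); warn when fewer than $2 days remain.
# Returns 1 if any certificate is below the threshold, so it can gate a cron alert.
check_pki_dir() {
    dir=$1; warn_days=${2:-30}; rc=0
    for crt in "$dir"/*.crt "$dir"/etcd/*.crt; do
        [ -f "$crt" ] || continue
        line=$(cert_not_after "$crt") || continue
        left=$(days_left "$(strip_not_after "$line")") || continue
        if [ "$left" -lt "$warn_days" ]; then
            printf 'WARN %-45s %s (%d days left)\n' "$crt" "$line" "$left"; rc=1
        else
            printf 'ok   %-45s %s (%d days left)\n' "$crt" "$line" "$left"
        fi
    done
    return $rc
}

# Usage: sh check_k8s_certs.sh --check [/etc/kubernetes/pki] [warn_days]
if [ "${1:-}" = "--check" ]; then
    check_pki_dir "${2:-/etc/kubernetes/pki}" "${3:-30}"
    endpoint_not_after 127.0.0.1:6443
fi
```

Run it once before the restart and once after: the pki/ lines change as soon as kubeadm has renewed the files, while the endpoint line only changes after the apiserver container has been recreated.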