Configuration
kube-controller
Once serving-certificate issuance has been configured, enable certificate rotation so that the kubelet requests a new certificate before the current one expires (an already-expired kubelet client certificate cannot rotate itself and the node has to be re-bootstrapped). Add one flag to the kube-controller-manager on every master node: --feature-gates=RotateKubeletServerCertificate=true
vim /etc/kubernetes/manifests/kube-controller-manager.yaml
……
spec:
containers:
- command:
- kube-controller-manager
- --feature-gates=RotateKubeletServerCertificate=true
- --cluster-signing-duration=87600h0m0s
……
Two caveats about these flags. RotateKubeletServerCertificate has been enabled by default since it reached beta (v1.12), so the explicit flag mostly documents intent. --cluster-signing-duration caps the lifetime of certificates the controller manager signs through the CSR API (kubelet client and serving certificates); its default is 8760h (one year), and 87600h issues ten-year certificates, which removes most of the value of rotating them at all. It does not affect the control-plane certificates that kubeadm manages below. After modifying kube-controller-manager.yaml the kube-controller-manager pod has to be restarted; it is a static pod managed by the kubelet, so moving its manifest out of the directory and back makes the kubelet recreate it with the new flags:
mv /etc/kubernetes/manifests/kube-controller-manager.yaml \
/etc/kubernetes/manifests/kube-controller-manager.yaml.bk && \
sleep 30 && mv /etc/kubernetes/manifests/kube-controller-manager.yaml.bk \
/etc/kubernetes/manifests/kube-controller-manager.yaml
kubelet
Check on every node that the kubelet configuration has certificate rotation (rotateCertificates) enabled; kubeadm turns it on by default. Note that rotateCertificates only rotates the kubelet's client certificate; rotating its serving certificate additionally needs serverTLSBootstrap: true, and the built-in CSR approver never approves kubelet serving-certificate requests for security reasons, so those must be approved by hand or by a separate approver (look for Pending requests with kubectl get csr).
vim /var/lib/kubelet/config.yaml
rotateCertificates: true
If the kubelet configuration was changed, restart the kubelet service:
systemctl restart kubelet
Check certificate expiry dates
The client certificates generated by kubeadm are valid for one year (the three CAs for ten years), so the cluster certificates must be renewed before they expire. Back up the certificate directory before doing anything so that a mistake can be rolled back. On a cluster with several control-plane nodes every step below has to be repeated on each node, because each one holds its own set of certificates.
First, check the expiry dates of the cluster's certificates with kubeadm certs check-expiration.
~ # kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 16, 2023 09:55 UTC   90d             ca                      no
apiserver                  Jul 16, 2023 09:54 UTC   90d             ca                      no
apiserver-etcd-client      Jul 16, 2023 09:54 UTC   90d             etcd-ca                 no
apiserver-kubelet-client   Jul 16, 2023 09:54 UTC   90d             ca                      no
controller-manager.conf    Jul 16, 2023 09:55 UTC   90d             ca                      no
etcd-healthcheck-client    Jul 16, 2023 09:53 UTC   90d             etcd-ca                 no
etcd-peer                  Jul 16, 2023 09:53 UTC   90d             etcd-ca                 no
etcd-server                Jul 16, 2023 09:53 UTC   90d             etcd-ca                 no
front-proxy-client         Jul 16, 2023 09:54 UTC   90d             front-proxy-ca          no
scheduler.conf             Jul 16, 2023 09:55 UTC   90d             ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 28, 2030 09:14 UTC   7y              no
etcd-ca                 Dec 28, 2030 09:14 UTC   7y              no
front-proxy-ca          Dec 28, 2030 09:14 UTC   7y              no
Older Kubernetes releases expose this command under the alpha namespace instead:
kubeadm alpha certs check-expiration
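Reading this table by hand works once, but the check is worth automating on every control-plane node. The following POSIX shell script is an added example, not part of the original post and not kubeadm's own code: it parses the output of kubeadm certs check-expiration and exits non-zero when any certificate has fewer than a given number of days left, so it can run from cron or a monitoring agent. The sample output embedded in it is constructed for the example and deliberately includes one certificate close to expiry and one already expired, which kubeadm reports as <invalid> in the RESIDUAL TIME column; the function names and the 30-day default threshold are this example's own choices.

```shell
#!/bin/sh
# Added example: flag certificates reported by `kubeadm certs check-expiration`
# that have fewer than THRESHOLD_DAYS days left. Not part of kubeadm.

# Constructed sample output for the example (not captured from a real cluster).
# One certificate is close to expiry and one has already expired; kubeadm shows
# an expired certificate as "<invalid>" in the RESIDUAL TIME column.
SAMPLE_OUTPUT=$(cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 16, 2023 09:55 UTC   90d             ca                      no
apiserver                  Jul 16, 2023 09:54 UTC   90d             ca                      no
apiserver-etcd-client      May 07, 2023 09:54 UTC   20d             etcd-ca                 no
front-proxy-client         Apr 01, 2023 09:54 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 28, 2030 09:14 UTC   7y              no
etcd-ca                 Dec 28, 2030 09:14 UTC   7y              no
front-proxy-ca          Dec 28, 2030 09:14 UTC   7y              no
EOF
)

# expiring_certs [THRESHOLD_DAYS]   (reads check-expiration output on stdin)
# Prints "<certificate> <residual> <days>" for each certificate with fewer than
# THRESHOLD_DAYS (default 30) days left; expired ones are reported with -1.
# Returns 1 if anything was printed, 0 otherwise.
expiring_certs() {
    awk -v threshold="${1:-30}" '
        # Convert the RESIDUAL TIME column to whole days: "7y" -> 2555, "90d" -> 90,
        # "23h" or "5m" -> 0 (less than a day left), "<invalid>" -> -1 (expired).
        function to_days(r,    n, u) {
            if (r == "<invalid>") return -1
            u = substr(r, length(r))
            n = substr(r, 1, length(r) - 1) + 0
            if (u == "y") return n * 365
            if (u == "d") return n
            return 0
        }
        # Skip kubeadm log lines, blank lines and the headers of both tables.
        /^\[/ || NF == 0 || $1 == "CERTIFICATE" { next }
        # In both tables the residual time is field 7:
        #   <name> <Mon> <DD,> <YYYY> <HH:MM> <UTC> <residual> ...
        {
            days = to_days($7)
            if (days < threshold) { found = 1; print $1, $7, days }
        }
        END { if (found) exit 1; exit 0 }
    '
}

# check_cluster [THRESHOLD_DAYS]: run the real command on a control-plane node.
check_cluster() {
    kubeadm certs check-expiration | expiring_certs "$1"
}

# Demonstration on the constructed sample: lists apiserver-etcd-client (20d)
# and front-proxy-client (<invalid>) and returns 1.
printf '%s\n' "$SAMPLE_OUTPUT" | expiring_certs 30 || echo "certificates need renewal"
```

On a real node call check_cluster 30 (or pipe the kubeadm output into expiring_certs) and alert on a non-zero exit; a threshold of 30 days leaves room to schedule the renewal and restart below before anything lapses.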
Back up the old certificates and configuration files
Before renewing, back up the old certificates and keys so that an error during renewal can be undone. The certificates generated by kubeadm live under /etc/kubernetes/pki. The backup contains the CA private keys, so keep it readable by root only (as /etc/kubernetes/pki is) and delete it once the renewal has been verified.
# Create the backup directory
/home # mkdir /etc/kubernetes.bak
# Back up the old certificates
/home # cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak
# Back up the kubeconfig files
/home # cp /etc/kubernetes/*.conf /etc/kubernetes.bak
# Back up the etcd data (a plain copy of a running member is not a consistent snapshot; use etcdctl snapshot save if etcd itself must be restorable)
/home # cp -r /var/lib/etcd /var/lib/etcd.bak
Run the certificate renewal command
/home # kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
The list above does not include kubelet.conf, because kubeadm configures the kubelet to renew its certificates automatically. The rotated certificates live in /var/lib/kubelet/pki. To repair an expired kubelet client certificate, see "Kubelet client certificate rotation fails".
Check the expiry dates again
/home # kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 16, 2024 08:14 UTC   364d            ca                      no
apiserver                  Apr 16, 2024 08:14 UTC   364d            ca                      no
apiserver-etcd-client      Apr 16, 2024 08:14 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Apr 16, 2024 08:14 UTC   364d            ca                      no
controller-manager.conf    Apr 16, 2024 08:14 UTC   364d            ca                      no
etcd-healthcheck-client    Apr 16, 2024 08:14 UTC   364d            etcd-ca                 no
etcd-peer                  Apr 16, 2024 08:14 UTC   364d            etcd-ca                 no
etcd-server                Apr 16, 2024 08:14 UTC   364d            etcd-ca                 no
front-proxy-client         Apr 16, 2024 08:14 UTC   364d            front-proxy-ca          no
scheduler.conf             Apr 16, 2024 08:14 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 28, 2030 09:14 UTC   7y              no
etcd-ca                 Dec 28, 2030 09:14 UTC   7y              no
front-proxy-ca          Dec 28, 2030 09:14 UTC   7y              no
The expiry dates have been updated: every leaf certificate is valid for another year. The CAs are untouched because kubeadm certs renew signs the new certificates with the existing CAs, so worker nodes keep trusting the cluster and ca.crt does not have to be redistributed.
Restart the components
After renewing the certificates, the kube-apiserver, kube-controller-manager, kube-scheduler and etcd components must be restarted, because the running processes keep using the certificates they loaded at startup. They are static pods, so moving their manifests out of /etc/kubernetes/manifests makes the kubelet stop them and moving the manifests back recreates them. This works with any container runtime. On a single control-plane node the API server is unavailable until the pods are back; on an HA cluster do one node at a time.
mkdir -p /etc/kubernetes.bak/manifests/
mv /etc/kubernetes/manifests/kube-scheduler.yaml /etc/kubernetes.bak/manifests/
mv /etc/kubernetes/manifests/kube-controller-manager.yaml /etc/kubernetes.bak/manifests/
mv /etc/kubernetes/manifests/kube-apiserver.yaml /etc/kubernetes.bak/manifests/
mv /etc/kubernetes/manifests/etcd.yaml /etc/kubernetes.bak/manifests/
sleep 30
mv /etc/kubernetes.bak/manifests/kube-scheduler.yaml /etc/kubernetes/manifests/
mv /etc/kubernetes.bak/manifests/kube-controller-manager.yaml /etc/kubernetes/manifests/
mv /etc/kubernetes.bak/manifests/kube-apiserver.yaml /etc/kubernetes/manifests/
mv /etc/kubernetes.bak/manifests/etcd.yaml /etc/kubernetes/manifests/
With the docker runtime the containers can instead be restarted in place (docker restart re-launches each container with the same command line, so the processes re-read the certificate files):
docker ps |egrep "k8s_kube-apiserver|k8s_kube-scheduler|k8s_kube-controller|k8s_etcd"|awk '{print $1}'|xargs docker restart
On nodes that use containerd (the usual case after dockershim was removed in v1.24), docker ps does not see these containers; use the manifest move above instead.
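The fixed sleep 30 above assumes the kubelet has torn the pods down within 30 seconds; on a slow node that can leave the old API server running when the manifests are moved back, and nothing afterwards confirms that the restarted API server is healthy. The following POSIX shell script is an added example, not from the original post and not kubeadm's own tooling: it performs the same manifest move but polls each phase, waiting until the control-plane containers are gone before restoring the manifests and then waiting for /healthz on the local API server. It assumes containerd with crictl on the PATH, the API server listening on 127.0.0.1:6443 and the kubeadm CA at /etc/kubernetes/pki/ca.crt; the hold directory, retry settings and function names are this example's own, and on docker nodes control_plane_stopped would be rewritten around docker ps. Run it on one control-plane node at a time.

```shell
#!/bin/sh
# Added example: restart the kubeadm control-plane static pods by moving their
# manifests out of the kubelet's static-pod directory and back, polling for
# each phase instead of sleeping a fixed 30 seconds. Not part of kubeadm.
# Assumes containerd with crictl, and the API server listening on 127.0.0.1:6443.

CONTROL_PLANE_MANIFESTS="kube-apiserver.yaml kube-controller-manager.yaml kube-scheduler.yaml etcd.yaml"
MANIFEST_DIR="${MANIFEST_DIR:-/etc/kubernetes/manifests}"
HOLD_DIR="${HOLD_DIR:-/etc/kubernetes.bak/manifests}"
RETRIES="${RETRIES:-60}"   # probes per phase
POLL="${POLL:-2}"          # seconds between probes (60 x 2s = 2 minutes per phase)

# Probe: true once no control-plane container is running. If crictl is missing
# or fails we cannot confirm anything, so report "still running" and keep waiting
# rather than restoring the manifests on top of live processes.
control_plane_stopped() {
    running=$(crictl ps -q --name 'kube-apiserver|kube-controller-manager|kube-scheduler|etcd' 2>/dev/null) || return 1
    [ -z "$running" ]
}

# Probe: true once the local API server answers /healthz with "ok". /healthz is
# readable by system:anonymous in a default kubeadm cluster, so no client
# certificate is needed; --cacert makes sure we are talking to the real API server.
apiserver_healthy() {
    [ "$(curl -s --max-time 5 --cacert /etc/kubernetes/pki/ca.crt https://127.0.0.1:6443/healthz 2>/dev/null)" = "ok" ]
}

# wait_for PROBE: call PROBE until it succeeds or RETRIES attempts are used up.
wait_for() {
    n=0
    while [ "$n" -lt "$RETRIES" ]; do
        if "$1"; then return 0; fi
        n=$((n + 1))
        sleep "$POLL"
    done
    return 1
}

# move_manifests FROM TO: move whichever control-plane manifests exist in FROM.
move_manifests() {
    for m in $CONTROL_PLANE_MANIFESTS; do
        if [ -f "$1/$m" ]; then mv "$1/$m" "$2/$m"; fi
    done
    return 0
}

# restart_control_plane: returns 0 when the restarted API server reports healthy.
# The manifests are always put back, even on failure, so the node is never left
# without a control plane because this script gave up.
restart_control_plane() {
    mkdir -p "$HOLD_DIR"
    move_manifests "$MANIFEST_DIR" "$HOLD_DIR"
    if ! wait_for control_plane_stopped; then
        echo "control-plane containers still running after $((RETRIES * POLL))s; restoring manifests" >&2
        move_manifests "$HOLD_DIR" "$MANIFEST_DIR"
        return 1
    fi
    move_manifests "$HOLD_DIR" "$MANIFEST_DIR"
    if ! wait_for apiserver_healthy; then
        echo "kube-apiserver did not report healthy after $((RETRIES * POLL))s" >&2
        return 1
    fi
    echo "control plane restarted with the renewed certificates"
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then restart_control_plane; fi
```

Invoke it as sh restart-control-plane.sh --run as root on the control-plane node right after kubeadm certs renew all; a non-zero exit means the restart did not complete cleanly and the node needs a look before moving on to the next one.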
Update the ~/.kube/config file
admin.conf embeds a client certificate that kubeadm certs renew has just replaced, so the copy in ~/.kube/config (and any copies handed to other administrators) must be refreshed, otherwise kubectl starts failing with an expired x509 certificate error as soon as the old one lapses:
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config