The certificates of a Kubernetes cluster installed with kubeadm are valid for only one year, so the cluster certificates must be renewed before they expire. Before doing anything, back up the certificate directory so that a mistake during the operation can be rolled back.
1. Check the certificate expiry dates
First, use the kubeadm certs check-expiration command to check when the certificates in the cluster expire.
~ # kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jul 16, 2023 09:55 UTC 90d ca no
apiserver Jul 16, 2023 09:54 UTC 90d ca no
apiserver-etcd-client Jul 16, 2023 09:54 UTC 90d etcd-ca no
apiserver-kubelet-client Jul 16, 2023 09:54 UTC 90d ca no
controller-manager.conf Jul 16, 2023 09:55 UTC 90d ca no
etcd-healthcheck-client Jul 16, 2023 09:53 UTC 90d etcd-ca no
etcd-peer Jul 16, 2023 09:53 UTC 90d etcd-ca no
etcd-server Jul 16, 2023 09:53 UTC 90d etcd-ca no
front-proxy-client Jul 16, 2023 09:54 UTC 90d front-proxy-ca no
scheduler.conf Jul 16, 2023 09:55 UTC 90d ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Dec 28, 2030 09:14 UTC 7y no
etcd-ca Dec 28, 2030 09:14 UTC 7y no
front-proxy-ca Dec 28, 2030 09:14 UTC 7y no
Some older versions use the following command instead:
kubeadm alpha certs check-expiration
2. Back up the old certificates and configuration files
Before renewing the certificates, back up the old certificates and keys so that an error during renewal can be recovered from. Certificates generated by kubeadm are normally located under /etc/kubernetes/pki.
# Create the backup directory
/home # mkdir /etc/kubernetes.bak
# Back up the old certificates
/home # cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak
# Back up the kubeconfig files
/home # cp /etc/kubernetes/*.conf /etc/kubernetes.bak
# Back up the etcd data
/home # cp -r /var/lib/etcd /var/lib/etcd.bak
3. Run the certificate renewal command
/home # kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
Check the certificate expiry dates again:
/home # kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Apr 16, 2024 08:14 UTC 364d ca no
apiserver Apr 16, 2024 08:14 UTC 364d ca no
apiserver-etcd-client Apr 16, 2024 08:14 UTC 364d etcd-ca no
apiserver-kubelet-client Apr 16, 2024 08:14 UTC 364d ca no
controller-manager.conf Apr 16, 2024 08:14 UTC 364d ca no
etcd-healthcheck-client Apr 16, 2024 08:14 UTC 364d etcd-ca no
etcd-peer Apr 16, 2024 08:14 UTC 364d etcd-ca no
etcd-server Apr 16, 2024 08:14 UTC 364d etcd-ca no
front-proxy-client Apr 16, 2024 08:14 UTC 364d front-proxy-ca no
scheduler.conf Apr 16, 2024 08:14 UTC 364d ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Dec 28, 2030 09:14 UTC 7y no
etcd-ca Dec 28, 2030 09:14 UTC 7y no
front-proxy-ca Dec 28, 2030 09:14 UTC 7y no
The certificate expiry dates have been updated. As the renew output above says, kube-apiserver, kube-controller-manager, kube-scheduler and etcd keep using the old certificates until they are restarted, and the renewed admin.conf should also replace any copy kept in ~/.kube/config.
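Waiting for the one-year mark to come around is how clusters end up with an expired API server certificate, so the check in step 1 is worth automating. The script below is an added example, not part of the original post or of kubeadm: it parses the output of kubeadm certs check-expiration and lists every certificate (leaf or CA) with fewer than a given number of days left, so it can run from cron or a monitoring agent. The input is a constructed copy of the pre-renewal table shown above, plus one made-up row named example-expired-client whose residual time is the "<invalid>" marker kubeadm prints for a certificate that has already expired; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: parse the output of
# "kubeadm certs check-expiration" and list certificates whose residual
# lifetime is below a threshold in days, so expiry is caught by a cron
# job or monitoring check rather than by an outage.

# Constructed sample input: the pre-renewal table from the post, plus one
# made-up row ("example-expired-client") whose residual time is the
# "<invalid>" marker kubeadm prints for an already-expired certificate.
sample_output() {
  cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jul 16, 2023 09:55 UTC 90d ca no
apiserver Jul 16, 2023 09:54 UTC 90d ca no
apiserver-etcd-client Jul 16, 2023 09:54 UTC 90d etcd-ca no
apiserver-kubelet-client Jul 16, 2023 09:54 UTC 90d ca no
controller-manager.conf Jul 16, 2023 09:55 UTC 90d ca no
etcd-healthcheck-client Jul 16, 2023 09:53 UTC 90d etcd-ca no
etcd-peer Jul 16, 2023 09:53 UTC 90d etcd-ca no
etcd-server Jul 16, 2023 09:53 UTC 90d etcd-ca no
front-proxy-client Jul 16, 2023 09:54 UTC 90d front-proxy-ca no
scheduler.conf Jul 16, 2023 09:55 UTC 90d ca no
example-expired-client Apr 01, 2023 00:00 UTC <invalid> ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Dec 28, 2030 09:14 UTC 7y no
etcd-ca Dec 28, 2030 09:14 UTC 7y no
front-proxy-ca Dec 28, 2030 09:14 UTC 7y no
EOF
}

# expiring_within DAYS: read check-expiration output on stdin and print
# "<name> <residual>" for every certificate with fewer than DAYS days left.
# Certificate rows are recognised by the "UTC" token in the EXPIRES column,
# which skips both header lines and kubeadm's [check-expiration] log lines.
expiring_within() {
  awk -v limit="$1" '
    $6 != "UTC" { next }
    {
      r = $7
      if (r ~ /^[0-9]+y$/)      days = substr(r, 1, length(r) - 1) * 365
      else if (r ~ /^[0-9]+d$/) days = substr(r, 1, length(r) - 1) + 0
      else                      days = 0   # hours, minutes, seconds or <invalid>: due now
      if (days < limit + 0) print $1, r
    }'
}

# count_expiring_within DAYS: how many certificates in the sample are
# reported by expiring_within (convenient for a pass/fail exit status).
count_expiring_within() {
  sample_output | expiring_within "$1" | wc -l | tr -d ' '
}

# Usage on the constructed sample. On a control-plane node replace
# sample_output with "kubeadm certs check-expiration".
sample_output | expiring_within 100
```

With a 100-day threshold the sample reports the ten leaf certificates at 90d plus the constructed expired row, and leaves the three CAs (7y) alone; a 30-day threshold reports only the expired row, because "<invalid>" is deliberately treated as zero days remaining rather than being silently skipped.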