k8s证书过期替换
kubeadm version kubeadm version: &version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.8", GitCommit:"4a3b558c52eb6995b3c5c1db5e54111bd0645a64", GitTreeState:"clean", BuildDate:"2021-12-15T14:50:58Z", GoVersion:"go1.16.12", Compiler:"gc", Platform:"linux/amd64"}
# 查看证书是否过期
# Inspect with openssl: print the validity window (the "Not Before" and
# "Not After" lines) of the API server certificate.
openssl x509 -noout -text < /etc/kubernetes/pki/apiserver.crt | grep ' Not '
# kubeadm 查看
root@k8s-master-147:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jan 14, 2023 08:48 UTC <invalid> ca no
apiserver Jan 14, 2023 08:48 UTC <invalid> ca no
!MISSING! apiserver-etcd-client
apiserver-kubelet-client Jan 14, 2023 08:48 UTC <invalid> ca no
controller-manager.conf Jan 14, 2023 08:48 UTC <invalid> ca no
!MISSING! etcd-healthcheck-client
!MISSING! etcd-peer
!MISSING! etcd-server
front-proxy-client Jan 14, 2023 08:48 UTC <invalid> front-proxy-ca no
scheduler.conf Jan 14, 2023 08:48 UTC <invalid> ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 12, 2032 08:48 UTC 8y no
!MISSING! etcd-ca
front-proxy-ca Jan 12, 2032 08:48 UTC 8y no
# k3s: read the serving certificate from the k3s-serving secret and print its
# validity lines. For replacing it, see the official k3s docs:
# https://docs.k3s.io/zh/cli/certificate#%E4%BD%BF%E7%94%A8%E8%87%AA%E5%AE%9A%E4%B9%89-ca-%E8%AF%81%E4%B9%A6
kubectl -n kube-system get secret k3s-serving -o jsonpath='{.data.tls\.crt}' \
  | base64 -d \
  | openssl x509 -noout -text \
  | grep Not
# 备份
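# Back up the whole kubeadm directory before touching anything.
# The copy holds the cluster's private keys and the admin kubeconfig, so it is
# kept root-only. -a preserves owner, mode and timestamps. A dated name avoids
# silently nesting the copy inside an existing /etc/kubernetes.bak on a rerun.
#
# Then move the old kubeconfig files out of the way so they can be regenerated.
# They embed client private keys (admin.conf is a cluster-admin credential),
# so park them in a root-only directory instead of the shared /tmp.
# The steps are chained with && so nothing is moved unless the backup succeeded.
backup_dir="/etc/kubernetes.bak-$(date +%Y%m%d%H%M%S)"
cp -a /etc/kubernetes "$backup_dir" \
  && chmod 700 "$backup_dir" \
  && mkdir -m 700 "$backup_dir/old-kubeconfig" \
  && mv /etc/kubernetes/*.conf "$backup_dir/old-kubeconfig/"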
# 重新生成
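# Renew the kubeadm-managed certificates, regenerate the kubeconfig files,
# then re-check the expiry dates to confirm the result.
# The steps are chained with && so kubeconfigs are not regenerated after a
# failed renewal.
#
# NOTE(review): without --config, "kubeadm init phase kubeconfig all" uses
# default settings. If the cluster was created with a custom control-plane
# endpoint or kubeadm config file, pass the same file via --config so the
# generated kubeconfigs point at the right API server address.
kubeadm certs renew all \
  && kubeadm init phase kubeconfig all \
  && kubeadm certs check-expiration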
# 重启master kubelet
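# Restart the kubelet so it starts with the regenerated kubeconfig.
systemctl restart kubelet

# NOTE(review): restarting the kubelet does not by itself restart control
# plane static pods that are already running. The kubeadm documentation asks
# for kube-apiserver, kube-controller-manager, kube-scheduler and etcd to be
# restarted after a renewal so they load the new certificates, for example by
# temporarily moving each manifest out of /etc/kubernetes/manifests. Verify
# afterwards with "kubeadm certs check-expiration".

# Install the new admin kubeconfig for the current user.
# admin.conf is a cluster-admin credential. "install -m 600" forces owner-only
# permissions even when an older ~/.kube/config with looser permissions
# already exists, and mkdir covers a missing ~/.kube directory.
mkdir -p -m 700 ~/.kube
install -m 600 /etc/kubernetes/admin.conf ~/.kube/config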
# 官方文档参考
上次更新: 2023/04/04, 18:43:11