  • Changing the IP of a Kubernetes master (single node)

     

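    Problem analysis

    After the master's IP address changes, check the following first:

    1. The config files under /etc/kubernetes/manifests: replace the corresponding IP in them

    2. The related certificate files

    3. The client files

    Solution steps

    Prepare the config file

    If the environment can reach networks outside China, this step is not needed. The file is kubeadm.config.
    When using this file, remember to replace the API address, port, and other related information.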

    apiVersion: kubeadm.k8s.io/v1beta2
    bootstrapTokens:
    - groups:
      - system:bootstrappers:kubeadm:default-node-token
      token: abcdef.0123456789abcdef
      ttl: 24h0m0s
      usages:
      - signing
      - authentication
    kind: InitConfiguration
    localAPIEndpoint:
      advertiseAddress: 100.64.139.62
      bindPort: 6443
    nodeRegistration:
      criSocket: /var/run/dockershim.sock
      name: k8s-master-2
      taints:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
    ---
    apiServer:
      timeoutForControlPlane: 4m0s
    apiVersion: kubeadm.k8s.io/v1beta2
    certificatesDir: /etc/kubernetes/pki
    clusterName: kubernetes
    controllerManager: {}
    dns:
      type: CoreDNS
    etcd:
      local:
        dataDir: /var/lib/etcd
    kind: ClusterConfiguration
    imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
    kubernetesVersion: v1.16.0
    networking:
      dnsDomain: cluster.local
      serviceSubnet: 10.96.0.0/12
    scheduler: {}

    Modify the configuration files

    [root@k8s-master-2 kubernetes]# cd /etc/kubernetes
    [root@k8s-master-2 kubernetes]# find . -type f |xargs grep 100.64.139.60 |awk '{print $1}' |sort |uniq
    ./admin.conf:
    ./controller-manager.conf:
    ./kubelet.conf:
    ./manifests/etcd.yaml:
    ./manifests/kube-apiserver.yaml:
    ./scheduler.conf:

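    The .conf files are client configuration files with embedded certificates that kubeadm generates automatically. The two files that need to be edited are etcd.yaml and kube-apiserver.yaml: change the corresponding IP address in them to the new IP address.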

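    Generate new certificates

    Method 1: delete and regenerate only some of the certificates

    Back up the original certificates. Based on the output of the find command, the certificates of the following services need to be replaced: kubelet, api, proxy

    # Back up the original certificates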

    mv /etc/kubernetes/pki/apiserver.key /etc/kubernetes/pki/apiserver.key.old
    mv /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.crt.old
    mv /etc/kubernetes/pki/apiserver-kubelet-client.crt /etc/kubernetes/pki/apiserver-kubelet-client.crt.old
    mv /etc/kubernetes/pki/apiserver-kubelet-client.key /etc/kubernetes/pki/apiserver-kubelet-client.key.old
    mv /etc/kubernetes/pki/front-proxy-client.crt /etc/kubernetes/pki/front-proxy-client.crt.old
    mv /etc/kubernetes/pki/front-proxy-client.key /etc/kubernetes/pki/front-proxy-client.key.old

     

    # Generate the new certificates

    kubeadm init  phase certs apiserver --config kubeadm.config
    kubeadm init  phase certs apiserver-kubelet-client --config kubeadm.config
    kubeadm init  phase certs front-proxy-client --config kubeadm.config
    
    

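    Method 2: delete and regenerate all certificates

    # Remove all certificates (moves the whole pki directory aside, including the CA and service-account keys)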
    mv /etc/kubernetes/pki  /etc/kubernetes/pki.old
    
    # Generate the new certificates
    kubeadm init  phase certs all --config kubeadm.config

    Generate new client files

    Method 1: generate them one at a time

    kubeadm  init phase kubeconfig admin --config kubeadm.config
    kubeadm  init phase kubeconfig controller-manager --config kubeadm.config
    kubeadm  init phase kubeconfig kubelet --config kubeadm.config
    kubeadm  init phase kubeconfig scheduler --config kubeadm.config

    Method 2: generate them all at once

    mv /etc/kubernetes/*.conf /tmp
    kubeadm  init phase kubeconfig all --config kubeadm.config

    Check the certificate expiration times

    [root@k8s-master-2 pki]# kubeadm  alpha  certs check-expiration
    CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
    admin.conf                 Dec 10, 2020 05:31 UTC   364d            no
    apiserver                  Dec 10, 2020 05:30 UTC   364d            no
    apiserver-etcd-client      Dec 10, 2020 05:31 UTC   364d            no
    apiserver-kubelet-client   Dec 10, 2020 05:30 UTC   364d            no
    controller-manager.conf    Dec 10, 2020 05:31 UTC   364d            no
    etcd-healthcheck-client    Dec 10, 2020 05:31 UTC   364d            no
    etcd-peer                  Dec 10, 2020 05:31 UTC   364d            no
    etcd-server                Dec 10, 2020 05:30 UTC   364d            no
    front-proxy-client         Dec 10, 2020 05:30 UTC   364d            no
    scheduler.conf             Dec 10, 2020 05:31 UTC   364d            no

    Restart the services

    service docker restart 
    service kubelet restart
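
A post-change check for the steps above, as an added example that is not part of the original post: it lists files that still reference the old IP, lists kubeconfig files whose server URL is not the new endpoint, and confirms that the regenerated apiserver.crt carries the new IP as a SAN. The function names and the argument order are assumptions of this example, and the certificate check needs openssl on the host.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run after the
# steps above. Usage: sh verify.sh /etc/kubernetes OLD_IP NEW_IP PORT

# List files under DIR that still mention IP as a whole address. Dots are
# escaped so that "." cannot match an arbitrary character.
stale_ip_files() {
    re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -rlE "(^|[^0-9])${re}([^0-9]|\$)" "$1" 2>/dev/null | sort
}

# List kubeconfig files in DIR whose "server:" value is not https://IP:PORT.
wrong_server_kubeconfigs() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if sed -n 's/^[[:space:]]*server:[[:space:]]*//p' "$f" |
            grep -qvxF "https://$2:$3"; then
            echo "$f"
        fi
    done
}

# Succeed only if certificate CERT carries IP as an exact IP SAN entry.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -qxF "IP Address:$2"
}

# Run all three checks; return 0 only when every one passes.
verify_master_ip() {
    dir=$1 old=$2 new=$3 port=$4 rc=0
    stale=$(stale_ip_files "$dir" "$old")
    [ -z "$stale" ] || { echo "old IP still present in:"; echo "$stale"; rc=1; }
    wrong=$(wrong_server_kubeconfigs "$dir" "$new" "$port")
    [ -z "$wrong" ] || { echo "unexpected server URL in:"; echo "$wrong"; rc=1; }
    cert_has_ip_san "$dir/pki/apiserver.crt" "$new" ||
        { echo "apiserver.crt has no IP SAN for $new"; rc=1; }
    return "$rc"
}

if [ "$#" -eq 4 ]; then verify_master_ip "$@"; fi
```

With the addresses used on this page, the call would be `sh verify.sh /etc/kubernetes 100.64.139.60 100.64.139.62 6443`; a non-zero exit status means at least one check failed.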

     

  • Original article: https://www.cnblogs.com/chaojiyingxiong/p/12047628.html