kubeadm 部署方式续签
1.1 备份原有的证书
cp –r etc/kubernetes/pki etc/kubernetes/pki.bak
1.2 备份原有的文件
cp -r /etc/kubernetes/*conf /etc/kubernetes/*conf-old
1.3 先看 下kubeadm 客户端证书过期时间
kubeadm alpha certs check-expiration
1.4 更新集群证书:
kubeadm alpha certs renew all --config=/root/kubeadm.conf
或是
kubeadm alpha certs renew all --config /root/kubeadm.conf
1.5 替换老的config文件
cp -f /etc/kubernetes/admin.conf ~/.kube/config
1.6 配置kube-controller-manager自动颁发证书
vim /etc/kubernetes/manifests/kube-controller-manager.yaml
[root@k8s-master ~]# vim /etc/kubernetes/manifests/kube-controller-manager.yaml
- command:
- kube-controller-manager
- --experimental-cluster-signing-duration=87600h0m0s #10年
- --feature-gates=RotateKubeletServerCertificate=true
1.7 重启kube-controller-manager Pod和api-server Pod
1.8 启用kubelet自动轮换证书
默认kubelet证书轮转已启用:
一台node 节点测试,先查看现有客户端证书有效期
重启kubelet 组件,他会验证当前证书有效期,并自动从kube-controller-manager 上 进行续签