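Certificates issued by kubeadm are valid for one year by default. Once they expire, the API server becomes unavailable and operations fail with: x509: certificate has expired or is not yet valid.
Default certificate directory: /etc/kubernetes/pki
1. Check the current certificate expiration dates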
kubeadm alpha certs check-expiration
You can also inspect the certificates directly:
for i in /etc/kubernetes/pki/*.crt; do echo "$i" && openssl x509 -in "$i" -noout -text | grep Not; done
2. Back up
cp -R /etc/kubernetes/pki /etc/kubernetes/pki_bakup
3. Generate the cluster's current configuration file
#kubeadm alpha phase kubeconfig all --config cluster.yaml (this file is used later to renew the certificates)
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: apiserver.shiji:6443
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.17.0
networking:
  dnsDomain: cluster.local
  podSubnet: 10.100.0.1/16
  serviceSubnet: 10.96.0.0/16
scheduler: {}
4. Renew the certificates
kubeadm alpha certs renew all --config=/root/cluster.yaml
Certificates can also be renewed individually.
5. Check the certificate validity period again
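The checks in steps 1 and 5 can be scripted so that an approaching expiry is caught before the API server starts rejecting connections. The script below is an added example, not part of the original post; it assumes GNU date and the openssl CLI, and PKI_DIR, WARN_DAYS, cert_status and scan_pki are illustrative names rather than kubeadm settings.

```shell
#!/bin/sh
# Added example (not from the original post): flag kubeadm certificates near expiry.
# Assumes GNU date and the openssl CLI. PKI_DIR, WARN_DAYS and the function names
# are illustrative, not kubeadm settings.
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
WARN_DAYS="${WARN_DAYS:-30}"

# cert_status "<notAfter=... line from openssl -enddate>" [now_epoch] [warn_days]
# Prints EXPIRED, RENEW or OK; returns 2 if the date cannot be parsed.
cert_status() {
    cs_now="${2:-$(date +%s)}"
    cs_warn="${3:-$WARN_DAYS}"
    cs_end=$(date -u -d "${1#notAfter=}" +%s 2>/dev/null) || return 2
    if [ "$cs_end" -le "$cs_now" ]; then
        echo EXPIRED
    elif [ $((cs_end - cs_now)) -le $((cs_warn * 86400)) ]; then
        echo RENEW
    else
        echo OK
    fi
}

# scan_pki [dir]: check every *.crt in dir and dir/etcd (where kubeadm keeps the
# etcd certificates). Returns non-zero if any certificate is not OK.
scan_pki() {
    sp_dir="${1:-$PKI_DIR}"
    sp_rc=0
    for sp_crt in "$sp_dir"/*.crt "$sp_dir"/etcd/*.crt; do
        [ -f "$sp_crt" ] || continue          # an unmatched glob stays literal
        sp_line=$(openssl x509 -in "$sp_crt" -noout -enddate 2>/dev/null) &&
            sp_status=$(cert_status "$sp_line") || sp_status=UNREADABLE
        printf '%-10s %s %s\n' "$sp_status" "$sp_crt" "${sp_line#notAfter=}"
        [ "$sp_status" = OK ] || sp_rc=1
    done
    return "$sp_rc"
}

# Run the scan only when asked, e.g. from cron: sh certcheck.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_pki
    exit $?
fi
```

The non-zero exit status of `scan_pki` makes the script usable as a cron or monitoring check that fires while there is still time to run the renewal in step 4.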