  • k8s certificate expiry handling

    The k8s dashboard could no longer be logged into. Tracing the failure from the dashboard to the apiserver and then to etcd, the cause turned out to be the master certificates: the certificates kubeadm issues are self-signed by the cluster CA and valid for one year (the CA itself for ten), and the cluster had originally been set up with kubeadm.

    2020-07-16 09:31:21.660802 I | raft: aa548f97cfe05a3f is starting a new election at term 7829
    2020-07-16 09:31:21.660842 I | raft: aa548f97cfe05a3f became candidate at term 7830
    2020-07-16 09:31:21.660855 I | raft: aa548f97cfe05a3f received MsgVoteResp from aa548f97cfe05a3f at term 7830
    2020-07-16 09:31:21.660877 I | raft: aa548f97cfe05a3f [logterm: 7109, index: 66329229] sent MsgVote request to 9585571875104827 at term 7830
    2020-07-16 09:31:21.660890 I | raft: aa548f97cfe05a3f [logterm: 7109, index: 66329229] sent MsgVote request to f800f3113703eccb at term 7830
    2020-07-16 09:31:21.664434 I | embed: rejected connection from "" (error "tls: failed to verify client's certificate: x509: certificate has expired or is not yet valid", ServerName "")

    Check the nodes (the AGE column, 365d, matches the one-year certificate lifetime):

    NAME          STATUS   ROLES    AGE    VERSION
    bj-github-1   Ready    master   365d   v1.15.0
    bj-github-2   Ready    master   365d   v1.15.0
    bj-github-3   Ready    master   349d   v1.15.0
    bj-github-4   Ready    master   349d   v1.15.0
    bj-github-5   Ready    master   349d   v1.15.0
    bj-github-6   Ready    master   365d   v1.15.0
    bj-github-7   Ready    master   365d   v1.15.0
    bj-github-8   Ready    master   365d   v1.15.0
    bj-github-9   Ready    master   365d   v1.15.0
    

    Check the old certificate: it has indeed expired.

    There is a similar issue upstream: https://github.com/kubernetes/kubeadm/issues/581

    openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '
                Not Before: Jul 17 08:49:08 2019 GMT
                Not After : Jul 16 08:49:08 2020 GMT
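    The openssl command above inspects one certificate. The script below is an added example (my code, not from the original post) that generalises it to the whole set a kubeadm control plane depends on: every *.crt under the pki directory, etcd's included, plus the client certificates embedded base64-encoded in the kubeconfig files, which kubeadm renews separately and which are easy to forget. It assumes the default kubeadm paths (overridable via PKI_DIR and CONF_DIR) and GNU date/base64; the 30-day warning threshold is my choice.

```shell
#!/bin/sh
# Added example (not from the original post): report the expiry of every
# kubeadm-issued certificate on a control-plane node, both the PEM files
# under the pki directory and the client certs embedded in the kubeconfigs.
# Paths are the kubeadm defaults; override with PKI_DIR / CONF_DIR.
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
CONF_DIR="${CONF_DIR:-/etc/kubernetes}"
WARN_DAYS="${WARN_DAYS:-30}"   # assumed threshold for the WARN tag

# days_left <pem-file>: whole days until Not After (negative once expired)
days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    # GNU date parses openssl's "Jul 16 08:49:08 2020 GMT" directly;
    # BSD/macOS date needs an explicit format, used as a fallback.
    end_epoch=$(date -d "$end" +%s 2>/dev/null \
        || date -j -f "%b %d %H:%M:%S %Y %Z" "$end" +%s)
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# report <label> <pem-file>: one line per certificate, tagged
# EXPIRED / WARN / ok so the output can be grepped from a cron job
report() {
    d=$(days_left "$2")
    if [ "$d" -lt 0 ]; then
        status=EXPIRED
    elif [ "$d" -lt "$WARN_DAYS" ]; then
        status=WARN
    else
        status=ok
    fi
    printf '%-8s %5s days  %s\n' "$status" "$d" "$1"
}

# check_pki_dir <dir>: every *.crt in the directory and its etcd/ subdir
check_pki_dir() {
    for f in "$1"/*.crt "$1"/etcd/*.crt; do
        if [ -f "$f" ]; then report "$f" "$f"; fi
    done
}

# check_kubeconfig <file>: pull the base64 client cert out of the
# kubeconfig and check it like any other PEM file
check_kubeconfig() {
    tmp=$(mktemp)
    grep -m1 'client-certificate-data:' "$1" | awk '{print $2}' | base64 -d > "$tmp"
    if [ -s "$tmp" ]; then
        report "$1 (embedded client cert)" "$tmp"
    fi
    rm -f "$tmp"
}

# Only runs the real check when the kubeadm directories exist, so the
# functions can also be sourced on their own.
if [ -d "$PKI_DIR" ]; then
    check_pki_dir "$PKI_DIR"
    for c in admin.conf controller-manager.conf scheduler.conf kubelet.conf; do
        if [ -f "$CONF_DIR/$c" ]; then check_kubeconfig "$CONF_DIR/$c"; fi
    done
fi
```

    On the cluster from this post the apiserver line would have read EXPIRED with a negative day count on the morning of the failure; run from cron with WARN_DAYS set to the length of your change window, the same script turns a certificate outage into a ticket a month ahead of time.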
    

    Following the procedure from that issue (back up the original certificates, then create new ones), the kubeadm alpha phase certs apiserver command it relies on turns out not to exist here:

    kubeadm alpha phase certs apiserver --apiserver-advertise-address ${MASTER_API_SERVER_IP}
    

    Presumably a kubeadm version difference: the issue's commands date from releases that still had kubeadm alpha phase, which newer kubeadm has dropped (the phases now sit under kubeadm init phase). Walking down the help output one level at a time, there is a certs subcommand:

    kubeadm alpha --help
    Kubeadm experimental sub-commands
    Usage:
      kubeadm alpha [command]
    
    Available Commands:
      certs       Commands related to handling kubernetes certificates
      kubeconfig  Kubeconfig file utilities
      kubelet     Commands related to handling the kubelet
      selfhosting Make a kubeadm cluster self-hosted
    
    kubeadm alpha certs --help
    Commands related to handling kubernetes certificates
    
    Usage:
      kubeadm alpha certs [command]
    
    Aliases:
      certs, certificates
    
    Available Commands:
      certificate-key  Generate certificate keys
      check-expiration Check certificates expiration for a Kubernetes cluster
      renew            Renew certificates for a Kubernetes cluster
    
    kubeadm alpha certs renew --help
    This command is not meant to be run on its own. See list of available subcommands.
    Usage:
      kubeadm alpha certs renew [flags]
      kubeadm alpha certs renew [command]
    Available Commands:
      admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
      all                      Renew all available certificates
      apiserver                Renew the certificate for serving the Kubernetes API
      apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd
      apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
      controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use
      etcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcd
      etcd-peer                Renew the certificate for etcd nodes to communicate with each other
      etcd-server              Renew the certificate for serving etcd
      front-proxy-client       Renew the certificate for the front proxy client
      scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
    

    Running kubeadm alpha certs renew all renews, in one go, every certificate in the list above together with the kubeconfig files that embed one (admin.conf, controller-manager.conf, scheduler.conf). Two things it does not do: it does not renew the CA (which kubeadm issues for ten years), and it does not restart anything. The apiserver, controller-manager, scheduler and etcd static pods keep serving the old certificates until they are restarted, and kubectl keeps failing until the renewed /etc/kubernetes/admin.conf is copied over ~/.kube/config. With several control-plane nodes, as in the node list above, the command has to be run on each of them.

    Verify the new certificate (kubeadm alpha certs check-expiration, from the help above, shows the whole set at once; note that Not Before is copied from the CA's Not Before, so only Not After moves):

    openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '
                Not Before: Jul 17 08:49:08 2019 GMT
                Not After : Jul 16 10:05:36 2021 GMT
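    The steps above (back up, renew, verify) are the ones that were typed by hand. The script below is an added example (my code, not from the original post) of the same sequence on one control-plane node, with the two steps the post only implies filled in: restarting the static pods so they load the renewed certificates, and refreshing the admin kubeconfig kubectl uses. It assumes kubeadm 1.15 semantics as shown in this post (renew all rewrites files and nothing else), the default kubeadm paths, and that the control plane runs as static pods that kubelet restarts when their manifests reappear; the 30-second settle time is an assumption sized for kubelet's default 20-second manifest re-scan. The real run is gated behind RUN_RENEW=1 so that sourcing the file for its functions does nothing.

```shell
#!/bin/sh
# Added example (not from the original post): full certificate renewal on
# one kubeadm 1.15 control-plane node. Run it on every control-plane node.
set -u
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
CONF_DIR="${CONF_DIR:-/etc/kubernetes}"
MANIFEST_DIR="${MANIFEST_DIR:-/etc/kubernetes/manifests}"
SETTLE_SECS="${SETTLE_SECS:-30}"   # assumed; kubelet re-scans manifests every ~20 s

# backup_certs <pki-dir> <conf-dir>: copy the pki tree and the kubeconfigs
# that embed certificates into a timestamped directory; prints its path.
backup_certs() {
    dest="$2.certs-backup-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    cp -a "$1" "$dest/pki"
    for c in admin.conf controller-manager.conf scheduler.conf kubelet.conf; do
        if [ -f "$2/$c" ]; then cp -a "$2/$c" "$dest/"; fi
    done
    echo "$dest"
}

# restart_control_plane <manifest-dir>: apiserver, controller-manager,
# scheduler and etcd are static pods read from this directory. Moving the
# manifests out makes kubelet stop them; moving them back starts fresh
# containers that read the renewed certificates from disk.
restart_control_plane() {
    hold=$(mktemp -d)
    mv "$1"/*.yaml "$hold"/
    sleep "$SETTLE_SECS"
    mv "$hold"/*.yaml "$1"/
    rmdir "$hold"
}

# refresh_admin_kubeconfig <conf-dir>: renew all rewrote admin.conf, but
# kubectl on the node reads ~/.kube/config, which still carries the
# expired client certificate until it is replaced.
refresh_admin_kubeconfig() {
    mkdir -p "$HOME/.kube"
    cp "$1/admin.conf" "$HOME/.kube/config"
}

main() {
    echo "backup written to: $(backup_certs "$PKI_DIR" "$CONF_DIR")"
    kubeadm alpha certs renew all
    restart_control_plane "$MANIFEST_DIR"
    refresh_admin_kubeconfig "$CONF_DIR"
    # same kubeadm build that renewed the certs reports the new expiry dates
    kubeadm alpha certs check-expiration
    kubectl get nodes
}

if [ "${RUN_RENEW:-0}" = "1" ]; then
    main
fi
```

    Invoke it as RUN_RENEW=1 sh renew-certs.sh on each control-plane node in turn, not in parallel: with stacked etcd, moving the manifests out takes that node's etcd member down for the settle period, and the cluster needs the others up to keep quorum.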
    

    end

  • Original URL: https://www.cnblogs.com/zihunqingxin/p/14460107.html