赞
踩
参考:使用 kubeadm 进行证书管理 | Kubernetes
我是整个/etc/kubernets拷贝覆盖其他主节点。先做好备份。
同时重启下服务kubelet和下面4个kube-apiserver|kube-controller-manager|kube-scheduler|etcd
都重启下。docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | xargs docker restart
cd /etc/kubernetes/pki && openssl x509 -in apiserver.crt -text -noout
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep Not
确认证书是否过期
docker 18.09.7
现象:
kubectl get ns
The connection to the server x.x.x.x:6443 was refused - did you specify the right host or port?
1.以为拷贝到家目录的config失效,又重新拷贝了一份cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
,没用
2. 查看tail -f /var/log/syslog
3. 查看kubelet日志journalctl -xeu kubelet
结果Part of the existing bootstrap client certificate is expired
处理:
- cd /etc/kubernetes/pki/
- mv {apiserver.crt,apiserver-etcd-client.key,apiserver-kubelet-client.crt,front-proxy-ca.crt,front-proxy-client.crt,front-proxy-client.key,front-proxy-ca.key,apiserver-kubelet-client.key,apiserver.key,apiserver-etcd-client.crt} ~/
- kubeadm init phase certs all ?????
- cd /etc/kubernetes/
- mv {admin.conf,controller-manager.conf,kubelet.conf,scheduler.conf} ~/
- kubeadm init phase kubeconfig all
- #重启kube-apiserver,kube-controller-manager ,kube-scheduler,etcd这4个容器
- docker ps | grep -v pause |grep -E 'kube-apiserver|kube-controller-manager|kube-scheduler'
- docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | xargs docker restart
- cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
使用 kubeadm 进行证书管理
使用 kubeadm 进行证书管理 | Kubernetes
kubeadm alpha certs check-expiration
检查证书是否过期kubeadm alpha certs renew
命令手动更新证书kubeadm alpha certs renew all
kubeadm certs check-expiration
检查证书是否过期kubeadm certs renew
未经验证kubeadm certs renew all
未经验证
做好备份,注意观察kubelet的状态(可以用docker restart kube-api等)
小坑:kubeadm alpha certs renew
并不会更新kubelet证书(kubelet.conf文件里面写的客户端证书),因为kubelet证书是默认开启自动更新的
但是在执行kubeadm init
的master节点的kubelet.conf文件里面的证书是以base64编码写死在conf文件的(和controller-manager.conf一样),在用kubeadm命令更新master证书时需要手动将kubelet.conf文件的client-certificate-data
和client-key-data
改为:
- client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
- client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
v1.17
版得到了解决[https://github.com/kubernetes/kubeadm/issues/1753]kubectl get ns
如果原证书已过期,则此时会报错
[root@FAT-K8S-M1 kubernetes]# kubectl get poderror: You must be logged in to the server (Unauthorized)
使用新授权文件即可
cp /etc/kubernetes/admin.conf ~/.kube/config
- #重启kube-apiserver,kube-controller-manager ,kube-scheduler,etcd这4个容器
- docker ps | grep -v pause |grep -E 'kube-apiserver|kube-controller-manager|kube-scheduler|etcd'
- docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | xargs docker restart
- 查看`tail -f /var/log/syslog`
- 查看kubelet日志`journalctl -xeu kubelet`
在升级1.15的集群证书,查看kubelet状态,报错没有bootstrap-kubelet.conf,从从节点拷贝的,1.15集群在建立的时候主节点就没有这个文件(从其他1.15集群看的。)
这个命令用 CA (或者 front-proxy-CA )证书和存储在 /etc/kubernetes/pki 中的密钥执行更新。
如果您运行了一个 HA 集群,这个命令需要在所有控制面板节点上执行。
移动证书和配置【注意!必须移动,不然会使用现有的证书,不会重新生成】
- cd /etc/kubernetes
- mkdir ./pki_bak
- mkdir ./pki_bak/etcd
- mkdir ./conf_bak
- mv pki/apiserver* ./pki_bak/
- mv pki/front-proxy-client.* ./pki_bak/
- mv pki/etcd/healthcheck-client.* ./pki_bak/etcd/
- mv pki/etcd/peer.* ./pki_bak/etcd/
- mv pki/etcd/server.* ./pki_bak/etcd/
- mv ./admin.conf ./conf_bak/
- mv ./kubelet.conf ./conf_bak/
- mv ./controller-manager.conf ./conf_bak/
- mv ./scheduler.conf ./conf_bak/
创建证书kubeadm alpha phase certs all --apiserver-advertise-address=${MASTER_API_SERVER_IP} --apiserver-cert-extra-sans=主机内网ip,主机公网ip
运行如上命令会重新生成以下证书
- #-- /etc/kubernetes/pki/apiserver.key
- #-- /etc/kubernetes/pki/apiserver.crt
-
- #-- /etc/kubernetes/pki/apiserver-etcd-client.key
- #-- /etc/kubernetes/pki/apiserver-etcd-client.crt
-
- #-- /etc/kubernetes/pki/apiserver-kubelet-client.key
- #-- /etc/kubernetes/pki/apiserver-kubelet-client.crt
-
- #-- /etc/kubernetes/pki/front-proxy-client.key
- #-- /etc/kubernetes/pki/front-proxy-client.crt
-
- #-- /etc/kubernetes/pki/etcd/healthcheck-client.key
- #-- /etc/kubernetes/pki/etcd/healthcheck-client.crt
-
- #-- /etc/kubernetes/pki/etcd/peer.key
- #-- /etc/kubernetes/pki/etcd/peer.crt
-
- #-- /etc/kubernetes/pki/etcd/server.key
- #-- /etc/kubernetes/pki/etcd/server.crt
不移动证书会有如下提示
- #[certificates] Using the existing apiserver certificate and key.
- #[certificates] Using the existing apiserver-kubelet-client certificate and key.
- #[certificates] Using the existing front-proxy-client certificate and key.
- #[certificates] Using the existing etcd/server certificate and key.
- #[certificates] Using the existing etcd/peer certificate and key.
- #[certificates] Using the existing etcd/healthcheck-client certificate and key.
- #[certificates] Using the existing apiserver-etcd-client certificate and key.
- #[certificates] valid certificates and keys now exist in "/etc/kubernetes/pki"
- #[certificates] Using the existing sa key.
生成新配置文件kubeadm alpha phase kubeconfig all --apiserver-advertise-address=${MASTER_API_SERVER_IP}
将新生成的admin配置文件覆盖掉原本的admin文件
- mv $HOME/.kube/config $HOME/.kube/config.old
- cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
- chown $(id -u):$(id -g) $HOME/.kube/config
- sudo chmod 777 $HOME/.kube/config
完成后重启kube-apiserver,kube-controller,kube-scheduler,etcd这4个容器
如果有多台master,则将第一台生成的相关证书拷贝到其余master即可。
renew all
必须分别执行下面三个命令- kubeadm alpha phase certs renew apiserver
- kubeadm alpha phase certs renew apiserver-kubelet-client
- kubeadm alpha phase certs renew front-proxy-client
rm -rf admin.conf controller-manager.conf kubelet.conf scheduler.conf
kubeadm alpha phase kubeconfig all --apiserver-advertise-address=${MASTER_API_SERVER_IP}
cp -av /etc/kubernetes/admin.conf /root/.kube/config
docker ps | grep -E 'kube-apiserver|kube-controller-manager|kube-scheduler'
Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。