Kubernetes v1.13.0 Certificate Renewal Explained
Published: 2021-05-09 04:23:14  Views: 16  Category: Blog posts


Check certificate validity periods

# Check the validity period of the api-server certificate
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout | grep Not

# Check the validity period of every certificate under /etc/kubernetes/pki
for tls in `find /etc/kubernetes/pki -maxdepth 2 -name "*.crt"`; \
do echo ===============$tls===============; \
openssl x509 -in $tls -text| grep Not; \
done

===============/etc/kubernetes/pki/front-proxy-ca.crt===============
            Not Before: Aug  7 06:10:58 2020 GMT
            Not After : Aug  5 06:10:58 2030 GMT
===============/etc/kubernetes/pki/etcd/server.crt===============
            Not Before: Aug  7 06:10:57 2020 GMT
            Not After : Mar 10 02:49:33 2022 GMT
===============/etc/kubernetes/pki/etcd/healthcheck-client.crt===============
            Not Before: Aug  7 06:10:57 2020 GMT
            Not After : Mar 10 02:49:33 2022 GMT
===============/etc/kubernetes/pki/etcd/ca.crt===============
            Not Before: Aug  7 06:10:57 2020 GMT
            Not After : Aug  5 06:10:57 2030 GMT
===============/etc/kubernetes/pki/etcd/peer.crt===============
            Not Before: Aug  7 06:10:57 2020 GMT
            Not After : Mar 10 02:49:34 2022 GMT
===============/etc/kubernetes/pki/apiserver-etcd-client.crt===============
            Not Before: Aug  7 06:10:57 2020 GMT
            Not After : Mar 10 02:49:34 2022 GMT
===============/etc/kubernetes/pki/ca.crt===============
            Not Before: Aug  7 06:10:58 2020 GMT
            Not After : Aug  5 06:10:58 2030 GMT
===============/etc/kubernetes/pki/apiserver-kubelet-client.crt===============
            Not Before: Aug  7 06:10:58 2020 GMT
            Not After : Mar 10 02:49:35 2022 GMT
===============/etc/kubernetes/pki/front-proxy-client.crt===============
            Not Before: Aug  7 06:10:58 2020 GMT
            Not After : Mar 10 02:49:33 2022 GMT
===============/etc/kubernetes/pki/apiserver.crt===============
            Not Before: Aug  7 06:10:58 2020 GMT
            Not After : Mar 10 02:49:34 2022 GMT
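Reading the loop output by eye works for one cluster, but the same check is easier to schedule if the output is parsed and turned into "days remaining" per certificate. The script below is an added example, not code from the original post: it parses text in exactly the shape the for-loop above prints (the sample is constructed from the post's own listing), computes the days left relative to a reference date (assumed here; normally `datetime.now(timezone.utc)`), and flags certificates that are expired or inside a warning window. It also separates the CA files from the leaf certificates, because `kubeadm alpha certs renew all` (step 3 below) renews only the leaf certificates; the function names are mine. The same parser can be pointed at the single-certificate `openssl x509 ... | grep Not` output used to re-check `apiserver.crt` after renewal.

```python
"""Evaluate certificate expiry from the output of the listing loop above.

Added example, not code from the original post. SAMPLE_OUTPUT is constructed
to match the shape the post's for-loop prints (paths and dates copied from
its listing); the reference date handed to days_left() is an assumed "today".
"""
import re
from datetime import datetime, timezone

# Constructed sample: what the for-loop over /etc/kubernetes/pki prints.
SAMPLE_OUTPUT = """\
===============/etc/kubernetes/pki/front-proxy-ca.crt===============
            Not Before: Aug  7 06:10:58 2020 GMT
            Not After : Aug  5 06:10:58 2030 GMT
===============/etc/kubernetes/pki/etcd/server.crt===============
            Not Before: Aug  7 06:10:57 2020 GMT
            Not After : Mar 10 02:49:33 2022 GMT
===============/etc/kubernetes/pki/ca.crt===============
            Not Before: Aug  7 06:10:58 2020 GMT
            Not After : Aug  5 06:10:58 2030 GMT
===============/etc/kubernetes/pki/apiserver.crt===============
            Not Before: Aug  7 06:10:58 2020 GMT
            Not After : Mar 10 02:49:34 2022 GMT
"""

HEADER_RE = re.compile(r"^=+(?P<path>/\S+?)=+$")
VALIDITY_RE = re.compile(r"^\s*Not (?P<which>Before|After)\s*:\s*(?P<ts>.+?)\s*$")
OPENSSL_TIME = "%b %d %H:%M:%S %Y %Z"  # e.g. "Mar 10 02:49:33 2022 GMT"


def parse_openssl_time(ts):
    """Parse an openssl 'Not Before/After' timestamp into an aware UTC datetime."""
    ts = re.sub(r"\s+", " ", ts)  # openssl pads single-digit days: "Aug  7"
    return datetime.strptime(ts, OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_listing(text):
    """Return {cert_path: (not_before, not_after)} from the loop's output."""
    certs, current = {}, None
    for line in text.splitlines():
        header = HEADER_RE.match(line.strip())
        if header:
            current = header.group("path")
            certs[current] = [None, None]
            continue
        validity = VALIDITY_RE.match(line)
        if validity and current:
            slot = 0 if validity.group("which") == "Before" else 1
            certs[current][slot] = parse_openssl_time(validity.group("ts"))
    return {path: tuple(bounds) for path, bounds in certs.items()}


def is_ca(path):
    """kubeadm names its CA files ca.crt, front-proxy-ca.crt and etcd/ca.crt.
    'kubeadm alpha certs renew all' renews the leaf certificates only, so a
    CA nearing expiry needs a separate CA rotation, not the procedure below."""
    return path.endswith("ca.crt")


def days_left(certs, now, warn_days=30):
    """Return [(path, days_remaining, status)] sorted most urgent first.
    status is EXPIRED (past Not After), EXPIRING (within warn_days) or OK."""
    rows = []
    for path, (_, not_after) in certs.items():
        if not_after is None:  # listing had no 'Not After' line for this file
            continue
        remaining = (not_after - now).days
        if remaining < 0:
            status = "EXPIRED"
        elif remaining <= warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        rows.append((path, remaining, status))
    rows.sort(key=lambda row: row[1])
    return rows


if __name__ == "__main__":
    reference = datetime(2022, 2, 20, tzinfo=timezone.utc)  # assumed "today"
    for path, days, status in days_left(parse_listing(SAMPLE_OUTPUT), reference):
        kind = "CA  " if is_ca(path) else "leaf"
        print(f"{status:8} {kind} {days:5d}d  {path}")
```

Run on a real master with `bash list-certs.sh | python3 check_expiry.py`-style piping after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`, and feed the result to whatever alerting you already have; the one-year leaf lifetime kubeadm issues means the EXPIRING window is the signal to schedule the renewal below before the api-server stops accepting its own clients.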

 


#################  master ###################

1. Back up the existing configuration

cp -r /etc/kubernetes  /etc/kubernetes_old

2. Obtain the cluster configuration

# Certificate about to expire (not yet expired): the cluster configuration can be read straight from the cluster
kubeadm config view > kubeadm.yaml

# Certificate already expired: the cluster configuration must be written by hand
vim kubeadm.yaml
# contents of kubeadm.yaml:
apiVersion: kubeadm.k8s.io/v1beta1
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.13.0

3. Renew all certificates

# Renew all certificates according to the config file
kubeadm alpha certs renew all --config kubeadm.yaml

# Check the certificate validity period again
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '

4. Regenerate the cluster configuration files

# Delete the existing kubeconfig files (already backed up, so nothing to worry about)
rm -rf /etc/kubernetes/*.conf

# Regenerate all kubeconfig files according to the config file
kubeadm init phase kubeconfig all --config kubeadm.yaml

# Update the kubectl config and set its ownership
\cp /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config

5. Restart the core component containers

docker ps |grep -E 'kube-apiserver|kube-controller-manager|kube-scheduler|etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart

# Check that all services are healthy
kubectl get pod --all-namespaces

 

 


#################  node  ###################

1. Back up the kubelet configuration

cp /etc/kubernetes/kubelet.conf  /etc/kubernetes/kubelet.conf_bak

2. Regenerate the kubelet configuration

# Regenerate the node's kubelet kubeconfig (run on the master)
kubeadm init phase kubeconfig kubelet --node-name <node-name> --kubeconfig-dir /tmp/ --apiserver-advertise-address <cluster-vip>

# Copy the new kubelet config to the node
scp /tmp/kubelet.conf root@192.168.73.130:/etc/kubernetes/

# Restart the kubelet on the node
systemctl restart kubelet

 

 


Hands-on log (below, certificate expiry is simulated by changing the system time)

[root@192 k8s]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '
            Not Before: Apr 12 07:01:12 2021 GMT
            Not After : Apr 12 07:01:12 2022 GMT
[root@192 k8s]#
[root@192 k8s]# date -s "2022-3-12"
Sat Mar 12 00:00:00 PST 2022
[root@192 k8s]# kubectl get pod --all-namespaces
NAMESPACE       NAME                                        READY   STATUS    RESTARTS   AGE
ingress-nginx   nginx-ingress-controller-77b474c665-lh8tt   1/1     Running   0          334d
kube-system     coredns-86c58d9df4-7bq94                    1/1     Running   0          334d
kube-system     coredns-86c58d9df4-dm6jb                    1/1     Running   0          334d
kube-system     etcd-192.168.73.129                         1/1     Running   0          334d
kube-system     heapster-7856548f99-2l8fp                   1/1     Running   0          334d
kube-system     kube-apiserver-192.168.73.129               1/1     Running   0          334d
kube-system     kube-controller-manager-192.168.73.129      1/1     Running   0          334d
kube-system     kube-flannel-ds-amd64-qcmbq                 1/1     Running   0          334d
kube-system     kube-proxy-kh7xn                            1/1     Running   0          334d
kube-system     kube-scheduler-192.168.73.129               1/1     Running   0          334d
kube-system     nvidia-device-plugin-daemonset-6xzxj        1/1     Running   0          334d
[root@192 k8s]#
[root@192 k8s]# cd /etc/kubernetes
[root@192 kubernetes]# ls
admin.conf  controller-manager.conf  kubeadm.yaml  kubelet.conf  manifests  pki  scheduler.conf
[root@192 kubernetes]# kubeadm config view > kubeadm.yaml
[root@192 kubernetes]# kubeadm alpha certs renew all --config kubeadm.yaml
[root@192 kubernetes]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '
            Not Before: Apr 12 07:01:12 2021 GMT
            Not After : Mar 12 08:00:22 2023 GMT
[root@192 kubernetes]# rm -rf /etc/kubernetes/*.conf
[root@192 kubernetes]# kubeadm init phase kubeconfig all --config kubeadm.yaml
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[root@192 kubernetes]# \cp /etc/kubernetes/admin.conf $HOME/.kube/config
[root@192 kubernetes]# chown $(id -u):$(id -g) $HOME/.kube/config
[root@192 kubernetes]# docker ps |grep -E 'kube-apiserver|kube-controller-manager|kube-scheduler|etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart
b53d7fb8e1db
c7b6ae222bc1
15707e4219d9
110e23ea3b00
d3f29c8e72be
518d4399e197
4793e86b83ad
[root@192 kubernetes]# date -s "2023-2-12"
Sun Feb 12 00:00:00 PST 2023
[root@192 kubernetes]# kubectl get pod --all-namespaces
NAMESPACE       NAME                                        READY   STATUS    RESTARTS   AGE
ingress-nginx   nginx-ingress-controller-77b474c665-lh8tt   1/1     Running   0          671d
kube-system     coredns-86c58d9df4-7bq94                    1/1     Running   0          671d
kube-system     coredns-86c58d9df4-dm6jb                    1/1     Running   0          671d
kube-system     etcd-192.168.73.129                         1/1     Running   0          671d
kube-system     heapster-7856548f99-2l8fp                   1/1     Running   0          671d
kube-system     kube-apiserver-192.168.73.129               1/1     Running   0          671d
kube-system     kube-controller-manager-192.168.73.129      1/1     Running   0          671d
kube-system     kube-flannel-ds-amd64-qcmbq                 1/1     Running   0          671d
kube-system     kube-proxy-kh7xn                            1/1     Running   0          671d
kube-system     kube-scheduler-192.168.73.129               1/1     Running   0          671d
kube-system     nvidia-device-plugin-daemonset-6xzxj        1/1     Running   0          671d

 
