Introduction
As everyone knows, to encourage people to upgrade their clusters, k8s limits certificates to a one-year validity period. But since this is a production environment, presumably nobody is going to upgrade the cluster just for the sake of it, so the certificates have to be renewed by hand.
Official documentation
For the official version, see below
https://kubernetes.io/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/
Procedure
First confirm that your kube-controller-manager has the following two parameters; add them if they are missing
vim /etc/kubernetes/manifests/kube-controller-manager.yaml
--cluster-signing-cert-file
--cluster-signing-key-file
Because my cluster was set up with kubespray, kubeadm can be used. First, log in to one control-plane node and look at its certificate expiration times
[root@node2 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
W0827 17:15:02.872064 97443 utils.go:26] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Aug 21, 2021 10:08 UTC 359d no
apiserver Aug 21, 2021 10:06 UTC 359d ca no
apiserver-kubelet-client Aug 21, 2021 10:06 UTC 359d ca no
controller-manager.conf Aug 21, 2021 10:08 UTC 359d no
front-proxy-client Aug 21, 2021 10:06 UTC 359d front-proxy-ca no
scheduler.conf Aug 21, 2021 10:08 UTC 359d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Aug 19, 2030 10:06 UTC 9y no
front-proxy-ca Aug 19, 2030 10:06 UTC 9y no
You can see the RESIDUAL TIME is 359d. Next, we renew the certificates using the Kubernetes certificates API
Create the signing requests
kubeadm alpha certs renew admin.conf --use-api &
kubeadm alpha certs renew apiserver --use-api &
kubeadm alpha certs renew apiserver-kubelet-client --use-api &
kubeadm alpha certs renew controller-manager.conf --use-api &
kubeadm alpha certs renew front-proxy-client --use-api &
kubeadm alpha certs renew scheduler.conf --use-api &
List the signing requests
kubectl get csr |grep Pending
Approve the signing requests
kubectl certificate approve kubeadm-cert-front-proxy-client-qd52x
kubectl certificate approve kubeadm-cert-kube-apiserver-d6t2l
kubectl certificate approve kubeadm-cert-kube-apiserver-kubelet-client-nq7dp
kubectl certificate approve kubeadm-cert-kubernetes-admin-tjpc6
kubectl certificate approve kubeadm-cert-system:kube-controller-manager-s6pk4
kubectl certificate approve kubeadm-cert-system:kube-scheduler-2t5xs
Then check the certificate expiration times again
[root@node2 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
W0827 17:21:22.300640 100767 utils.go:26] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Aug 27, 2021 09:15 UTC 364d no
apiserver Aug 27, 2021 09:15 UTC 364d ca no
apiserver-kubelet-client Aug 27, 2021 09:15 UTC 364d ca no
controller-manager.conf Aug 27, 2021 09:15 UTC 364d no
front-proxy-client Aug 27, 2021 09:15 UTC 364d front-proxy-ca no
scheduler.conf Aug 27, 2021 09:15 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Aug 19, 2030 10:06 UTC 9y no
front-proxy-ca Aug 19, 2030 10:06 UTC 9y no
Then go to each of the other control-plane nodes and renew the certificates the same way
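The renew, list, approve and verify steps above can be scripted so that only the CSRs kubeadm itself submitted get approved, never some unrelated Pending CSR that happens to be in the queue. This is an added example and not code from the original post; the CSR listing it filters offline is a constructed sample, and the prefix kubeadm-cert- is taken from the CSR names shown above.

```shell
#!/bin/sh
# Added example, not code from the original post: automates the renew -> list ->
# approve -> verify loop above, approving only the CSRs kubeadm itself submitted
# (their names carry the kubeadm-cert- prefix seen in the post's output).
set -eu

CSR_PREFIX="kubeadm-cert-"
CERTS="admin.conf apiserver apiserver-kubelet-client controller-manager.conf front-proxy-client scheduler.conf"

# Read `kubectl get csr` output on stdin and print the names of Pending CSRs whose
# name starts with the kubeadm prefix. Only the first and last columns are inspected,
# so it works whether or not the SIGNERNAME column is present.
pending_kubeadm_csrs() {
    awk -v prefix="$CSR_PREFIX" 'NR > 1 && index($1, prefix) == 1 && $NF == "Pending" { print $1 }'
}

# Constructed sample of `kubectl get csr` output (not captured from a real cluster), used
# to exercise the filter offline: one kubeadm CSR still pending, one foreign pending CSR
# that must NOT be approved, and one kubeadm CSR that was already handled.
SAMPLE_CSR_LIST='NAME                                  AGE   REQUESTOR          CONDITION
kubeadm-cert-kube-apiserver-d6t2l     10s   kubernetes-admin   Pending
csr-7xk2p                             5m    system:node:node3  Pending
kubeadm-cert-kubernetes-admin-tjpc6   12s   kubernetes-admin   Approved,Issued'

demo_filter() {
    printf '%s\n' "$SAMPLE_CSR_LIST" | pending_kubeadm_csrs
}

# Start all renewals in the background (each one blocks until its CSR is approved).
renew_all() {
    for c in $CERTS; do
        kubeadm alpha certs renew "$c" --use-api &
    done
}

# Approve every pending kubeadm CSR; anything else left Pending is deliberately skipped.
approve_pending() {
    kubectl get csr | pending_kubeadm_csrs | while read -r name; do
        kubectl certificate approve "$name"
    done
}

# Cluster-touching part, only run as `sh renew-certs.sh run` on a control-plane node.
if [ "${1:-}" = "run" ]; then
    renew_all
    sleep 5                          # give kubeadm a moment to submit the CSRs
    approve_pending
    wait                             # renew processes exit once their CSRs are approved
    kubeadm alpha certs check-expiration
fi
```

Without the `run` argument the script only defines the functions and the offline sample, so it can be sourced and checked before being pointed at a real cluster.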
Feel free to follow my blog at www.bboy.app
Have Fun