本文主要是介绍Kubernetes kubeadm 证书到期,更新证书,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
1.环境说明
lient Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.6", GitCommit:"fbf646b339dc52336b55d8ec85c181981b86331a", GitTreeState:"clean", BuildDate:"2020-12-18T12:09:30Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.6", GitCommit:"fbf646b339dc52336b55d8ec85c181981b86331a", GitTreeState:"clean", BuildDate:"2020-12-18T12:01:36Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}[root@k8s-master ~]# docker --version
Docker version 23.0.1, build a5ee5b1k8s 单机版
2.问题复现
2024年春节回来时,发现家里服务器挂了,平时重启完docker和k8s都能正常启动,可是这次不行了,重启完,用docker ps,如下查看,发现k8s apiserver没有启动,
接着用 docker ps -a |grep api 查到apiserver的 容器id
再用docker logs 容器id 查找日志,发现k8s 证书过期了!
验证证书是否过期:
#查询api证书过期时间
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep 'Not'
#查询etcd证书过期时间
openssl x509 -in /etc/kubernetes/pki/etcd/healthcheck-client.crt -noout -text |grep ' Not '
通过以上命令发现都过期了,所以它们启动不了的原因是因为证书过期了。
3.问题处理
#续证书
kubeadm alpha certs renew all#可以用如下命令查看证书是否续成功
kubeadm alpha certs check-expiration
[root@k8s-master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Feb 18, 2025 15:07 UTC 364d no
apiserver Feb 18, 2025 15:07 UTC 364d ca no
apiserver-etcd-client Feb 18, 2025 15:07 UTC 364d etcd-ca no
apiserver-kubelet-client Feb 18, 2025 15:07 UTC 364d ca no
controller-manager.conf Feb 18, 2025 15:07 UTC 364d no
etcd-healthcheck-client Feb 18, 2025 15:07 UTC 364d etcd-ca no
etcd-peer Feb 18, 2025 15:07 UTC 364d etcd-ca no
etcd-server Feb 18, 2025 15:07 UTC 364d etcd-ca no
front-proxy-client Feb 18, 2025 15:07 UTC 364d front-proxy-ca no
scheduler.conf Feb 18, 2025 15:07 UTC 364d no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Feb 09, 2033 11:29 UTC 8y no
etcd-ca Feb 09, 2033 11:29 UTC 8y no
front-proxy-ca Feb 09, 2033 11:29 UTC 8y no
重启各组件(重启机器 reboot,我这边因为apiserver组件没有启动成功所发采用重启机器的方式)
更新之后还出现如下问题:
[root@k8s-master ~]# kubectl get pods
error: You must be logged in to the server (Unauthorized)
解决:
$ cd ~/.kube# Archive the old config file containing the out of date certificates
$ mv config conf.archive.2021# Copy the new configuration file created using kubeadm
$ cp /etc/kubernetes/admin.conf config# apply permissions to your current admin user and group
$ sudo chown $(id -u):$(id -g) config
4.参考
Kubernetes kubeadm 证书到期,更新证书
这篇关于Kubernetes kubeadm 证书到期,更新证书的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
