Today, while working with k8s, I ran the following command:
kubectl version
It returned the following:
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.6", GitCommit:"d921bc6d1810da51177fbd0ed61dc811c5228097", GitTreeState:"clean", BuildDate:"2021-10-27T17:50:34Z", GoVersion:"go1.16.9", Compiler:"gc", Platform:"linux/amd64"}
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-09-28T15:24:20+08:00 is after 2023-09-28T07:01:59Z
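This means my certificates have expired. Kubernetes officially provides a ready-made way to renew them; since my k8s cluster was deployed with kubeadm, the steps are as follows:
Reference documentation: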
https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/
Check certificate expiration
kubeadm certs check-expiration
Output:
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Sep 28, 2023 06:59 UTC <invalid> no
apiserver Sep 28, 2023 06:59 UTC <invalid> ca no
apiserver-etcd-client Sep 28, 2023 06:59 UTC <invalid> etcd-ca no
apiserver-kubelet-client Sep 28, 2023 06:59 UTC <invalid> ca no
controller-manager.conf Sep 28, 2023 06:59 UTC <invalid> no
etcd-healthcheck-client Sep 28, 2023 06:59 UTC <invalid> etcd-ca no
etcd-peer Sep 28, 2023 06:59 UTC <invalid> etcd-ca no
etcd-server Sep 28, 2023 06:59 UTC <invalid> etcd-ca no
front-proxy-client Sep 28, 2023 06:59 UTC <invalid> front-proxy-ca no
scheduler.conf Sep 28, 2023 06:59 UTC <invalid> no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Sep 26, 2031 03:48 UTC 7y no
etcd-ca Sep 26, 2031 03:48 UTC 7y no
front-proxy-ca Sep 26, 2031 03:48 UTC 7y no
Judging by the dates, they have indeed expired.
Renew the certificates
kubeadm certs renew all
k8s then automatically renews the certificates on the master node. The end of the output is:
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
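This means that after renewing the certificates, we must restart these k8s components for the change to take effect.
Note: if the master nodes communicate through a forwarding virtual IP, check on every master node that the certificates were actually renewed.
Restart the components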
kubectl delete pod -n kube-system -l component=etcd
kubectl delete pod -n kube-system -l component=kube-scheduler
kubectl delete pod -n kube-system -l component=kube-controller-manager
kubectl delete pod -n kube-system -l component=kube-apiserver
Check the certificates
kubeadm certs check-expiration
The expiration times now show the renewed dates:
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Sep 28, 2023 05:32 UTC <invalid> no
apiserver Jul 10, 2024 17:51 UTC 286d ca no
apiserver-etcd-client Jul 10, 2024 17:51 UTC 286d etcd-ca no
apiserver-kubelet-client Jul 10, 2024 17:51 UTC 286d ca no
controller-manager.conf Jul 10, 2024 17:51 UTC 286d no
etcd-healthcheck-client Jul 10, 2024 17:51 UTC 286d etcd-ca no
etcd-peer Jul 10, 2024 17:51 UTC 286d etcd-ca no
etcd-server Jul 10, 2024 17:51 UTC 286d etcd-ca no
front-proxy-client Jul 10, 2024 17:51 UTC 286d front-proxy-ca no
scheduler.conf Jul 10, 2024 17:51 UTC 286d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Sep 26, 2031 03:48 UTC 7y no
etcd-ca Sep 26, 2031 03:48 UTC 7y no
front-proxy-ca Sep 26, 2031 03:48 UTC 7y no
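For the per-node check mentioned in the note above, the following added example (not part of the original post) filters `kubeadm certs check-expiration` output and prints only entries that are expired or below a day threshold; on the post-renewal output above it reports the admin.conf entry that still shows <invalid>. The function name flag_expiring and the SAMPLE variable are assumptions of this example, and SAMPLE is an abridged copy of the output above.

```shell
#!/bin/sh
# Added example, not from the original post.
# flag_expiring [MIN_DAYS]
#   Reads `kubeadm certs check-expiration` output on stdin and prints
#   "<name> <residual>" for every certificate or CA that is expired or has
#   fewer than MIN_DAYS days left (default 30).
flag_expiring() {
    awk -v min_days="${1:-30}" '
        # Data rows have "UTC" as the 6th field; headers and blanks do not.
        $6 != "UTC" { next }
        {
            r = $7                                   # RESIDUAL TIME column
            if (r == "<invalid>") { print $1, "EXPIRED"; next }
            n = r + 0                                # numeric prefix, e.g. 286 from 286d
            unit = substr(r, length(r))              # y, d, h, m or s
            if (unit == "y")      days = n * 365
            else if (unit == "d") days = n
            else                  days = 0           # under one day remaining
            if (days < min_days) print $1, r
        }'
}

# Sample input: abridged from the post-renewal output shown above.
SAMPLE='CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Sep 28, 2023 05:32 UTC <invalid> no
apiserver Jul 10, 2024 17:51 UTC 286d ca no
scheduler.conf Jul 10, 2024 17:51 UTC 286d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Sep 26, 2031 03:48 UTC 7y no'

# Demo run on the sample; on a real node use:
#   kubeadm certs check-expiration | flag_expiring 30
printf '%s\n' "$SAMPLE" | flag_expiring 30
```

Run it on each master node after the renewal; empty output means nothing is expired or under the threshold.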