k8s certificate renewal
Master node
Back up the files first
cp -r /etc/kubernetes/ /etc/kubernetes-20211021-bak
tar -cvzf kubernetes-20211021-bak.tar.gz /etc/kubernetes-20211021-bak/
cp -r ~/.kube/ ~/.kube-20211021-bak
tar -cvzf kube-20211021-bak.tar.gz ~/.kube-20211021-bak
cp -r /var/lib/kubelet/ /var/lib/kubelet-20211021-bak
tar -cvzf kubelet-20211021-bak.tar.gz /var/lib/kubelet-20211021-bak
Generate the kubeadm config file
kubeadm config view > kubeadm.yaml
This reads the kubeadm-config ConfigMap from kube-system, so it only works while the API server still accepts your admin credentials; on kubeadm 1.22 and later the subcommand has been removed and the same data has to be read from that ConfigMap with kubectl. Example config generated on the test k8s environment:
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: 10.160.11.121:6443
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.18.18
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}
The production k8s cluster could no longer be accessed (the expired client certificates are rejected, so kubeadm config view fails), so the production config was reconstructed from internet references:
apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
kubernetesVersion: v1.16.0
controlPlaneEndpoint: 10.100.31.250:8443
apiServer:
  certSANs:
  - 10.100.31.110
  - 10.100.31.130
  - 10.100.31.133
  - 10.100.31.250
networking:
  # This CIDR is a Calico default. Substitute or remove for your CNI provider.
  podSubnet: 10.244.0.0/16
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs
Note that the production k8s version differs from the test environment version, so the config file must match the version actually installed. Because kubeadm rebuilds the renewed certificates from this config, a reconstructed config must also list every name and IP the clients use (controlPlaneEndpoint, the VIP, each master IP and hostname) under certSANs; compare the Subject Alternative Name extension of the backed-up apiserver.crt with the config before renewing, otherwise clients connecting through a missing SAN will fail TLS verification after the renewal.
Start renewing the certificates
kubeadm alpha certs renew all --config=kubeadm.yaml
On kubeadm 1.20 and later the command is kubeadm certs renew all (the alpha prefix was dropped). "all" renews the apiserver, front-proxy and local etcd certificates plus the client certificates embedded in admin.conf, controller-manager.conf and scheduler.conf; it does not touch kubelet.conf, which kubelet rotates on its own. Confirm the new validity window:
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep 'Not'
Regenerate the kubeconfig files
kubeadm init phase kubeconfig all --config kubeadm.yaml
kubeadm keeps an existing kubeconfig file that it considers valid and only writes missing ones, so check the expiry of the client certificate embedded in each /etc/kubernetes/*.conf afterwards and move a stale file aside before re-running the phase if it was not refreshed.
Update the .kube config
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
Restart the four containers kube-apiserver, kube-controller-manager, kube-scheduler and etcd (they are static pods, so restarting the containers makes them reload the renewed certificates; "grep -v pause" skips the sandbox containers). Check the container list first: the pattern "controller" also matches any other container with that word in its name running on the master, such as an ingress controller. On a containerd runtime use crictl instead of docker.
docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash
Restart kubelet
systemctl restart kubelet
With multiple master nodes, repeat all of the above steps on each master.
Other
Check the certificate expiry date (example for the etcd server certificate; run the same command against the other files under /etc/kubernetes/pki)
openssl x509 -in /etc/kubernetes/pki/etcd/server.crt -noout -text | grep ' Not '
kubeadm can also list every certificate at once: kubeadm alpha certs check-expiration (kubeadm certs check-expiration from 1.20 on).
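The single openssl command above checks one file at a time and says nothing about the client certificates embedded in admin.conf, controller-manager.conf and scheduler.conf, which also expire and which the renewal step above is supposed to refresh. The script below is an added example (not from the original page) that walks the whole kubeadm PKI directory and the kubeconfig files and reports which certificates expire within WARN_DAYS, using openssl's -checkend so it does not depend on date parsing. It assumes the default kubeadm layout under /etc/kubernetes (overridable through the PKI_DIR, CONF_DIR and WARN_DAYS environment variables) and a kubeconfig that stores the client certificate either inline (client-certificate-data) or as a file path (client-certificate, as kubelet.conf does); the exit status is the number of expiring certificates, so it can be run before and after the renewal procedure on each master.

```shell
#!/bin/sh
# Added example, not part of the original page: report every kubeadm certificate
# (PKI files plus the client certs embedded in the kubeconfig files) that expires
# within WARN_DAYS. Assumed layout: kubeadm defaults under /etc/kubernetes.
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
CONF_DIR="${CONF_DIR:-/etc/kubernetes}"
WARN_DAYS="${WARN_DAYS:-30}"

# cert_not_after FILE: print the notAfter date of the PEM certificate in FILE.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_expires_within FILE DAYS: succeed (0) if the certificate expires within DAYS.
# openssl -checkend exits 0 when the cert is still valid after that many seconds,
# so the result is inverted here.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# kubeconfig_client_cert KUBECONFIG: write the user's client certificate (PEM) to stdout.
# Handles inline client-certificate-data and a client-certificate: path (kubelet.conf
# usually points at /var/lib/kubelet/pki/kubelet-client-current.pem).
kubeconfig_client_cert() {
    data=$(awk '/client-certificate-data:/ {print $2; exit}' "$1")
    if [ -n "$data" ]; then
        printf '%s' "$data" | base64 -d
        return 0
    fi
    path=$(awk '/client-certificate:/ {print $2; exit}' "$1")
    [ -n "$path" ] && cat "$path"
}

# report_cert FILE LABEL: print one status line; exit 1 if the certificate is expiring.
report_cert() {
    if cert_expires_within "$1" "$WARN_DAYS"; then
        echo "EXPIRING  $2  (notAfter=$(cert_not_after "$1"))"
        return 1
    fi
    echo "OK        $2  (notAfter=$(cert_not_after "$1"))"
    return 0
}

# check_all: walk the PKI directory (including etcd/) and the kubeconfig files.
# The exit status is the number of certificates expiring within WARN_DAYS.
check_all() {
    expiring=0
    for f in "$PKI_DIR"/*.crt "$PKI_DIR"/etcd/*.crt; do
        [ -f "$f" ] || continue
        report_cert "$f" "${f#$PKI_DIR/}" || expiring=$((expiring + 1))
    done
    for c in admin.conf controller-manager.conf scheduler.conf kubelet.conf; do
        [ -f "$CONF_DIR/$c" ] || continue
        tmp=$(mktemp)
        kubeconfig_client_cert "$CONF_DIR/$c" > "$tmp"
        if [ -s "$tmp" ]; then
            report_cert "$tmp" "$c (client cert)" || expiring=$((expiring + 1))
        fi
        rm -f "$tmp"
    done
    return "$expiring"
}

# Run the report; a non-zero exit status means something still needs renewing.
check_all
```

Run it once before the renewal to see exactly which certificates are about to expire, and once more after the restart steps: any line still marked EXPIRING (typically a kubeconfig file that kubeadm left untouched, or kubelet.conf on a node where rotation was disabled) identifies the file that still has to be regenerated by hand.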