k8s证书过期的解决方案
首先需要在linux中安装openssl,这点不多做赘述。
以下是命令,供各位参考:
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ’ Not ’
mv /etc/kubernetes/ssl/{apiserver.crt,apiserver-kubelet-client.crt,front-proxy-ca.crt,front-proxy-client.crt,front-proxy-client.key,front-proxy-ca.key,apiserver-kubelet-client.key,apiserver.key} /tmp
kubeadm init phase certs all --config /etc/kubernetes/kubeadm-config.yaml
cd /etc/kubernetes/
mv {admin.conf,controller-manager.conf,kubelet.conf,scheduler.conf} /tmp
kubeadm init phase kubeconfig all --config /etc/kubernetes/kubeadm-config.yaml
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
kubectl get apiservice
注意:证书更新后,需要重启master节点
注意:需要重启pod ,例如: kubectl delete po -n kube-system metrics-server-5d497bdd7d-tlzz7
然后再用openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate 和 openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ’ Not ’ 看下是否更新日期了。