Version information

kubesphere   3.3.0
k8s          v1.22.10

Certificate renewal procedure

(1) Check the certificate expiry dates

Run this on any one master node.

kubeadm certs check-expiration

The output looks like this:

[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1012 10:12:15.800666   26665 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.x.0.10]; the provided value is: [169.x.x.10]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 13, 2023 04:45 UTC   1d              ca                      no      
apiserver                  Oct 13, 2023 04:45 UTC   1d              ca                      no      
apiserver-kubelet-client   Oct 13, 2023 04:45 UTC   1d              ca                      no      
controller-manager.conf    Oct 13, 2023 04:45 UTC   1d              ca                      no      
front-proxy-client         Oct 13, 2023 04:45 UTC   1d              front-proxy-ca          no      
scheduler.conf             Oct 13, 2023 04:45 UTC   1d              ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 10, 2032 04:44 UTC   9y              no      
front-proxy-ca          Oct 10, 2032 04:44 UTC   9y              no
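The table above is the thing you want a cron job or monitoring check to read, not a human the day before expiry. The following shell function is an added example, not part of the original page: it parses the plain-text output of kubeadm certs check-expiration and prints every certificate whose RESIDUAL TIME is at or below a threshold in days (expired certificates, which kubeadm shows as <invalid>, are always printed). The sample output embedded in the script is constructed from the table above; the 30-day threshold is an arbitrary choice.

```sh
#!/bin/sh
# Added example: flag kubeadm-managed certificates that expire within N days.
# Works on the plain-text output of `kubeadm certs check-expiration`.

# expiring_within DAYS   (reads check-expiration output on stdin)
# Prints "<name> <residual>" for every row whose residual time is <= DAYS.
# Rows are recognised by the "UTC" token that ends the EXPIRES column, so
# both tables (certificates and certificate authorities) are covered.
expiring_within() {
  awk -v limit="$1" '
    $6 == "UTC" {
      r = $7; days = -1                       # -1 = expired ("<invalid>") or unknown
      if (r ~ /y$/)          days = substr(r, 1, length(r) - 1) * 365
      else if (r ~ /d$/)     days = substr(r, 1, length(r) - 1) + 0
      else if (r ~ /[hms]$/) days = 0         # less than a day left
      if (days < 0 || days <= limit) print $1, r
    }'
}

# Constructed sample: the check-expiration output shown on this page.
SAMPLE=$(cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1012 10:12:15.800666   26665 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.x.0.10]; the provided value is: [169.x.x.10]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 13, 2023 04:45 UTC   1d              ca                      no
apiserver                  Oct 13, 2023 04:45 UTC   1d              ca                      no
apiserver-kubelet-client   Oct 13, 2023 04:45 UTC   1d              ca                      no
controller-manager.conf    Oct 13, 2023 04:45 UTC   1d              ca                      no
front-proxy-client         Oct 13, 2023 04:45 UTC   1d              front-proxy-ca          no
scheduler.conf             Oct 13, 2023 04:45 UTC   1d              ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 10, 2032 04:44 UTC   9y              no
front-proxy-ca          Oct 10, 2032 04:44 UTC   9y              no
EOF
)

# Demo on the constructed sample. On a master node run instead:
#   kubeadm certs check-expiration 2>/dev/null | expiring_within 30
echo "certificates with <= 30 days left:"
printf '%s\n' "$SAMPLE" | expiring_within 30
```

Against the sample this lists the six certificates in the first table and not the two CAs; raising the threshold to ten years would list all eight. Wire the live form into a daily job that exits non-zero when anything is printed and you will not be renewing with "1d" on the clock again.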

(2) Back up the critical files

Perform this on every master node, one at a time.

## Create the backup directory; keep it root-only, it will hold ca.key and a cluster-admin kubeconfig
mkdir -m 0700 /root/tools
## Back up the existing certificates and kubeconfigs, preserving permissions
cp -rp /etc/kubernetes /root/tools/kubernetes.bak
## Back up the etcd data directory
cp -rp /var/lib/etcd /root/tools/etcd.bak

Copying /var/lib/etcd while etcd is running does not give a consistent snapshot. It is fine as a just-in-case copy, but if you want a backup you can actually restore from, take it with etcdctl snapshot save instead.

(3) Renew the certificates

Perform this on every master node, one at a time.

kubeadm certs renew all

The output looks like this:

[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1012 10:12:57.537896    2427 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.x.0.10]; the provided value is: [169.x.x.10]

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

Run kubeadm certs check-expiration again to confirm the new expiry dates (kubeadm issues the renewed certificates for one year; the two CAs are unchanged).

Two things are worth knowing at this point. kubeadm certs renew all only covers the certificates kubeadm manages: in this cluster etcd is an external systemd service, so its serving and peer certificates and the API server's etcd client certificate do not appear in the table above and keep their own expiry dates; track them separately. And Kubernetes does not revoke client certificates, so the old admin.conf in /root/tools/kubernetes.bak remains a valid cluster-admin credential until its original expiry date; keep the backup root-only and remove it once the cluster is confirmed healthy.

You can also inspect the certificate files directly with openssl:

for item in $(find /etc/kubernetes/pki -maxdepth 2 -name "*.crt"); do
  echo "====================== $item ==============="
  openssl x509 -in "$item" -noout -dates
done
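The find loop only covers .crt files under /etc/kubernetes/pki; the admin, controller-manager and scheduler credentials that kubeadm certs renew all also renewed are embedded base64 inside their kubeconfig files and are skipped. The script below is an added example rather than the page's own command: it prints subject and validity for both kinds and additionally runs openssl verify against the right CA, so you can confirm that the renewed certificates still chain to the unchanged ca and front-proxy-ca (or, on a stacked-etcd cluster, to etcd/ca.crt). Paths are the kubeadm defaults; it assumes openssl and base64 are installed and does nothing if /etc/kubernetes is absent.

```sh
#!/bin/sh
# Added example: inspect every control-plane certificate after renewal,
# including the client certificates embedded in kubeconfig files.
set -eu

PKI=/etc/kubernetes/pki   # kubeadm default location

# Print subject and validity window of a PEM certificate read from stdin.
cert_info() {
  openssl x509 -noout -subject -dates
}

# Extract the base64-embedded client certificate from a kubeconfig file.
# Returns 1 when the file references a certificate path instead (kubelet.conf
# does this on kubeadm >= 1.17 because the kubelet rotates its own cert).
kubeconfig_client_cert() {
  data=$(awk '/client-certificate-data:/ { print $2; exit }' "$1")
  [ -n "$data" ] || return 1
  printf '%s' "$data" | base64 -d
}

# Pick the CA a kubeadm certificate must chain to: etcd certs and the API
# server's etcd client cert use etcd/ca.crt, front-proxy-client uses
# front-proxy-ca.crt, everything else uses ca.crt.
ca_for() {
  case "$1" in
    */etcd/*|*apiserver-etcd-client*) echo "$PKI/etcd/ca.crt" ;;
    *front-proxy-client*)             echo "$PKI/front-proxy-ca.crt" ;;
    *)                                echo "$PKI/ca.crt" ;;
  esac
}

check_pki_files() {
  for f in "$PKI"/*.crt "$PKI"/etcd/*.crt; do
    [ -f "$f" ] || continue
    case "$f" in *ca.crt) continue ;; esac   # CAs are self-signed; nothing to verify
    echo "== $f"
    cert_info < "$f"
    openssl verify -CAfile "$(ca_for "$f")" "$f"
  done
}

check_kubeconfigs() {
  for f in /etc/kubernetes/admin.conf /etc/kubernetes/controller-manager.conf \
           /etc/kubernetes/scheduler.conf /etc/kubernetes/kubelet.conf; do
    [ -f "$f" ] || continue
    echo "== $f (embedded client certificate)"
    if cert=$(kubeconfig_client_cert "$f"); then
      printf '%s\n' "$cert" | cert_info
      printf '%s\n' "$cert" | openssl verify -CAfile "$PKI/ca.crt"
    else
      echo "   no embedded certificate; the file points at a client-certificate path"
    fi
  done
}

# Only run on a node that actually carries a kubeadm control plane.
if [ -d /etc/kubernetes ]; then
  check_pki_files
  check_kubeconfigs
fi
```

The subject line is the check people forget: admin.conf should come back as O=system:masters, CN=kubernetes-admin, and a verify failure on any file means the certificate was signed by something other than the CA this cluster trusts.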

(4) Restart the affected services

Perform this on every master node, one at a time.

The services are kube-apiserver, kube-controller-manager, kube-scheduler, etcd and kubelet. The first three run as static pods, so restarting their containers is enough: the kubelet brings them back up and they read the renewed certificates on start.

## Restart kube-apiserver, kube-controller-manager and kube-scheduler
docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler' | awk -F ' ' '{print $1}' |xargs docker restart
## Check that they are running again
docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler'
## Restart etcd
systemctl restart etcd
## Check its status
systemctl status etcd
## Restart kubelet
systemctl restart kubelet
## Check its status
systemctl status kubelet

Wait until the kube-apiserver container on this node is running again and kubectl --kubeconfig /etc/kubernetes/admin.conf get --raw /healthz returns ok before moving on to the next master, so that at least one API server stays available throughout.

(5) Update the kubectl credential

Running kubectl get node now fails with: error: You must be logged in to the server (Unauthorized)

Cause

kubectl reads its credential from $HOME/.kube/config, which is a copy of /etc/kubernetes/admin.conf. The renewal regenerated /etc/kubernetes/admin.conf with a new client certificate, but $HOME/.kube/config was not replaced and still carries the old one, so the stale copy has to be overwritten with the new file (the -i flag asks before overwriting):

cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

The same applies to every other host, user or automation that holds a copy of the old admin.conf: replace each one, and delete the old copies, since they remain usable until their original expiry date.

(6) Verify that the cluster works

kubectl get node
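Putting the six steps together, the script below is an added example (not part of the original page, and not KubeSphere or kubeadm code) that runs the whole procedure on one master with the checks the manual walkthrough lacks: the backup directory is created mode 0700 because it holds the CA private key and a cluster-admin kubeconfig, etcd is backed up with etcdctl snapshot save instead of copying a live data directory, and the script waits for this node's API server to answer /healthz with the renewed admin.conf before declaring success, so you know it is safe to move on to the next master. etcd is not restarted, because kubeadm did not touch its externally managed certificates here. The etcd endpoint and certificate paths, and the node IP used for the health check, are assumptions supplied through environment variables (they depend on how the external etcd was installed); docker is used because this cluster runs Docker, on a containerd node the container restart would use crictl instead. Run it as sh renew-control-plane.sh --run on each master in turn; without --run it only defines the functions.

```sh
#!/bin/sh
# Added example: kubeadm certificate renewal on ONE master node, with checks.
# Run on each master in turn:   sh renew-control-plane.sh --run
set -eu

BACKUP_DIR=${BACKUP_DIR:-/root/tools}      # same location the page uses
ADMIN_CONF=/etc/kubernetes/admin.conf
STAMP=$(date +%Y%m%d-%H%M%S)

# wait_for ATTEMPTS DELAY CMD...: retry CMD until it succeeds; return 1 if it never does.
wait_for() {
  attempts=$1; delay=$2; shift 2
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if "$@" >/dev/null 2>&1; then return 0; fi
    i=$((i + 1))
    sleep "$delay"
  done
  return 1
}

# Step (2): back up /etc/kubernetes and take a consistent etcd snapshot.
# The directory holds ca.key and a cluster-admin kubeconfig, hence mode 0700.
backup() {
  install -d -m 0700 "$BACKUP_DIR"
  cp -a /etc/kubernetes "$BACKUP_DIR/kubernetes.bak.$STAMP"
  # Assumptions: external etcd reachable locally; client cert paths supplied by the caller.
  : "${ETCD_CACERT:?set to the etcd CA certificate path}"
  : "${ETCD_CERT:?set to an etcd client certificate path}"
  : "${ETCD_KEY:?set to the matching private key path}"
  ETCDCTL_API=3 etcdctl --endpoints="${ETCD_ENDPOINT:-https://127.0.0.1:2379}" \
    --cacert="$ETCD_CACERT" --cert="$ETCD_CERT" --key="$ETCD_KEY" \
    snapshot save "$BACKUP_DIR/etcd-$STAMP.db"
}

# Step (3): renew every kubeadm-managed certificate. etcd's own certificates
# are externally managed in this cluster and are NOT touched by this command.
renew() {
  kubeadm certs renew all
}

# Step (4): restart the static-pod control plane and the kubelet.
# Docker runtime, as on the page; with containerd use `crictl ps` / `crictl stop`.
restart_control_plane() {
  for c in kube-apiserver kube-controller-manager kube-scheduler; do
    docker ps -q --filter "name=k8s_${c}_" | xargs -r docker restart
  done
  systemctl restart kubelet
}

# Steps (5)+(6): wait until THIS node's API server accepts the renewed admin
# credential, then replace the stale copy kubectl uses.
verify() {
  # Assumption: NODE_IP is the address kubeadm put in the apiserver cert SANs.
  node_ip=${NODE_IP:-$(hostname -I | awk '{print $1}')}
  wait_for 30 5 kubectl --kubeconfig "$ADMIN_CONF" --server "https://$node_ip:6443" \
    get --raw /healthz || { echo "API server on $node_ip did not come back" >&2; return 1; }
  mkdir -p "$HOME/.kube"
  install -m 0600 "$ADMIN_CONF" "$HOME/.kube/config"
  kubectl get nodes
  kubeadm certs check-expiration
}

if [ "${1:-}" = "--run" ]; then
  backup
  renew
  restart_control_plane
  verify
fi
```

The health check deliberately targets the local node rather than the load-balanced endpoint in admin.conf, because a VIP or load balancer would happily answer from a master you have not restarted yet and hide a broken one.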
