How to automatically renew k8s certificates after they expire


Running kubectl against the k8s cluster no longer reaches the cluster; the error reads roughly: "certificate has expired or is not yet valid".

Note: unless stated otherwise, every step below is run on the k8s control-plane node.

Check the certificate expiration dates

[root@ ~]# kubeadm certs check-expiration

The output looks like this:

[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 04, 2024 13:49 UTC   363d            ca                      no    
apiserver                  Jan 04, 2024 13:48 UTC   363d            ca                      no      
apiserver-etcd-client      Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no      
apiserver-kubelet-client   Jan 04, 2024 13:48 UTC   363d            ca                      no      
controller-manager.conf    Jan 04, 2024 13:49 UTC   363d            ca                      no      
etcd-healthcheck-client    Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no      
etcd-peer                  Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no  
etcd-server                Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no  
front-proxy-client         Jan 04, 2024 13:49 UTC   363d            front-proxy-ca          no      
scheduler.conf             Jan 04, 2024 13:49 UTC   363d            ca                      no   
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 01, 2033 13:48 UTC   9y              no      
etcd-ca                 Jan 01, 2033 13:49 UTC   9y              no      
front-proxy-ca          Jan 01, 2033 13:49 UTC   9y              no

Renew all certificates

Use the kubeadm certs renew all command:

[root@xianchaomaster1~]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

Check whether the certificates were renewed

Run kubeadm certs check-expiration again to see whether the expiration dates have been updated:

[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 06, 2024 14:16 UTC   364d            ca                      no      
apiserver                  Jan 06, 2024 14:16 UTC   364d            ca                      no      
apiserver-etcd-client      Jan 06, 2024 14:16 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Jan 06, 2024 14:16 UTC   364d            ca                      no      
controller-manager.conf    Jan 06, 2024 14:16 UTC   364d            ca                      no      
etcd-healthcheck-client    Jan 06, 2024 14:16 UTC   364d            etcd-ca                 no      
etcd-peer                  Jan 06, 2024 14:16 UTC   364d            etcd-ca                 no      
etcd-server                Jan 06, 2024 14:16 UTC   364d            etcd-ca                 no      
front-proxy-client         Jan 06, 2024 14:16 UTC   364d            front-proxy-ca          no      
scheduler.conf             Jan 06, 2024 14:16 UTC   364d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 01, 2033 13:48 UTC   9y              no      
etcd-ca                 Jan 01, 2033 13:49 UTC   9y              no      
front-proxy-ca          Jan 01, 2033 13:49 UTC   9y              no

As you can see, the CA certificates still have 9 years left (initially 10 years), which shows this k8s cluster was deployed 1 year ago; the service certificates have 364 days left, which shows they were just renewed.
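The check, renew and restart sequence above as one script, added here as an example that is not part of the original post: it parses the check-expiration table in the page's format, renews only when a certificate is within a chosen number of days, and then performs the restart that the "Done renewing certificates" message asks for. The 30-day default, the restart by moving the static pod manifests out of /etc/kubernetes/manifests and back, and the sample table (with a constructed expired row, shown as "<invalid>", which is what kubeadm prints for an already expired certificate) are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): decide whether `kubeadm certs renew all`
# is needed by parsing `kubeadm certs check-expiration`, then do the restart the
# renew command asks for. Threshold and manifest handling are this example's own choices.

# Constructed sample of check-expiration output, in the page's format; "<invalid>" is
# the residual time kubeadm prints for a certificate that has already expired.
SAMPLE='[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 04, 2024 13:49 UTC   363d            ca                      no
apiserver                  Jan 04, 2023 13:48 UTC   <invalid>       ca                      no
etcd-server                Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 01, 2033 13:48 UTC   9y              no'

# Read check-expiration output on stdin; print "<name> <residual>" for every
# certificate (CA rows included) with fewer than $1 days left.
expiring_certs() {
  awk -v thr="$1" '
    /^\[check-expiration\]/ || /^CERTIFICATE/ || NF == 0 { next }
    {
      res = ""
      for (i = 1; i <= NF; i++) if ($i == "UTC") { res = $(i + 1); break }
      if (res == "") next
      days = 0                                  # "<invalid>", Ns, Nm, Nh: under a day
      if (res ~ /y$/) days = substr(res, 1, length(res) - 1) * 365
      if (res ~ /d$/) days = substr(res, 1, length(res) - 1) + 0
      if (days < thr + 0) print $1, res
    }'
}

# Renew only when a certificate is within the threshold (default 30 days),
# then recreate the static control-plane pods and refresh the admin kubeconfig.
renew_if_needed() {
  local thr="${1:-30}" due
  due="$(kubeadm certs check-expiration | expiring_certs "$thr")"
  if [ -z "$due" ]; then echo "no certificate expires within ${thr}d"; return 0; fi
  printf 'renewing, certificates within %sd:\n%s\n' "$thr" "$due"
  kubeadm certs renew all
  # kube-apiserver, kube-controller-manager, kube-scheduler and etcd are static
  # pods: moving their manifests out and back makes kubelet restart them with
  # the new certificates (the restart kubeadm's "Done renewing" message asks for).
  mkdir -p /tmp/k8s-manifests-bak
  mv /etc/kubernetes/manifests/*.yaml /tmp/k8s-manifests-bak/
  sleep 20
  mv /tmp/k8s-manifests-bak/*.yaml /etc/kubernetes/manifests/
  # admin.conf was renewed too, so the copy kubectl reads must be refreshed.
  cp /etc/kubernetes/admin.conf "$HOME/.kube/config"
}
```

Run `renew_if_needed 30` from a root shell on the control-plane node, or from a cron job, to get the renewal done before the expiry error appears.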


Author's WeChat: luckylucky421302


Reposted from blog.csdn.net/weixin_38320674/article/details/128597536