Command to check the expiry time of each certificate
openssl x509 -in apiserver.crt -text -noout | grep Not
Generate the cluster configuration file
kubeadm config view > /tmp/cluster.yaml
Back up the certificates
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.bak
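Renew the certificates (applies to version 1.14 and later)
In version 1.14, kubeadm was improved so that certificates can be renewed directly with the renew command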
kubeadm alpha certs renew all --config=/tmp/cluster.yaml
The renew operation updates the following certificates
-- /etc/kubernetes/pki/apiserver.key
-- /etc/kubernetes/pki/apiserver.crt
-- /etc/kubernetes/pki/apiserver-etcd-client.key
-- /etc/kubernetes/pki/apiserver-etcd-client.crt
-- /etc/kubernetes/pki/apiserver-kubelet-client.key
-- /etc/kubernetes/pki/apiserver-kubelet-client.crt
-- /etc/kubernetes/pki/front-proxy-client.key
-- /etc/kubernetes/pki/front-proxy-client.crt
-- /etc/kubernetes/pki/etcd/healthcheck-client.key
-- /etc/kubernetes/pki/etcd/healthcheck-client.crt
-- /etc/kubernetes/pki/etcd/peer.key
-- /etc/kubernetes/pki/etcd/peer.crt
-- /etc/kubernetes/pki/etcd/server.key
-- /etc/kubernetes/pki/etcd/server.crt
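
The expiry check from the first step, extended to every .crt file under the PKI directory so it can be run before and after the renewal. This is an added example, not part of the original note; the function name check_pki_expiry, the 30-day default and the OK/EXPIRING/UNREADABLE labels are assumptions.

```shell
#!/bin/sh
# Added example: report the expiry of every certificate under a kubeadm
# PKI directory. Usage: sh check_pki_expiry.sh /etc/kubernetes/pki 30

# check_pki_expiry DIR [DAYS]
# Prints one line per .crt file: status, notAfter date, path.
# Returns 0 if every certificate is valid for more than DAYS days,
# 1 if any expires sooner or cannot be parsed, 2 if DIR does not exist.
check_pki_expiry() {
    pki_dir=$1
    warn_days=${2:-30}                 # assumed default threshold
    warn_secs=$((warn_days * 86400))
    status=0

    [ -d "$pki_dir" ] || { echo "no such directory: $pki_dir" >&2; return 2; }

    # find descends into etcd/ as well. It also picks up the CA
    # certificates, which are not in the renewed list above.
    while IFS= read -r crt; do
        [ -n "$crt" ] || continue
        end=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null) || {
            echo "UNREADABLE  -  $crt"; status=1; continue
        }
        end=${end#notAfter=}
        # -checkend N exits non-zero if the certificate expires within N seconds.
        if openssl x509 -in "$crt" -noout -checkend "$warn_secs" >/dev/null 2>&1; then
            echo "OK        $end  $crt"
        else
            echo "EXPIRING  $end  $crt"; status=1
        fi
    done <<EOF
$(find "$pki_dir" -type f -name '*.crt' | sort)
EOF
    return "$status"
}

# Run only when arguments are given, e.g. /etc/kubernetes/pki 30
if [ "$#" -gt 0 ]; then
    check_pki_expiry "$@"
fi
```

Running it against /etc/kubernetes/pki.bak and /etc/kubernetes/pki after the renew step shows which notAfter dates actually changed.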