Problem Description
In a Kubernetes cluster, the certificates created when the cluster is initialized expire after one year. Once they expire, the cluster's components become inaccessible.
Environment overview
| Attribute | Information |
|---|---|
| System environment | CentOS Linux release 7.4.1708 (Core) |
| Software version | Kubernetes v1.12.1 |
Solution
The problem can be solved by extending the certificate validity period. There is no need to regenerate the certificates.
The first step, back up the configuration files (host node)
Of the countless rules of operations work, the first is to back up your data:
```sh
#!/bin/sh
cp -drv /etc/kubernetes /etc/kubernetes.backup
```
The second step, extend the certificate period (host node)
```sh
#!/bin/sh
kubeadm -v 10 alpha phase certs renew apiserver --config /etc/kubernetes/kubeadm-config.yaml
kubeadm -v 10 alpha phase certs renew apiserver-etcd-client --config /etc/kubernetes/kubeadm-config.yaml
kubeadm -v 10 alpha phase certs renew apiserver-kubelet-client --config /etc/kubernetes/kubeadm-config.yaml
kubeadm -v 10 alpha phase certs renew etcd-healthcheck-client --config /etc/kubernetes/kubeadm-config.yaml
kubeadm -v 10 alpha phase certs renew etcd-peer --config /etc/kubernetes/kubeadm-config.yaml
kubeadm -v 10 alpha phase certs renew etcd-server --config /etc/kubernetes/kubeadm-config.yaml
kubeadm -v 10 alpha phase certs renew front-proxy-client --config /etc/kubernetes/kubeadm-config.yaml

# Actually you can execute the `kubeadm -v 10 alpha phase certs renew all` command,
# but under CentOS 7.4 and kubeadm 1.12.1 that command produces a stack overflow error.
```
The third step, update the configuration file (host node)
```sh
#!/bin/sh
# Remove the old configuration
rm -rf /etc/kubernetes/admin.conf
rm -rf /etc/kubernetes/kubelet.conf
rm -rf /etc/kubernetes/controller-manager.conf
rm -rf /etc/kubernetes/scheduler.conf

# Generate a new configuration (but actually update the client certificate)
kubeadm alpha phase kubeconfig all
```
The fourth step, restart the service (all nodes)
```sh
#!/bin/sh
systemctl restart kubelet.service
```
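To confirm what steps two and three changed, the following added example (not part of the original article) reports the days remaining on each certificate under `/etc/kubernetes/pki` and on the client certificates embedded in the regenerated kubeconfig files. It assumes GNU `date` and the `openssl` CLI as found on CentOS 7, kubeadm's default directory layout, hypothetical function names, and an arbitrary 30-day warning threshold.

```sh
#!/bin/sh
# Added example: report days remaining on kubeadm-managed certificates.
# Assumes GNU date (as on CentOS 7) and the openssl CLI; function names are hypothetical.

# days_left "<notAfter string>" <now-epoch> -> whole days to expiry, floored
days_left() {
    end=$(date -u -d "$1" +%s) || return 1
    diff=$(( end - $2 ))
    # Floor division, so a certificate that expired an hour ago gives -1, not 0.
    if [ "$diff" -lt 0 ]; then echo $(( -((-diff + 86399) / 86400) ))
    else echo $(( diff / 86400 )); fi
}

# status <days> <threshold-days> -> EXPIRED | RENEW | OK
status() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -lt "$2" ]; then echo RENEW
    else echo OK; fi
}

# notAfter of a PEM certificate file (the files renewed in step two)
not_after_of_crt() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | cut -d= -f2
}

# notAfter of the client certificate embedded in a kubeconfig (step three)
not_after_of_kubeconfig() {
    awk '/client-certificate-data:/ {print $2}' "$1" | base64 -d 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2
}

# report <kubernetes-dir> <threshold-days>: one line per certificate found
report() {
    now=$(date -u +%s)
    for f in "$1"/pki/*.crt "$1"/pki/etcd/*.crt "$1"/*.conf; do
        [ -f "$f" ] || continue
        case $f in
            *.conf) na=$(not_after_of_kubeconfig "$f") ;;
            *)      na=$(not_after_of_crt "$f") ;;
        esac
        [ -n "$na" ] || { echo "SKIP $f (no embedded certificate)"; continue; }
        d=$(days_left "$na" "$now")
        echo "$(status "$d" "$2") ${d}d $f"
    done
}

# Run only when a directory is given, e.g.: sh check.sh /etc/kubernetes 30
if [ "$#" -gt 0 ]; then report "$1" "${2:-30}"; fi
```

Run it before step two and again after step three; any entry still reported as RENEW or EXPIRED was not renewed.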
Precautions
This article evolved from "Part of the existing bootstrap client certificate is expired". Through exploration and experimentation, a solution was finally found.