Extending certificate expiration time on a k8s cluster initialized with kubeadm

Preface

When kubeadm initializes a k8s cluster, the CA certificate it issues is valid for 10 years by default, and the apiserver certificate it issues is valid for 1 year by default. Once the apiserver certificate expires, requests to the apiserver fail with an error. Use the openssl command to check whether the relevant certificates have expired.

The following method of extending certificate expiration is suitable for Kubernetes versions 1.14, 1.15, 1.16, 1.17 and 1.18.

Check the validity time of the certificate

openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text  |grep Not

As shown below, you can see that the CA certificate is valid for 10 years, from 2020 to 2030:


Not Before: Apr 22 04:09:07 2020 GMT
Not After : Apr 20 04:09:07 2030 GMT

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text  |grep Not

As shown below, the apiserver certificate is valid for 1 year, from 2020 to 2021:

Not Before: Apr 22 04:09:07 2020 GMT
Not After : Apr 22 04:09:07 2021 GMT


Extend certificate expiration time

1. Upload the update-kubeadm-cert.sh file to the master1, master2, and master3 nodes

The update-kubeadm-cert.sh file is in the following GitHub repository:

https://github.com/luckylucky421/kubernetes1.17.3

Clone the repository to get the update-kubeadm-cert.sh file, and copy it to the master1, master2, and master3 nodes

2. Execute the following commands on each node

1) Grant execute permission to the update-kubeadm-cert.sh script

chmod +x update-kubeadm-cert.sh

2) Execute the following command to change the expiration time of the certificates, extending it to 10 years

./update-kubeadm-cert.sh all

3) On the master1 node, check whether the Pods are normal; if the data can be queried, certificate issuance is complete

kubectl  get pods -n kube-system


As shown below, you can see the pod information, indicating that the certificate issuance is normal:


......
calico-node-b5ks5                  1/1     Running   0          157m
calico-node-r6bfr                  1/1     Running   0          155m
calico-node-r8qzv                  1/1     Running   0          7h1m
coredns-66bff467f8-5vk2q           1/1     Running   0          7h30m
......

Verify that the validity period of the certificate is extended to 10 years

openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text  |grep Not

As shown below, you can see that the CA certificate is valid for 10 years, from 2020 to 2030:


Not Before: Apr 22 04:09:07 2020 GMT
Not After : Apr 20 04:09:07 2030 GMT

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text  |grep Not

As shown below, the apiserver certificate is now valid for 10 years, from 2020 to 2030:

Not Before: Apr 22 11:15:53 2020 GMT
Not After : Apr 20 11:15:53 2030 GMT

openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt  -noout -text  |grep Not

As shown below, the etcd certificate is valid for 10 years, from 2020 to 2030:

Not Before: Apr 22 11:32:24 2020 GMT
Not After : Apr 20 11:32:24 2030 GMT

openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt  -noout -text  |grep Not

As shown below, the front-proxy certificate is valid for 10 years, from 2020 to 2030:

Not Before: Apr 22 04:09:08 2020 GMT
Not After : Apr 20 04:09:08 2030 GMT
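
The checks above inspect one certificate at a time. The following added example (not part of the original post and not taken from update-kubeadm-cert.sh) goes beyond them and reports the days remaining for every certificate in the PKI directory, so a forgotten 1-year certificate is noticed before it expires. The function names and the 30-day warning threshold are assumptions of this example, and it assumes GNU date and the standard kubeadm layout (pki/*.crt and pki/etcd/*.crt).

```shell
#!/bin/sh
# Added example: expiry report for kubeadm certificates (assumes GNU date, openssl).

# days_left "<notAfter date>" [now_epoch] -> whole days until expiry
days_left() {
  local end now
  end=$(date -u -d "$1" +%s) || return 2
  now="${2:-$(date -u +%s)}"
  echo $(( (end - now) / 86400 ))
}

# classify "<notAfter date>" <warn_days> [now_epoch] -> OK | WARN | EXPIRED
classify() {
  local end now
  end=$(date -u -d "$1" +%s) || return 2
  now="${3:-$(date -u +%s)}"
  if [ "$end" -le "$now" ]; then
    echo EXPIRED
  elif [ $(( (end - now) / 86400 )) -lt "$2" ]; then
    echo WARN
  else
    echo OK
  fi
}

# check_pki [dir] [warn_days]: one line per certificate; returns 1 if any is not OK
check_pki() {
  local dir warn rc crt end state
  dir="${1:-/etc/kubernetes/pki}"; warn="${2:-30}"; rc=0
  for crt in "$dir"/*.crt "$dir"/etcd/*.crt; do
    [ -f "$crt" ] || continue            # unmatched glob or missing etcd dir
    # -enddate prints "notAfter=Apr 22 04:09:07 2021 GMT"
    end=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null | cut -d= -f2)
    if [ -z "$end" ]; then               # unreadable or not a certificate
      echo "UNREADABLE $crt"; rc=1; continue
    fi
    state=$(classify "$end" "$warn") || { rc=1; continue; }
    printf '%-8s %5s days  %s\n' "$state" "$(days_left "$end")" "$crt"
    [ "$state" = OK ] || rc=1
  done
  return "$rc"
}

# Usage on a master node:  check_pki /etc/kubernetes/pki 30
```

Because check_pki returns non-zero when any certificate is expired, unreadable or inside the warning window, it can be run from cron or a monitoring check on each master node.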



Origin blog.51cto.com/15127502/2655337