Preface

The following error was reported when logging in to the test environment to view pods:

Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-03-16T23:18:09+08:00 is after 2023-02-23T14:45:50Z

Check whether the k8s master node certificates have expired

See the official Kubernetes documentation on handling certificate expiration.

Log in to the master server and enter /etc/kubernetes/ to view:

[root@k8s-master1 ~]# cd /etc/kubernetes
[root@k8s-master1 kubernetes]# ls
admin.conf controller-manager.conf kubelet.conf manifests pki scheduler.conf
[root@k8s-master1 kubernetes]# cd pki/
[root@k8s-master1 pki]# openssl x509 -in apiserver.crt -noout -text |grep ' Not ' # check whether it has expired
Not Before: Feb 23 14:45:50 2022 GMT
Not After : Feb 23 14:45:50 2023 GMT
[root@k8s-master1 pki]# kubeadm certs check-expiration # check whether the certificates have expired
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Feb 23, 2023 14:45 UTC <invalid> no
apiserver Feb 23, 2023 14:45 UTC <invalid> ca no
!MISSING! apiserver-etcd-client
apiserver-kubelet-client Feb 23, 2023 14:45 UTC <invalid> ca no
controller-manager.conf Feb 23, 2023 14:45 UTC <invalid> no
!MISSING! etcd-healthcheck-client
!MISSING! etcd-peer
!MISSING! etcd-server
front-proxy-client Feb 23, 2023 14:45 UTC <invalid> front-proxy-ca no
scheduler.conf Feb 23, 2023 14:45 UTC <invalid> no

CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Feb 21, 2032 14:45 UTC 8y no
!MISSING! etcd-ca
front-proxy-ca Feb 21, 2032 14:45 UTC 8y no
[root@k8s-master1 pki]#
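
As an added example (not part of the original post), this shell function turns the check-expiration output above into a pass/fail check that can run from cron or a monitoring agent before certificates lapse. The function names, the 30-day threshold and the `demo-soon` row are assumptions made for illustration; residual values such as `12d` are assumed to follow the same short format as the `8y` shown above.

```shell
#!/bin/sh
# Classify `kubeadm certs check-expiration` output read on stdin.
# Usage: kubeadm certs check-expiration | cert_report 30
# Prints one line per problem; returns 1 if any problem was found.
cert_report() {
    warn_days="${1:-30}"   # assumed default warning threshold, in days
    awk -v warn="$warn_days" '
        # Convert a residual-time token (8y, 364d, 23h) to whole days.
        function to_days(tok,   n, unit) {
            n = tok + 0                      # leading digits
            unit = substr(tok, length(tok))  # trailing unit letter
            if (unit == "y") return n * 365
            if (unit == "d") return n
            return 0                         # h, m, s: less than one day
        }
        $1 == "!MISSING!" { print "MISSING " $2; bad = 1; next }
        # Data rows: name, "Mon DD, YYYY HH:MM UTC", residual, ...
        $6 == "UTC" && NF >= 7 {
            if ($7 == "<invalid>")       { print "EXPIRED " $1; bad = 1 }
            else if (to_days($7) < warn) { print "EXPIRING " $1 " (" $7 ")"; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Sample input: rows copied from the check-expiration output shown above,
# plus one constructed row (demo-soon) to exercise the threshold.
sample_output() {
    cat <<'EOF'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Feb 23, 2023 14:45 UTC <invalid> no
apiserver Feb 23, 2023 14:45 UTC <invalid> ca no
!MISSING! etcd-server
demo-soon Mar 01, 2024 10:00 UTC 12d ca no
ca Feb 21, 2032 14:45 UTC 8y no
EOF
}

sample_output | cert_report 30 || echo "certificate action needed"
```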

After confirming that the k8s master component certificates have expired

  1. Back up all the files in the /etc/kubernetes/pki directory.
  2. Manually renew all certificates by executing the command:
kubeadm certs renew all
  3. Check whether the validity period of the certificate has been updated:
[root@k8s-master1 pki]# openssl x509 -in apiserver.crt -noout -text |grep ' Not '   # check whether it has expired
Not Before: Feb 23 14:45:50 2022 GMT
Not After : Mar 15 15:37:05 2024 GMT
  4. Back up all configuration files in the /etc/kubernetes directory on the master node.
  5. Update the user configuration by executing the following commands:
kubeadm kubeconfig user --client-name=admin
kubeadm kubeconfig user --org system:masters --client-name kubernetes-admin > /etc/kubernetes/admin.conf
kubeadm kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf
kubeadm kubeconfig user --org system:nodes --client-name system:node:$(hostname) > /etc/kubernetes/kubelet.conf
kubeadm kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf
  6. Replace the /root/.kube/config file with the updated admin.conf:
cp -i /etc/kubernetes/admin.conf /root/.kube/config
  7. Restart the apiserver and scheduler system components on all master nodes. A k8s cluster deployed from ordinary tar packages can be restarted with the following commands:
systemctl restart kube-apiserver
systemctl restart kube-scheduler

At this point, the certificate update is complete.