After the change, the certificate validity period is 10 years, which is enough for the cluster to run smoothly for a long time.
When the k8s master cluster has just been deployed, check the validity period of the certificate: it is 1 year. One year is neither long nor short, but looking at the applications currently running, they have all been running for more than 2 years, so a 1-year validity period will cause problems.
Prerequisites
Make sure that the monitoring information of the resource pool is normal. If any application is running, ensure that the application can be accessed normally and that its monitoring information is also collected normally.
Changing the expiration date
The work is roughly divided into two steps.
1. First replace all the kubelet service files, then restart the kubelets one by one.
2. For the controller-manager, restart the standby node first, and then restart the master node.
Specific steps for the kubelet certificate update (requires root privileges)
When no applications are running in the cluster
a. Add parameters
- Make the modification with the following command lines
1. Modify the kube-controller-manager component configuration [all kube-master nodes must be modified]
For all of these, only modify the configuration file and run systemctl daemon-reload; do not restart the service for the time being.
# sed -i '/v=2/i\ --experimental-cluster-signing-duration=87600h0m0s \\' /usr/lib/systemd/system/kube-controller-manager.service
# sed -i '/v=2/i\ --feature-gates=RotateKubeletServerCertificate=true \\' /usr/lib/systemd/system/kube-controller-manager.service
# systemctl daemon-reload
View the modified kube-controller-manager.service file
2. Modify the kubelet component configuration [all kube-master and kube-node nodes must be modified]
# sed -i '/v=2/i\ --feature-gates=RotateKubeletServerCertificate=true \\' /usr/lib/systemd/system/kubelet.service
# sed -i '/v=2/i\ --feature-gates=RotateKubeletClientCertificate=true \\' /usr/lib/systemd/system/kubelet.service
# sed -i '/v=2/i\ --rotate-certificates \\' /usr/lib/systemd/system/kubelet.service
# systemctl daemon-reload
View kubelet.service content
When applications are running in the cluster
First restart the standby kube-controller-manager node(s), and finally restart the service on the main kube-controller-manager node.
# systemctl restart kube-controller-manager
View the current master kube-controller-manager:
# kubectl get endpoints kube-controller-manager --namespace=kube-system -o yaml
Back up and delete the kubelet certificates, then restart the kubelet service
# cd /etc/kubernetes/ssl/
# mkdir /home/k8app/ssl.bak
# mv kubelet* /home/k8app/ssl.bak
# systemctl restart kubelet
# systemctl status kubelet.service
Confirm that kubelet starts successfully, then as the k8app user on the master host:
$ kubectl get csr
Approve the CSRs whose status is Pending
# kubectl get csr | grep -i pending | awk '{print $1}' | grep -vi name | xargs kubectl certificate approve
# After running it, check again
# kubectl get csr
Confirm that the CSRs are in Approved,Issued status
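As an added example (not part of the original post), the script below covers two checks from the steps above: that the edited unit file actually carries the flags the sed commands were meant to insert, and a stricter filter for Pending CSRs than `grep -vi name` (which would also drop any CSR whose name contains "name"). The unit excerpt and the kubectl output are constructed samples; the approve helper assumes a working kubectl.

```shell
#!/bin/sh
# Constructed excerpt of kube-controller-manager.service after the sed edits (sample, not real).
SAMPLE_UNIT='ExecStart=/usr/local/bin/kube-controller-manager \
  --experimental-cluster-signing-duration=87600h0m0s \
  --feature-gates=RotateKubeletServerCertificate=true \
  --v=2'

# Constructed sample of `kubectl get csr` output (older column layout, no SIGNERNAME).
SAMPLE_CSR='NAME        AGE   REQUESTOR                 CONDITION
csr-4n7q2   2m    system:node:k8s-node-01   Pending
csr-name1   3m    system:node:k8s-node-02   Pending
csr-8hxz9   5m    system:node:k8s-node-03   Approved,Issued'

# check_flags UNIT_TEXT FLAG...: print each missing flag; return 0 only if all are present.
check_flags() {
    unit=$1; shift
    missing=0
    for flag in "$@"; do
        case "$unit" in
            *"$flag"*) ;;
            *) echo "missing: $flag"; missing=1 ;;
        esac
    done
    return $missing
}

# pending_csrs CSR_TEXT: names of CSRs whose CONDITION column is exactly "Pending".
# NR>1 skips only the header row, so a name containing "name" is still listed.
pending_csrs() {
    printf '%s\n' "$1" | awk 'NR > 1 && $NF == "Pending" { print $1 }'
}

# issued_csrs CSR_TEXT: names of CSRs already in "Approved,Issued" state (post-approval check).
issued_csrs() {
    printf '%s\n' "$1" | awk 'NR > 1 && $NF == "Approved,Issued" { print $1 }'
}

# approve_pending: approve whatever is Pending on the live cluster (needs kubectl access).
approve_pending() {
    names=$(pending_csrs "$(kubectl get csr)")
    [ -n "$names" ] && printf '%s\n' "$names" | xargs kubectl certificate approve
}
```

Run `check_flags "$(cat /usr/lib/systemd/system/kubelet.service)" --rotate-certificates` on each node before restarting anything; a non-zero exit means the sed insert did not land.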
Check the certificate validity period
It is valid for 10 years