How to automatically renew the certificates after a k8s cluster's certificates expire


When the certificates of a k8s cluster have expired, kubectl can no longer reach the cluster; the error is typically "x509: certificate has expired or is not yet valid".

Note: unless stated otherwise, every command below is run on the k8s control-plane node.

View certificate expiration time

[root@ ~]# kubeadm certs check-expiration

The output looks like this:

[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 04, 2024 13:49 UTC   363d            ca                      no    
apiserver                  Jan 04, 2024 13:48 UTC   363d            ca                      no      
apiserver-etcd-client      Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no      
apiserver-kubelet-client   Jan 04, 2024 13:48 UTC   363d            ca                      no      
controller-manager.conf    Jan 04, 2024 13:49 UTC   363d            ca                      no      
etcd-healthcheck-client    Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no      
etcd-peer                  Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no  
etcd-server                Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no  
front-proxy-client         Jan 04, 2024 13:49 UTC   363d            front-proxy-ca          no      
scheduler.conf             Jan 04, 2024 13:49 UTC   363d            ca                      no   
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 01, 2033 13:48 UTC   9y              no      
etcd-ca                 Jan 01, 2033 13:49 UTC   9y              no      
front-proxy-ca          Jan 01, 2033 13:49 UTC   9y              no

Renew all certificates

Use the kubeadm certs renew all command (on clusters older than v1.20 the same subcommand lives under kubeadm alpha certs renew all):

[root@xianchaomaster1~]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

Check that the certificates have been renewed

Run kubeadm certs check-expiration again and confirm that the expiry dates have moved forward:

[root@ ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 06, 2024 14:16 UTC   364d            ca                      no      
apiserver                  Jan 06, 2024 14:16 UTC   364d            ca                      no      
apiserver-etcd-client      Jan 06, 2024 14:16 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Jan 06, 2024 14:16 UTC   364d            ca                      no      
controller-manager.conf    Jan 06, 2024 14:16 UTC   364d            ca                      no      
etcd-healthcheck-client    Jan 06, 2024 14:16 UTC   364d            etcd-ca                 no      
etcd-peer                  Jan 06, 2024 14:16 UTC   364d            etcd-ca                 no      
etcd-server                Jan 06, 2024 14:16 UTC   364d            etcd-ca                 no      
front-proxy-client         Jan 06, 2024 14:16 UTC   364d            front-proxy-ca          no      
scheduler.conf             Jan 06, 2024 14:16 UTC   364d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 01, 2033 13:48 UTC   9y              no      
etcd-ca                 Jan 01, 2033 13:49 UTC   9y              no      
front-proxy-ca          Jan 01, 2033 13:49 UTC   9y              no

You can see that the CA certificates still have 9 years left (they are issued for 10 years), which means the cluster was deployed about 1 year ago; the leaf certificates now show 364 days, which means they have just been renewed. Note that kubeadm certs renew only renews these leaf certificates: the three CAs in the second table are not renewed by it, so a separate CA rotation has to be planned before they expire. The renewed admin.conf is the one in /etc/kubernetes; any copy made for kubectl (typically $HOME/.kube/config) still holds the old certificate and must be replaced with the new file. Finally, as the renew output says, kube-apiserver, kube-controller-manager, kube-scheduler and etcd keep using the old certificates until they are restarted; they are static pods managed by the kubelet, so restart them by temporarily moving their manifests out of /etc/kubernetes/manifests rather than with kubectl.
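The whole procedure (check, renew, restart the control plane, verify) as one script, so that it can be run from cron and the renewal becomes automatic. This is an added example, not code from the original post. It assumes kubeadm's default paths (/etc/kubernetes/manifests and /etc/kubernetes/admin.conf) and that kubectl reads $HOME/.kube/config; the embedded sample table is constructed from the post's own check-expiration output, with two rows edited to show an already expired certificate (kubeadm prints "<invalid>" in the RESIDUAL TIME column) and one that is 15 days from expiry. It goes beyond the post in restarting the static-pod control plane the way the renew output demands.

```shell
#!/bin/sh
# Added example (not from the original post): decide from the output of
# `kubeadm certs check-expiration` whether renewal is due and, only when
# run with --apply, renew and restart the control plane.
# Assumptions: kubeadm default paths under /etc/kubernetes and kubectl
# reading $HOME/.kube/config.
set -eu

# Constructed sample, modelled on the table in the post, with two rows
# edited: admin.conf already expired, apiserver 15 days from expiry.
sample_check_expiration() {
cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 04, 2023 13:49 UTC   <invalid>       ca                      no
apiserver                  Jan 21, 2023 13:48 UTC   15d             ca                      no
apiserver-etcd-client      Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no
front-proxy-client         Jan 04, 2024 13:49 UTC   363d            front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 01, 2033 13:48 UTC   9y              no
etcd-ca                 Jan 01, 2033 13:49 UTC   9y              no
EOF
}

# certs_due_for_renewal THRESHOLD_DAYS   (check-expiration output on stdin)
# Prints one name per line for every leaf certificate that is already
# expired ("<invalid>") or has fewer than THRESHOLD_DAYS left. Rows of the
# CA table are skipped: `kubeadm certs renew` never renews the CAs.
certs_due_for_renewal() {
    awk -v limit="$1" '
        /^CERTIFICATE AUTHORITY/  { in_ca = 1; next }  # second table starts
        /^CERTIFICATE/            { in_ca = 0; next }  # first table header
        /^\[/ || NF == 0 || in_ca { next }             # chatter, blanks, CA rows
        {
            # $1 = name, $2..$6 = "Jan 04, 2024 13:49 UTC", $7 = residual time
            res = $7
            if (res == "<invalid>") { print $1; next }
            unit = substr(res, length(res))
            n    = substr(res, 1, length(res) - 1) + 0
            if      (unit == "y") days = n * 365
            else if (unit == "d") days = n
            else                  days = 0             # h/m/s left: due now
            if (days < limit) print $1
        }'
}

# count_due THRESHOLD_DAYS   (check-expiration output on stdin)
count_due() {
    certs_due_for_renewal "$1" | wc -l | tr -d ' '
}

# renew_if_due THRESHOLD_DAYS [--apply]
# Reports the due certificates; with --apply also renews them and restarts
# kube-apiserver, kube-controller-manager, kube-scheduler and etcd. They are
# static pods, so the restart is done by moving their manifests away from
# the kubelet for longer than its 20 s file-check interval, then back.
renew_if_due() {
    threshold="$1"; mode="${2:-}"
    due=$(kubeadm certs check-expiration | certs_due_for_renewal "$threshold")
    if [ -z "$due" ]; then
        echo "no certificate within ${threshold}d of expiry"; return 0
    fi
    printf 'due for renewal:\n%s\n' "$due"
    [ "$mode" = "--apply" ] || return 0

    kubeadm certs renew all
    stash=$(mktemp -d)
    mv /etc/kubernetes/manifests/*.yaml "$stash"/
    sleep 25                                  # kubelet notices and stops the pods
    mv "$stash"/*.yaml /etc/kubernetes/manifests/
    rmdir "$stash"
    # The renewed admin.conf is not the copy kubectl reads; refresh that too.
    cp /etc/kubernetes/admin.conf "$HOME/.kube/config"
    kubeadm certs check-expiration
}

# Only touches the cluster when RENEW_THRESHOLD_DAYS is set, e.g.
#   RENEW_THRESHOLD_DAYS=30 sh renew-check.sh            # report only
#   RENEW_THRESHOLD_DAYS=30 sh renew-check.sh --apply    # renew and restart
if [ -n "${RENEW_THRESHOLD_DAYS:-}" ]; then
    renew_if_due "$RENEW_THRESHOLD_DAYS" "${1:-}"
fi
```

A weekly cron entry such as `0 3 * * 1 RENEW_THRESHOLD_DAYS=30 /usr/local/sbin/renew-check.sh --apply` keeps the leaf certificates from ever reaching the "certificate has expired" state; the 30-day threshold is a choice, not a kubeadm default. The script deliberately leaves the CAs alone, because the parser skips the second table and kubeadm certs renew would not touch them anyway.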

Author WeChat: luckylucky421302

Origin blog.csdn.net/weixin_38320674/article/details/128597536