Running kubectl against the k8s cluster fails and the cluster cannot be accessed; the error reported is usually: "certificate has expired or is not yet valid".
Note: unless stated otherwise, the following steps are run on the k8s control-plane node.
View certificate expiration time
[root@ ~]# kubeadm certs check-expiration
The output is as follows:
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 04, 2024 13:49 UTC   363d            ca                      no
apiserver                  Jan 04, 2024 13:48 UTC   363d            ca                      no
apiserver-etcd-client      Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no
apiserver-kubelet-client   Jan 04, 2024 13:48 UTC   363d            ca                      no
controller-manager.conf    Jan 04, 2024 13:49 UTC   363d            ca                      no
etcd-healthcheck-client    Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no
etcd-peer                  Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no
etcd-server                Jan 04, 2024 13:49 UTC   363d            etcd-ca                 no
front-proxy-client         Jan 04, 2024 13:49 UTC   363d            front-proxy-ca          no
scheduler.conf             Jan 04, 2024 13:49 UTC   363d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 01, 2033 13:48 UTC   9y              no
etcd-ca                 Jan 01, 2033 13:49 UTC   9y              no
front-proxy-ca          Jan 01, 2033 13:49 UTC   9y              no
Renew all certificates
Use the kubeadm certs renew all command:
[root@xianchaomaster1 ~]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
Check that the certificates have been renewed
You can also use kubeadm certs check-expiration to check whether the certificate expiration times have been updated:
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 06, 2024 14:16 UTC   364d            ca                      no
apiserver                  Jan 06, 2024 14:16 UTC   364d            ca                      no
apiserver-etcd-client      Jan 06, 2024 14:16 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Jan 06, 2024 14:16 UTC   364d            ca                      no
controller-manager.conf    Jan 06, 2024 14:16 UTC   364d            ca                      no
etcd-healthcheck-client    Jan 06, 2024 14:16 UTC   364d            etcd-ca                 no
etcd-peer                  Jan 06, 2024 14:16 UTC   364d            etcd-ca                 no
etcd-server                Jan 06, 2024 14:16 UTC   364d            etcd-ca                 no
front-proxy-client         Jan 06, 2024 14:16 UTC   364d            front-proxy-ca          no
scheduler.conf             Jan 06, 2024 14:16 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 01, 2033 13:48 UTC   9y              no
etcd-ca                 Jan 01, 2033 13:49 UTC   9y              no
front-proxy-ca          Jan 01, 2033 13:49 UTC   9y              no
You can see that the CA certificates still have 9 years left (they are initially issued for 10 years), indicating that the k8s cluster has been deployed for 1 year; the service certificates have 364 days left, indicating that they have just been renewed.
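The steps above (check, renew, restart, re-check) only help once kubectl has already broken. The following is an added example, not code from the original article: a small POSIX shell filter that reads the output of kubeadm certs check-expiration and flags every certificate whose RESIDUAL TIME column is under a chosen number of days, so the renewal can be scheduled before the "certificate has expired" error appears. The function names flag_expiring_certs and check_sample, the threshold argument and the embedded sample output are all assumptions made for this example; the sample is constructed and not from a real cluster.

```shell
#!/bin/sh
# Added example (not from the original article): flag kubeadm-managed certificates
# whose RESIDUAL TIME column is below a threshold, so expiry is caught before
# kubectl starts failing with "certificate has expired or is not yet valid".
#
# Usage on a control-plane node:  kubeadm certs check-expiration | flag_expiring_certs 30
# Reads `kubeadm certs check-expiration` output on stdin and prints one line per
# certificate (or CA) with fewer than THRESHOLD days left; kubeadm prints
# "<invalid>" for an already-expired certificate, which is always flagged.
# Exit status is 1 when anything was flagged, 0 otherwise.
flag_expiring_certs() {
    threshold="${1:-30}"
    awk -v threshold="$threshold" '
        # Data rows have the name in $1 and the residual time in $7 (the expiry
        # date occupies $2-$6). Skip [log] lines, header rows and blank lines.
        NF >= 8 && $1 !~ /^\[/ && $1 != "CERTIFICATE" {
            name = $1; residual = $7
            if (residual == "<invalid>") {
                days = -1                                  # already expired
            } else {
                unit  = substr(residual, length(residual))
                value = substr(residual, 1, length(residual) - 1) + 0
                if (unit == "y")      days = value * 365
                else if (unit == "d") days = value
                else                  days = 0             # h/m/s: under a day left
            }
            if (days < threshold) { printf "%s %s\n", name, residual; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample (not from a real cluster), in the layout kubeadm prints,
# with one expired certificate and one that expires in 12 days.
SAMPLE_OUTPUT='[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 04, 2024 13:49 UTC   363d            ca                      no
apiserver                  Jan 04, 2023 13:48 UTC   <invalid>       ca                      no
etcd-server                Jan 20, 2023 13:49 UTC   12d             etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 01, 2033 13:48 UTC   9y              no
etcd-ca                 Jan 01, 2033 13:49 UTC   9y              no'

# Runs the check over the embedded sample so it can be tried without a cluster.
check_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | flag_expiring_certs "${1:-30}"
}

if check_sample 30; then
    echo "OK: every certificate has at least 30 days left"
else
    echo "ACTION: run 'kubeadm certs renew all', restart the control plane, then re-check"
fi
```

Two practical notes when acting on what this flags: kubeadm certs renew all rewrites the files but, as its own output says, kube-apiserver, kube-controller-manager, kube-scheduler and etcd keep the old certificates in memory until they are restarted; and the renewed admin.conf is a new kubeconfig, so a copy kept in a user's ~/.kube/config still carries the old, expired client certificate until it is replaced from /etc/kubernetes/admin.conf.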
Author WeChat: luckylucky421302