k8s之kubelet证书时间过期升级

2024-06-14 02:04

本文主要是介绍k8s之kubelet证书时间过期升级,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

1.查看当前证书时间

# kubeadm alpha certs renew kubelet
Kubeadm experimental sub-commands

kubeadm是一个用于引导Kubernetes集群的工具,它提供了许多命令和子命令来管理集群的一生周期。过去,某些功能被标记为实验性的,并通过kubeadm alpha子命令进行访问。然而,从Kubernetes 1.15版本开始,kubeadm将这些功能从alpha子命令迁移到了稳定的命令中。

在新版本中,使用kubeadm certs renew kubelet即可

 检查

# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 26, 2025 08:52 UTC   286d            ca                      no      
apiserver                  Mar 26, 2025 08:52 UTC   286d            ca                      no      
apiserver-etcd-client      Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
apiserver-kubelet-client   Mar 26, 2025 08:52 UTC   286d            ca                      no      
controller-manager.conf    Mar 26, 2025 08:52 UTC   286d            ca                      no      
etcd-healthcheck-client    Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
etcd-peer                  Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
etcd-server                Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
front-proxy-client         Mar 26, 2025 08:52 UTC   286d            front-proxy-ca          no      
scheduler.conf             Mar 26, 2025 08:52 UTC   286d            ca                      no      CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 24, 2034 08:52 UTC   9y              no      
etcd-ca                 Mar 24, 2034 08:52 UTC   9y              no      
front-proxy-ca          Mar 24, 2034 08:52 UTC   9y              no 

kubelet证书时间只有1年有效期。 

# openssl x509 -in kubelet.crt -noout -text | grep "Not"Not Before: Mar 26 07:52:16 2024 GMTNot After : Mar 26 07:52:16 2025 GMT

备份原证书

# mkdir backup_certs
# cd backup_certs/# cp /usr/bin/kube* .
# ll
total 211260
-rwxr-x--- 1 root root  45210392 Jun 13 15:15 kubeadm
-rwxr-x--- 1 root root  46592216 Jun 13 15:15 kubectl
-rwxr-x--- 1 root root 124521288 Jun 13 15:15 kubelet# cp -r /etc/kubernetes/pki .
]# ll
total 211264
-rwxr-x--- 1 root root  45210392 Jun 13 15:15 kubeadm
-rwxr-x--- 1 root root  46592216 Jun 13 15:15 kubectl
-rwxr-x--- 1 root root 124521288 Jun 13 15:15 kubelet
drwxr-x--- 3 root root      4096 Jun 13 15:18 pki

删除旧证书

# rm -rf /etc/kubernetes/pki/*

生成新证书

# kubeadm certs renew -h
This command is not meant to be run on its own. See list of available subcommands.Usage:kubeadm certs renew [flags]kubeadm certs renew [command]Available Commands:admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itselfall                      Renew all available certificatesapiserver                Renew the certificate for serving the Kubernetes APIapiserver-etcd-client    Renew the certificate the apiserver uses to access etcdapiserver-kubelet-client Renew the certificate for the API server to connect to kubeletcontroller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to useetcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcdetcd-peer                Renew the certificate for etcd nodes to communicate with each otheretcd-server              Renew the certificate for serving etcdfront-proxy-client       Renew the certificate for the front proxy clientscheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to useFlags:-h, --help   help for renewGlobal Flags:--add-dir-header           If true, adds the file directory to the header of the log messages--log-file string          If non-empty, use this log file--log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)--one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)--rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.--skip-headers             If true, avoid header prefixes in the log messages--skip-log-headers         If true, avoid headers when opening log files-v, --v Level                  number for the log level verbosityUse "kubeadm certs renew [command] --help" for more information about a command.

生成某个证书

升级哪个证书,就生成哪个组件的证书,保险,就生成所有证书

# kubeadm certs renew apiserver-kubelet-client
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'certificate for the API server to connect to kubelet renewed

生成所有证书

# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewedDone renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

查看配置已经更新

# ll /etc/kubernetes/
total 32
-rwxrwxrwx 1 root root 5640 Jun 13 15:26 admin.conf
-rw------- 1 root root 5668 Jun 13 15:26 controller-manager.conf
-rw------- 1 root root 2004 Mar 26 16:52 kubelet.conf
drwxr-xr-x 2 root root  113 May 29 17:12 manifests
drwxr-x--- 3 root root 4096 Mar 26 16:52 pki
-rw------- 1 root root 5620 Jun 13 15:26 scheduler.conf

生成新配置

查看帮助

# kubeadm init phase kubeconfig -h
This command is not meant to be run on its own. See list of available subcommands.Usage:kubeadm init phase kubeconfig [flags]kubeadm init phase kubeconfig [command]Available Commands:admin              Generate a kubeconfig file for the admin to use and for kubeadm itselfall                Generate all kubeconfig filescontroller-manager Generate a kubeconfig file for the controller manager to usekubelet            Generate a kubeconfig file for the kubelet to use *only* for cluster bootstrapping purposesscheduler          Generate a kubeconfig file for the scheduler to useFlags:-h, --help   help for kubeconfigGlobal Flags:--add-dir-header           If true, adds the file directory to the header of the log messages--log-file string          If non-empty, use this log file--log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)--one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)--rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.--skip-headers             If true, avoid header prefixes in the log messages--skip-log-headers         If true, avoid headers when opening log files-v, --v Level                  number for the log level verbosityUse "kubeadm init phase kubeconfig [command] --help" for more information about a command.

生成某个配置

失败是正常,版本垮裤较大,而且也只更新证书有效期

# kubeadm init phase kubeconfig admin
I0613 15:31:07.518079   30859 version.go:255] remote version is much newer: v1.30.2; falling back to: stable-1.23
W0613 15:31:17.521449   30859 version.go:103] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.23.txt": Get "https://cdn.dl.k8s.io/release/stable-1.23.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
W0613 15:31:17.521573   30859 version.go:104] falling back to the local client version: v1.23.4

生成所有配置

# kubeadm init phase kubeconfig all
W0613 15:45:39.731181    7842 version.go:103] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.txt": Get "https://cdn.dl.k8s.io/release/stable-1.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
W0613 15:45:39.731479    7842 version.go:104] falling back to the local client version: v1.23.4
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"

重启kubelet

# systemctl status kubelet.service  | grep ActiveActive: active (running) since Tue 2024-03-26 16:52:52 CST; 2 months 18 days ago# systemctl restart kubelet.service # systemctl status kubelet.service  | grep ActiveActive: active (running) since Thu 2024-06-13 15:47:19 CST; 3s ago

更新admin.conf文件

# cp /etc/kubernetes/admin.conf  ~/.kube/config 
cp: overwrite ‘/root/.kube/config’? y

2.检查证书有效期

# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 13, 2025 07:26 UTC   364d            ca                      no      
apiserver                  Jun 13, 2025 07:26 UTC   364d            ca                      no      
apiserver-etcd-client      Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Jun 13, 2025 07:26 UTC   364d            ca                      no      
controller-manager.conf    Jun 13, 2025 07:26 UTC   364d            ca                      no      
etcd-healthcheck-client    Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
etcd-peer                  Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
etcd-server                Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
front-proxy-client         Jun 13, 2025 07:26 UTC   364d            front-proxy-ca          no      
scheduler.conf             Jun 13, 2025 07:26 UTC   364d            ca                      no      CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 24, 2034 08:52 UTC   9y              no      
etcd-ca                 Mar 24, 2034 08:52 UTC   9y              no      
front-proxy-ca          Mar 24, 2034 08:52 UTC   9y              no   

查看各证书时间

# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -textNot Before: Mar 26 08:52:10 2024 GMTNot After : Jun 13 07:26:54 2025 GMT
# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt -noout -textNot Before: Mar 26 08:52:11 2024 GMTNot After : Jun 13 07:26:55 2025 GMT
# openssl x509 -in /etc/kubernetes/pki/apiserver-kubelet-client.crt -noout -textNot Before: Mar 26 08:52:10 2024 GMTNot After : Jun 13 07:26:55 2025 GMT
# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -textNot Before: Mar 26 08:52:10 2024 GMTNot After : Mar 24 08:52:10 2034 GMT
# openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt -noout -textNot Before: Mar 26 08:52:10 2024 GMTNot After : Mar 24 08:52:10 2034 GMT
# openssl x509 -in /etc/kubernetes/pki/front-proxy-client.crt -noout -textNot Before: Mar 26 08:52:10 2024 GMTNot After : Jun 13 07:26:57 2025 GMT

查看k8s环境

这篇关于k8s之kubelet证书时间过期升级的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/1059062

相关文章

C++统计函数执行时间的最佳实践

《C++统计函数执行时间的最佳实践》在软件开发过程中,性能分析是优化程序的重要环节,了解函数的执行时间分布对于识别性能瓶颈至关重要,本文将分享一个C++函数执行时间统计工具,希望对大家有所帮助... 目录前言工具特性核心设计1. 数据结构设计2. 单例模式管理器3. RAII自动计时使用方法基本用法高级用法

Debian 13升级后网络转发等功能异常怎么办? 并非错误而是管理机制变更

《Debian13升级后网络转发等功能异常怎么办?并非错误而是管理机制变更》很多朋友反馈,更新到Debian13后网络转发等功能异常,这并非BUG而是Debian13Trixie调整... 日前 Debian 13 Trixie 发布后已经有众多网友升级到新版本,只不过升级后发现某些功能存在异常,例如网络转

Ubuntu如何升级Python版本

《Ubuntu如何升级Python版本》Ubuntu22.04Docker中,安装Python3.11后,使用update-alternatives设置为默认版本,最后用python3-V验证... 目China编程录问题描述前提环境解决方法总结问题描述Ubuntu22.04系统自带python3.10,想升级

解决升级JDK报错:module java.base does not“opens java.lang.reflect“to unnamed module问题

《解决升级JDK报错:modulejava.basedoesnot“opensjava.lang.reflect“tounnamedmodule问题》SpringBoot启动错误源于Jav... 目录问题描述原因分析解决方案总结问题描述启动sprintboot时报以下错误原因分析编程异js常是由Ja

C# LiteDB处理时间序列数据的高性能解决方案

《C#LiteDB处理时间序列数据的高性能解决方案》LiteDB作为.NET生态下的轻量级嵌入式NoSQL数据库,一直是时间序列处理的优选方案,本文将为大家大家简单介绍一下LiteDB处理时间序列数... 目录为什么选择LiteDB处理时间序列数据第一章:LiteDB时间序列数据模型设计1.1 核心设计原则

基于Redis自动过期的流处理暂停机制

《基于Redis自动过期的流处理暂停机制》基于Redis自动过期的流处理暂停机制是一种高效、可靠且易于实现的解决方案,防止延时过大的数据影响实时处理自动恢复处理,以避免积压的数据影响实时性,下面就来详... 目录核心思路代码实现1. 初始化Redis连接和键前缀2. 接收数据时检查暂停状态3. 检测到延时过

MySQL按时间维度对亿级数据表进行平滑分表

《MySQL按时间维度对亿级数据表进行平滑分表》本文将以一个真实的4亿数据表分表案例为基础,详细介绍如何在不影响线上业务的情况下,完成按时间维度分表的完整过程,感兴趣的小伙伴可以了解一下... 目录引言一、为什么我们需要分表1.1 单表数据量过大的问题1.2 分表方案选型二、分表前的准备工作2.1 数据评估

Linux升级或者切换python版本实现方式

《Linux升级或者切换python版本实现方式》本文介绍在Ubuntu/Debian系统升级Python至3.11或更高版本的方法,通过查看版本列表并选择新版本进行全局修改,需注意自动与手动模式的选... 目录升级系统python版本 (适用于全局修改)对于Ubuntu/Debian系统安装后,验证Pyt

MySQL中DATE_FORMAT时间函数的使用小结

《MySQL中DATE_FORMAT时间函数的使用小结》本文主要介绍了MySQL中DATE_FORMAT时间函数的使用小结,用于格式化日期/时间字段,可提取年月、统计月份数据、精确到天,对大家的学习或... 目录前言DATE_FORMAT时间函数总结前言mysql可以使用DATE_FORMAT获取日期字段

MySQL 升级到8.4版本的完整流程及操作方法

《MySQL升级到8.4版本的完整流程及操作方法》本文详细说明了MySQL升级至8.4的完整流程,涵盖升级前准备(备份、兼容性检查)、支持路径(原地、逻辑导出、复制)、关键变更(空间索引、保留关键字... 目录一、升级前准备 (3.1 Before You Begin)二、升级路径 (3.2 Upgrade