Renewing the certificate files of a k8s cluster

Summary

The content of this article is my own study based on the official documentation and source code, recorded and organized during the learning process.

Check the certificate validity period

$ kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Dec 23, 2024 09:38 UTC 3d no
apiserver Dec 23, 2024 09:38 UTC 3d ca no
apiserver-kubelet-client Dec 23, 2024 09:38 UTC 3d ca no
controller-manager.conf Dec 23, 2024 09:38 UTC 3d no
front-proxy-client Dec 23, 2024 09:38 UTC 3d front-proxy-ca no
scheduler.conf Dec 23, 2024 09:38 UTC 3d no

CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Dec 21, 2033 09:38 UTC 9y no
front-proxy-ca Dec 21, 2033 09:38 UTC 9y no



$ openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text | grep Not
Not Before: Dec 24 09:38:35 2023 GMT
Not After : Dec 23 09:38:37 2024 GMT
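The two commands above are the check you want to run long before the three-day mark shown in the table. The following added example (not code from the original post) parses both output formats, the `kubeadm alpha certs check-expiration` table and the `Not After :` line printed by `openssl x509 -text`, and reports every certificate due within a configurable number of days. The sample outputs embedded in it are constructed to mirror the post's listings; the `now` timestamp is pinned so the run is reproducible.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the format printed by `kubeadm alpha certs check-expiration`
# (not output captured from the cluster in the post).
SAMPLE_CHECK_EXPIRATION = """\
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 23, 2024 09:38 UTC   3d                                      no
apiserver                  Dec 23, 2024 09:38 UTC   3d              ca                      no
apiserver-kubelet-client   Dec 23, 2024 09:38 UTC   3d              ca                      no
controller-manager.conf    Dec 23, 2024 09:38 UTC   3d                                      no
front-proxy-client         Dec 23, 2024 09:38 UTC   3d              front-proxy-ca          no
scheduler.conf             Dec 23, 2024 09:38 UTC   3d                                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 21, 2033 09:38 UTC   9y              no
front-proxy-ca          Dec 21, 2033 09:38 UTC   9y              no
"""

# Constructed sample of `openssl x509 -noout -text | grep Not` on the kubelet client cert.
SAMPLE_OPENSSL = """\
            Not Before: Dec 24 09:38:35 2023 GMT
            Not After : Dec 23 09:38:37 2024 GMT
"""

# One data row: name, "Mon DD, YYYY HH:MM UTC", residual time, optional CA name, yes|no.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<expires>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}) UTC\s+"
    r"\S+\s+"                      # residual time as printed by kubeadm (recomputed below)
    r"(?:(?P<ca>\S+)\s+)?"
    r"(?P<external>yes|no)\s*$"
)


def parse_check_expiration(text):
    """Map certificate name -> expiry as a timezone-aware UTC datetime."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:          # banner lines, blank lines and column headers
            continue
        when = datetime.strptime(m.group("expires"), "%b %d, %Y %H:%M")
        certs[m.group("name")] = when.replace(tzinfo=timezone.utc)
    return certs


def parse_openssl_not_after(text):
    """Expiry from the 'Not After :' line of `openssl x509 -text` (GMT is UTC)."""
    for line in text.splitlines():
        fields = line.split()       # collapses openssl's padded single-digit days ("Dec  3")
        if fields[:3] == ["Not", "After", ":"]:
            when = datetime.strptime(" ".join(fields[3:7]), "%b %d %H:%M:%S %Y")
            return when.replace(tzinfo=timezone.utc)
    raise ValueError("no 'Not After' line found")


def expiring_within(certs, now, days):
    """Sorted names whose expiry is at most `days` from `now` (already expired ones included)."""
    horizon = timedelta(days=days)
    return sorted(name for name, when in certs.items() if when - now <= horizon)


def report(now_iso, days=30):
    """Run both parsers over the samples and return the certificate names due within `days`."""
    now = datetime.fromisoformat(now_iso)
    certs = parse_check_expiration(SAMPLE_CHECK_EXPIRATION)
    certs["kubelet-client-current.pem"] = parse_openssl_not_after(SAMPLE_OPENSSL)
    return expiring_within(certs, now, days)


if __name__ == "__main__":
    for name in report("2024-12-20T00:00:00+00:00", days=30):
        print(f"WARNING: {name} is due for renewal within 30 days")
```

Run it against live output by replacing the two sample strings with the captured command output; the CA certificates (nine years left in the table) drop out of the warning list, while the six leaf certificates and the kubelet client certificate are flagged.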

Back up the configuration

This keeps the cluster recoverable if the renewal fails.

mkdir backup
cp -r /etc/kubernetes/ backup/
cp -r /var/lib/kubelet/pki/ backup/

Generate the new certificates

$ kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Regenerate the kubeconfig files

rm /etc/kubernetes/kubelet.conf

$ kubeadm init --kubernetes-version=v1.19.16 phase kubeconfig kubelet
W1220 00:09:01.694538 152146 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"


cp /etc/kubernetes/admin.conf ~/.kube/config

Restart kubelet to rotate its certificate

systemctl restart kubelet


$ openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text | grep Not
Not Before: Dec 20 00:06:42 2024 GMT
Not After : Dec 20 00:06:42 2025 GMT

Check the certificate renewal requests on the master

$ kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
csr-hs2jh 101s kubernetes.io/kube-apiserver-client-kubelet system:node:kube1 Approved,Issued
csr-jxqpb 361d kubernetes.io/kube-apiserver-client-kubelet system:bootstrap:9037x2 Approved,Issued


$ kubectl certificate approve csr-hs2jh
certificatesigningrequest.certificates.k8s.io/csr-hs2jh approved

Rotate the certificate on worker nodes

# Generate the node's kubeconfig on the master machine (same version as the cluster, v1.19.16)
kubeadm init --kubernetes-version=v1.19.16 phase kubeconfig kubelet --node-name node1 --kubeconfig-dir /root/node/

# The file was written to the --kubeconfig-dir given above; copy it to the node
scp /root/node/kubelet.conf 192.168.50.156:/etc/kubernetes/

# Restart kubelet on the node
systemctl restart kubelet

$ openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text | grep Not
Not Before: Dec 20 00:16:38 2024 GMT
Not After : Dec 20 00:16:38 2025 GMT

If the certificate has already expired

openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem  -noout -text | grep Not
Not Before: Dec 24 09:38:35 2023 GMT
Not After : Dec 20 00:20:01 2025 GMT

$ kubectl get node
NAME STATUS ROLES AGE VERSION
kube1 Ready master 404d v1.19.16
kube2 Ready master 404d v1.19.16
kube3 Ready master 404d v1.19.16
node1 Ready <none> 404d v1.19.16
node2 NotReady <none> 404d v1.19.16


$ kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
csr-4swxq 42d kubernetes.io/kube-apiserver-client-kubelet system:node:kube2 Approved,Issued
csr-brdtj 2m7s kubernetes.io/kube-apiserver-client-kubelet system:node:kube3 Approved,Issued
csr-hs2jh 42d kubernetes.io/kube-apiserver-client-kubelet system:node:kube1 Approved,Issued
csr-lhbzs 42d kubernetes.io/kube-apiserver-client-kubelet system:node:node1 Approved,Issued
csr-m2gsl 57s kubernetes.io/kube-apiserver-client-kubelet system:node:node1 Pending


$ kubectl certificate approve csr-m2gsl
certificatesigningrequest.certificates.k8s.io/csr-m2gsl approved


$ openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text | grep Not
Not Before: Dec 20 00:16:38 2024 GMT
Not After : Dec 20 00:16:38 2025 GMT
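Both CSR listings above (the master section and the expired-certificate section) end with `kubectl certificate approve`. An approved CSR with the `kubernetes.io/kube-apiserver-client-kubelet` signer yields a client certificate carrying a node identity, so it is worth confirming that each Pending request comes from a node that actually exists in `kubectl get node` before approving it. The following added example (not code from the original post) parses the `kubectl get csr` table, keeps only Pending rows, and separates the expected kubelet renewals from requests that deserve a manual look. The table is constructed in the post's column layout; the last two rows (`csr-x0001`, `csr-x0002`) are made-up entries that the triage should not approve automatically.

```python
# Constructed sample in the `kubectl get csr` column layout (not the post's real listing).
SAMPLE_CSR_TABLE = """\
NAME        AGE    SIGNERNAME                                    REQUESTOR                              CONDITION
csr-4swxq   42d    kubernetes.io/kube-apiserver-client-kubelet   system:node:kube2                      Approved,Issued
csr-jxqpb   361d   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:9037x2                Approved,Issued
csr-m2gsl   57s    kubernetes.io/kube-apiserver-client-kubelet   system:node:node1                      Pending
csr-x0001   30s    kubernetes.io/kube-apiserver-client-kubelet   system:node:unknown9                   Pending
csr-x0002   10s    kubernetes.io/kube-apiserver-client           system:serviceaccount:default:build    Pending
"""

# Node names as listed by `kubectl get node` in the post.
KNOWN_NODES = {"kube1", "kube2", "kube3", "node1", "node2"}
KUBELET_CLIENT_SIGNER = "kubernetes.io/kube-apiserver-client-kubelet"
NODE_USER_PREFIX = "system:node:"


def parse_csr_table(text):
    """Rows of `kubectl get csr` as dicts keyed by the header names; columns are whitespace-separated."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError(f"unexpected column count: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def triage_pending(rows, known_nodes):
    """Split Pending CSRs into (expected kubelet renewals, requests needing manual review).

    A renewal is "expected" only when the signer is the kubelet client signer and the
    requestor is system:node:<name> for a node that is already part of the cluster.
    """
    expected, review = [], []
    for row in rows:
        if row["CONDITION"] != "Pending":
            continue
        requestor = row["REQUESTOR"]
        node = requestor[len(NODE_USER_PREFIX):] if requestor.startswith(NODE_USER_PREFIX) else None
        if row["SIGNERNAME"] == KUBELET_CLIENT_SIGNER and node in known_nodes:
            expected.append(row["NAME"])
        else:
            review.append(row["NAME"])
    return expected, review


def approve_commands(names):
    """The approval command for each CSR, for the operator to run after reading the list."""
    return [f"kubectl certificate approve {name}" for name in names]


if __name__ == "__main__":
    rows = parse_csr_table(SAMPLE_CSR_TABLE)
    expected, review = triage_pending(rows, KNOWN_NODES)
    print("\n".join(approve_commands(expected)))
    for name in review:
        print(f"# review before approving: {name}")
```

Feed it `kubectl get csr` output and the current node list; on the sample it prints one approve command for `csr-m2gsl` and lists the unknown-node and non-kubelet-signer requests for review instead of approving them.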