Renewing K8S certificates with KubeKey
最编程
2024-05-05 22:45:31
...
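Get the installer executable
- Download the KubeKey executable from the releases page; once downloaded and extracted, it can be used directly.
- Build the binary from source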
git clone https://github.com/kubesphere/kubekey.git
cd kubekey
./build.sh
Check certificate expiration
./kk certs check-expiration [(-f | --file) path]
-f specifies the configuration file that was generated when the cluster was created. It is not required for a single-node cluster.
./kk certs check-expiration
INFO[08:06:54 CST] Listing cluster certs ...
CERTIFICATE                    EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   NODE
apiserver.crt                  Nov 07, 2021 02:56 UTC   <invalid>       ca                      k8s-master1
apiserver-kubelet-client.crt   Nov 07, 2021 02:56 UTC   <invalid>       ca                      k8s-master1
front-proxy-client.crt         Nov 07, 2021 02:56 UTC   <invalid>       front-proxy-ca          k8s-master1
admin.conf                     Nov 07, 2021 02:57 UTC   <invalid>                               k8s-master1
controller-manager.conf        Nov 07, 2021 02:57 UTC   <invalid>                               k8s-master1
scheduler.conf                 Nov 07, 2021 02:57 UTC   <invalid>                               k8s-master1

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   NODE
ca.crt                  Nov 05, 2030 02:56 UTC   8y              k8s-master1
front-proxy-ca.crt      Nov 05, 2030 02:56 UTC   8y              k8s-master1
INFO[08:06:54 CST] Successful.
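A listing like the one above can be checked by a script rather than by eye. The following is an added example, not part of the original post or of KubeKey: a shell function (hypothetical name residual_report) that reads check-expiration output and reports certificates that are expired or closer to expiry than a given number of days. The sample listing is constructed from the output shown above, and counting a year as 365 days is an assumption.

```shell
#!/bin/sh
# residual_report THRESHOLD_DAYS   (reads the listing on stdin)
# Prints "<name> EXPIRED" or "<name> EXPIRING <days>d" for each problem row.
residual_report() {
    awk -v limit="$1" '
    # Convert a RESIDUAL TIME value (364d, 8y, compound 1y10d) to whole days.
    # Hour, minute and second parts count as 0 days.
    function to_days(s,    days, n, u) {
        days = 0
        while (match(s, /^[0-9]+[ydhms]/)) {
            n = substr(s, 1, RLENGTH - 1) + 0
            u = substr(s, RLENGTH, 1)
            if (u == "y") days += n * 365      # assumption: 365 days per year
            else if (u == "d") days += n
            s = substr(s, RLENGTH + 1)
        }
        return days
    }
    # Data rows are the only lines whose 6th field is the "UTC" of the date;
    # headers and INFO lines are skipped. Field 7 is RESIDUAL TIME.
    $6 == "UTC" {
        if ($7 == "<invalid>") { print $1, "EXPIRED"; next }
        d = to_days($7)
        if (d < limit) print $1, "EXPIRING", d "d"
    }'
}

# Constructed sample, modelled on the listing above (the 20d row is invented).
sample_listing() {
cat <<'EOF'
INFO[08:06:54 CST] Listing cluster certs ...
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY NODE
apiserver.crt Nov 07, 2021 02:56 UTC <invalid> ca k8s-master1
admin.conf Nov 19, 2022 00:07 UTC 20d k8s-master1
scheduler.conf Nov 19, 2022 00:07 UTC 364d k8s-master1
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME NODE
ca.crt Nov 05, 2030 02:56 UTC 8y k8s-master1
EOF
}

# Report anything expired or with fewer than 30 days left.
sample_listing | residual_report 30
```

On a real cluster the function would be fed from `./kk certs check-expiration | residual_report 30`.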
Renew the K8S certificates
./kk certs renew [(-f | --file) path]
-f specifies the configuration file that was generated when the cluster was created. It is not required for a single-node cluster.
./kk certs renew
INFO[08:07:23 CST] Renewing cluster certs ...
[k8s-master1 10.213.118.10] MSG:
v1.18.6
INFO[08:07:28 CST] Syncing cluster kubeConfig ...
INFO[08:07:28 CST] Listing cluster certs ...
CERTIFICATE                    EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   NODE
apiserver.crt                  Nov 19, 2022 00:07 UTC   364d            ca                      k8s-master1
apiserver-kubelet-client.crt   Nov 19, 2022 00:07 UTC   364d            ca                      k8s-master1
front-proxy-client.crt         Nov 19, 2022 00:07 UTC   364d            front-proxy-ca          k8s-master1
admin.conf                     Nov 19, 2022 00:07 UTC   364d                                    k8s-master1
controller-manager.conf        Nov 19, 2022 00:07 UTC   364d                                    k8s-master1
scheduler.conf                 Nov 19, 2022 00:07 UTC   364d                                    k8s-master1

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   NODE
ca.crt                  Nov 05, 2030 02:56 UTC   8y              k8s-master1
front-proxy-ca.crt      Nov 05, 2030 02:56 UTC   8y              k8s-master1
INFO[08:07:28 CST] Successful.
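Renewing certificates on Kubernetes v1.15 and later
Renew all certificates under the /etc/kubernetes/pki directory (not including the CA certificates).
Note: this must be done on every node.
# Check when the current certificates expire
$ kubeadm alpha certs check-expiration
# Renew the certificates using the binary
$ kubeadm alpha certs renew all
# At 00:00 on the 1st day of every month
crontab -e
0 0 1 * * /usr/bin/kubeadm alpha certs renew all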