Kubernetes Certificate Renewal

The certificates of a Kubernetes cluster installed with kubeadm are only valid for one year, so the cluster certificates have to be renewed before they expire. Before doing anything, back up the certificate directory first, so that a mistake can be rolled back.

1. Check the certificate expiration times

First, use the kubeadm certs check-expiration command to check when the certificates in the cluster expire.

~ # kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 16, 2023 09:55 UTC   90d             ca                      no      
apiserver                  Jul 16, 2023 09:54 UTC   90d             ca                      no      
apiserver-etcd-client      Jul 16, 2023 09:54 UTC   90d             etcd-ca                 no      
apiserver-kubelet-client   Jul 16, 2023 09:54 UTC   90d             ca                      no      
controller-manager.conf    Jul 16, 2023 09:55 UTC   90d             ca                      no      
etcd-healthcheck-client    Jul 16, 2023 09:53 UTC   90d             etcd-ca                 no      
etcd-peer                  Jul 16, 2023 09:53 UTC   90d             etcd-ca                 no      
etcd-server                Jul 16, 2023 09:53 UTC   90d             etcd-ca                 no      
front-proxy-client         Jul 16, 2023 09:54 UTC   90d             front-proxy-ca          no      
scheduler.conf             Jul 16, 2023 09:55 UTC   90d             ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 28, 2030 09:14 UTC   7y              no      
etcd-ca                 Dec 28, 2030 09:14 UTC   7y              no      
front-proxy-ca          Dec 28, 2030 09:14 UTC   7y              no   

Some older versions use kubeadm alpha certs check-expiration instead.

2. Back up the old certificates, config files, etc.

Before renewing the certificates, back up the old certificates and keys in case something goes wrong during the renewal. The certificates generated by kubeadm are normally under /etc/kubernetes/pki.

# Create the backup directory
/home # mkdir /etc/kubernetes.bak
# Back up the old certificates
/home # cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak
# Back up the config files
/home # cp /etc/kubernetes/*.conf /etc/kubernetes.bak
# Back up the etcd data
/home # cp -r /var/lib/etcd /var/lib/etcd.bak

3. Run the certificate renewal command

/home # kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

Check the certificate expiration times again

/home # kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 16, 2024 08:14 UTC   364d            ca                      no      
apiserver                  Apr 16, 2024 08:14 UTC   364d            ca                      no      
apiserver-etcd-client      Apr 16, 2024 08:14 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Apr 16, 2024 08:14 UTC   364d            ca                      no      
controller-manager.conf    Apr 16, 2024 08:14 UTC   364d            ca                      no      
etcd-healthcheck-client    Apr 16, 2024 08:14 UTC   364d            etcd-ca                 no      
etcd-peer                  Apr 16, 2024 08:14 UTC   364d            etcd-ca                 no      
etcd-server                Apr 16, 2024 08:14 UTC   364d            etcd-ca                 no      
front-proxy-client         Apr 16, 2024 08:14 UTC   364d            front-proxy-ca          no      
scheduler.conf             Apr 16, 2024 08:14 UTC   364d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 28, 2030 09:14 UTC   7y              no      
etcd-ca                 Dec 28, 2030 09:14 UTC   7y              no      
front-proxy-ca          Dec 28, 2030 09:14 UTC   7y              no      

The certificate expiration times have been updated. As the renew output says, kube-apiserver, kube-controller-manager, kube-scheduler and etcd still have to be restarted before they use the new certificates, and because admin.conf was renewed as well, any copy of it kept in ~/.kube/config has to be refreshed from /etc/kubernetes/admin.conf.
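The steps above (check expiry, back up, renew, re-check) rely on kubeadm. As an added example that is not part of the original post and not kubeadm's own code, the script below does the expiry check and the backup with nothing but POSIX sh and openssl, so it can run as a cron job that warns before the one-year certificates run out, and it also reads the client certificates embedded in admin.conf, controller-manager.conf and scheduler.conf, which the check-expiration table lists alongside the pki files. The paths /etc/kubernetes, /etc/kubernetes/pki and /etc/kubernetes.bak are assumptions taken from the post; pass your own directories as arguments.

```shell
#!/bin/sh
# Added example (not from the original post, not kubeadm code): audit the
# certificates under a kubeadm pki directory and back them up, using only
# POSIX sh and openssl. Assumed layout (override via arguments):
#   /etc/kubernetes/pki        certificates written by kubeadm (*.crt, etcd/*.crt)
#   /etc/kubernetes/*.conf     kubeconfigs with embedded client certificates
#   /etc/kubernetes.bak        backup location used in the post

# cert_not_after CERT: print the notAfter field of a PEM certificate,
# e.g. "Apr 16 08:14:00 2024 GMT". Returns 1 if CERT is not a certificate.
cert_not_after() {
    out=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || return 1
    printf '%s\n' "${out#notAfter=}"
}

# cert_status DAYS CERT: print "RENEW" if CERT expires within DAYS days,
# "ok" if it stays valid longer, "unreadable" if it cannot be parsed.
# "openssl x509 -checkend" does the date arithmetic, so GNU date is not needed.
cert_status() {
    if ! openssl x509 -in "$2" -noout >/dev/null 2>&1; then
        echo unreadable
    elif openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1; then
        echo ok
    else
        echo RENEW
    fi
}

# kubeconfig_client_cert FILE: write the client certificate embedded in a
# kubeconfig (admin.conf, controller-manager.conf, scheduler.conf) to stdout
# as PEM. Only the first client-certificate-data entry is read, which matches
# kubeadm's single-user kubeconfig files.
kubeconfig_client_cert() {
    sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$1" | head -n 1 | base64 -d
}

# audit_pki PKI_DIR DAYS: list every *.crt in PKI_DIR and PKI_DIR/etcd plus
# every *.conf in the parent directory, with its notAfter and status.
# Returns 1 if at least one certificate needs renewal, 0 otherwise.
audit_pki() {
    dir="$1"; days="$2"; rc=0
    for cert in "$dir"/*.crt "$dir"/etcd/*.crt; do
        [ -f "$cert" ] || continue
        status=$(cert_status "$days" "$cert")
        [ "$status" = RENEW ] && rc=1
        printf '%-32s %-28s %s\n' "${cert#"$dir"/}" "$(cert_not_after "$cert")" "$status"
    done
    for conf in "$dir"/../*.conf; do
        [ -f "$conf" ] || continue
        pem_tmp=$(mktemp) || return 2
        kubeconfig_client_cert "$conf" > "$pem_tmp"
        status=$(cert_status "$days" "$pem_tmp")
        [ "$status" = RENEW ] && rc=1
        printf '%-32s %-28s %s\n' "$(basename "$conf")" "$(cert_not_after "$pem_tmp")" "$status"
        rm -f "$pem_tmp"
    done
    return $rc
}

# backup_kube KUBE_DIR BACKUP_DIR: copy pki/ and *.conf from KUBE_DIR into a
# timestamped directory under BACKUP_DIR, the backup the post takes before
# renewing. Prints the backup path. (Copy /var/lib/etcd the same way.)
backup_kube() {
    dest="$2/$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$dest" || return 1
    cp -r "$1/pki" "$dest/" || return 1
    for conf in "$1"/*.conf; do [ -f "$conf" ] && cp "$conf" "$dest/"; done
    printf '%s\n' "$dest"
}

# Usage on a kubeadm control-plane node (assumed paths):
#   sh audit.sh --audit /etc/kubernetes/pki 90 || echo "certificates expire within 90 days"
#   backup_kube /etc/kubernetes /etc/kubernetes.bak
if [ "${1:-}" = "--audit" ]; then
    audit_pki "${2:-/etc/kubernetes/pki}" "${3:-90}"
fi
```

A non-zero exit from audit_pki is the signal to schedule the kubeadm certs renew all step from section 3; the CA certificates (ca.crt, etcd/ca.crt, front-proxy-ca.crt) appear in the same listing, which matters because kubeadm certs renew does not renew CAs.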
