众所周知,使用 kubeadm 安装 kubernetes 集群非常方便,但是也有一个比较烦人的问题就是默认的证书有效期只有一年时间,所以需要考虑证书升级的问题。使用kubeadm安装的树莓派k8s集群同样也需要考虑。
手动更新证书
检查证书是否过期
由 kubeadm 生成的客户端证书默认只有一年有效期,我们可以通过 check-expiration 命令来检查证书是否过期:
# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Apr 14, 2022 00:18 UTC 165d no
apiserver Apr 14, 2022 00:18 UTC 165d ca no
apiserver-etcd-client Apr 14, 2022 00:18 UTC 165d etcd-ca no
apiserver-kubelet-client Apr 14, 2022 00:18 UTC 165d ca no
controller-manager.conf Apr 14, 2022 00:18 UTC 165d no
etcd-healthcheck-client Apr 14, 2022 00:18 UTC 165d etcd-ca no
etcd-peer Apr 14, 2022 00:18 UTC 165d etcd-ca no
etcd-server Apr 14, 2022 00:18 UTC 165d etcd-ca no
front-proxy-client Apr 14, 2022 00:18 UTC 165d front-proxy-ca no
scheduler.conf Apr 14, 2022 00:18 UTC 165d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Apr 12, 2031 00:18 UTC 9y no
etcd-ca Apr 12, 2031 00:18 UTC 9y no
front-proxy-ca Apr 12, 2031 00:18 UTC 9y no
该命令显示 /etc/kubernetes/pki 文件夹中的客户端证书以及 kubeadm 使用的 KUBECONFIG 文件中嵌入的客户端证书的到期时间/剩余时间。
手动更新证书
要手动更新证书也非常方便,我们只需要通过 kubeadm alpha certs renew 命令即可更新你的证书,这个命令用 CA(或者 front-proxy-CA )证书和存储在 /etc/kubernetes/pki 中的密钥执行更新。
接下来执行更新证书的命令:
# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
检查证书是否续期
通过上面的命令证书就一键更新完成了,这个时候查看上面的证书可以看到过期时间已经是一年后的时间了:
$ kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Oct 30, 2022 07:12 UTC 364d no
apiserver Oct 30, 2022 07:12 UTC 364d ca no
apiserver-etcd-client Oct 30, 2022 07:12 UTC 364d etcd-ca no
apiserver-kubelet-client Oct 30, 2022 07:12 UTC 364d ca no
controller-manager.conf Oct 30, 2022 07:12 UTC 364d no
etcd-healthcheck-client Oct 30, 2022 07:12 UTC 364d etcd-ca no
etcd-peer Oct 30, 2022 07:12 UTC 364d etcd-ca no
etcd-server Oct 30, 2022 07:12 UTC 364d etcd-ca no
front-proxy-client Oct 30, 2022 07:12 UTC 364d front-proxy-ca no
scheduler.conf Oct 30, 2022 07:12 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Apr 12, 2031 00:18 UTC 9y no
etcd-ca Apr 12, 2031 00:18 UTC 9y no
front-proxy-ca Apr 12, 2031 00:18 UTC 9y no
确认证书有效期
完成后重启 kube-apiserver、kube-controller、kube-scheduler、etcd 这4个容器即可,我们可以查看 apiserver 的证书的有效期来验证是否更新成功:
# echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate
notAfter=Oct 30 07:12:29 2022 GMT
可以看到现在的有效期是一年过后的,证明已经更新成功了。
评论区