k8s cluster -- extending certificate validity
Note: in a k8s cluster built with kubeadm, the certificates are valid for 1 year, as shown in the figure below.
Today we walk through extending the certificate validity with a script. The steps are as follows.
1 Download the script
Automatic certificate renewal script: https://github.com/yuyicai/update-kube-cert
You can also fetch it with git:
git clone https://github.com/yuyicai/update-kube-cert.git
cd update-kube-cert
2 Enter the update-kube-cert directory and upload update-kubeadm-cert.sh to a control-plane node (here, 103.org)
3 Make it executable
chmod +x update-kubeadm-cert.sh
4 Run it
[root@103 ~]# ./update-kubeadm-cert.sh all
/usr/bin/env: “bash\r”: No such file or directory
It fails: the "bash\r" in the error means the script has Windows (CRLF) line endings, so the file format needs to be converted to Unix first:
vim update-kubeadm-cert.sh
:set ff=unix
:wq   (save and quit)
5 Run ./update-kubeadm-cert.sh all again
Directories to back up before the operation: /etc/kubernetes and /var/lib/kubelet/pki
[root@103 ~]# ./update-kubeadm-cert.sh all
[2025-07-10T15:56:52.83+0800] [INFO] checking if all certificate files are existed...
[2025-07-10T15:56:52.83+0800] [INFO] found file: /etc/kubernetes/pki/etcd/ca.crt
[2025-07-10T15:56:52.83+0800] [INFO] found file: /etc/kubernetes/pki/etcd/ca.key
[2025-07-10T15:56:52.84+0800] [INFO] found file: /etc/kubernetes/pki/etcd/server.crt
[2025-07-10T15:56:52.84+0800] [INFO] found file: /etc/kubernetes/pki/etcd/server.key
[2025-07-10T15:56:52.85+0800] [INFO] found file: /etc/kubernetes/pki/etcd/peer.crt
[2025-07-10T15:56:52.85+0800] [INFO] found file: /etc/kubernetes/pki/etcd/peer.key
[2025-07-10T15:56:52.85+0800] [INFO] found file: /etc/kubernetes/pki/etcd/healthcheck-client.crt
[2025-07-10T15:56:52.86+0800] [INFO] found file: /etc/kubernetes/pki/etcd/healthcheck-client.key
[2025-07-10T15:56:52.86+0800] [INFO] found file: /etc/kubernetes/pki/apiserver-etcd-client.crt
[2025-07-10T15:56:52.86+0800] [INFO] found file: /etc/kubernetes/pki/apiserver-etcd-client.key
[2025-07-10T15:56:52.87+0800] [INFO] found file: /etc/kubernetes/controller-manager.conf
[2025-07-10T15:56:52.87+0800] [INFO] found file: /etc/kubernetes/scheduler.conf
[2025-07-10T15:56:52.88+0800] [INFO] found file: /etc/kubernetes/admin.conf
[2025-07-10T15:56:52.88+0800] [INFO] found file: /etc/kubernetes/pki/ca.crt
[2025-07-10T15:56:52.88+0800] [INFO] found file: /etc/kubernetes/pki/ca.key
[2025-07-10T15:56:52.89+0800] [INFO] found file: /etc/kubernetes/pki/apiserver.crt
[2025-07-10T15:56:52.89+0800] [INFO] found file: /etc/kubernetes/pki/apiserver.key
[2025-07-10T15:56:52.89+0800] [INFO] found file: /etc/kubernetes/pki/apiserver-kubelet-client.crt
[2025-07-10T15:56:52.90+0800] [INFO] found file: /etc/kubernetes/pki/apiserver-kubelet-client.key
[2025-07-10T15:56:52.90+0800] [INFO] found file: /etc/kubernetes/pki/front-proxy-ca.crt
[2025-07-10T15:56:52.90+0800] [INFO] found file: /etc/kubernetes/pki/front-proxy-ca.key
[2025-07-10T15:56:52.91+0800] [INFO] found file: /etc/kubernetes/pki/front-proxy-client.crt
[2025-07-10T15:56:52.91+0800] [INFO] found file: /etc/kubernetes/pki/front-proxy-client.key
[2025-07-10T15:56:52.91+0800] [INFO] found file: /etc/kubernetes/controller-manager.conf
[2025-07-10T15:56:52.92+0800] [INFO] found file: /etc/kubernetes/scheduler.conf
[2025-07-10T15:56:52.92+0800] [INFO] found file: /etc/kubernetes/admin.conf
[2025-07-10T15:56:52.93+0800] [INFO] all certificate files are existed
[2025-07-10T15:56:52.93+0800] [INFO] backup /etc/kubernetes to /etc/kubernetes.old-2025-07-10_15-56-52
[2025-07-10T15:56:52.98+0800] [INFO] checking certificate expiration before update...
|-----------------------------------|----------------------------|
| CERTIFICATE | EXPIRES |
| ca.crt | Jul 7 11:13:23 2035 GMT |
| apiserver.crt | Jul 9 11:13:23 2026 GMT |
| apiserver-kubelet-client.crt | Jul 9 11:13:23 2026 GMT |
| front-proxy-ca.crt | Jul 7 11:13:24 2035 GMT |
| front-proxy-client.crt | Jul 9 11:13:24 2026 GMT |
|-----------------------------------|----------------------------|
| controller-manager.conf | Jul 9 11:13:26 2026 GMT |
| scheduler.conf | Jul 9 11:13:26 2026 GMT |
| admin.conf | Jul 9 11:13:25 2026 GMT |
|-----------------------------------|----------------------------|
| etcd/ca.crt | Jul 7 11:13:24 2035 GMT |
| etcd/server.crt | Jul 9 11:13:24 2026 GMT |
| etcd/peer.crt | Jul 9 11:13:24 2026 GMT |
| etcd/healthcheck-client.crt | Jul 9 11:13:25 2026 GMT |
| apiserver-etcd-client.crt | Jul 9 11:13:25 2026 GMT |
|-----------------------------------|----------------------------|
[2025-07-10T15:56:53.25+0800] [INFO] updating certificates with 3650 days expiration...
[2025-07-10T15:56:53.33+0800] [INFO] updated /etc/kubernetes/pki/etcd/server.crt
[2025-07-10T15:56:53.40+0800] [INFO] updated /etc/kubernetes/pki/etcd/peer.crt
[2025-07-10T15:56:53.45+0800] [INFO] updated /etc/kubernetes/pki/etcd/healthcheck-client.crt
[2025-07-10T15:56:53.50+0800] [INFO] updated /etc/kubernetes/pki/apiserver-etcd-client.crt
[2025-07-10T15:56:55.03+0800] [INFO] restarted etcd
[2025-07-10T15:56:55.13+0800] [INFO] updated /etc/kubernetes/pki/apiserver.crt
[2025-07-10T15:56:55.20+0800] [INFO] updated /etc/kubernetes/pki/apiserver-kubelet-client.crt
[2025-07-10T15:56:55.27+0800] [INFO] updated /etc/kubernetes/controller-manager.conf
[2025-07-10T15:56:55.37+0800] [INFO] updated /etc/kubernetes/scheduler.conf
[2025-07-10T15:56:55.57+0800] [INFO] updated /etc/kubernetes/admin.conf
[2025-07-10T15:56:55.73+0800] [INFO] updated /etc/kubernetes/pki/front-proxy-client.crt
[2025-07-10T15:56:57.12+0800] [INFO] restarted control-plane pod: apiserver
[2025-07-10T15:56:58.65+0800] [INFO] restarted control-plane pod: controller-manager
[2025-07-10T15:56:59.56+0800] [INFO] restarted control-plane pod: scheduler
[2025-07-10T15:56:59.66+0800] [INFO] restarted kubelet
[2025-07-10T15:56:59.66+0800] [INFO] checking certificate expiration after update...
|-----------------------------------|----------------------------|
| CERTIFICATE | EXPIRES |
| ca.crt | Jul 7 11:13:23 2035 GMT |
| apiserver.crt | Jul 8 07:56:55 2035 GMT |
| apiserver-kubelet-client.crt | Jul 8 07:56:55 2035 GMT |
| front-proxy-ca.crt | Jul 7 11:13:24 2035 GMT |
| front-proxy-client.crt | Jul 8 07:56:55 2035 GMT |
|-----------------------------------|----------------------------|
| controller-manager.conf | Jul 8 07:56:55 2035 GMT |
| scheduler.conf | Jul 8 07:56:55 2035 GMT |
| admin.conf | Jul 8 07:56:55 2035 GMT |
|-----------------------------------|----------------------------|
| etcd/ca.crt | Jul 7 11:13:24 2035 GMT |
| etcd/server.crt | Jul 8 07:56:53 2035 GMT |
| etcd/peer.crt | Jul 8 07:56:53 2035 GMT |
| etcd/healthcheck-client.crt | Jul 8 07:56:53 2035 GMT |
| apiserver-etcd-client.crt | Jul 8 07:56:53 2035 GMT |
|-----------------------------------|----------------------------|
[2025-07-10T15:57:00.30+0800] [INFO] DONE!!!enjoy itplease copy admin.conf to /root/.kube/config manually.
# back old config
cp /root/.kube/config /root/.kube/config_backup
# copy new admin.conf to /root/.kube/config for kubectl manually
cp -i /etc/kubernetes/admin.conf /root/.kube/config
6 Check that the pods and nodes are healthy
[root@103 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
103.org Ready control-plane 20h v1.26.0
104.org Ready worker 20h v1.26.0
105.org Ready worker 20h v1.26.0
[root@103 ~]#
[root@103 ~]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
calico-kube-controllers-b48d575fb-jngns 1/1 Running 0 17h
calico-node-59gdp 1/1 Running 0 17h
calico-node-m6x29 1/1 Running 0 17h
calico-node-tlqdq 1/1 Running 0 17h
coredns-567c556887-58cwt 1/1 Running 0 20h
coredns-567c556887-wdcrh 1/1 Running 0 20h
etcd-103.org 1/1 Running 3 (117s ago) 20h
kube-apiserver-103.org 1/1 Running 3 (115s ago) 20h
kube-controller-manager-103.org 1/1 Running 3 (114s ago) 20h
kube-proxy-6wt6v 1/1 Running 0 20h
kube-proxy-nfwgf 1/1 Running 0 20h
kube-proxy-tv5t5 1/1 Running 0 20h
kube-scheduler-103.org 1/1 Running 3 (113s ago) 20h
7 Check the certificate validity
You can see that the certificates now expire in 2035 (extended by 10 years).
If you would rather not use the script, the official command can renew the certificate validity instead:
kubeadm certs renew all
Note: versions >= v1.15.x can use the command above directly; after running it, the certificates are extended by 1 year.
Finally, this script is quite powerful: it can also set the certificate validity to 100 years, provided it is used before the cluster is initialized with kubeadm.
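For step 7, here is an added example (not code from the page or from the update-kube-cert project): a small POSIX-shell checker that prints the expiry of every kubeadm certificate, including the client certificates embedded base64 in admin.conf, controller-manager.conf and scheduler.conf, which a plain openssl x509 -in on the file would not read. It assumes openssl and GNU date are installed and the default kubeadm paths shown in the script output above; kubeadm certs check-expiration prints a similar table, but this version exits non-zero when anything is within WARN_DAYS, so it can run from cron.

```shell
#!/usr/bin/env bash
# Added example, not part of the page or the update-kube-cert project.
# Reports the expiry of kubeadm certificates (PEM files under /etc/kubernetes/pki
# and the base64 client certs inside the kubeconfigs) and flags any that expire
# within WARN_DAYS. Assumes openssl, GNU date and the default kubeadm paths.
set -eu

WARN_DAYS="${WARN_DAYS:-30}"
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
CONF_DIR="${CONF_DIR:-/etc/kubernetes}"

# days_left FILE -> prints "<days remaining> <notAfter as printed by openssl>"
days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  exp=$(date -d "$end" +%s)
  now=$(date +%s)
  echo "$(( (exp - now) / 86400 )) $end"
}

# kubeconfig_cert FILE -> writes the embedded client certificate (PEM) to stdout
kubeconfig_cert() {
  awk '/client-certificate-data:/ { print $2; exit }' "$1" | base64 -d
}

# report NAME FILE -> prints one status line; exit status 1 when inside WARN_DAYS
report() {
  out=$(days_left "$2")
  days=${out%% *}
  status=OK
  [ "$days" -lt "$WARN_DAYS" ] && status=WARN
  printf '%-4s %5sd  %-30s %s\n' "$status" "$days" "$1" "${out#* }"
  [ "$status" = OK ]
}

# check_all -> walks the pki dir and the three control-plane kubeconfigs;
# exit status 1 if anything is inside the warning window
check_all() {
  rc=0
  for f in "$PKI_DIR"/*.crt "$PKI_DIR"/etcd/*.crt; do
    [ -f "$f" ] || continue
    report "${f#"$PKI_DIR"/}" "$f" || rc=1
  done
  for c in admin.conf controller-manager.conf scheduler.conf; do
    [ -f "$CONF_DIR/$c" ] || continue
    tmp=$(mktemp)
    kubeconfig_cert "$CONF_DIR/$c" > "$tmp"
    report "$c" "$tmp" || rc=1
    rm -f "$tmp"
  done
  return $rc
}

if [ "${1:-}" = "--run" ]; then check_all; fi
```

Run it as root on a control-plane node with `--run`; the ca.crt, front-proxy-ca.crt and etcd/ca.crt lines show the 10-year CA validity while the leaf certificates are the ones the script above renews.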
OK, problem solved, done!
If you repost this, please include a link to the original!