
k8s cluster: extending certificate validity

Note: in a k8s cluster built with kubeadm, the leaf certificates (API server, etcd, and the client certificates embedded in the kubeconfig files) are valid for 1 year, as shown in the figure below and in the "before update" table printed by the script further down; the CA certificates are valid for 10 years.

Today we extend the certificates with a script; the steps are as follows.

1 Download the script

Automatic certificate renewal script: https://github.com/yuyicai/update-kube-cert

You can also fetch it with git:

git clone https://github.com/yuyicai/update-kube-cert.git
cd update-kube-cert

2 In the update-kube-cert directory, take update-kubeadm-cert.sh and upload it to the control-plane node (here, 103.org)

3 Make it executable

 chmod +x update-kubeadm-cert.sh

4 Run it

    [root@103 ~]# ./update-kubeadm-cert.sh all
    /usr/bin/env: “bash\r”: No such file or directory

This fails. The "\r" in the error is a carriage return: the file was saved with Windows CRLF line endings (typically from being downloaded or edited on Windows), so the kernel tries to execute an interpreter literally named "bash\r". Convert the file to Unix line endings:

    vim update-kubeadm-cert.sh
    
    :set ff=unix
    
    :wq   (save and quit)

5 Run ./update-kubeadm-cert.sh all again

Before doing so, back up the directories /etc/kubernetes and /var/lib/kubelet/pki. The log below shows the script backing up /etc/kubernetes on its own; /var/lib/kubelet/pki is not mentioned in that log, so back it up yourself.

[root@103 ~]# ./update-kubeadm-cert.sh all
[2025-07-10T15:56:52.83+0800] [INFO] checking if all certificate files are existed...
[2025-07-10T15:56:52.83+0800] [INFO] found file: /etc/kubernetes/pki/etcd/ca.crt
[2025-07-10T15:56:52.83+0800] [INFO] found file: /etc/kubernetes/pki/etcd/ca.key
[2025-07-10T15:56:52.84+0800] [INFO] found file: /etc/kubernetes/pki/etcd/server.crt
[2025-07-10T15:56:52.84+0800] [INFO] found file: /etc/kubernetes/pki/etcd/server.key
[2025-07-10T15:56:52.85+0800] [INFO] found file: /etc/kubernetes/pki/etcd/peer.crt
[2025-07-10T15:56:52.85+0800] [INFO] found file: /etc/kubernetes/pki/etcd/peer.key
[2025-07-10T15:56:52.85+0800] [INFO] found file: /etc/kubernetes/pki/etcd/healthcheck-client.crt
[2025-07-10T15:56:52.86+0800] [INFO] found file: /etc/kubernetes/pki/etcd/healthcheck-client.key
[2025-07-10T15:56:52.86+0800] [INFO] found file: /etc/kubernetes/pki/apiserver-etcd-client.crt
[2025-07-10T15:56:52.86+0800] [INFO] found file: /etc/kubernetes/pki/apiserver-etcd-client.key
[2025-07-10T15:56:52.87+0800] [INFO] found file: /etc/kubernetes/controller-manager.conf
[2025-07-10T15:56:52.87+0800] [INFO] found file: /etc/kubernetes/scheduler.conf
[2025-07-10T15:56:52.88+0800] [INFO] found file: /etc/kubernetes/admin.conf
[2025-07-10T15:56:52.88+0800] [INFO] found file: /etc/kubernetes/pki/ca.crt
[2025-07-10T15:56:52.88+0800] [INFO] found file: /etc/kubernetes/pki/ca.key
[2025-07-10T15:56:52.89+0800] [INFO] found file: /etc/kubernetes/pki/apiserver.crt
[2025-07-10T15:56:52.89+0800] [INFO] found file: /etc/kubernetes/pki/apiserver.key
[2025-07-10T15:56:52.89+0800] [INFO] found file: /etc/kubernetes/pki/apiserver-kubelet-client.crt
[2025-07-10T15:56:52.90+0800] [INFO] found file: /etc/kubernetes/pki/apiserver-kubelet-client.key
[2025-07-10T15:56:52.90+0800] [INFO] found file: /etc/kubernetes/pki/front-proxy-ca.crt
[2025-07-10T15:56:52.90+0800] [INFO] found file: /etc/kubernetes/pki/front-proxy-ca.key
[2025-07-10T15:56:52.91+0800] [INFO] found file: /etc/kubernetes/pki/front-proxy-client.crt
[2025-07-10T15:56:52.91+0800] [INFO] found file: /etc/kubernetes/pki/front-proxy-client.key
[2025-07-10T15:56:52.91+0800] [INFO] found file: /etc/kubernetes/controller-manager.conf
[2025-07-10T15:56:52.92+0800] [INFO] found file: /etc/kubernetes/scheduler.conf
[2025-07-10T15:56:52.92+0800] [INFO] found file: /etc/kubernetes/admin.conf
[2025-07-10T15:56:52.93+0800] [INFO] all certificate files are existed
[2025-07-10T15:56:52.93+0800] [INFO] backup /etc/kubernetes to /etc/kubernetes.old-2025-07-10_15-56-52
[2025-07-10T15:56:52.98+0800] [INFO] checking certificate expiration before update...
|-----------------------------------|----------------------------|
| CERTIFICATE                       | EXPIRES                    |
| ca.crt                            | Jul  7 11:13:23 2035 GMT   |
| apiserver.crt                     | Jul  9 11:13:23 2026 GMT   |
| apiserver-kubelet-client.crt      | Jul  9 11:13:23 2026 GMT   |
| front-proxy-ca.crt                | Jul  7 11:13:24 2035 GMT   |
| front-proxy-client.crt            | Jul  9 11:13:24 2026 GMT   |
|-----------------------------------|----------------------------|
| controller-manager.conf           | Jul  9 11:13:26 2026 GMT   |
| scheduler.conf                    | Jul  9 11:13:26 2026 GMT   |
| admin.conf                        | Jul  9 11:13:25 2026 GMT   |
|-----------------------------------|----------------------------|
| etcd/ca.crt                       | Jul  7 11:13:24 2035 GMT   |
| etcd/server.crt                   | Jul  9 11:13:24 2026 GMT   |
| etcd/peer.crt                     | Jul  9 11:13:24 2026 GMT   |
| etcd/healthcheck-client.crt       | Jul  9 11:13:25 2026 GMT   |
| apiserver-etcd-client.crt         | Jul  9 11:13:25 2026 GMT   |
|-----------------------------------|----------------------------|
[2025-07-10T15:56:53.25+0800] [INFO] updating certificates with 3650 days expiration...
[2025-07-10T15:56:53.33+0800] [INFO] updated /etc/kubernetes/pki/etcd/server.crt
[2025-07-10T15:56:53.40+0800] [INFO] updated /etc/kubernetes/pki/etcd/peer.crt
[2025-07-10T15:56:53.45+0800] [INFO] updated /etc/kubernetes/pki/etcd/healthcheck-client.crt
[2025-07-10T15:56:53.50+0800] [INFO] updated /etc/kubernetes/pki/apiserver-etcd-client.crt
[2025-07-10T15:56:55.03+0800] [INFO] restarted etcd
[2025-07-10T15:56:55.13+0800] [INFO] updated /etc/kubernetes/pki/apiserver.crt
[2025-07-10T15:56:55.20+0800] [INFO] updated /etc/kubernetes/pki/apiserver-kubelet-client.crt
[2025-07-10T15:56:55.27+0800] [INFO] updated /etc/kubernetes/controller-manager.conf
[2025-07-10T15:56:55.37+0800] [INFO] updated /etc/kubernetes/scheduler.conf
[2025-07-10T15:56:55.57+0800] [INFO] updated /etc/kubernetes/admin.conf
[2025-07-10T15:56:55.73+0800] [INFO] updated /etc/kubernetes/pki/front-proxy-client.crt
[2025-07-10T15:56:57.12+0800] [INFO] restarted control-plane pod: apiserver
[2025-07-10T15:56:58.65+0800] [INFO] restarted control-plane pod: controller-manager
[2025-07-10T15:56:59.56+0800] [INFO] restarted control-plane pod: scheduler
[2025-07-10T15:56:59.66+0800] [INFO] restarted kubelet
[2025-07-10T15:56:59.66+0800] [INFO] checking certificate expiration after update...
|-----------------------------------|----------------------------|
| CERTIFICATE                       | EXPIRES                    |
| ca.crt                            | Jul  7 11:13:23 2035 GMT   |
| apiserver.crt                     | Jul  8 07:56:55 2035 GMT   |
| apiserver-kubelet-client.crt      | Jul  8 07:56:55 2035 GMT   |
| front-proxy-ca.crt                | Jul  7 11:13:24 2035 GMT   |
| front-proxy-client.crt            | Jul  8 07:56:55 2035 GMT   |
|-----------------------------------|----------------------------|
| controller-manager.conf           | Jul  8 07:56:55 2035 GMT   |
| scheduler.conf                    | Jul  8 07:56:55 2035 GMT   |
| admin.conf                        | Jul  8 07:56:55 2035 GMT   |
|-----------------------------------|----------------------------|
| etcd/ca.crt                       | Jul  7 11:13:24 2035 GMT   |
| etcd/server.crt                   | Jul  8 07:56:53 2035 GMT   |
| etcd/peer.crt                     | Jul  8 07:56:53 2035 GMT   |
| etcd/healthcheck-client.crt       | Jul  8 07:56:53 2035 GMT   |
| apiserver-etcd-client.crt         | Jul  8 07:56:53 2035 GMT   |
|-----------------------------------|----------------------------|
[2025-07-10T15:57:00.30+0800] [INFO] DONE!!!enjoy it

please copy admin.conf to /root/.kube/config manually.
    # back old config
    cp /root/.kube/config /root/.kube/config_backup
    # copy new admin.conf to /root/.kube/config for kubectl manually
    cp -i /etc/kubernetes/admin.conf /root/.kube/config

6 Check that nodes and pods are healthy (the etcd, apiserver, controller-manager and scheduler pods should show a fresh restart, about 2 minutes old here, matching the restarts in the script log)

[root@103 ~]# kubectl get nodes
NAME      STATUS   ROLES           AGE   VERSION
103.org   Ready    control-plane   20h   v1.26.0
104.org   Ready    worker          20h   v1.26.0
105.org   Ready    worker          20h   v1.26.0
[root@103 ~]# 
[root@103 ~]# kubectl get pods -n kube-system
NAME                                      READY   STATUS    RESTARTS       AGE
calico-kube-controllers-b48d575fb-jngns   1/1     Running   0              17h
calico-node-59gdp                         1/1     Running   0              17h
calico-node-m6x29                         1/1     Running   0              17h
calico-node-tlqdq                         1/1     Running   0              17h
coredns-567c556887-58cwt                  1/1     Running   0              20h
coredns-567c556887-wdcrh                  1/1     Running   0              20h
etcd-103.org                              1/1     Running   3 (117s ago)   20h
kube-apiserver-103.org                    1/1     Running   3 (115s ago)   20h
kube-controller-manager-103.org           1/1     Running   3 (114s ago)   20h
kube-proxy-6wt6v                          1/1     Running   0              20h
kube-proxy-nfwgf                          1/1     Running   0              20h
kube-proxy-tv5t5                          1/1     Running   0              20h
kube-scheduler-103.org                    1/1     Running   3 (113s ago)   20h

7 Check certificate validity

As the "after update" table shows, every leaf certificate and kubeconfig now expires in 2035, i.e. 10 years (3650 days) from today. Note what did not change: ca.crt, front-proxy-ca.crt and etcd/ca.crt still expire on Jul 7 2035, which is before the new leaf certificates (Jul 8 2035). A leaf certificate stops validating the moment its CA expires, however long its own notAfter, so the effective lifetime of this cluster's credentials is bounded by the CA, and a CA rotation has to be planned before July 2035 regardless.
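As an added example of the check this step calls for (this is not code from the original post or from the update-kube-cert project), the following script computes the days remaining for PEM certificates and for the client certificate embedded in a kubeconfig, and flags the situation visible in the tables above, where a leaf certificate's notAfter falls after its CA's. It assumes GNU date (for "date -d") and the openssl CLI. The PKI and kubeconfig it checks are constructed in a temporary directory to mirror the page's numbers (a 3650-day CA and a leaf signed by it that is one day longer); the function names and paths are my own.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from the update-kube-cert
# project. Reports the remaining lifetime of kubeadm-style PEM certificates and
# of the client certificate embedded in a kubeconfig, and flags a leaf whose
# notAfter is later than its CA's (the leaf stops validating when the CA expires).
# Assumes GNU date ("date -d") and the openssl CLI; written to run under bash or sh.
set -eu

# notAfter of a PEM certificate as Unix epoch seconds.
cert_not_after_epoch() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    date -d "$end" +%s
}

# Whole days until the PEM certificate in $1 expires (negative once expired).
cert_days_left() {
    echo $(( ($(cert_not_after_epoch "$1") - $(date +%s)) / 86400 ))
}

# Same, for the client cert embedded in a kubeconfig: client-certificate-data
# is base64-encoded PEM, as in /etc/kubernetes/admin.conf.
kubeconfig_cert_days_left() {
    tmp=$(mktemp)
    sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$1" \
        | head -n1 | base64 -d > "$tmp"
    cert_days_left "$tmp"
    rm -f "$tmp"
}

# Succeeds (exit 0) when leaf $1 expires no later than CA $2.
leaf_within_ca() {
    [ "$(cert_not_after_epoch "$1")" -le "$(cert_not_after_epoch "$2")" ]
}

# Constructed test PKI: a 3650-day CA and a 3651-day leaf it signs, the same
# "leaf outlives CA by a day" situation the before/after tables show.
make_demo_pki() {
    dir="$1"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 3650 \
        -subj "/CN=kubernetes" >/dev/null 2>&1
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=kube-apiserver" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/leaf.crt" -days 3651 >/dev/null 2>&1
}

# Constructed kubeconfig embedding the demo leaf cert, the way admin.conf does.
make_demo_kubeconfig() {
    dir="$1"
    cert_b64=$(base64 "$dir/leaf.crt" | tr -d '\n')
    key_b64=$(base64 "$dir/leaf.key" | tr -d '\n')
    cat > "$dir/admin.conf" <<EOF
apiVersion: v1
kind: Config
users:
- name: kubernetes-admin
  user:
    client-certificate-data: $cert_b64
    client-key-data: $key_b64
EOF
}

# Prints a small expiry table and warns when the leaf outlives the CA.
report_pki() {
    dir="$1"
    for f in ca.crt leaf.crt; do
        printf '%-12s %5d days left\n' "$f" "$(cert_days_left "$dir/$f")"
    done
    printf '%-12s %5d days left\n' admin.conf "$(kubeconfig_cert_days_left "$dir/admin.conf")"
    if leaf_within_ca "$dir/leaf.crt" "$dir/ca.crt"; then
        echo "ok: leaf.crt expires no later than ca.crt"
    else
        echo "WARNING: leaf.crt outlives ca.crt; rotate the CA before $(openssl x509 -in "$dir/ca.crt" -noout -enddate | cut -d= -f2)"
    fi
}

# Demo run on the constructed PKI (skipped if openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_demo_pki "$demo"
    make_demo_kubeconfig "$demo"
    report_pki "$demo"
    rm -rf "$demo"
fi
```

On a real control plane, point cert_days_left at /etc/kubernetes/pki/*.crt and /etc/kubernetes/pki/etcd/*.crt, and kubeconfig_cert_days_left at the .conf files; on a kubeadm cluster, kubeadm certs check-expiration prints the same information in one table.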

If you would rather not use the script, the official kubeadm command renews the certificates:

kubeadm  certs renew all

Note: on v1.20 and later the command is kubeadm certs renew all; on v1.15 to v1.19 it is kubeadm alpha certs renew all. Either way the certificates are extended by 1 year only, and unlike the script, kubeadm does not restart anything: after renewing you must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd static pods yourself (for example by moving their manifests out of /etc/kubernetes/manifests and back) and copy the new admin.conf to /root/.kube/config.

Finally, this script is quite powerful: it can also produce certificates valid for 100 years, but only if it is used before the cluster is initialized with kubeadm, because the CA is created at kubeadm init and, as the tables above show, a renewal signs new leaf certificates with the existing CA without extending the CA itself. Bear in mind what long-lived certificates cost in security: the Kubernetes API server does not check client certificates against a revocation list, so admin.conf and the other kubeconfigs are cluster-admin credentials that can only be invalidated by rotating the CA. Treat the backup /etc/kubernetes.old-* as carefully as the live directory: it still holds the CA keys, and the old admin.conf in it stays valid until its original expiry (July 2026 here).

OK, problem solved, done!

If you repost this, please include a link to the original!

http://www.dtcms.com/a/272469.html
