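[root@k8s-master01 kubernetes]# kubeadm alpha certs renew all --config /root/config.yaml
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
apiserver-etcd-client is not a valid certificate for this cluster

# This failure means the certificates that come after it cannot be renewed; as far as I can tell, there is currently no official way to skip renewal of a specific certificate.
# According to the official issue, this bug has been fixed in Kubernetes v1.17, but Muzi's Kubernetes cluster is v1.15.x, so this method does not work here. If you are on v1.17 and your certificates have just expired, you can try the following method (going by the current date, Kubernetes v1.17 has not yet been out for a year, so normally there should be no way to test this @-@).
# Official issue: https://github.com/kubernetes/kubernetes/issues/86864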
# Change into the /etc/kubernetes administration directory
[root@k8s-master01 ~]# cd /etc/kubernetes/
# Renew the certificate embedded in the kubeconfig file that the administrator and kubeadm itself use.
[root@k8s-master01 kubernetes]# kubeadm alpha certs renew admin.conf
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
# Renew the certificate the apiserver uses to connect to the kubelet.
[root@k8s-master01 kubernetes]# kubeadm alpha certs renew apiserver-kubelet-client --config /root/config.yaml
certificate for the API server to connect to kubelet renewed
# Renew the certificate used to serve the Kubernetes API.
[root@k8s-master01 kubernetes]# kubeadm alpha certs renew apiserver --config /root/config.yaml
certificate for serving the Kubernetes API renewed
# Renew the certificate embedded in the kubeconfig file that the controller manager uses.
[root@k8s-master01 kubernetes]# kubeadm alpha certs renew controller-manager.conf --config /root/config.yaml
certificate embedded in the kubeconfig file for the controller manager to use renewed
# Renew the certificate for the front proxy client.
[root@k8s-master01 kubernetes]# kubeadm alpha certs renew front-proxy-client --config /root/config.yaml
certificate for the front proxy client renewed
# Renew the certificate embedded in the kubeconfig file that the scheduler uses.
[root@k8s-master01 kubernetes]# kubeadm alpha certs renew scheduler.conf --config /root/config.yaml
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
# Copy the regenerated admin.conf to $HOME/.kube/config
[root@k8s-master01 kubernetes]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
cp:是否覆盖"/root/.kube/config"? y
# Check the expiry date and time of every certificate: all of them now expire in 2021. You still need to confirm that the conf files on all nodes carry the same expiry time.
[root@k8s-master01 kubernetes]# kubeadm alpha certs check-expiration --config /root/config.yaml
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Apr 13, 2021 08:49 UTC   364d            no
apiserver                  Apr 13, 2021 08:50 UTC   364d            no
apiserver-kubelet-client   Apr 13, 2021 08:50 UTC   364d            no
controller-manager.conf    Apr 13, 2021 08:51 UTC   364d            no
front-proxy-client         Apr 13, 2021 08:51 UTC   364d            no
scheduler.conf             Apr 13, 2021 08:51 UTC   364d            no
# The apiserver certificate's validity period has been updated from 2019-2020 to 2019-2021; the one-year renewal succeeded.
[root@k8s-master01 kubernetes]# openssl x509 -in /etc/kubernetes/pki/front-proxy-client.crt -noout -text |grep ' Not '
Not Before: Apr 13 12:32:11 2019 GMT
Not After : Apr 13 08:51:09 2021 GMT

# apiserver-kubelet-client certificate
[root@k8s-master01 kubernetes]# openssl x509 -in /etc/kubernetes/pki/apiserver-kubelet-client.crt -noout -text |grep ' Not '
Not Before: Apr 13 12:32:11 2019 GMT
Not After : Apr 13 08:50:27 2021 GMT

# front-proxy-client certificate
[root@k8s-master01 kubernetes]# openssl x509 -in /etc/kubernetes/pki/front-proxy-client.crt -noout -text |grep ' Not '
Not Before: Apr 13 12:32:11 2019 GMT
Not After : Apr 13 08:51:09 2021 GMT

# Here we can see that the CA certificates are all valid for 10 years
[root@k8s-master01 kubernetes]# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text |grep ' Not '
Not Before: Apr 13 12:32:11 2019 GMT
Not After : Apr 10 12:32:11 2029 GMT
[root@k8s-master01 kubernetes]# openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt -noout -text |grep ' Not '
Not Before: Apr 13 12:32:11 2019 GMT
Not After : Apr 10 12:32:11 2029 GMT
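
The per-certificate renewal performed by hand above can be scripted so that one rejected certificate (such as apiserver-etcd-client in the `renew all` run) does not stop the rest and is reported instead of silently skipped. This is an added example, not part of the original post; `renew_each`, `KUBEADM`, `KUBEADM_CONFIG`, `CERTS`, `RENEWED` and `FAILED` are names introduced here, and the config path is the one used in the session.

```shell
#!/bin/sh
# Added example (not from the original post): renew kubeadm-managed
# certificates one at a time so a single failure does not abort the rest.

# Assumption: KUBEADM and KUBEADM_CONFIG are helper variables introduced
# here; the defaults match the command and config path used in the session.
KUBEADM="${KUBEADM:-kubeadm}"
KUBEADM_CONFIG="${KUBEADM_CONFIG:-/root/config.yaml}"

# Certificate names exactly as they were renewed one by one above.
CERTS="admin.conf apiserver-kubelet-client apiserver controller-manager.conf front-proxy-client scheduler.conf"

RENEWED=""
FAILED=""

# renew_each NAME...
# Tries every certificate in turn, records the outcome in RENEWED/FAILED,
# and returns the number of certificates that could not be renewed.
renew_each() {
    RENEWED=""
    FAILED=""
    failures=0
    for name in "$@"; do
        if "$KUBEADM" alpha certs renew "$name" --config "$KUBEADM_CONFIG"; then
            RENEWED="${RENEWED:+$RENEWED }$name"
        else
            FAILED="${FAILED:+$FAILED }$name"
            failures=$((failures + 1))
        fi
    done
    echo "renewed: ${RENEWED:-none}"
    echo "failed:  ${FAILED:-none}"
    return "$failures"
}

# Typical use on a control-plane node, followed by a verification pass:
#   renew_each $CERTS
#   "$KUBEADM" alpha certs check-expiration --config "$KUBEADM_CONFIG"
```

A non-zero return value equals the number of names listed in `FAILED`, so the function can gate a scheduled job or an alert.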