Every Kubernetes component needs to communicate with the api-server, and the certificates used for that communication are stored under /etc/kubernetes/pki. Certificates generated by kubeadm are valid for one year by default, so they have to be renewed on a regular schedule; otherwise, once they expire, the whole cluster becomes unusable.
I. Checking whether the certificates have expired
Kubernetes certificate expiry can be checked in either of the following two ways.
1. Using the kubeadm command
The kubeadm alpha certs check-expiration command shows whether the relevant certificates have expired.
Note: this command is only available in v1.15 and later.
$ sudo kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
W0713 16:53:15.764121 13993 defaults.go:186] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf May 07, 2021 11:28 UTC 298d no
apiserver May 07, 2021 10:26 UTC 298d ca no
apiserver-kubelet-client May 07, 2021 10:26 UTC 298d ca no
controller-manager.conf May 07, 2021 11:28 UTC 298d no
front-proxy-client May 07, 2021 10:26 UTC 298d front-proxy-ca no
scheduler.conf May 07, 2021 11:28 UTC 298d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca May 05, 2030 10:25 UTC 9y no
front-proxy-ca May 05, 2030 10:26 UTC 9y no
2. Using the openssl command
If the kubeadm version is too old to support that command, openssl can be used to check whether a given certificate has expired.
$ openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep ' Not '
Not Before: May 7 10:25:59 2020 GMT
Not After : May 7 10:26:00 2021 GMT
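As an added example that is not part of the original post, the following POSIX shell script generalizes the openssl check above to the whole /etc/kubernetes tree: the server certificates under pki/ and pki/etcd/, plus the client certificates embedded in admin.conf and the other kubeconfig files, flagging anything that expires within a given number of days. It relies on openssl x509 -checkend rather than parsing the Not After date, so it also works on clusters too old for the kubeadm check; the default kubeadm directory layout is assumed.

```shell
#!/bin/sh
# Added example, not part of the original post: flag kubeadm-managed
# certificates that expire within N days using only openssl, which also
# works on versions too old for "kubeadm alpha certs check-expiration".
# Assumes the /etc/kubernetes layout from the post (pki/, pki/etcd/, *.conf).

# Reads one PEM certificate from stdin; returns 0 if it expires within
# $1 days (or has already expired), 1 otherwise.
pem_expires_within_days() {
    _secs=$(( $1 * 86400 ))
    # openssl -checkend exits non-zero when the cert expires within _secs.
    if openssl x509 -noout -checkend "$_secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Walks $1/pki/*.crt, $1/pki/etcd/*.crt and the client certificates embedded
# in $1/*.conf (admin.conf etc.); prints each cert expiring within $2 days
# with its notAfter date and returns non-zero if any was found.
check_kube_certs() {
    _dir=$1; _days=$2; _found=0
    for _crt in "$_dir"/pki/*.crt "$_dir"/pki/etcd/*.crt; do
        [ -f "$_crt" ] || continue
        if pem_expires_within_days "$_days" <"$_crt"; then
            echo "EXPIRING $_crt ($(openssl x509 -noout -enddate <"$_crt"))"
            _found=1
        fi
    done
    for _conf in "$_dir"/*.conf; do
        [ -f "$_conf" ] || continue
        # kubeconfig files carry the client cert as a single base64 line.
        _b64=$(awk '/client-certificate-data:/ {print $2; exit}' "$_conf")
        [ -n "$_b64" ] || continue
        _pem=$(printf '%s' "$_b64" | openssl base64 -d -A)
        if printf '%s\n' "$_pem" | pem_expires_within_days "$_days"; then
            _end=$(printf '%s\n' "$_pem" | openssl x509 -noout -enddate)
            echo "EXPIRING $_conf ($_end)"
            _found=1
        fi
    done
    return "$_found"
}
```

Run it as check_kube_certs /etc/kubernetes 30 from cron or a monitoring job; a non-zero exit status means at least one certificate needs renewing before the cluster stops communicating.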
II. Automatic certificate renewal
Kubernetes renews the certificates on its own when the control-plane components are upgraded, so as long as the cluster is upgraded regularly (at least once a year), the certificates are renewed automatically.
III. Manual certificate renewal
1. Back up the certificates
cp -rp /etc/kubernetes /etc/kubernetes.bak
2. Delete the old certificates
Delete the certificates under /etc/kubernetes/pki that are to be regenerated.
sudo rm -rf /etc/kubernetes/pki/apiserver.key
3. Regenerate the certificates
This is done mainly with the kubeadm alpha certs renew command, whose help output is summarised below:
kubeadm alpha certs renew
Usage:
kubeadm alpha certs renew [flags]
kubeadm alpha certs renew [command]
Available Commands:
all renew all available certificates
apiserver Generates the certificate for serving the Kubernetes API
apiserver-etcd-client Generates the client apiserver uses to access etcd
apiserver-kubelet-client Generates the Client certificate for the API server to connect to kubelet
etcd-healthcheck-client Generates the client certificate for liveness probes to healtcheck etcd
etcd-peer Generates the credentials for etcd nodes to communicate with each other
etcd-server Generates the certificate for serving etcd
front-proxy-client Generates the client for the front proxy
Regenerate all certificates:
kubeadm alpha certs renew all
Regenerate the certificate of a single component:
kubeadm alpha certs renew apiserver
4. Regenerate the kubeconfig files
Back up the old config files:
mv /etc/kubernetes/*.conf /tmp/
Generate the new config files.
This is done mainly with the kubeadm init phase kubeconfig command:
kubeadm init phase kubeconfig -h
Usage:
kubeadm init phase kubeconfig [flags]
kubeadm init phase kubeconfig [command]
Available Commands:
admin Generates a kubeconfig file for the admin to use and for kubeadm itself
all Generates all kubeconfig files
controller-manager Generates a kubeconfig file for the controller manager to use
kubelet Generates a kubeconfig file for the kubelet to use *only* for cluster bootstrapping purposes
scheduler Generates a kubeconfig file for the scheduler to use
Regenerate all kubeconfig files:
kubeadm init phase kubeconfig all
Regenerate a single kubeconfig file.
Regenerate the admin kubeconfig:
kubeadm init phase kubeconfig admin
Regenerate the kubelet kubeconfig:
kubeadm init phase kubeconfig kubelet
5. Follow-up steps
Once the certificates and kubeconfig files have been renewed, a few follow-up steps are needed for the changes to take effect, mainly restarting the kubelet and updating the admin config.
Restart the kubelet:
systemctl restart kubelet
Update the admin config.
Copy the newly generated admin.conf over the config file in the ~/.kube directory:
cp /etc/kubernetes/admin.conf ~/.kube/config
After these steps the whole cluster can communicate normally again. The procedure mainly comes down to the kubeadm alpha certs renew and kubeadm init phase kubeconfig commands. While doing this I found that many of the commands in articles online no longer apply because of version differences, so be sure to read each command's -h output carefully when running it yourself, to avoid mistakes.