1. Problem

The K8s certificates have expired, producing the error: Unable to connect to the server: x509: certificate has expired or is not yet valid

2. Check the certificate validity period

kubeadm certs check-expiration

[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 30, 2024 02:52 UTC   364d                                    no      
apiserver                  Mar 30, 2024 02:52 UTC   364d            ca                      no      
apiserver-etcd-client      Mar 30, 2024 02:52 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Mar 30, 2024 02:52 UTC   364d            ca                      no      
controller-manager.conf    Mar 30, 2024 02:52 UTC   364d                                    no      
etcd-healthcheck-client    Mar 30, 2024 02:52 UTC   364d            etcd-ca                 no      
etcd-peer                  Mar 30, 2024 02:52 UTC   364d            etcd-ca                 no      
etcd-server                Mar 30, 2024 02:52 UTC   364d            etcd-ca                 no      
front-proxy-client         Mar 30, 2024 02:52 UTC   364d            front-proxy-ca          no      
scheduler.conf             Mar 30, 2024 02:52 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 16, 2032 12:49 UTC   8y              no      
etcd-ca                 Mar 16, 2032 12:49 UTC   8y              no      
front-proxy-ca          Mar 16, 2032 12:49 UTC   8y              no      

2. Back up the certificates

cp -rp /etc/kubernetes /etc/kubernetes.bak

3. Regenerate the certificates; with this command there is no need to delete the expired certificates first

kubeadm alpha certs renew all

4. Check the certificate validity period again

# Shows the certificate is now valid until 2023
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep 'Not'
            Not Before: Sep 14 14:01:12 2021 GMT
            Not After : Sep 15 01:53:20 2023 GMT

5. Update the user's certificate credentials

cp /etc/kubernetes/admin.conf ~/.kube/config

6. Restart kubelet

systemctl restart kubelet

7. Check the status; it succeeded

systemctl status kubelet



 kubelet.service - kubelet: The Kubernetes Node Agent
   Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/kubelet.service.d
           └─10-kubeadm.conf
   Active: active (running) since Fri 2023-03-31 10:52:21 CST; 33s ago
     Docs: https://kubernetes.io/docs/
 Main PID: 3861 (kubelet)
    Tasks: 13
   Memory: 56.3M
   CGroup: /system.slice/kubelet.service
           └─3861 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --networ...