Note that command names change in newer versions (adjust for your environment); the steps below were done on Kubernetes 1.19.15.
On 1.19.x the command is kubeadm alpha certs check-expiration; 1.21.x dropped the alpha subcommand, so it becomes kubeadm certs check-expiration.
# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 22, 2122 03:41 UTC   99y             ca                      no
apiserver                  Oct 22, 2122 03:41 UTC   99y             ca                      no
apiserver-etcd-client      Oct 22, 2122 03:41 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   Oct 22, 2122 03:41 UTC   99y             ca                      no
controller-manager.conf    Oct 22, 2122 03:41 UTC   99y             ca                      no
etcd-healthcheck-client    Oct 22, 2122 03:41 UTC   99y             etcd-ca                 no
etcd-peer                  Oct 22, 2122 03:41 UTC   99y             etcd-ca                 no
etcd-server                Oct 22, 2122 03:41 UTC   99y             etcd-ca                 no
front-proxy-client         Oct 22, 2122 03:41 UTC   99y             front-proxy-ca          no
scheduler.conf             Oct 22, 2122 03:41 UTC   99y             ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 22, 2122 03:40 UTC   99y             no
etcd-ca                 Oct 22, 2122 03:41 UTC   99y             no
front-proxy-ca          Oct 22, 2122 03:41 UTC   99y             no
I. Recompile kubeadm and generate new certificates
Check the certificate validity:
kubeadm alpha certs check-expiration
Or inspect the PEM files directly with a for loop (this only covers /etc/kubernetes/pki; the client certificates embedded in admin.conf and the other kubeconfig files, which check-expiration does list, are not shown):
for item in $(find /etc/kubernetes/pki -maxdepth 2 -name "*.crt"); do openssl x509 -in "$item" -noout -text | grep Not; echo "======================$item==============="; done
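As an added example (not from the original post), the following script goes one step beyond the loop above: it reports the days remaining on every PEM file under pki/ and also on the client certificates embedded as base64 in the kubeconfig files, which a loop over *.crt misses. It assumes openssl and GNU date are on PATH; the function names and the sample tree built by make_sample_k8s_dir are mine and the sample is constructed, not real cluster data.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: report days remaining on every
# certificate kubeadm manages, including the client certs embedded (base64)
# in the kubeconfig files that a loop over pki/*.crt does not see.
# Assumes openssl and GNU date (`date -d`) on PATH.

# notAfter of a PEM certificate as seconds since the epoch.
cert_not_after_epoch() {
    local enddate
    enddate=$(openssl x509 -in "$1" -noout -enddate) || return 1
    date -u -d "${enddate#notAfter=}" +%s
}

# Whole days left before a PEM certificate expires (negative once expired).
days_left() {
    local end now
    end=$(cert_not_after_epoch "$1") || return 1
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# Write the client certificate embedded in a kubeconfig to $2 as PEM.
# Returns 1 if the kubeconfig has no client-certificate-data (token users etc.).
extract_kubeconfig_cert() {
    local data
    data=$(sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$data" ] || return 1
    printf '%s' "$data" | base64 -d > "$2"
}

# One line per certificate: "<days>\t<path>", covering DIR/pki/**/*.crt and the
# embedded client certificate of every DIR/*.conf.
cert_days_table() {
    local dir=$1 crt conf tmp
    for crt in $(find "$dir/pki" -maxdepth 2 -name '*.crt' | sort); do
        printf '%s\t%s\n' "$(days_left "$crt")" "$crt"
    done
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        tmp=$(mktemp)
        if extract_kubeconfig_cert "$conf" "$tmp"; then
            printf '%s\t%s (embedded client cert)\n' "$(days_left "$tmp")" "$conf"
        fi
        rm -f "$tmp"
    done
}

# Number of certificates in DIR with fewer than $2 days left.
count_expiring() {
    cert_days_table "$1" | awk -F '\t' -v limit="$2" '$1 < limit { n++ } END { print n + 0 }'
}

# Constructed sample (not real data): a self-signed CA in pki/ and a kubeconfig
# embedding the same certificate, both valid for $1 days. Prints the directory.
make_sample_k8s_dir() {
    local days=$1 dir b64
    dir=$(mktemp -d)
    mkdir -p "$dir/pki"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=sample-ca" \
        -keyout "$dir/pki/ca.key" -out "$dir/pki/ca.crt" >/dev/null 2>&1
    b64=$(base64 < "$dir/pki/ca.crt" | tr -d '\n')
    cat > "$dir/admin.conf" <<EOF
apiVersion: v1
kind: Config
users:
- name: kubernetes-admin
  user:
    client-certificate-data: $b64
EOF
    echo "$dir"
}

# On a control-plane node: K8S_DIR=/etc/kubernetes ./check-certs.sh
# Without K8S_DIR set, report on the constructed sample instead.
if [ -n "${K8S_DIR:-}" ]; then
    cert_days_table "$K8S_DIR"
else
    cert_days_table "$(make_sample_k8s_dir 10)"
fi
```

count_expiring is the piece worth wiring into monitoring: a non-zero result for a threshold of, say, 30 days is the alert that makes the manual renewal below a planned task rather than an outage.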
(1) Compile kubeadm
1. Download the source and check out the release tag
yum -y install git
git clone https://github.com/kubernetes/kubernetes.git
cd kubernetes && git checkout v1.19.15
(The original used git checkout -b v1.19.15. Without a start point, -b creates a new branch named v1.19.15 from the current HEAD, i.e. master, instead of checking out the v1.19.15 tag, so the binary built from it would not be 1.19.15.)
2. Get the Go build environment
The kube-cross image version the source expects is recorded in the source tree under build/build-image/cross:
cat ./build/build-image/cross/VERSION
Build inside the kube-cross Docker image (the Go version must match the Kubernetes version: pull the tag that VERSION reports; v1.13.6-1 below is the tag the original used, so check it against your VERSION file):
https://hub.docker.com/r/wzshiming/kube-cross/tags
docker pull gcrcontainer/kube-cross:v1.13.6-1
docker run --rm -v /root/kubernetes/:/go/src/k8s.io/kubernetes -it gcrcontainer/kube-cross:v1.13.6-1 bash
Alternatively, install the Go toolchain matching your Kubernetes version locally and build there.
3. Modify the source
Two values set the validity period. In ./staging/src/k8s.io/client-go/util/cert/cert.go, change the maxAge line to:
maxAge := time.Hour * 24 * 365 * 100   // after the change: 100-year validity
And in ./cmd/kubeadm/app/constants/constants.go, change CertificateValidity to:
CertificateValidity = time.Hour * 24 * 365 * 100
Caveat: a 100-year lifetime removes expiry as the forcing function for rotation. A leaked client key (admin.conf, apiserver-kubelet-client and so on) stays valid until you rotate the CA by hand, so guard these files and the backups made below accordingly.
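The edits above are described as interactive vim changes; as an added example (not from the original post), here is the same change as a scripted, verified patch, so the next rebuild is reproducible and a silent no-op (wrong tag, line moved) is caught before make. It assumes GNU sed and that the two lines have the form maxAge := time.Hour * 24 * 365 ... and CertificateValidity = time.Hour * 24 * 365 ...; the function names are mine, and the tree built by make_sample_tree is a constructed stand-in, not the real files.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: apply the two validity edits as
# a scripted patch and verify they landed. Assumes GNU sed (-i) and that the
# target lines start with `maxAge := time.Hour * 24 * 365` and
# `CertificateValidity = time.Hour * 24 * 365` (an assumption, not quoted
# from the page).

CLIENT_GO_CERT=staging/src/k8s.io/client-go/util/cert/cert.go
KUBEADM_CONSTANTS=cmd/kubeadm/app/constants/constants.go

# set_cert_validity_years SOURCE_ROOT YEARS
# Rewrites the multiplier after `time.Hour * 24 * 365` on both assignment
# lines (replacing any existing `* N`, so rerunning is safe) and fails unless
# both files now carry the requested value.
set_cert_validity_years() {
    local root=$1 years=$2
    local want="time.Hour * 24 * 365 * $years"
    local cert_go="$root/$CLIENT_GO_CERT" constants_go="$root/$KUBEADM_CONSTANTS"

    sed -i -E "s/^([[:space:]]*maxAge := )time\.Hour \* 24 \* 365( \* [0-9]+)?/\1$want/" "$cert_go"
    sed -i -E "s/^([[:space:]]*CertificateValidity = )time\.Hour \* 24 \* 365( \* [0-9]+)?/\1$want/" "$constants_go"

    grep -qF "maxAge := $want" "$cert_go" \
        || { echo "patch failed: no maxAge line in $cert_go" >&2; return 1; }
    grep -qF "CertificateValidity = $want" "$constants_go" \
        || { echo "patch failed: no CertificateValidity line in $constants_go" >&2; return 1; }
}

# Constructed stand-ins (not the real Kubernetes files) carrying just the two
# lines the patch targets. Prints the sample root.
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/$(dirname "$CLIENT_GO_CERT")" "$root/$(dirname "$KUBEADM_CONSTANTS")"
    cat > "$root/$CLIENT_GO_CERT" <<'EOF'
package cert

import "time"

func selfSignedMaxAge() time.Duration {
    maxAge := time.Hour * 24 * 365 // one year self-signed certs
    return maxAge
}
EOF
    cat > "$root/$KUBEADM_CONSTANTS" <<'EOF'
package constants

import "time"

const (
    CertificateValidity = time.Hour * 24 * 365
)
EOF
    echo "$root"
}

# Against a real checkout: ./patch-validity.sh /root/kubernetes 100
# With no arguments, patch the constructed sample and show the result.
if [ $# -eq 2 ]; then
    set_cert_validity_years "$1" "$2"
else
    SAMPLE=$(make_sample_tree)
    set_cert_validity_years "$SAMPLE" 100
    grep -n 'time.Hour' "$SAMPLE/$CLIENT_GO_CERT" "$SAMPLE/$KUBEADM_CONSTANTS"
fi
```

Run it once against the checkout before make; the grep check at the end is what turns a mismatched source tree into a hard failure instead of a 1-year binary you only notice at the next check-expiration.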
4. Build
Change to the source root; only kubeadm needs to be built here:
make all WHAT=cmd/kubeadm GOFLAGS=-v
The resulting binary is at:
./_output/local/bin/linux/amd64/kubeadm
(2) Generate new certificates
1. Back up the existing certificates and kubeadm
mkdir backups
cp -a /etc/kubernetes/pki/ backups/
cp -a /usr/bin/kubeadm backups/
cp /etc/kubernetes/kubelet.conf backups/
2. After backing up, overwrite the old binary with the newly built one
# overwrite with the kubeadm from the source tree
\cp -rp ./_output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
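Steps 1 and 2 above copy files with cp and then overwrite the binary. As an added example (not from the original post), here is the same backup as a script that writes a SHA-256 manifest, verifies it, and refuses to restore from a backup that no longer matches; the backup directory is created mode 0700 because it holds the CA private keys. The paths /etc/kubernetes and /usr/bin/kubeadm are the post's; the function names are mine, and the tree built by make_sample_control_plane is constructed, not a real node.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: verifiable backup and restore of
# the control-plane state that the certificate rewrite touches.
# Assumes GNU coreutils (sha256sum, install, cp -a, sort -z).

KUBECONFIGS="admin.conf kubelet.conf controller-manager.conf scheduler.conf"

# backup_control_plane_state K8S_DIR KUBEADM_BIN DEST
# Copies K8S_DIR/pki, the kubeconfig files and the kubeadm binary into DEST
# (created 0700: it holds CA private keys), writes DEST/MANIFEST.sha256 and
# verifies the copy against it before returning.
backup_control_plane_state() {
    local k8s_dir=$1 kubeadm_bin=$2 dest=$3 f
    install -d -m 0700 "$dest"
    cp -a "$k8s_dir/pki" "$dest/pki"
    for f in $KUBECONFIGS; do
        if [ -f "$k8s_dir/$f" ]; then cp -a "$k8s_dir/$f" "$dest/$f"; fi
    done
    cp -a "$kubeadm_bin" "$dest/kubeadm"
    ( cd "$dest" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | sort -z | xargs -0 sha256sum > MANIFEST.sha256 )
    verify_backup "$dest"
}

# verify_backup DEST: 0 only if every file in DEST still matches the manifest.
verify_backup() {
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 )
}

# restore_control_plane_state DEST K8S_DIR KUBEADM_BIN
# Verifies the backup first and refuses to touch the node if it does not match.
restore_control_plane_state() {
    local dest=$1 k8s_dir=$2 kubeadm_bin=$3 f
    verify_backup "$dest" \
        || { echo "backup in $dest does not match its manifest; refusing to restore" >&2; return 1; }
    rm -rf "$k8s_dir/pki"
    cp -a "$dest/pki" "$k8s_dir/pki"
    for f in $KUBECONFIGS; do
        if [ -f "$dest/$f" ]; then cp -a "$dest/$f" "$k8s_dir/$f"; fi
    done
    cp -a "$dest/kubeadm" "$kubeadm_bin"
}

# Constructed sample node (not real data): a few placeholder files laid out like
# /etc/kubernetes and /usr/bin/kubeadm under a temp root. Prints the root.
make_sample_control_plane() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/kubernetes/pki/etcd" "$dir/usr/bin"
    echo "constructed ca cert" > "$dir/etc/kubernetes/pki/ca.crt"
    echo "constructed ca key"  > "$dir/etc/kubernetes/pki/ca.key"
    chmod 0600 "$dir/etc/kubernetes/pki/ca.key"
    echo "constructed etcd ca" > "$dir/etc/kubernetes/pki/etcd/ca.crt"
    echo "constructed admin kubeconfig" > "$dir/etc/kubernetes/admin.conf"
    printf '#!/bin/sh\necho old kubeadm\n' > "$dir/usr/bin/kubeadm"
    chmod 0755 "$dir/usr/bin/kubeadm"
    echo "$dir"
}

# On a control-plane node, as root:
#   ./backup-k8s.sh /etc/kubernetes /usr/bin/kubeadm /root/backups/k8s-$(date +%F)
# With no arguments, run the backup on the constructed sample instead.
if [ $# -eq 3 ]; then
    backup_control_plane_state "$1" "$2" "$3"
else
    SAMPLE=$(make_sample_control_plane)
    backup_control_plane_state "$SAMPLE/etc/kubernetes" "$SAMPLE/usr/bin/kubeadm" "$SAMPLE/backups" \
        && echo "sample backup verified in $SAMPLE/backups"
fi
```

Run the backup before the \cp that overwrites /usr/bin/kubeadm and before kubeadm certs renew; if the renewal goes wrong, restore_control_plane_state puts back exactly what was verified, and nothing else.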
3. Renew the certificates
Running kubeadm config view > kubeadm.yaml writes a kubeadm.yaml file to the current directory.
On newer versions the command has changed:
# kubeadm config view > kubeadm.yaml
Command "view" is deprecated, This command is deprecated and will be removed in a future release, please use 'kubectl get cm -o yaml -n kube-system kubeadm-config' to get the kubeadm config directly.
Addendum: the 1.21.x command
kubectl get cm -o yaml -n kube-system kubeadm-config > kubeadm.yaml
Note that this dumps the whole ConfigMap object rather than a kubeadm configuration file; the ClusterConfiguration document kubeadm expects is the value of its data.ClusterConfiguration key, so extract that field instead:
kubectl get cm -n kube-system kubeadm-config -o jsonpath='{.data.ClusterConfiguration}' > kubeadm.yaml
Renew the certificates:
kubeadm alpha certs renew all --config=kubeadm.yaml
kubeadm alpha certs check-expiration
The CA certificates have a 10-year validity; since I am renewing, it shows 8 years.
4. Back up the old kubeconfig files and regenerate admin.conf and the others
Back up the old files:
mv /etc/kubernetes/admin.conf{,.bak}
mv /etc/kubernetes/kubelet.conf{,.bak}
mv /etc/kubernetes/controller-manager.conf{,.bak}
mv /etc/kubernetes/scheduler.conf{,.bak}
Regenerate admin.conf and the other kubeconfig files:
kubeadm init phase kubeconfig all --config kubeadm.yaml
(3) Restart services and update the admin configuration
1. Restart services
- If the certificates had not yet expired when renewed, restarting kubelet has no effect; instead restart the four control-plane containers kube-apiserver, kube-controller-manager, kube-scheduler and etcd (static pods defined in /etc/kubernetes/manifests):
kubectl delete po -n kube-system ${pod_name}
Afterwards confirm the restart actually took effect, e.g. from the container start time in kubectl get po -n kube-system or the notAfter date on the certificate the API server now serves, before moving on.
- If the certificates have already expired, the cluster can no longer be driven through the API, so fall back to the last resort of restarting the container engine (docker):
systemctl restart docker.service
2. Update kubectl's admin kubeconfig
Copy the newly generated admin.conf over the config file in ~/.kube (the old file still embeds the previous client certificate and key):
rm -rf $HOME/.kube
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
(4) Verify that the cluster is usable
I use an nginx Deployment as the example; if you have business containers, test with those instead.
1. YAML file
nginx-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.0
        ports:
        - containerPort: 80
2. Start it
kubectl apply -f nginx-deployment.yaml
3. Verify the service
The nginx image has no wget, telnet, curl or similar tools, so copy a telnet binary from the host into the pod to check the service (nginx-deployment-596f5df7f-6j7x7 is the pod name in this cluster; substitute yours):
kubectl cp /usr/bin/telnet nginx-deployment-596f5df7f-6j7x7:/usr/bin/
kubectl exec -it nginx-deployment-596f5df7f-6j7x7 -- telnet 127.0.0.1 80