Kubernetes cluster certificates are valid for 1 year. Once they have expired, the kubelet service no longer works, and running kubelet commands at that point returns a message like "Unable to connect to the server: x509: certificate has expired or is not yet valid." So we need to maintain them.

First check the current expiry dates:

kubeadm alpha certs check-expiration
Back up the existing certificates before touching anything:

mkdir -p $HOME/k8s-old-certs/pki
cp -p /etc/kubernetes/pki/*.* $HOME/k8s-old-certs/pki
ls -l $HOME/k8s-old-certs/pki/

Result:

total 56
-rw-r--r-- 1 root root 1261 Sep 4 2019 apiserver.crt
-rw-r--r-- 1 root root 1090 Sep 4 2019 apiserver-etcd-client.crt
-rw------- 1 root root 1679 Sep 4 2019 apiserver-etcd-client.key
-rw------- 1 root root 1679 Sep 4 2019 apiserver.key
-rw-r--r-- 1 root root 1099 Sep 4 2019 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 Sep 4 2019 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 Sep 4 2019 ca.crt
-rw------- 1 root root 1675 Sep 4 2019 ca.key
-rw-r--r-- 1 root root 1038 Sep 4 2019 front-proxy-ca.crt
-rw------- 1 root root 1675 Sep 4 2019 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 Sep 4 2019 front-proxy-client.crt
-rw------- 1 root root 1679 Sep 4 2019 front-proxy-client.key
-rw------- 1 root root 1675 Sep 4 2019 sa.key
-rw------- 1 root root 451 Sep 4 2019 sa.pub

Back up the kubeconfig files as well:

cp -p /etc/kubernetes/*.conf $HOME/k8s-old-certs
ls -ltr $HOME/k8s-old-certs

Result:

total 36
-rw------- 1 root root 5451 Sep 4 2019 admin.conf
-rw------- 1 root root 5595 Sep 4 2019 kubelet.conf
-rw------- 1 root root 5483 Sep 4 2019 controller-manager.conf
-rw------- 1 root root 5435 Sep 4 2019 scheduler.conf
drwxr-xr-x 2 root root 4096 Dec 19 21:21 pki

And the kubectl config:

mkdir -p $HOME/k8s-old-certs/.kube
cp -p ~/.kube/config $HOME/k8s-old-certs/.kube/.
ls -l $HOME/k8s-old-certs/.kube/.

Result:

-rw------- 1 root root 5451 Sep 4 2019 config
Renew all certificates:

kubeadm alpha certs renew all

Result:

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Check the expiry dates again and confirm that the cluster answers:
kubeadm alpha certs check-expiration
kubectl get nodes
If the output is the following:
The connection to the server 9.37.21.119:6443 was refused - did you specify the right host or port?
then carry out the following steps to continue the repair:
diff $HOME/k8s-old-certs/kubelet.conf /etc/kubernetes/kubelet.conf
If there is no output, the certificate renewal did not touch this file; continue with the following steps to repair it manually:

cd /etc/kubernetes
sudo kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > kubelet.conf
diff $HOME/k8s-old-certs/kubelet.conf /etc/kubernetes/kubelet.conf

After regenerating it, the diff shows how the new file differs from the backup.

diff ~/.kube/config $HOME/k8s-old-certs/.kube/config

If there is no output, this file still contains the expired key and certificate; continue with the following steps to repair it manually:
systemctl daemon-reload && systemctl restart kubelet

kubectl get nodes
...
kubectl get pods
Reference: https://www.ibm.com/docs/en/fci/1.1.0?topic=kubernetes-renewing-cluster-certificates