How to Renew Kubernetes Certificates

By default, Kubernetes certificates need to be renewed once a year. Below is a record of one certificate renewal.

1. View the certificates

Check the certificate expiration times on the Master node:

kubeadm certs check-expiration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 02, 2023 09:53 UTC   296d                                    no      
apiserver                  Apr 02, 2023 09:53 UTC   296d            ca                      no      
apiserver-kubelet-client   Apr 02, 2023 09:53 UTC   296d            ca                      no      
controller-manager.conf    Apr 02, 2023 09:53 UTC   296d                                    no      
front-proxy-client         Apr 02, 2023 09:53 UTC   296d            front-proxy-ca          no      
scheduler.conf             Apr 02, 2023 09:53 UTC   296d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 30, 2032 09:53 UTC   9y              no      
front-proxy-ca          Mar 30, 2032 09:53 UTC   9y              no      

cp -r /etc/kubernetes /etc/kubernetes.old

kubeadm certs renew all

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

docker ps |egrep "k8s_kube-apiserver|k8s_kube-scheduler|k8s_kube-controller"|awk '{print $1}'|xargs docker restart

sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
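
As an added example (not part of the original post), the shell function below reads the `kubeadm certs check-expiration` output from step 1 and lists certificates whose residual time is under a given number of days, so renewal can be scheduled before anything expires. The function names, the `<invalid>` marker assumed for an already expired certificate, and the `example-expired` row are assumptions for illustration.

```shell
#!/bin/sh
# List certificates whose RESIDUAL TIME in `kubeadm certs check-expiration`
# output (read from stdin) is below a threshold given in days.
expiring_certs() {
    awk -v limit="$1" '
    # Convert a residual-time token to whole days. Assumed token forms:
    # "<n>y", "<n>d", "<n>h|m|s", and "<invalid>" for an expired certificate.
    function to_days(r) {
        if (r == "<invalid>") return -1
        if (r ~ /^[0-9]+y$/) return (r + 0) * 365
        if (r ~ /^[0-9]+d$/) return r + 0
        if (r ~ /^[0-9]+[hms]$/) return 0
        return -2
    }
    {
        # Data rows carry "UTC" right before the residual time; headers do not.
        for (i = 2; i < NF; i++) {
            if ($i != "UTC") continue
            d = to_days($(i + 1))
            if (d == -2)        print $1, "UNPARSED"
            else if (d < 0)     print $1, "EXPIRED"
            else if (d < limit) print $1, d "d"
            break
        }
    }'
}

# Sample input: rows taken from the output shown in this post, plus one
# constructed row (example-expired) to exercise the expired case.
sample_output() {
    cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 02, 2023 09:53 UTC   296d                                    no
apiserver                  Apr 02, 2023 09:53 UTC   296d            ca                      no
example-expired            Apr 02, 2021 09:53 UTC   <invalid>       ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 30, 2032 09:53 UTC   9y              no
EOF
}

# On a control-plane node: kubeadm certs check-expiration | expiring_certs 30
sample_output | expiring_certs 30
```

Rows reported as UNPARSED mean the residual-time column did not match any assumed form and should be checked by hand.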