Renewing certificates

Updated: 27 May 2025 00:21

Check certificate expiration

kubeadm certs check-expiration

Certificate items:

  • admin.conf
  • apiserver
  • apiserver-etcd-client
  • apiserver-kubelet-client
  • controller-manager.conf
  • etcd-healthcheck-client
  • etcd-peer
  • etcd-server
  • front-proxy-client
  • scheduler.conf
  • super-admin.conf

Certificate locations:
/etc/kubernetes
/etc/kubernetes/pki

Renew the certificates

# show the help
# kubeadm certs renew -h

# a single certificate can also be renewed on its own
# kubeadm certs renew apiserver

# run on one control-plane node to renew all certificates
kubeadm certs renew all

cp /etc/kubernetes/admin.conf $HOME/.kube/config

Changing the SANs in the certificates

Edit the cluster initialization file kubeadm-init.yaml

apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
apiServer:
  timeoutForControlPlane: 4m0s
  certSANs:
    - "localhost"
    - "127.0.0.1"
    - "s6"
    - "s7"
    - "s8"
    - "10.117.11.6"
    - "10.117.11.7"
    - "10.117.11.8"
etcd:
  local:
    dataDir: /var/lib/etcd
    serverCertSANs:
      - "localhost"
      - "127.0.0.1"
      - "s6"
      - "s7"
      - "s8"
      - "10.117.11.6"
      - "10.117.11.7"
      - "10.117.11.8"
    peerCertSANs:
      - "localhost"
      - "127.0.0.1"
      - "s6"
      - "s7"
      - "s8"
      - "10.117.11.6"
      - "10.117.11.7"
      - "10.117.11.8"
...
Generate the certificates from kubeadm-init.yaml

# kubeadm init phase certs reads the SANs from the file passed via --config
kubeadm init phase certs etcd-server --config=/data/nfs/k8s-app/init/kubeadm-init.yaml && \
kubeadm init phase certs etcd-peer --config=/data/nfs/k8s-app/init/kubeadm-init.yaml && \
kubeadm init phase certs etcd-healthcheck-client --config=/data/nfs/k8s-app/init/kubeadm-init.yaml && \
kubeadm init phase certs apiserver-etcd-client --config=/data/nfs/k8s-app/init/kubeadm-init.yaml && \
kubeadm init phase certs apiserver --config=/data/nfs/k8s-app/init/kubeadm-init.yaml

# renew keeps the SANs of the existing certificates, so it is enough for the remaining items
kubeadm certs renew admin.conf && \
kubeadm certs renew apiserver-kubelet-client && \
kubeadm certs renew controller-manager.conf && \
kubeadm certs renew front-proxy-client && \
kubeadm certs renew scheduler.conf && \
kubeadm certs renew super-admin.conf

Verify the generated certificates

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout | grep -A1 "Subject Alternative Name"

openssl x509 -in /etc/kubernetes/pki/etcd/server.crt -text -noout | grep -A1 "Subject Alternative Name"
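The two checks above (expiry and SANs) as one reusable script. This is an added example, not part of the original post; it assumes only that openssl is installed, and that PKI_DIR follows the kubeadm layout under /etc/kubernetes/pki. The expected SAN strings use openssl's own spelling ("DNS:s6", "IP Address:10.117.11.6").

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit the kubeadm PKI directory
# with openssl alone, so it also works where kubeadm itself is not installed.
# Assumption: openssl is on PATH; the default directory is the kubeadm layout.
set -u

# Return 0 if the certificate in $1 is still valid for at least $2 days.
cert_valid_for_days() {
  local crt="$1" days="$2"
  openssl x509 -in "$crt" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Print the SAN entries of $1, one per line (e.g. "DNS:s6", "IP Address:10.117.11.6"),
# using the same grep the post uses for manual verification.
cert_sans() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -v '^$'
}

# Return 0 only when every expected SAN (remaining args) is present in cert $1;
# run this after "kubeadm init phase certs" to confirm the new SANs took effect.
cert_has_sans() {
  local crt="$1"; shift
  local sans want
  sans="$(cert_sans "$crt")"
  for want in "$@"; do
    printf '%s\n' "$sans" | grep -qxF -- "$want" || return 1
  done
  return 0
}

# Walk the PKI tree ($1, default kubeadm path) and flag every certificate
# that expires within $2 days (default 30). Returns 1 if any was flagged.
audit_pki_dir() {
  local dir="${1:-/etc/kubernetes/pki}" days="${2:-30}" rc=0 crt
  for crt in $(find "$dir" -name '*.crt' | sort); do
    if cert_valid_for_days "$crt" "$days"; then
      echo "OK   $crt"
    else
      echo "WARN $crt expires within $days days"
      rc=1
    fi
  done
  return "$rc"
}
```

Run `audit_pki_dir` from cron on each control-plane node; a non-zero exit is the signal to schedule `kubeadm certs renew` before the API server stops accepting its own certificate.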

Restart the static pods

kubectl get pods -n kube-system -o wide
kubectl delete pod -n kube-system kube-apiserver-xx
kubectl delete pod -n kube-system kube-controller-manager-xx
kubectl delete pod -n kube-system kube-scheduler-xx
kubectl delete pod -n kube-system etcd-

Force-restart the static pods

The kubectl delete pod -n kube-system commands above do not actually make these containers reload the certificates;
use the method below to force them to restart.

# first rename the manifests directory
mv /etc/kubernetes/manifests  /etc/kubernetes/manifests-tmp

# after 20+ seconds kubectl stops working, as the static pods have been torn down
# at that point move manifests back and wait another 20+ seconds for kubectl to recover
mv /etc/kubernetes/manifests-tmp  /etc/kubernetes/manifests

Official documentation:
https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#check-certificate-expiration

Check etcd status

# apt install etcd-client

ETCDCTL_API=3 etcdctl --endpoints=https://s6:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/peer.crt \
  --key=/etc/kubernetes/pki/etcd/peer.key endpoint health