Overview
openssl x509 -noout -dates -in /etc/kubernetes/pki/apiserver.crt
Generate a YAML file of the cluster configuration:
kubeadm config view > cluster.yaml
Step 1): Backup old certs and kubeconfigs (back up all certificates and files)
mkdir /etc/kubernetes.bak
cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak
cp /etc/kubernetes/*.conf /etc/kubernetes.bak
Step 2): Renew all certs (renew the certificates)
kubeadm alpha certs renew all --config cluster.yaml
If the full renewal above reports an error, run the following commands to renew the certificates one at a time:
kubeadm alpha certs renew apiserver-kubelet-client --config cluster.yaml
kubeadm alpha certs renew front-proxy-client --config cluster.yaml
kubeadm alpha certs renew apiserver --config cluster.yaml
Step 3): Renew all kubeconfigs (update the configuration files)
kubeadm alpha kubeconfig user --client-name=admin
kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin > /etc/kubernetes/admin.conf
kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf
kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > /etc/kubernetes/kubelet.conf
kubeadm alpha kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf
Step 4): Copy certs/kubeconfigs and restart Kubernetes services
All of the following restarts are performed on the master node.
systemctl restart kubelet
docker restart $(docker ps | grep k8s_kube-apiserver_kube-apiserver | awk -F " " '{print $1}')  # without this restart, communication with the apiserver fails, i.e. kubectl cannot be used
docker restart $(docker ps | grep k8s_kube-controller-manager | awk -F " " '{print $1}')  # without this restart, pods cannot be updated
docker restart $(docker ps | grep k8s_kube-scheduler | awk -F " " '{print $1}')  # without this restart, pods cannot be scheduled
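To confirm the renewal took effect, the expiry check from the Overview can be run over every certificate under /etc/kubernetes/pki and over the client certificates embedded in the regenerated kubeconfigs, which a check of apiserver.crt alone does not cover. The script below is an added example, not part of the original article; WARN_DAYS, the status words and the function names are assumptions.

```sh
#!/bin/sh
# Added example: report certificates that expire within WARN_DAYS days,
# including client certificates embedded in kubeconfig files.
# Paths follow the article; WARN_DAYS and function names are assumptions.
WARN_DAYS="${WARN_DAYS:-30}"

# Print the PEM client certificate embedded in a kubeconfig (first user entry).
kubeconfig_client_cert() {
    awk '$1 == "client-certificate-data:" { print $2; exit }' "$1" | base64 -d
}

# Read a PEM certificate on stdin; print "OK <notAfter>", "EXPIRING <notAfter>"
# or "UNREADABLE" when openssl cannot parse the input.
cert_status() {
    pem=$(cat)
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null) \
        || { echo "UNREADABLE"; return 0; }
    # -checkend exits 0 only if the certificate is still valid N seconds from now.
    if printf '%s\n' "$pem" | openssl x509 -noout \
            -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1; then
        echo "OK ${end#notAfter=}"
    else
        echo "EXPIRING ${end#notAfter=}"
    fi
}

# Scan a kubeadm-style directory: <dir>/pki/*.crt, <dir>/pki/etcd/*.crt, <dir>/*.conf
scan_kubernetes_dir() {
    dir="$1"
    for crt in "$dir"/pki/*.crt "$dir"/pki/etcd/*.crt; do
        [ -f "$crt" ] || continue
        printf '%s\t%s\n' "$crt" "$(cert_status < "$crt")"
    done
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        # Skip kubeconfigs that reference a certificate file instead of embedding it.
        grep -q 'client-certificate-data:' "$conf" || continue
        printf '%s\t%s\n' "$conf" "$(kubeconfig_client_cert "$conf" | cert_status)"
    done
}

scan_kubernetes_dir "${1:-/etc/kubernetes}"
```

Any line reported as EXPIRING after Step 4 points at a certificate or kubeconfig that was not regenerated; running the script against /etc/kubernetes.bak shows the pre-renewal dates for comparison.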
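Finally
That is everything 典雅小蜜蜂 has collected and organized on renewing k8s cluster certificates while offline. I hope this article helps you solve the problems you run into when renewing k8s cluster certificates offline.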