离线状态下k8s集群证书续期

openssl x509 -noout -dates -in /etc/kubernetes/pki/apiserver.crt

生成一个集群配置的yaml文件:

kubeadm config view > cluster.yaml

 Step 1): Backup old certs and kubeconfigs 备份所有证书和文件 mkdir /etc/kubernetes.bak cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak cp /etc/kubernetes/*.conf /etc/kubernetes.bak #

Step 2): Renew all certs 更新证书 kubeadm alpha certs renew all --config kubeadm.yaml

上面全量更新如果有报错可以执行以下步骤来更新证书

kubeadm alpha certs renew apiserver-kubelet-client --config cluster.yaml

kubeadm alpha certs renew front-proxy-client --config cluster.yaml

kubeadm alpha certs renew apiserver --config cluster.yaml #

Step 3): Renew all kubeconfigs 更新配置文件

kubeadm alpha kubeconfig user --client-name=admin

kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin > /etc/kubernetes/admin.conf

kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf

kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > /etc/kubernetes/kubelet.conf

kubeadm alpha kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf 

Step 4): Copy certs/kubeconfigs and restart Kubernetes services

以下重启都是在master上操作

systemctl restrat kubelet

docker restart $(docker ps | grep k8s_kube-apiserver_kube-apiserver | awk -F " " '{print $1}') 不重启无法与apiserver通信，即kubectl无法使用

docker restart $(docker ps | grep k8s_kube-controller-manager | awk -F " " '{print $1}') 不重启无法实现更新pod

docker restart $(docker ps | grep k8s_kube-scheduler | awk -F " " '{print $1}') 不重启无法调度pod

最后

以上就是典雅小蜜蜂最近收集整理的关于离线状态下k8s集群证书续期的全部内容，更多相关离线状态下k8s集群证书续期内容请搜索靠谱客的其他文章。