update-kube-cert's Introduction

Hi there 👋

Thanks for visiting my GitHub profile, it's great to meet you here! 😊

  • 🏠 I’m currently working from home
  • 📖 I’m currently learning Rust
  • 👦 About me: CKA CKAD CNCF Nocalhost Maintainer
  • 💬 Ask me about K8s Docker Istio Envoy Ansible

update-kube-cert's People

Contributors

lixiang2017, unknown256, whitebear009, yuyicai

update-kube-cert's Issues

1.18.6 reports that ca.crt cannot be found

[root@node1 update-kube-cert]# ./update-kubeadm-cert.sh all
[2020-10-23T18:38:30.019660073+0800]: WARNING: does not backup, /etc/kubernetes.old-20201023 already exists
[2020-10-23T18:38:30.020856512+0800]: ERROR: can not find /etc/kubernetes/pki/etcd/ca.crt

I can't seem to renew the certificate using this script.

ubuntu@ubuntu:~/update-kube-cert$ sudo ./update-kubeadm-cert.sh all
CERTIFICATE                                       EXPIRES                       
/etc/kubernetes/controller-manager.config         Jan  4 15:51:26 2023 GMT      
/etc/kubernetes/scheduler.config                  Jan  4 15:51:32 2023 GMT      
/etc/kubernetes/admin.config                      Apr 28 12:43:55 2023 GMT      
/etc/kubernetes/pki/ca.crt                        Jul 19 04:57:47 2031 GMT      
/etc/kubernetes/pki/apiserver.crt                 Jan  4 15:51:08 2023 GMT      
/etc/kubernetes/pki/apiserver-kubelet-client.crt  Jan  4 15:51:08 2023 GMT      
/etc/kubernetes/pki/front-proxy-ca.crt            Jul 19 04:57:46 2031 GMT      
/etc/kubernetes/pki/front-proxy-client.crt        Jan  4 15:51:08 2023 GMT      
Can't open /etc/kubernetes/pki/etcd/ca.crt for reading, No such file or directory
140414413820352:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('/etc/kubernetes/pki/etcd/ca.crt','r')
140414413820352:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
unable to load certificate
/etc/kubernetes/pki/etcd/ca.crt                                                 
Can't open /etc/kubernetes/pki/etcd/server.crt for reading, No such file or directory
139710240743872:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('/etc/kubernetes/pki/etcd/server.crt','r')
139710240743872:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
unable to load certificate
/etc/kubernetes/pki/etcd/server.crt                                             
Can't open /etc/kubernetes/pki/etcd/peer.crt for reading, No such file or directory
140302155653568:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('/etc/kubernetes/pki/etcd/peer.crt','r')
140302155653568:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
unable to load certificate
/etc/kubernetes/pki/etcd/peer.crt                                               
Can't open /etc/kubernetes/pki/etcd/healthcheck-client.crt for reading, No such file or directory
139896056136128:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('/etc/kubernetes/pki/etcd/healthcheck-client.crt','r')
139896056136128:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
unable to load certificate
/etc/kubernetes/pki/etcd/healthcheck-client.crt                                 
Can't open /etc/kubernetes/pki/apiserver-etcd-client.crt for reading, No such file or directory
140245347066304:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('/etc/kubernetes/pki/apiserver-etcd-client.crt','r')
140245347066304:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
unable to load certificate
/etc/kubernetes/pki/apiserver-etcd-client.crt                                   
[2022-05-01T10:56:31.55+0000][WARNING] does not backup, /etc/kubernetes.old-20220501 already exists
[2022-05-01T10:56:31.55+0000][INFO] updating...
ubuntu@ubuntu:~/update-kube-cert$

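Certificates updated successfully, but existing pods have trouble starting

Hello, after I ran the script, all the certificates were updated successfully.
kubectl get pod -A also shows the pods, and these pods have all been running for a long time.
When I try to recreate these pods, they can no longer be created; for example, the following errors are reported: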

 MountVolume.SetUp failed for volume "flannel-cfg" : failed to sync configmap cache: timed out waiting for the condition
MountVolume.SetUp failed for volume "flannel-token-7qt7z" : failed to sync secret cache: timed out waiting for the condition

It looks like the cm and secret can no longer be read after the certificates were updated?

can not find /etc/kubernetes/pki/etcd/ca.crt

log

[root@s1 update-kube-cert]# bash update-kubeadm-cert.sh all
[2021-07-19T16:32:00.768567557+0800]: WARNING: does not backup, /etc/kubernetes.old-20210719 already exists
[2021-07-19T16:32:00.770018187+0800]: ERROR: can not find /etc/kubernetes/pki/etcd/ca.crt
[root@s1 update-kube-cert]#

version

[root@s1 update-kube-cert]# kubectl version
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.0", GitCommit:"91e7b4fd31fcd3d5f436da26c980becec37ceefe", GitTreeState:"clean", BuildDate:"2018-06-27T20:17:28Z", GoVersion:"go1.10.2", Compiler:"gc", Platform:"linux/amd64"}
Unable to connect to the server: x509: certificate has expired or is not yet valid

tree

[root@s1 ~]# tree /etc/kubernetes
/etc/kubernetes
|-- admin.conf
|-- controller-manager.conf
|-- k8sconf.bak
|   |-- admin.conf
|   |-- controller-manager.conf
|   |-- kubelet.conf
|   `-- scheduler.conf
|-- kubelet.conf
|-- manifests
|   |-- kube-apiserver.yaml
|   |-- kube-controller-manager.yaml
|   `-- kube-scheduler.yaml
|-- njwjw.conf
|-- old
|   |-- admin.conf
|   |-- controller-manager.conf
|   |-- kubelet.conf
|   `-- scheduler.conf
|-- pki
|   |-- apiserver.crt
|   |-- apiserver.key
|   |-- apiserver-kubelet-client.crt
|   |-- apiserver-kubelet-client.key
|   |-- ca.crt
|   |-- ca.key
|   |-- front-proxy-ca.crt
|   |-- front-proxy-ca.key
|   |-- front-proxy-client.crt
|   |-- front-proxy-client.key
|   |-- old
|   |   |-- apiserver.crt
|   |   |-- apiserver.crt.old
|   |   |-- apiserver.key
|   |   |-- apiserver.key.old
|   |   |-- apiserver-kubelet-client.crt
|   |   |-- apiserver-kubelet-client.crt.old
|   |   |-- apiserver-kubelet-client.key
|   |   |-- apiserver-kubelet-client.key.old
|   |   |-- front-proxy-client.crt
|   |   |-- front-proxy-client.crt.old
|   |   |-- front-proxy-client.key
|   |   `-- front-proxy-client.key.old
|   |-- sa.key
|   `-- sa.pub
|-- refreshcer.sh
`-- scheduler.conf

5 directories, 41 files

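Question about kubelet certificate renewal

Hello, my kubeadm version is v1.15.7. I would like to ask: is the kubelet certificate automatically rotated by default in this version? Can it be renewed manually?

Problem after certificate update

After the certificate update I found that the certificates were indeed renewed for ten years, but after copying the new admin.conf I cannot connect to the cluster normally.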

About restart control plane pod for containerd

I see that the bash script of containerd already contains the action of restarting the container.
crictl ps | awk '/kube-'${item}'-/{print $(NF-1)}' | xargs -r -I '{}' crictl stopp {} >/dev/null 2>&1 || true

Why does it need to be restarted manually as mentioned in the document for containerd?

(By the way, the script is very niubility... it helped me a lot)

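kubelet certificate cannot be renewed after the update

Hello, after I renewed the certificates with kubeadm alpha certs renew all, the kubelet certificate in /var/lib/kubelet/pki was not renewed. How should this be handled, or will the kubelet certificate be renewed automatically before it expires? My version is v1.19.7.

Certificate renewal question for version 1.9

Hello, after running the script, how do I verify that it took effect? Is it useful to check directly with openssl in the pki directory? On higher versions you can check with the kubeadm alpha certs check-expiration command, but I don't know how to confirm on version 1.9; checking with openssl shows it has already changed.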
