k8s cluster: extending certificate validity

Published: 2025-07-11

Note: in a k8s cluster built with kubeadm, the certificates issued to the control-plane components are valid for 1 year (the three CA certificates are valid for 10 years), as shown in the figure below.

This post walks through extending them with a script. The steps are as follows.

1 Download the script

Automatic certificate-renewal script: https://github.com/yuyicai/update-kube-cert

You can also fetch it with git:

git clone https://github.com/yuyicai/update-kube-cert.git
cd update-kube-cert

2 Change into the update-kube-cert directory and upload update-kubeadm-cert.sh to a control-plane node (here, 103.org). In a cluster with several control-plane nodes, run the script on each of them: every control-plane node holds its own copy of the certificates.

3 Make it executable

 chmod +x update-kubeadm-cert.sh

4 Run it

    [root@103 ~]# ./update-kubeadm-cert.sh all
    /usr/bin/env: “bash\r”: No such file or directory

It fails: the file was saved with Windows (CRLF) line endings, so the kernel passes the interpreter name "bash\r" (with a trailing carriage return) to env, and no such program exists. Convert the script to Unix line endings:

    vim update-kubeadm-cert.sh
    :set ff=unix
    :wq

(dos2unix update-kubeadm-cert.sh or sed -i 's/\r$//' update-kubeadm-cert.sh does the same without opening an editor.)
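The following pre-flight helper is an added example, not code from the original post or from the update-kube-cert project. It strips CRLF endings from the script and checks that the interpreter line is usable, then archives the two directories the post says to back up into timestamped tarballs with a sha256 manifest and verifies that manifest before the renewal is run. The backup destination /root/k8s-cert-backup is an assumption; the other paths are the kubeadm defaults.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post or of update-kube-cert):
# pre-flight for running update-kubeadm-cert.sh on a control-plane node.
# Assumes GNU sed/tar/coreutils (sha256sum) and the kubeadm default layout.

# Return 0 if FILE contains CRLF line endings (the cause of "bash\r: No such file").
has_crlf() {
  grep -q "$(printf '\r')" "$1"
}

# Convert FILE to LF endings in place and make it executable. Safe to re-run.
fix_script() {
  sed -i 's/\r$//' "$1"
  chmod +x "$1"
  # Refuse to continue if the interpreter line still does not end in "bash".
  head -n1 "$1" | grep -q '^#!.*bash$' || { echo "unexpected shebang in $1" >&2; return 1; }
}

# Archive each DIR into DEST/<dir-with-underscores>-<timestamp>.tar.gz and
# record sha256 sums so the backup can be verified before a restore.
backup_dirs() {   # backup_dirs DEST DIR...
  dest="$1"; shift
  stamp=$(date +%Y-%m-%d_%H-%M-%S)   # same stamp style the script uses
  mkdir -p "$dest"
  for d in "$@"; do
    [ -d "$d" ] || { echo "skip $d: not a directory" >&2; continue; }
    name=$(printf '%s' "$d" | tr '/' '_' | sed 's/^_//')
    tar -C / -czf "$dest/$name-$stamp.tar.gz" "${d#/}"
  done
  ( cd "$dest" && sha256sum ./*-"$stamp".tar.gz > "manifest-$stamp.sha256" )
  echo "$dest/manifest-$stamp.sha256"
}

# Verify the sums recorded by backup_dirs; non-zero on any mismatch.
verify_backup() {   # verify_backup MANIFEST
  ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1")" >/dev/null )
}

# Usage on the control-plane node (the destination directory is an assumption):
#   fix_script ./update-kubeadm-cert.sh
#   m=$(backup_dirs /root/k8s-cert-backup /etc/kubernetes /var/lib/kubelet/pki)
#   verify_backup "$m" && ./update-kubeadm-cert.sh all
```

The archives are taken relative to / so that a restore is a plain tar -C / -xzf of the file; the kubelet directory is included because the script's own backup covers only /etc/kubernetes.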

5 Run ./update-kubeadm-cert.sh all again

Before doing so, back up /etc/kubernetes and /var/lib/kubelet/pki. The script copies /etc/kubernetes itself (see the "backup" line in the output below), but it does not copy /var/lib/kubelet/pki.

[root@103 ~]# ./update-kubeadm-cert.sh all
[2025-07-10T15:56:52.83+0800] [INFO] checking if all certificate files are existed...
[2025-07-10T15:56:52.83+0800] [INFO] found file: /etc/kubernetes/pki/etcd/ca.crt
[2025-07-10T15:56:52.83+0800] [INFO] found file: /etc/kubernetes/pki/etcd/ca.key
[2025-07-10T15:56:52.84+0800] [INFO] found file: /etc/kubernetes/pki/etcd/server.crt
[2025-07-10T15:56:52.84+0800] [INFO] found file: /etc/kubernetes/pki/etcd/server.key
[2025-07-10T15:56:52.85+0800] [INFO] found file: /etc/kubernetes/pki/etcd/peer.crt
[2025-07-10T15:56:52.85+0800] [INFO] found file: /etc/kubernetes/pki/etcd/peer.key
[2025-07-10T15:56:52.85+0800] [INFO] found file: /etc/kubernetes/pki/etcd/healthcheck-client.crt
[2025-07-10T15:56:52.86+0800] [INFO] found file: /etc/kubernetes/pki/etcd/healthcheck-client.key
[2025-07-10T15:56:52.86+0800] [INFO] found file: /etc/kubernetes/pki/apiserver-etcd-client.crt
[2025-07-10T15:56:52.86+0800] [INFO] found file: /etc/kubernetes/pki/apiserver-etcd-client.key
[2025-07-10T15:56:52.87+0800] [INFO] found file: /etc/kubernetes/controller-manager.conf
[2025-07-10T15:56:52.87+0800] [INFO] found file: /etc/kubernetes/scheduler.conf
[2025-07-10T15:56:52.88+0800] [INFO] found file: /etc/kubernetes/admin.conf
[2025-07-10T15:56:52.88+0800] [INFO] found file: /etc/kubernetes/pki/ca.crt
[2025-07-10T15:56:52.88+0800] [INFO] found file: /etc/kubernetes/pki/ca.key
[2025-07-10T15:56:52.89+0800] [INFO] found file: /etc/kubernetes/pki/apiserver.crt
[2025-07-10T15:56:52.89+0800] [INFO] found file: /etc/kubernetes/pki/apiserver.key
[2025-07-10T15:56:52.89+0800] [INFO] found file: /etc/kubernetes/pki/apiserver-kubelet-client.crt
[2025-07-10T15:56:52.90+0800] [INFO] found file: /etc/kubernetes/pki/apiserver-kubelet-client.key
[2025-07-10T15:56:52.90+0800] [INFO] found file: /etc/kubernetes/pki/front-proxy-ca.crt
[2025-07-10T15:56:52.90+0800] [INFO] found file: /etc/kubernetes/pki/front-proxy-ca.key
[2025-07-10T15:56:52.91+0800] [INFO] found file: /etc/kubernetes/pki/front-proxy-client.crt
[2025-07-10T15:56:52.91+0800] [INFO] found file: /etc/kubernetes/pki/front-proxy-client.key
[2025-07-10T15:56:52.91+0800] [INFO] found file: /etc/kubernetes/controller-manager.conf
[2025-07-10T15:56:52.92+0800] [INFO] found file: /etc/kubernetes/scheduler.conf
[2025-07-10T15:56:52.92+0800] [INFO] found file: /etc/kubernetes/admin.conf
[2025-07-10T15:56:52.93+0800] [INFO] all certificate files are existed
[2025-07-10T15:56:52.93+0800] [INFO] backup /etc/kubernetes to /etc/kubernetes.old-2025-07-10_15-56-52
[2025-07-10T15:56:52.98+0800] [INFO] checking certificate expiration before update...
|-----------------------------------|----------------------------|
| CERTIFICATE                       | EXPIRES                    |
| ca.crt                            | Jul  7 11:13:23 2035 GMT   |
| apiserver.crt                     | Jul  9 11:13:23 2026 GMT   |
| apiserver-kubelet-client.crt      | Jul  9 11:13:23 2026 GMT   |
| front-proxy-ca.crt                | Jul  7 11:13:24 2035 GMT   |
| front-proxy-client.crt            | Jul  9 11:13:24 2026 GMT   |
|-----------------------------------|----------------------------|
| controller-manager.conf           | Jul  9 11:13:26 2026 GMT   |
| scheduler.conf                    | Jul  9 11:13:26 2026 GMT   |
| admin.conf                        | Jul  9 11:13:25 2026 GMT   |
|-----------------------------------|----------------------------|
| etcd/ca.crt                       | Jul  7 11:13:24 2035 GMT   |
| etcd/server.crt                   | Jul  9 11:13:24 2026 GMT   |
| etcd/peer.crt                     | Jul  9 11:13:24 2026 GMT   |
| etcd/healthcheck-client.crt       | Jul  9 11:13:25 2026 GMT   |
| apiserver-etcd-client.crt         | Jul  9 11:13:25 2026 GMT   |
|-----------------------------------|----------------------------|
[2025-07-10T15:56:53.25+0800] [INFO] updating certificates with 3650 days expiration...
[2025-07-10T15:56:53.33+0800] [INFO] updated /etc/kubernetes/pki/etcd/server.crt
[2025-07-10T15:56:53.40+0800] [INFO] updated /etc/kubernetes/pki/etcd/peer.crt
[2025-07-10T15:56:53.45+0800] [INFO] updated /etc/kubernetes/pki/etcd/healthcheck-client.crt
[2025-07-10T15:56:53.50+0800] [INFO] updated /etc/kubernetes/pki/apiserver-etcd-client.crt
[2025-07-10T15:56:55.03+0800] [INFO] restarted etcd
[2025-07-10T15:56:55.13+0800] [INFO] updated /etc/kubernetes/pki/apiserver.crt
[2025-07-10T15:56:55.20+0800] [INFO] updated /etc/kubernetes/pki/apiserver-kubelet-client.crt
[2025-07-10T15:56:55.27+0800] [INFO] updated /etc/kubernetes/controller-manager.conf
[2025-07-10T15:56:55.37+0800] [INFO] updated /etc/kubernetes/scheduler.conf
[2025-07-10T15:56:55.57+0800] [INFO] updated /etc/kubernetes/admin.conf
[2025-07-10T15:56:55.73+0800] [INFO] updated /etc/kubernetes/pki/front-proxy-client.crt
[2025-07-10T15:56:57.12+0800] [INFO] restarted control-plane pod: apiserver
[2025-07-10T15:56:58.65+0800] [INFO] restarted control-plane pod: controller-manager
[2025-07-10T15:56:59.56+0800] [INFO] restarted control-plane pod: scheduler
[2025-07-10T15:56:59.66+0800] [INFO] restarted kubelet
[2025-07-10T15:56:59.66+0800] [INFO] checking certificate expiration after update...
|-----------------------------------|----------------------------|
| CERTIFICATE                       | EXPIRES                    |
| ca.crt                            | Jul  7 11:13:23 2035 GMT   |
| apiserver.crt                     | Jul  8 07:56:55 2035 GMT   |
| apiserver-kubelet-client.crt      | Jul  8 07:56:55 2035 GMT   |
| front-proxy-ca.crt                | Jul  7 11:13:24 2035 GMT   |
| front-proxy-client.crt            | Jul  8 07:56:55 2035 GMT   |
|-----------------------------------|----------------------------|
| controller-manager.conf           | Jul  8 07:56:55 2035 GMT   |
| scheduler.conf                    | Jul  8 07:56:55 2035 GMT   |
| admin.conf                        | Jul  8 07:56:55 2035 GMT   |
|-----------------------------------|----------------------------|
| etcd/ca.crt                       | Jul  7 11:13:24 2035 GMT   |
| etcd/server.crt                   | Jul  8 07:56:53 2035 GMT   |
| etcd/peer.crt                     | Jul  8 07:56:53 2035 GMT   |
| etcd/healthcheck-client.crt       | Jul  8 07:56:53 2035 GMT   |
| apiserver-etcd-client.crt         | Jul  8 07:56:53 2035 GMT   |
|-----------------------------------|----------------------------|
[2025-07-10T15:57:00.30+0800] [INFO] DONE!!!enjoy it

please copy admin.conf to /root/.kube/config manually.
    # back old config
    cp /root/.kube/config /root/.kube/config_backup
    # copy new admin.conf to /root/.kube/config for kubectl manually
    cp -i /etc/kubernetes/admin.conf /root/.kube/config

6 Check that nodes and pods are healthy. The RESTARTS column for etcd, kube-apiserver, kube-controller-manager and kube-scheduler shows a restart about two minutes earlier; that is the script reloading the new certificates and is expected.

[root@103 ~]# kubectl get nodes
NAME      STATUS   ROLES           AGE   VERSION
103.org   Ready    control-plane   20h   v1.26.0
104.org   Ready    worker          20h   v1.26.0
105.org   Ready    worker          20h   v1.26.0
[root@103 ~]# 
[root@103 ~]# kubectl get pods -n kube-system
NAME                                      READY   STATUS    RESTARTS       AGE
calico-kube-controllers-b48d575fb-jngns   1/1     Running   0              17h
calico-node-59gdp                         1/1     Running   0              17h
calico-node-m6x29                         1/1     Running   0              17h
calico-node-tlqdq                         1/1     Running   0              17h
coredns-567c556887-58cwt                  1/1     Running   0              20h
coredns-567c556887-wdcrh                  1/1     Running   0              20h
etcd-103.org                              1/1     Running   3 (117s ago)   20h
kube-apiserver-103.org                    1/1     Running   3 (115s ago)   20h
kube-controller-manager-103.org           1/1     Running   3 (114s ago)   20h
kube-proxy-6wt6v                          1/1     Running   0              20h
kube-proxy-nfwgf                          1/1     Running   0              20h
kube-proxy-tv5t5                          1/1     Running   0              20h
kube-scheduler-103.org                    1/1     Running   3 (113s ago)   20h

7 Check the certificate validity

As the "after update" table shows, the leaf certificates now expire in 2035, an extension of 10 years. Note that the three CA certificates (ca.crt, front-proxy-ca.crt, etcd/ca.crt) are not renewed and still expire on Jul 7 2035, one day before the renewed leaf certificates: the CA expiry is the cluster's real deadline, because a leaf certificate is useless once the CA that signed it has expired. The kubelet's own client certificate under /var/lib/kubelet/pki is not in the table either; kubeadm enables the kubelet's automatic certificate rotation, so it renews itself.
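Neither the post nor the script output shows how to check the expiry yourself. The following is an added example (not from the original post or the update-kube-cert project) that does it with openssl alone, covering both the .crt files under the pki directory and the client certificates embedded as client-certificate-data in the kubeconfigs, and exiting non-zero when anything expires within a given window so it can run from cron or a monitoring check. Paths default to the kubeadm layout; the 30-day window in the usage line is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post or of update-kube-cert): report
# the expiry of every kubeadm certificate, including the client certificates
# embedded in the kubeconfigs, using only openssl. Assumes the kubeadm layout
# (/etc/kubernetes/pki, /etc/kubernetes/*.conf) unless other paths are given.

# Read one PEM certificate on stdin, print "NAME STATUS notAfter", and return 1
# if it expires within WARN_SECONDS (openssl x509 -checkend does the comparison).
cert_status() {   # cert_status NAME WARN_SECONDS < cert.pem
  pem=$(cat)
  notafter=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | cut -d= -f2)
  if printf '%s\n' "$pem" | openssl x509 -noout -checkend "$2" >/dev/null; then
    printf '%-36s OK        %s\n' "$1" "$notafter"
    return 0
  fi
  printf '%-36s EXPIRING  %s\n' "$1" "$notafter"
  return 1
}

# Decode the client certificate embedded in a kubeconfig (empty output if the
# kubeconfig references a file via client-certificate instead).
kubeconfig_client_cert() {   # kubeconfig_client_cert FILE
  sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$1" | head -n1 | base64 -d
}

# Scan PKI_DIR for *.crt (recursively, so etcd/ is included) and the given
# kubeconfigs; return 1 if anything expires within DAYS. kubeadm paths contain
# no spaces, so word-splitting the find output is acceptable here.
check_kube_certs() {   # check_kube_certs PKI_DIR DAYS [KUBECONFIG...]
  pki="$1"; warn=$(( $2 * 86400 )); shift 2; rc=0
  for f in $(find "$pki" -name '*.crt' | sort); do
    cert_status "${f#"$pki"/}" "$warn" < "$f" || rc=1
  done
  for f in "$@"; do
    [ -r "$f" ] || continue
    data=$(kubeconfig_client_cert "$f")
    [ -n "$data" ] || continue
    printf '%s\n' "$data" | cert_status "$(basename "$f")" "$warn" || rc=1
  done
  return $rc
}

# Usage on the control-plane node; exit status 1 means something expires within 30 days:
#   check_kube_certs /etc/kubernetes/pki 30 /etc/kubernetes/admin.conf \
#       /etc/kubernetes/controller-manager.conf /etc/kubernetes/scheduler.conf
```

The built-in equivalent is kubeadm certs check-expiration, which prints the same table the script does; the openssl version is useful where kubeadm is not on the path of the monitoring host, and it makes the CA rows visible alongside the leaf rows so the one-day gap noted above is not overlooked.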

If you would rather not use the script, the official kubeadm command does the same job:

kubeadm certs renew all

Note: the subcommand is kubeadm certs in v1.20 and later (in v1.15 to v1.19 it is kubeadm alpha certs renew all). It renews the same non-CA certificates the script does, for 1 year from now, but it restarts nothing: afterwards restart the control-plane static pods (kube-apiserver, kube-controller-manager, kube-scheduler, etcd) so they load the new files, and copy the new /etc/kubernetes/admin.conf over ~/.kube/config again.

Finally, this script is very capable. It can also set the certificate validity to 100 years, but only if that is arranged before the cluster is initialized with kubeadm: the renewed leaf certificates are signed by the existing CAs, so their useful lifetime is capped by the CAs' 10-year validity, and a longer-lived CA has to be in place before kubeadm init.

OK, problem solved. Done!

If you repost this, please include a link to the original.

