Handling expired k8s certificates
1. Purpose of this document
This document describes how to handle expired k8s certificates. The symptom is that kubectl get node fails with the error: x509: certificate has expired or is not yet valid, which indicates the certificates have expired.
2. System requirements
Kubernetes: V1.19.10
3. Changing the certificate validity period
If you do not need a custom certificate lifetime, you can download kubeadm directly and start from step 3.4; that build's default certificate validity is 99 years.
3.1 Check the current certificate expiry
[root@master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 21, 2025 06:29 UTC   356d                                    no
apiserver                  May 21, 2025 06:29 UTC   356d            ca                      no
apiserver-etcd-client      May 21, 2025 06:29 UTC   356d            etcd-ca                 no
apiserver-kubelet-client   May 21, 2025 06:29 UTC   356d            ca                      no
controller-manager.conf    May 21, 2025 06:29 UTC   356d                                    no
etcd-healthcheck-client    May 21, 2025 06:29 UTC   356d            etcd-ca                 no
etcd-peer                  May 21, 2025 06:29 UTC   356d            etcd-ca                 no
etcd-server                May 21, 2025 06:29 UTC   356d            etcd-ca                 no
front-proxy-client         May 21, 2025 06:29 UTC   356d            front-proxy-ca          no
scheduler.conf             May 21, 2025 06:29 UTC   356d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 19, 2034 06:29 UTC   9y              no
etcd-ca                 May 19, 2034 06:29 UTC   9y              no
front-proxy-ca          May 19, 2034 06:29 UTC   9y              no
3.2 Download and modify the k8s source
Open cmd/kubeadm/app/constants/constants.go and change CertificateValidity to time.Hour * 24 * 365 * 99, where 99 is the number of years of validity you want; any other number of years works the same way.
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"
	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	CertificateValidity = time.Hour * 24 * 365
	// CACertAndKeyBaseName defines certificate authority base name
	CACertAndKeyBaseName = "ca"
	// CACertName defines certificate name
	CACertName = "ca.crt"
	// CAKeyName defines certificate name
	CAKeyName = "ca.key"
	...
)
3.3 Build kubeadm
# Load the Go build image and start a container
docker load -i golang.tar.gz
docker run -itd --name golang golang
# Unpack the k8s source
unzip kubernetes-release-1.19.zip
# Copy the source into the container
docker cp kubernetes-release-1.19/kubernetes-release-1.19/ golang:/opt/
# Enter the container
docker exec -it golang bash
# Install the build dependency
apt update && apt-get install rsync
# Build kubeadm only
cd /opt/kubernetes-release-1.19 && make WHAT=cmd/kubeadm
# Leave the container, then copy out the freshly built kubeadm
docker cp golang:/opt/kubernetes-release-1.19/_output/local/bin/linux/amd64/kubeadm ./
3.4 Regenerate the certificates
# Back up the current kubeadm binary and the pki directory
cp /usr/bin/kubeadm{,.bak20240520}
cp -r /etc/kubernetes/pki{,.bak20240520}
# Replace kubeadm with the patched build
cp ./kubeadm /usr/bin/kubeadm
# Generate the new certificates
cd /etc/kubernetes/pki
kubeadm alpha certs renew all
The output is as follows:
[root@master pki]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Refresh the kubeconfig and restart the control-plane components so they pick up the new certificates:
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
docker ps |grep kube-apiserver|grep -v pause|awk '{print $1}'|xargs -i docker restart {}
docker ps |grep kube-controller-manage|grep -v pause|awk '{print $1}'|xargs -i docker restart {}
docker ps |grep kube-scheduler|grep -v pause|awk '{print $1}'|xargs -i docker restart {}
Verify:
kubeadm alpha certs check-expiration
The output is as follows:
[root@master pki]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 07, 2123 04:34 UTC   98y                                     no
apiserver                  May 07, 2123 04:34 UTC   98y             ca                      no
apiserver-etcd-client      May 07, 2123 04:34 UTC   98y             etcd-ca                 no
apiserver-kubelet-client   May 07, 2123 04:34 UTC   98y             ca                      no
controller-manager.conf    May 07, 2123 04:34 UTC   98y                                     no
etcd-healthcheck-client    May 07, 2123 04:34 UTC   98y             etcd-ca                 no
etcd-peer                  May 07, 2123 04:34 UTC   98y             etcd-ca                 no
etcd-server                May 07, 2123 04:34 UTC   98y             etcd-ca                 no
front-proxy-client         May 07, 2123 04:34 UTC   98y             front-proxy-ca          no
scheduler.conf             May 07, 2123 04:34 UTC   98y                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 19, 2034 06:29 UTC   9y              no
etcd-ca                 May 19, 2034 06:29 UTC   9y              no
front-proxy-ca          May 19, 2034 06:29 UTC   9y              no
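Note what the verification output shows: the renewed leaf certificates now run to 2123, but ca, etcd-ca and front-proxy-ca still expire on May 19, 2034. kubeadm alpha certs renew all never renews CA certificates, and CertificateValidity only sets the lifetime of the certificates kubeadm signs. The Go program below is an added example, not code from this page or from kubeadm. It builds a constructed ten-year CA, signs a kube-apiserver certificate with the stock one-year validity and with the patched 99-year validity, and checks each chain with crypto/x509 at several points in time: ResidualDays reproduces the RESIDUAL TIME column of check-expiration, and IsExpiryError matches the "certificate has expired or is not yet valid" error from section 1. The certificate names, DNS name "kubernetes", serial numbers and keys are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Mirrors kubeadm's CertificateValidity (cmd/kubeadm/app/constants/constants.go):
// one year stock, 99 years after the patch above. kubeadm gives CAs ten years.
const (
	defaultValidity = time.Hour * 24 * 365
	patchedValidity = time.Hour * 24 * 365 * 99
	caValidity      = time.Hour * 24 * 365 * 10
)

var serial int64 // constructed, sequential serials; kubeadm uses random ones

// template builds a CA template (isCA) or an apiserver serving-cert template.
func template(cn string, notBefore time.Time, validity time.Duration, isCA bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{"kubernetes"}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parent. With parent == nil the cert is self-signed (the CA);
// otherwise it is issued by the CA, as kubeadm issues apiserver.crt from ca.crt.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ResidualDays is the RESIDUAL TIME column of check-expiration, in whole days.
func ResidualDays(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// VerifyAt validates leaf against ca as of the given clock time, which is what
// every TLS handshake does; nil means the chain is valid at that moment.
func VerifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "kubernetes", CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// IsExpiryError reports whether err is the validity-period failure from section 1,
// whether the leaf itself or the CA in its chain is outside its validity window.
func IsExpiryError(err error) bool {
	return err != nil && strings.Contains(err.Error(), "certificate has expired or is not yet valid")
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	ca, caKey, err := issue(template("kubernetes", now, caValidity, true), nil, nil)
	if err != nil {
		panic(err)
	}
	for name, v := range map[string]time.Duration{"stock 1y": defaultValidity, "patched 99y": patchedValidity} {
		leaf, _, err := issue(template("kube-apiserver", now, v, false), ca, caKey)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s residual=%dd validNow=%v expiredIn2y=%v expiredDayAfterCA=%v\n", name,
			ResidualDays(leaf, now), VerifyAt(leaf, ca, now) == nil,
			IsExpiryError(VerifyAt(leaf, ca, now.Add(2*defaultValidity))),
			IsExpiryError(VerifyAt(leaf, ca, ca.NotAfter.Add(24*time.Hour))))
	}
}
```

Run it with go run. The stock certificate verifies today and fails two years out, which is the situation from section 1; the patched one still verifies two years out, but both fail the day after the CA expires, because the apiserver, kubectl and every other TLS client check each certificate in the chain against the clock. For this cluster that means the 2034 date in the CERTIFICATE AUTHORITY table above is the real ceiling, and it is that second table, not the 2123 dates, that should be on the expiry watch list.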
Check the cluster status:
[root@master pki]# kubectl get nodes
NAME     STATUS   ROLES    AGE   VERSION
master   Ready    master   8d    v1.19.10
node1    Ready    <none>   8d    v1.19.10
node2    Ready    <none>   8d    v1.19.10
[root@master pki]# kubectl get po -A
NAMESPACE     NAME                                       READY   STATUS    RESTARTS   AGE
default       nfs-client-provisioner-5ddcc4547d-9rbs9    1/1     Running   0          35m
default       nfs-client-provisioner-5ddcc4547d-fgwk6    1/1     Running   1          8d
kube-system   calico-etcd-8dbfx                          1/1     Running   0          8d
kube-system   calico-kube-controllers-9b4cd4c97-wrf4x    1/1     Running   0          8d
kube-system   calico-node-dtnng                          1/1     Running   0          8d
kube-system   calico-node-s52fp                          1/1     Running   0          8d
kube-system   calico-node-wzzdp                          1/1     Running   0          8d
kube-system   coredns-f9fd979d6-8krvk                    1/1     Running   0          8d
kube-system   coredns-f9fd979d6-tv56g                    1/1     Running   0          8d
kube-system   etcd-master                                1/1     Running   0          8d
kube-system   heapster-55bb46945c-bhqsc                  1/1     Running   0          8d
kube-system   kube-apiserver-master                      1/1     Running   0          8d
kube-system   kube-controller-manager-master             1/1     Running   2          8d
kube-system   kube-proxy-cz4w7                           1/1     Running   0          8d
kube-system   kube-proxy-g9vvk                           1/1     Running   0          8d
kube-system   kube-proxy-nd888                           1/1     Running   0          8d
kube-system   kube-scheduler-master                      1/1     Running   2          8d
kube-system   kubernetes-dashboard-75bf8468f8-g6r88      1/1     Running   0          8d
kube-system   monitoring-grafana-649955cdf7-52rcv        1/1     Running   0          8d
kube-system   monitoring-influxdb-5cf7f5bf76-2hqhv       1/1     Running   0          8d
This completes the certificate renewal.