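The 1.17 cluster was documented earlier. Today the internal certificates of a 1.25 cluster expired, and the handling is no longer quite the same as on 1.17, so it is recorded here:
Running a command shows right away that the certificate expired 2 days ago: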
[root@master /etc/ansible ]$k get ns
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2025-03-22T17:46:36+08:00 is after 2025-03-20T15:07:25Z
You have new mail in /var/spool/mail/root
[root@master /etc/ansible ]$k get po -A
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2025-03-22T17:49:00+08:00 is after 2025-03-20T15:07:25Z
The kubelet log and the messages log had no useful information either, so renew directly; on 1.25 the alpha subcommand is no longer needed:
[root@master /etc/kubernetes/pki ]$kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
You have new mail in /var/spool/mail/root
At this point it is still not possible to log in, because the user's config file is still the old one:
CONTAINER IMAGE RUNTIME
[root@master /etc/kubernetes ]$k get po
error: You must be logged in to the server (Unauthorized)
You have new mail in /var/spool/mail/root
Copy and replace:
[root@master /etc/kubernetes ]$cp admin.conf /root/.kube/config
cp: overwrite ‘/root/.kube/config’? y
You have new mail in /var/spool/mail/root
Check that API access works:
[root@master /etc/kubernetes ]$k get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
azure flask-azure-devops-6fdbdf6d65-vdnqq 1/1 Running 14 (4d5h ago) 343d
default ingress-nginx-admission-create-mwxtm 0/1 Completed 0 271d
default my-nginx-ingress-ingress-nginx-admission-create-jcx7f 0/1 Completed 0 271d
gitlab-agent myagent-gitlab-agent-v2-7dd7cd5cdc-ppmlq 1/1 Running 21 (4d5h ago) 366d
gitlab-agent myagent-gitlab-agent-v2-7dd7cd5cdc-t7jm2 1/1 Running 14 (4d5h ago) 343d
ingress-nginx my-nginx-ingress-ingress-nginx-admission-create-fc72m 0/1 Completed 0 343d
kube-system calico-kube-controllers-74cfc9ffcc-sjfh9 1/1 Running 21 (4d5h ago) 366d
kube-system calico-node-wxf2k 1/1 Running 20 (4d5h ago) 366d
kube-system calico-node-zmlms 1/1 Running 21 (4d5h ago) 366d
kube-system coredns-c676cc86f-69cqr 1/1 Running 191 (4d5h ago) 366d
kube-system coredns-c676cc86f-rsdcv 1/1 Running 191 (4d5h ago) 366d
kube-system etcd-master 1/1 Running 22 (4d5h ago) 366d
kube-system kube-apiserver-master 1/1 Running 22 (4d5h ago) 366d
kube-system kube-controller-manager-master 1/1 Running 23 (42h ago) 366d
kube-system kube-proxy-46d52 1/1 Running 21 (4d5h ago) 366d
kube-system kube-proxy-ppdnp 1/1 Running 20 (4d5h ago) 366d
kube-system kube-scheduler-master 1/1 Running 23 (42h ago) 366d
kubernetes-dashboard dashboard-metrics-scraper-6867776b74-pclf4 1/1 Running 14 (4d5h ago) 343d
kubernetes-dashboard kubernetes-dashboard-b774b76c7-ht5cb 1/1 Running 14 (4d5h ago) 343d
Compared with the old versions, this is a bit more convenient.
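An added example, not part of the original post: the post attributes the Unauthorized error to the old /root/.kube/config, and this script prints the expiry of the client certificate embedded in a kubeconfig so that copy can be compared with the renewed /etc/kubernetes/admin.conf. The function names are hypothetical, it assumes openssl, awk and base64 are installed, and the demo input is a throwaway self-signed certificate constructed on the spot.

```shell
#!/bin/sh
# Added example: check the client certificate embedded in a kubeconfig.
# Function names are hypothetical; requires openssl, awk and base64.

# Print the PEM client certificate embedded in kubeconfig file $1.
kubeconfig_client_cert() {
    awk '$1 == "client-certificate-data:" { print $2; exit }' "$1" | base64 -d
}

# Print the notAfter date of that certificate.
kubeconfig_cert_enddate() {
    kubeconfig_client_cert "$1" | openssl x509 -noout -enddate | cut -d= -f2
}

# Succeed if the certificate is still valid $2 seconds from now (default 0).
kubeconfig_cert_valid() {
    kubeconfig_client_cert "$1" | openssl x509 -noout -checkend "${2:-0}" >/dev/null
}

# Constructed sample input: write kubeconfig $1 holding a throwaway
# self-signed certificate that is valid for $2 days.
make_sample_kubeconfig() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/O=system:masters/CN=kubernetes-admin" \
        -keyout "$tmp/key.pem" -out "$tmp/crt.pem" 2>/dev/null
    printf 'apiVersion: v1\nkind: Config\nusers:\n- name: kubernetes-admin\n  user:\n    client-certificate-data: %s\n' \
        "$(base64 < "$tmp/crt.pem" | tr -d '\n')" > "$1"
    rm -rf "$tmp"
}

# Report the state of each kubeconfig given as an argument.
report() {
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "$f: not readable"
        elif kubeconfig_cert_valid "$f"; then
            echo "$f: valid until $(kubeconfig_cert_enddate "$f")"
        else
            echo "$f: EXPIRED, notAfter $(kubeconfig_cert_enddate "$f")"
        fi
    done
}

# Demo on constructed input. On a control-plane node, run instead:
#   report /root/.kube/config /etc/kubernetes/admin.conf
demo=$(mktemp) && make_sample_kubeconfig "$demo" 1 && report "$demo"
rm -f "$demo"
```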