k8s: renewing expired kubelet/kubeadm certificates

1. Check the current certificate validity

# kubeadm alpha certs renew kubelet
Kubeadm experimental sub-commands

kubeadm is the tool that bootstraps a Kubernetes cluster and provides the commands for managing the cluster's lifecycle. Certificate management used to be marked experimental and lived under the kubeadm alpha certs subcommand. Since Kubernetes v1.20 it is a stable top-level command, kubeadm certs, and the alpha alias has since been removed; that is why, on the v1.23.4 client used here, the command above only prints the help text for kubeadm alpha instead of doing anything.

The command is wrong in a second way: kubeadm certs renew has no kubelet target (see the subcommand list further down). The kubelet's own client and serving certificates live in /var/lib/kubelet/pki/ and are rotated by the kubelet itself, because kubeadm enables rotateCertificates in its default KubeletConfiguration. What kubeadm renews are the control-plane certificates under /etc/kubernetes/pki/ and the client certificates embedded in admin.conf, controller-manager.conf and scheduler.conf. In current versions the command is simply kubeadm certs renew all (or one of the named targets).

Check

# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 26, 2025 08:52 UTC   286d            ca                      no      
apiserver                  Mar 26, 2025 08:52 UTC   286d            ca                      no      
apiserver-etcd-client      Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
apiserver-kubelet-client   Mar 26, 2025 08:52 UTC   286d            ca                      no      
controller-manager.conf    Mar 26, 2025 08:52 UTC   286d            ca                      no      
etcd-healthcheck-client    Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
etcd-peer                  Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
etcd-server                Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
front-proxy-client         Mar 26, 2025 08:52 UTC   286d            front-proxy-ca          no      
scheduler.conf             Mar 26, 2025 08:52 UTC   286d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 24, 2034 08:52 UTC   9y              no      
etcd-ca                 Mar 24, 2034 08:52 UTC   9y              no      
front-proxy-ca          Mar 24, 2034 08:52 UTC   9y              no 

The kubelet's certificate is valid for only one year as well. Every leaf certificate kubeadm issues defaults to one year, the three CAs to ten, which is why all the leaf certificates above share one expiry date.

# openssl x509 -in kubelet.crt -noout -text | grep "Not"
            Not Before: Mar 26 07:52:16 2024 GMT
            Not After : Mar 26 07:52:16 2025 GMT
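kubeadm certs check-expiration only covers the certificates kubeadm manages; it says nothing about the kubelet's self-rotated certificates, and openssl one file at a time is tedious. The script below, an added example that is not part of the original post, walks all three places a kubeadm node keeps certificates (the pki tree, /var/lib/kubelet/pki, and the client certificates embedded in the kubeconfig files) and flags anything expiring within a window. It assumes the openssl CLI and GNU coreutils (base64 -d) are installed and that the paths are kubeadm's defaults; all of them can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not part of the original post: audit every certificate a
# kubeadm node relies on and flag the ones that are expired or expire soon.
# Assumptions: the openssl CLI and GNU coreutils (base64 -d) are installed and
# the paths below are kubeadm's defaults; override them via the environment.
set -eu

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"            # ca, apiserver, etcd/*, ...
KUBECONFIG_DIR="${KUBECONFIG_DIR:-/etc/kubernetes}"  # *.conf with embedded client certs
KUBELET_PKI="${KUBELET_PKI:-/var/lib/kubelet/pki}"   # the kubelet's self-rotated certs

# Print the notAfter field of a PEM certificate, e.g. "Jun 13 07:26:54 2025 GMT".
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# True (exit 0) when the certificate in $1 is already expired or will expire
# within $2 days. openssl's -checkend does the date arithmetic, so no shell
# date parsing is needed; an unreadable file also counts as a failure.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Write the client certificate embedded in kubeconfig $1 to file $2. kubeadm
# stores it as one base64 line under client-certificate-data; the first user
# entry is taken. Returns 1 when the kubeconfig carries no certificate at all
# (token or exec based auth), so callers can skip it.
kubeconfig_cert_file() {
    data=$(sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$data" ] || return 1
    printf '%s' "$data" | base64 -d > "$2"
}

# Print one report line for certificate file $1 labelled $2; return 1 if it
# expires within $3 days.
report_one() {
    if cert_expires_within "$1" "$3"; then
        printf 'EXPIRING  %-50s %s\n' "$2" "$(cert_enddate "$1" 2>/dev/null || echo unreadable)"
        return 1
    fi
    printf 'ok        %-50s %s\n' "$2" "$(cert_enddate "$1")"
}

# Walk the pki tree, the kubelet's certificates and the kubeconfigs; print a
# summary line and exit 0 only when nothing expires within $1 days.
audit_certs() {
    days="$1"; bad=0
    tmp=$(mktemp)
    for f in "$PKI_DIR"/*.crt "$PKI_DIR"/etcd/*.crt \
             "$KUBELET_PKI"/kubelet.crt "$KUBELET_PKI"/kubelet-client-current.pem; do
        [ -f "$f" ] || continue                      # unmatched glob or missing file
        report_one "$f" "$f" "$days" || bad=$((bad + 1))
    done
    for k in "$KUBECONFIG_DIR"/*.conf; do
        [ -f "$k" ] || continue
        kubeconfig_cert_file "$k" "$tmp" || continue  # no embedded certificate
        report_one "$tmp" "$k" "$days" || bad=$((bad + 1))
    done
    rm -f "$tmp"
    echo "certificates expiring within $days days: $bad"
    [ "$bad" -eq 0 ]
}

# Usage: sh cert-audit.sh audit [DAYS]   (window defaults to 30 days)
case "${1:-}" in
    audit) audit_certs "${2:-30}" ;;
esac
```

Run it as root on every control-plane node (and on workers, where only the kubelet entries apply); the non-zero exit status makes it usable from cron or a monitoring check well before the one-year mark.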

Back up the existing certificates

# mkdir backup_certs
# cd backup_certs/

The binaries are copied first. They are not certificate state, but they make it possible to roll back to exactly this kubeadm/kubelet build if something goes wrong.

# cp /usr/bin/kube* .
# ll
total 211260
-rwxr-x--- 1 root root  45210392 Jun 13 15:15 kubeadm
-rwxr-x--- 1 root root  46592216 Jun 13 15:15 kubectl
-rwxr-x--- 1 root root 124521288 Jun 13 15:15 kubelet

# cp -r /etc/kubernetes/pki .
# ll
total 211264
-rwxr-x--- 1 root root  45210392 Jun 13 15:15 kubeadm
-rwxr-x--- 1 root root  46592216 Jun 13 15:15 kubectl
-rwxr-x--- 1 root root 124521288 Jun 13 15:15 kubelet
drwxr-x--- 3 root root      4096 Jun 13 15:18 pki

Also copy the kubeconfig files (/etc/kubernetes/*.conf): they embed client certificates and keys that the renewal rewrites. The backup now holds the CA private keys, so keep it root-only (chmod 700 backup_certs) and do not leave it on a shared filesystem.

Do not delete the old certificates

Clearing /etc/kubernetes/pki/* before renewing (rm -rf /etc/kubernetes/pki/*) is a mistake. kubeadm certs renew signs the new leaf certificates with the existing ca.key, etcd/ca.key and front-proxy-ca.key, so with an empty pki directory the renewal has nothing to sign with, and with the CAs gone every kubelet and every kubeconfig in the cluster stops trusting the API server. Renewal overwrites the leaf certificates in place; the CAs (valid until 2034 above) stay exactly as they are.

Renew the certificates

# kubeadm certs renew -h
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm certs renew [flags]
  kubeadm certs renew [command]

Available Commands:
  admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                      Renew all available certificates
  apiserver                Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
  controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                Renew the certificate for etcd nodes to communicate with each other
  etcd-server              Renew the certificate for serving etcd
  front-proxy-client       Renew the certificate for the front proxy client
  scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

Flags:
  -h, --help   help for renew

Global Flags:
      --add-dir-header           If true, adds the file directory to the header of the log messages
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm certs renew [command] --help" for more information about a command.

Renew a single certificate

Renew the certificate of the component you are upgrading. When in doubt, renew all of them: it is safe, and every leaf certificate gets a fresh one-year validity.

# kubeadm certs renew apiserver-kubelet-client
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate for the API server to connect to kubelet renewed

Renew all certificates

# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

Check that the kubeconfig files were updated

# ll /etc/kubernetes/
total 32
-rwxrwxrwx 1 root root 5640 Jun 13 15:26 admin.conf
-rw------- 1 root root 5668 Jun 13 15:26 controller-manager.conf
-rw------- 1 root root 2004 Mar 26 16:52 kubelet.conf
drwxr-xr-x 2 root root  113 May 29 17:12 manifests
drwxr-x--- 3 root root 4096 Mar 26 16:52 pki
-rw------- 1 root root 5620 Jun 13 15:26 scheduler.conf

admin.conf, controller-manager.conf and scheduler.conf carry the renewal timestamp. kubelet.conf is untouched on purpose: it points at /var/lib/kubelet/pki/kubelet-client-current.pem, which the kubelet rotates by itself. Note the mode of admin.conf, -rwxrwxrwx. That file embeds a cluster-admin client certificate and key, so every local user on this node can read it; restore it with chmod 600 /etc/kubernetes/admin.conf.

Regenerating the kubeconfig files

Help

# kubeadm init phase kubeconfig -h
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm init phase kubeconfig [flags]
  kubeadm init phase kubeconfig [command]

Available Commands:
  admin              Generate a kubeconfig file for the admin to use and for kubeadm itself
  all                Generate all kubeconfig files
  controller-manager Generate a kubeconfig file for the controller manager to use
  kubelet            Generate a kubeconfig file for the kubelet to use *only* for cluster bootstrapping purposes
  scheduler          Generate a kubeconfig file for the scheduler to use

Flags:
  -h, --help   help for kubeconfig

Global Flags:
      --add-dir-header           If true, adds the file directory to the header of the log messages
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm init phase kubeconfig [command] --help" for more information about a command.

Generate a single kubeconfig file

The warnings below are not a failure. kubeadm tries to look up the latest release online, the download times out, and it falls back to the local client version v1.23.4. More importantly, the init phase does not overwrite a kubeconfig that already exists, so on this node the step changes nothing: the three control-plane kubeconfigs were already rewritten by kubeadm certs renew all. The phase only matters if a kubeconfig was deleted and has to be rebuilt.

# kubeadm init phase kubeconfig admin
I0613 15:31:07.518079   30859 version.go:255] remote version is much newer: v1.30.2; falling back to: stable-1.23
W0613 15:31:17.521449   30859 version.go:103] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.23.txt": Get "https://cdn.dl.k8s.io/release/stable-1.23.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
W0613 15:31:17.521573   30859 version.go:104] falling back to the local client version: v1.23.4

Generate all kubeconfig files

# kubeadm init phase kubeconfig all
W0613 15:45:39.731181    7842 version.go:103] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.txt": Get "https://cdn.dl.k8s.io/release/stable-1.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
W0613 15:45:39.731479    7842 version.go:104] falling back to the local client version: v1.23.4
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"

Restart kubelet

# systemctl status kubelet.service  | grep Active
   Active: active (running) since Tue 2024-03-26 16:52:52 CST; 2 months 18 days ago

# systemctl restart kubelet.service 

# systemctl status kubelet.service  | grep Active
   Active: active (running) since Thu 2024-06-13 15:47:19 CST; 3s ago

Restarting kubelet is not enough on its own. kube-apiserver, kube-controller-manager, kube-scheduler and etcd are static pods, and a kubelet restart leaves them running with the certificates they loaded at start-up, which is exactly what the renew output warned about. Either move their manifests out of /etc/kubernetes/manifests/, wait about 20 seconds for kubelet to stop the pods, and move them back, or kill the containers with crictl (or docker) and let kubelet recreate them. Until then the API server keeps presenting the old certificate, and kubeadm certs check-expiration, which reads the files, will look healthy while the running process is not.

Update the admin kubeconfig

# cp /etc/kubernetes/admin.conf  ~/.kube/config 
cp: overwrite ‘/root/.kube/config’? y

Then tighten the copy with chmod 600 ~/.kube/config and confirm with kubectl get nodes that the renewed admin certificate is accepted by the (restarted) API server.
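The steps above (back up, renew, restart the control plane, restart kubelet, install admin.conf) as one script, added here as an example and not taken from the original post. It assumes a kubeadm control-plane node on v1.20 or later (so kubeadm certs exists), static-pod manifests in /etc/kubernetes/manifests, a systemd-managed kubelet, and root. Nothing is ever deleted: kubeadm certs renew all overwrites the leaf certificates in place and needs the CA keys to do so.

```shell
#!/bin/sh
# Added example, not part of the original post: the renewal procedure as one
# script. Assumptions: kubeadm control-plane node (v1.20+ so 'kubeadm certs'
# exists), static pods in /etc/kubernetes/manifests, systemd kubelet, root.
set -eu

KUBE_DIR="${KUBE_DIR:-/etc/kubernetes}"
MANIFEST_DIR="${MANIFEST_DIR:-$KUBE_DIR/manifests}"

# Archive directory $1 (normally /etc/kubernetes: pki/ plus the *.conf files,
# which embed client certs and keys) into $2 as a root-only tarball and print
# the archive path. This is the rollback point; it contains the CA private keys.
backup_kube_dir() {
    src="$1"; dest_root="$2"
    mkdir -p "$dest_root"
    out="$dest_root/kubernetes-$(date +%Y%m%d-%H%M%S).tgz"
    tar -C "$(dirname "$src")" -czf "$out" "$(basename "$src")"
    chmod 0600 "$out"
    echo "$out"
}

# Restart the control-plane static pods by moving their manifests out of the
# watched directory and back. kubelet notices the removal within its file-check
# period (20s by default), so pause that long before restoring ($2 seconds).
# 'systemctl restart kubelet' alone does NOT restart these pods, and a running
# kube-apiserver keeps serving the old certificate until it is restarted.
restart_static_pods() {
    dir="$1"; pause="${2:-20}"
    ls "$dir"/*.yaml >/dev/null 2>&1 || { echo "no static pod manifests in $dir" >&2; return 1; }
    stash=$(mktemp -d "$dir/../manifests-stash.XXXXXX")   # outside the watched dir
    mv "$dir"/*.yaml "$stash"/
    sleep "$pause"
    mv "$stash"/*.yaml "$dir"/
    rmdir "$stash"
}

# Install the renewed admin.conf as kubectl's default config, owner-only on both
# copies: the file holds a cluster-admin client certificate and private key.
install_admin_kubeconfig() {
    src="$1"; dest="$2"
    mkdir -p "$(dirname "$dest")"
    cp "$src" "$dest"
    chmod 0600 "$dest" "$src"
}

main() {
    backup=$(backup_kube_dir "$KUBE_DIR" "${BACKUP_ROOT:-/root/backup_certs}")
    echo "backup written to $backup"
    kubeadm certs check-expiration                 # before: residual time of every leaf
    kubeadm certs renew all                        # overwrites leaf certs, keeps the CAs
    restart_static_pods "$MANIFEST_DIR"            # apiserver, controller-manager, scheduler, etcd
    systemctl restart kubelet
    install_admin_kubeconfig "$KUBE_DIR/admin.conf" "$HOME/.kube/config"
    kubeadm certs check-expiration                 # after: every leaf shows ~1y again
    kubectl get nodes                              # proves the new admin cert is accepted
}

# Usage: sh renew-certs.sh run
case "${1:-}" in
    run) main ;;
esac
```

On a multi-master cluster run it on every control-plane node, one at a time, since each node holds its own copy of the leaf certificates; worker nodes need nothing as long as kubelet certificate rotation is on.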

2. Verify the certificate validity

# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 13, 2025 07:26 UTC   364d            ca                      no      
apiserver                  Jun 13, 2025 07:26 UTC   364d            ca                      no      
apiserver-etcd-client      Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Jun 13, 2025 07:26 UTC   364d            ca                      no      
controller-manager.conf    Jun 13, 2025 07:26 UTC   364d            ca                      no      
etcd-healthcheck-client    Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
etcd-peer                  Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
etcd-server                Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
front-proxy-client         Jun 13, 2025 07:26 UTC   364d            front-proxy-ca          no      
scheduler.conf             Jun 13, 2025 07:26 UTC   364d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 24, 2034 08:52 UTC   9y              no      
etcd-ca                 Mar 24, 2034 08:52 UTC   9y              no      
front-proxy-ca          Mar 24, 2034 08:52 UTC   9y              no   

Check each certificate's dates

# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep "Not"
            Not Before: Mar 26 08:52:10 2024 GMT
            Not After : Jun 13 07:26:54 2025 GMT
# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt -noout -text | grep "Not"
            Not Before: Mar 26 08:52:11 2024 GMT
            Not After : Jun 13 07:26:55 2025 GMT
# openssl x509 -in /etc/kubernetes/pki/apiserver-kubelet-client.crt -noout -text | grep "Not"
            Not Before: Mar 26 08:52:10 2024 GMT
            Not After : Jun 13 07:26:55 2025 GMT
# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text | grep "Not"
            Not Before: Mar 26 08:52:10 2024 GMT
            Not After : Mar 24 08:52:10 2034 GMT
# openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt -noout -text | grep "Not"
            Not Before: Mar 26 08:52:10 2024 GMT
            Not After : Mar 24 08:52:10 2034 GMT
# openssl x509 -in /etc/kubernetes/pki/front-proxy-client.crt -noout -text | grep "Not"
            Not Before: Mar 26 08:52:10 2024 GMT
            Not After : Jun 13 07:26:57 2025 GMT

The renewed leaf certificates keep the CA's Not Before date (kubeadm copies it from the signing CA) and get a new Not After one year from the renewal; the CAs are unchanged.

Checking the k8s environment

In a Kubernetes cluster, kubelet and kube-proxy are two key system components. kubelet runs on every node as a host service (a systemd unit, as restarted above); kube-proxy is normally deployed as a DaemonSet so that one Pod runs per node. Between them they keep the node's Pods running and provide Service networking. In some situations the kube-proxy Pods can "disappear": they no longer show up in the cluster's resource list, or they are not in a running state.

### Cause analysis

1. **Pod deleted by mistake**
   If someone ran `kubectl delete pod` by hand, or an automation tool cleaned up system Pods it should not have, the kube-proxy Pods are gone. Because kube-proxy is managed by a DaemonSet, the controller recreates the Pod on the node.

2. **Node faulty or unreachable**
   When a node fails, loses network connectivity, or its kubelet crashes, none of the Pods on that node (kube-proxy included) can be reported to the API server, so they appear to have vanished.

3. **Insufficient resources or scheduling failure**
   If the node is short of CPU or memory, or the scheduler cannot place the Pod, the kube-proxy Pod stays Pending or even gets evicted.

4. **Misconfiguration or expired certificates**
   If the kubeconfig kube-proxy uses is wrong, or its TLS credentials have expired, it cannot start and never reaches a running state. This is the case that ties back to the renewal above.

5. **Brief absence during a restart or update**
   During a version upgrade or configuration change the DaemonSet controller deletes the old Pod and creates a new one; the Pod is missing for a moment and then comes back.

6. **Garbage collection**
   If a node stays offline long enough, the node controller marks it NotReady and eventually the Pods on it are garbage collected.

---

### Resolution

1. **Check the DaemonSet**
   Confirm the kube-proxy DaemonSet is healthy:
   ```bash
   kubectl get daemonset -n kube-system
   ```
   If `DESIRED` and `CURRENT` differ, some node has no running kube-proxy.

2. **Check node status and events**
   Verify the node is Ready and read its events:
   ```bash
   kubectl get nodes
   kubectl describe node <node-name>
   ```

3. **Read the kube-proxy Pod logs**
   If a kube-proxy Pod existed but terminated, its previous container's log usually states why:
   ```bash
   kubectl logs <kube-proxy-pod-name> -n kube-system --previous
   ```

4. **Validate the kubeconfig and certificate**
   Make sure the kubeconfig kube-proxy uses has the right server address and certificate paths, and that the certificate has not expired:
   ```bash
   cat /etc/kubernetes/kube-proxy.kubeconfig
   openssl x509 -in /etc/kubernetes/cert/kube-proxy.pem -text -noout
   ```
   These paths belong to a binary (non-kubeadm) install. On a kubeadm cluster kube-proxy reads its kubeconfig from the kube-proxy ConfigMap in kube-system and authenticates with its service-account token, so the certificate renewal above does not affect it; it only needs the API server to be reachable with a valid serving certificate.

5. **Check kubelet on the node**
   Log in to the node and confirm kubelet is running:
   ```bash
   systemctl status kubelet
   journalctl -u kubelet -n 100
   ```

6. **Recover the missing Pods**
   Once a deletion or scheduling failure is confirmed, either delete the remaining kube-proxy Pods and let the DaemonSet rebuild them:
   ```bash
   kubectl delete pod -n kube-system -l k8s-app=kube-proxy
   ```
   or force a rolling restart of the DaemonSet:
   ```bash
   kubectl rollout restart daemonset kube-proxy -n kube-system
   ```

7. **Check taints and tolerations**
   Make sure the node carries no taint that keeps kube-proxy from being scheduled; otherwise add the matching toleration to the DaemonSet.