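Problem: the certificates of a k8s cluster installed with kubeadm have expired.
kubeadm is a cluster-initialization tool provided by Kubernetes and is very convenient to use, but the apiserver, controller-manager and other certificates it creates are valid for only one year by default, and the kubelet certificate is likewise valid for only one year. After one year, Kubernetes stops serving, and the component logs show errors like these: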
{"log":"W1217 03:00:36.668150 1 clientconn.go:1208] grpc: addrConn.createTransport failed to connect to {https://127.0.0.1:2379 \u003cnil\u003e 0 \u003cnil\u003e}. Err :connection error: desc = \"transport: authentication handshake failed: x509: certificate has expired or is not yet valid\". Reconnecting...\n","stream":"stderr","time":"2021-12-17T03:00:36.668329523Z"} {"log":"panic: context deadline exceeded\n","stream":"stderr","time":"2021-12-17T03:00:39.149697103Z"} {"log":"\n","stream":"stderr","time":"2021-12-17T03:00:39.149752232Z"}
Checking certificate expiry
# etcd
[root@master pods]# openssl x509 -in /etc/kubernetes/pki/etcd/healthcheck-client.crt -noout -text |grep ' Not '
            Not Before: Sep 18 06:30:55 2022 GMT
            Not After : Sep 18 06:30:55 2023 GMT

# api-server
[root@master pods]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep 'Not'
            Not Before: Sep 18 06:30:54 2022 GMT
            Not After : Sep 18 06:30:54 2023 GMT
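The per-file check above can be run across the whole PKI directory before anything expires. This is an added example, not part of the original post: the function names and the 30-day default are assumptions, and only /etc/kubernetes/pki comes from the page.

```shell
#!/bin/sh
# Added example: list certificates that are expired or about to expire.
# /etc/kubernetes/pki is the path shown on this page; the function names
# and the 30-day default threshold are assumptions made for this example.

# expiring_certs [DIR] [DAYS]
# Prints "<path><TAB><notAfter>" for every *.crt under DIR that is already
# expired, expires within DAYS days, or cannot be parsed as a certificate.
expiring_certs() {
    dir=${1:-/etc/kubernetes/pki}
    days=${2:-30}
    secs=$((days * 86400))
    find "$dir" -type f -name '*.crt' | sort | while IFS= read -r crt; do
        # -checkend exits non-zero when the certificate's notAfter falls
        # within the next $secs seconds (or when the file is unreadable).
        if ! openssl x509 -in "$crt" -noout -checkend "$secs" >/dev/null 2>&1; then
            end=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null | cut -d= -f2)
            printf '%s\t%s\n' "$crt" "${end:-unreadable}"
        fi
    done
}

# make_constructed_cert FILE DAYS
# Creates a throwaway self-signed certificate valid for DAYS days.
# Constructed sample data for trying the check, not a cluster certificate.
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-sample" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# When called with arguments, run the check, e.g.:
#   sh check-certs.sh /etc/kubernetes/pki 30
if [ "$#" -gt 0 ]; then
    expiring_certs "$@"
fi
```

Empty output means nothing under the directory expires inside the window, so the script can be run from cron and alerted on whenever it prints a line.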
Distributing the certificates generated on the master node to the worker node
[root@node1 ~]# kubectl get node
error: You must be logged in to the server (Unauthorized)
[root@node1 ~]# kubectl get node
error: You must be logged in to the server (Unauthorized)
# master node
[root@master kubernetes]# scp admin.conf root@192.168.31.138:/etc/kubernetes

# worker node
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
# admin.conf holds cluster-admin credentials; restrict it to its owner
chmod 600 $HOME/.kube/config

# the nodes are visible again
[root@master update-kube-cert]# kubectl get node
NAME     STATUS   ROLES    AGE    VERSION
master   Ready    master   366d   v1.18.0
node1    Ready    <none>   366d   v1.18.0