kubenetes证书过期之续签证书

1

2

3

4

5

6

[root@k8s-master ~]# kubectl -version

Error: invalid argument "ersion" for "-v, --v" flag: strconv.ParseInt: parsing "ersion": invalid syntax

See 'kubectl --help' for usage.

[root@k8s-master ~]# kubectl version

Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.4", GitCommit:"d360454c9bcd1634cf4cc52d1867af5491dc9c5f", GitTreeState:"clean", BuildDate:"2020-11-11T13:17:17Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"}

Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2022-08-10T20:36:58+08:00 is after 2022-03-23T13:56:31Z

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

[root@k8s-master ~]# kubeadm alpha certs check-expiration

[kubelet.config.k8s.io kubeproxy.config.k8s.io]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED

admin.conf                 Mar 23, 2022 13:56 UTC   <invalid>                               no     

apiserver                  Mar 23, 2022 13:56 UTC   <invalid>       ca                      no     

apiserver-etcd-client      Mar 23, 2022 13:56 UTC   <invalid>       etcd-ca                 no     

apiserver-kubelet-client   Mar 23, 2022 13:56 UTC   <invalid>       ca                      no     

controller-manager.conf    Mar 23, 2022 13:56 UTC   <invalid>                               no     

etcd-healthcheck-client    Mar 23, 2022 13:56 UTC   <invalid>       etcd-ca                 no     

etcd-peer                  Mar 23, 2022 13:56 UTC   <invalid>       etcd-ca                 no     

etcd-server                Mar 23, 2022 13:56 UTC   <invalid>       etcd-ca                 no     

front-proxy-client         Mar 23, 2022 13:56 UTC   <invalid>       front-proxy-ca          no     

scheduler.conf             Mar 23, 2022 13:56 UTC   <invalid>                               no     

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED

ca                      Mar 21, 2031 13:56 UTC   8y              no     

etcd-ca                 Mar 21, 2031 13:56 UTC   8y              no     

front-proxy-ca          Mar 21, 2031 13:56 UTC   8y              no     

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

[root@k8s-master ~]# kubeadm alpha certs renew all

[root@k8s-master ~]# kubeadm alpha certs check-expiration

[check-expiration] Reading configuration from the cluster...

[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED

admin.conf                 Aug 10, 2023 12:39 UTC   364d                                    no     

apiserver                  Aug 10, 2023 12:39 UTC   364d            ca                      no     

apiserver-etcd-client      Aug 10, 2023 12:39 UTC   364d            etcd-ca                 no     

apiserver-kubelet-client   Aug 10, 2023 12:39 UTC   364d            ca                      no     

controller-manager.conf    Aug 10, 2023 12:39 UTC   364d                                    no     

etcd-healthcheck-client    Aug 10, 2023 12:39 UTC   364d            etcd-ca                 no     

etcd-peer                  Aug 10, 2023 12:39 UTC   364d            etcd-ca                 no     

etcd-server                Aug 10, 2023 12:39 UTC   364d            etcd-ca                 no     

front-proxy-client         Aug 10, 2023 12:39 UTC   364d            front-proxy-ca          no     

scheduler.conf             Aug 10, 2023 12:39 UTC   364d                                    no     

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED

ca                      Mar 21, 2031 13:56 UTC   8y              no     

etcd-ca                 Mar 21, 2031 13:56 UTC   8y              no     

front-proxy-ca          Mar 21, 2031 13:56 UTC   8y              no     

1

2

3

4

5

docker ps | grep apiserver

docker ps | grep scheduler

docker ps | grep controller-manager

docker restart containerID

1

cp /etc/kubernetes/admin.conf ~/.kube/config

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

[root@k8s-master pki]# cd  /var/lib/kubelet/pki/

[root@k8s-master pki]# openssl x509 -in kubelet.crt -text -noout

[root@k8s-master pki]# openssl genrsa -out kubelet.key 2048

[root@k8s-master pki]# openssl x509 -req -in kubelet.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -out kubelet.crt -days 3600 -CAcreateserial

[root@k8s-master pki]# cat kubelet.crt > kubelet-client-2021-03-23-21-56-34.pem

[root@k8s-master pki]# cat kubelet.key >> kubelet-client-2021-03-23-21-56-34.pem

[root@k8s-master pki]# cat /etc/kubernetes/pki/ca.crt |base64

LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Fo

a2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1ETXlN

ekV6TlRZek1Wb1hEVE14TURNeU1URXpOVFl6TVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVa

WFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBSm1WClBPQStz

MkpVNStMVm5CbDEvdC95S1U2U2pwS0w4N0JaMTB5RVVVU3d4RHlObFE0ZG9CSE9CME1KQlExVVJI

VGYKWDdSZ1BTeHpobExyc1d4b04zRGlla3lMWjdpaUlrNWdSZjI2YkhCVndkVDFyb1FOM0Nmem9j

blNteEFPZGpJcgo4K1A5aUEwajhaQzhGZjZRMlBNNDBSSkgwOWZDWkJSNDdkR0YzbFZYS2Eva1ov

WFNKdG8zNlYwSldTUkxyMGdUClJQUTVFWmc0SHdEN2JIKzB6bVV3dWRQWDR1ZTNGc21CWjFPUDJj

YmtneDlnQjk0eHRPN2JNZVZ6T2ZsazNrSW4KSGljSG9aTVd4L0JTcXpDejJZVFFVcGw3T3c2bGVZ

VldUdUVJcmkvTmNRakxqT2duMWZkNlRsWW9wUjBrQ25RbQoxMTZQK0g3dXNCUWJHS3JIc2Q4Q0F3

RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hR

WURWUjBPQkJZRUZCOU9nNVp0T2pKaWRXa0o0NGdJYldQZzY3Q1dNQTBHQ1NxR1NJYjMKRFFFQkN3

VUFBNElCQVFCRTRBMEJOd2gvRFRRY3M3L0tiRlFVaUorTnlXbXdKMlZBQnRKWUE0eVJRaDAvREpX

Mwp5NHU2QjFpNk1UWkVxZERFMGdUL2NxUHl0OE5nYk9IbE80VFl1dStsY2xxMUUyZElHQkhlRE80

RjFsWkY3TnF4CnM4T0hrV0ZTTDEydHBjTVNjWlM0TEJRYXozeU52NVRhY0FJWkU3S2FqckRLY3du

akRzd2Q2L1d6Zk45VEVMbUMKR1FnZWlDL2VOaHk3K2hPWitWU0dqMFY4KzR4WTZwMnhGMlAzbEFi

ZDZQN0Y1VFVZYXZPMGFYdC8xbmdwbHBtZwpzYVdyQUM5VXJLTU9HMGhlcHpoei9ONUJIckd4MkFr

Q09GTzR6SDRENFkybUtQWVNGbFFsa2Q0cG1ZZVc3blBaCk8xUTBUSG9mWFdvelcvRzhOZURrWE5U

VDlvUmJ3ZVdpWE9KOAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==

[root@k8s-master pki]# vim /etc/kubernetes/kubelet.conf

certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1ETXlNekV6TlRZek1Wb1hEVE14TURNeU1URXpOVFl6TVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBSm1WClBPQStzMkpVNStMVm5CbDEvdC95S1U2U2pwS0w4N0JaMTB5RVVVU3d4RHlObFE0ZG9CSE9CME1KQlExVVJIVGYKWDdSZ1BTeHpobExyc1d4b04zRGlla3lMWjdpaUlrNWdSZjI2YkhCVndkVDFyb1FOM0Nmem9jblNteEFPZGpJcgo4K1A5aUEwajhaQzhGZjZRMlBNNDBSSkgwOWZDWkJSNDdkR0YzbFZYS2Eva1ovWFNKdG8zNlYwSldTUkxyMGdUClJQUTVFWmc0SHdEN2JIKzB6bVV3dWRQWDR1ZTNGc21CWjFPUDJjYmtneDlnQjk0eHRPN2JNZVZ6T2ZsazNrSW4KSGljSG9aTVd4L0JTcXpDejJZVFFVcGw3T3c2bGVZVldUdUVJcmkvTmNRakxqT2duMWZkNlRsWW9wUjBrQ25RbQoxMTZQK0g3dXNCUWJHS3JIc2Q4Q0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZCOU9nNVp0T2pKaWRXa0o0NGdJYldQZzY3Q1dNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCRTRBMEJOd2gvRFRRY3M3L0tiRlFVaUorTnlXbXdKMlZBQnRKWUE0eVJRaDAvREpXMwp5NHU2QjFpNk1UWkVxZERFMGdUL2NxUHl0OE5nYk9IbE80VFl1dStsY2xxMUUyZElHQkhlRE80RjFsWkY3TnF4CnM4T0hrV0ZTTDEydHBjTVNjWlM0TEJRYXozeU52NVRhY0FJWkU3S2FqckRLY3duakRzd2Q2L1d6Zk45VEVMbUMKR1FnZWlDL2VOaHk3K2hPWitWU0dqMFY4KzR4WTZwMnhGMlAzbEFiZDZQN0Y1VFVZYXZPMGFYdC8xbmdwbHBtZwpzYVdyQUM5VXJLTU9HMGhlcHpoei9ONUJIckd4MkFrQ09GTzR6SDRENFkybUtQWVNGbFFsa2Q0cG1ZZVc3blBaCk8xUTBUSG9mWFdvelcvRzhOZURrWE5UVDlvUmJ3ZVdpWE9KOAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==

[root@k8s-master ~]# systemctl restart kubelet

[root@k8s-master ~]# systemctl status kubelet