Notes
1. Every k8s cluster described here was installed with the kubeadm tool of the matching version.
2. Before carrying out any of the operations below, be sure to back up the /etc/kubernetes directory in case you need to roll back.
3. None of the renewal procedures below regenerates the CA certificate. (If the CA certificate is regenerated, every node in the cluster has to be joined again.)
How to renew certificates on kubernetes v1.13
1. Prepare the cluster configuration file
kubeadm config view > cluster.yaml
If the certificates have already expired, the command above is unlikely to succeed, and cluster.yaml has to be written by hand. Example:
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta1
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: 10.40.53.101:6443   # fill in for your environment
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.13.2   # fill in for your environment
networking:
  dnsDomain: cluster.local
  podSubnet: 192.168.0.0/16   # default value; set to your actual value
  serviceSubnet: 10.96.0.0/12   # default value; set to your actual value
scheduler: {}
2. Generate the certificate used by the etcd health-check connection
kubeadm alpha phase certs etcd-healthcheck-client --config cluster.yaml
3. Generate the certificate used for authentication between etcd peers
kubeadm alpha phase certs etcd-peer --config cluster.yaml
4. Generate the etcd server certificate
kubeadm alpha phase certs etcd-server --config cluster.yaml
5. Generate the certificate used by the apiserver front proxy
kubeadm alpha phase certs front-proxy-client --config cluster.yaml
Note: the front-proxy certificate is only needed if you run kube-proxy to support an extension API server.
6. Generate the certificate the apiserver uses to connect to etcd
kubeadm alpha phase certs apiserver-etcd-client --config cluster.yaml
7. Generate the certificate the apiserver uses to connect to the kubelet
kubeadm alpha phase certs apiserver-kubelet-client --config cluster.yaml
8. Generate the apiserver server certificate
kubeadm alpha phase certs apiserver --config cluster.yaml
9. Regenerate the kubeconfig files
The following command renews the *.conf files under /etc/kubernetes/:
kubeadm alpha phase kubeconfig all --config cluster.yaml
10. Restart docker and then kubelet on the master node, and confirm that the master component containers come back up. The certificate renewal is now complete; after replacing ~/.kube/config, control of the cluster is restored.
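To confirm that the steps above actually renewed everything, the following script lists each certificate under the kubeadm pki tree and each client certificate embedded in the /etc/kubernetes/*.conf files, with the days it has left, whether it is a CA (which this post deliberately does not renew) and the RBAC identity (CN and O) it carries. This is an added example, not code from the original post; it assumes openssl, GNU date (date -d) and GNU coreutils (base64 -d), and the function names and the PKI_DIR/CONF_DIR variables are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: list every kubeadm certificate with
# the days it has left, so the result of the renewal steps can be checked.
# Assumptions: openssl, GNU date (date -d) and GNU coreutils (base64 -d) on the
# control-plane node; PKI_DIR/CONF_DIR default to the kubeadm locations.
set -eu

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
CONF_DIR="${CONF_DIR:-/etc/kubernetes}"

# Whole days until the certificate in FILE expires (negative once it has expired).
days_until_expiry() {
  local file="$1" end_str end_epoch now_epoch
  end_str=$(openssl x509 -noout -enddate -in "$file" | sed 's/^notAfter=//')
  end_epoch=$(date -d "$end_str" +%s)
  now_epoch=$(date +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# "yes" if FILE is a CA certificate (basicConstraints CA:TRUE), else "no".
# The post leaves the CA certificates alone, so they keep their original
# validity period and are flagged separately here.
is_ca_cert() {
  if openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# Subject of the certificate in FILE in RFC2253 form, e.g.
# "O=system:masters,CN=kubernetes-admin": CN is the user, O the groups RBAC sees.
cert_subject() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Decode the client certificate embedded in a kubeconfig (first
# client-certificate-data entry) and print it as PEM.
kubeconfig_client_cert() {
  grep 'client-certificate-data:' "$1" | head -n 1 | awk '{print $2}' | base64 -d
}

# One line per certificate: the pki tree, the etcd subtree and the *.conf files.
audit() {
  local f tmp
  printf '%-45s %5s %3s  %s\n' FILE DAYS CA SUBJECT
  for f in "$PKI_DIR"/*.crt "$PKI_DIR"/etcd/*.crt; do
    [ -f "$f" ] || continue
    printf '%-45s %5s %3s  %s\n' "$f" "$(days_until_expiry "$f")" "$(is_ca_cert "$f")" "$(cert_subject "$f")"
  done
  tmp=$(mktemp)
  for f in "$CONF_DIR"/*.conf; do
    [ -f "$f" ] || continue
    kubeconfig_client_cert "$f" > "$tmp" || true
    if [ ! -s "$tmp" ]; then
      printf '%-45s %5s %3s  %s\n' "$f" - - '(no embedded client certificate)'
      continue
    fi
    printf '%-45s %5s %3s  %s\n' "$f" "$(days_until_expiry "$tmp")" "$(is_ca_cert "$tmp")" "$(cert_subject "$tmp")"
  done
  rm -f "$tmp"
}

# Only run when asked, so the functions can also be sourced:
#   bash cert-audit.sh audit
if [ "${1:-}" = audit ]; then audit; fi
```

Run it before and after the renewal: the DAYS column for the non-CA entries should jump to roughly 365, while the CA entries stay where they were.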
How to renew certificates on kubernetes v1.14
Notes:
- kubeadm v1.14 provides no command such as kubeadm alpha phase kubeconfig all to regenerate the /etc/kubernetes/*.conf files automatically, so they have to be rebuilt by hand with the steps below.
- Replace the ip:port in the steps below with your own.
##renew all cert except ca cert
kubeadm alpha certs renew all
##run from /etc/kubernetes so that the pki/ paths resolve and the *.conf files land in place
cd /etc/kubernetes
##generate admin.conf
kubectl config set-cluster kubernetes --certificate-authority=pki/ca.crt --embed-certs=true --server=https://10.10.53.101:6443 --kubeconfig=admin.conf
kubectl config set-credentials kubernetes-admin --client-certificate=pki/apiserver-kubelet-client.crt --client-key=pki/apiserver-kubelet-client.key --embed-certs=true --kubeconfig=admin.conf
kubectl config set-context kubernetes-admin@kubernetes --cluster=kubernetes --user=kubernetes-admin --kubeconfig=admin.conf
kubectl config use-context kubernetes-admin@kubernetes --kubeconfig=admin.conf
##generate controller-manager.conf
kubectl config set-cluster kubernetes --certificate-authority=pki/ca.crt --embed-certs=true --server=https://10.10.53.101:6443 --kubeconfig=controller-manager.conf
kubectl config set-credentials system:kube-controller-manager --client-certificate=pki/apiserver-kubelet-client.crt --client-key=pki/apiserver-kubelet-client.key --embed-certs=true --kubeconfig=controller-manager.conf
kubectl config set-context system:kube-controller-manager@kubernetes --cluster=kubernetes --user=system:kube-controller-manager --kubeconfig=controller-manager.conf
kubectl config use-context system:kube-controller-manager@kubernetes --kubeconfig=controller-manager.conf
##generate scheduler.conf
kubectl config set-cluster kubernetes --certificate-authority=pki/ca.crt --embed-certs=true --server=https://10.10.53.101:6443 --kubeconfig=scheduler.conf
kubectl config set-credentials system:kube-scheduler --client-certificate=pki/apiserver-kubelet-client.crt --client-key=pki/apiserver-kubelet-client.key --embed-certs=true --kubeconfig=scheduler.conf
kubectl config set-context system:kube-scheduler@kubernetes --cluster=kubernetes --user=system:kube-scheduler --kubeconfig=scheduler.conf
kubectl config use-context system:kube-scheduler@kubernetes --kubeconfig=scheduler.conf
##generate kubelet.conf
kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > kubelet.conf
systemctl stop kubelet
systemctl stop docker
##clear kubelet pki
mkdir -p /var/lib/kubelet/pki-bak
mv /var/lib/kubelet/pki/* /var/lib/kubelet/pki-bak/
systemctl start docker
systemctl start kubelet
##set admin config
cp /etc/kubernetes/admin.conf ~/.kube/config
##approve node csr
kubectl get csr|grep $(hostname)|awk '{print $1}'|xargs kubectl certificate approve
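The three kubectl config sequences above each produce a single-cluster kubeconfig with the CA, client certificate and key inlined as base64. The following script writes that same structure for admin.conf, controller-manager.conf and scheduler.conf in one loop and, for each file, prints the subject of the client certificate it embeds. That last line matters: kubeadm issues apiserver-kubelet-client.crt with O=system:masters, so all three files confer cluster-admin rights no matter which user name is written into them, and the script makes that visible. This is an added example, not code from the original post; it assumes openssl and GNU coreutils (base64 -w0), the kubeadm default paths, and the function names (write_kubeconfig, regenerate_all, cert_subject) are my own. The server address is the one used in the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: write the same kind of kubeconfig the
# kubectl-config sequences above produce, for all three control-plane components
# in one loop, and show which RBAC identity each embedded client cert carries.
# Assumptions: openssl, GNU coreutils (base64 -w0); paths are kubeadm defaults.
set -eu

# Subject of the client cert (RFC2253), i.e. the user (CN) and groups (O)
# the API server will see when this kubeconfig is used.
cert_subject() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# write_kubeconfig OUT USER SERVER CA_CRT CLIENT_CRT CLIENT_KEY
# Emits a single-cluster kubeconfig with --embed-certs=true semantics:
# all three PEM files are inlined as base64, no file paths remain.
write_kubeconfig() {
  local out="$1" user="$2" server="$3" ca="$4" crt="$5" key="$6"
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    certificate-authority-data: $(base64 -w0 "$ca")
    server: $server
users:
- name: $user
  user:
    client-certificate-data: $(base64 -w0 "$crt")
    client-key-data: $(base64 -w0 "$key")
contexts:
- name: $user@kubernetes
  context:
    cluster: kubernetes
    user: $user
current-context: $user@kubernetes
EOF
  chmod 600 "$out"   # the file now contains a private key
}

# regenerate_all SERVER [PKI_DIR] [OUT_DIR]
# Rebuild admin.conf, controller-manager.conf and scheduler.conf exactly as the
# post does (all three reuse apiserver-kubelet-client.crt) and print the
# identity each one actually confers.
regenerate_all() {
  local server="$1" pki="${2:-/etc/kubernetes/pki}" outdir="${3:-.}"
  local crt="$pki/apiserver-kubelet-client.crt" key="$pki/apiserver-kubelet-client.key"
  local spec out user
  for spec in admin.conf:kubernetes-admin \
              controller-manager.conf:system:kube-controller-manager \
              scheduler.conf:system:kube-scheduler; do
    out="${spec%%:*}"; user="${spec#*:}"
    write_kubeconfig "$outdir/$out" "$user" "$server" "$pki/ca.crt" "$crt" "$key"
    echo "$out -> user name '$user', cert identity: $(cert_subject "$crt")"
  done
}

# Usage: bash regen-kubeconfig.sh https://10.10.53.101:6443 /etc/kubernetes/pki /tmp/newconf
if [ $# -ge 1 ]; then regenerate_all "$@"; fi
```

Write the files to a scratch directory first and diff them against the ones kubectl produced; the only differences should be key order and whitespace. Because the printed identity is O=system:masters for every component, a deployment that wants per-component privileges instead would need separate client certificates, as the kubelet.conf step does with kubeadm alpha kubeconfig user.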
How to renew certificates on kubernetes v1.15
1. Renew all certificates under /etc/kubernetes/pki (the CA certificate excluded)
kubeadm alpha certs renew all
2. Check the CSR status; if any request has not been approved, run the following command by hand
kubectl get csr|grep -v NAME|awk '{print $1}'|xargs kubectl certificate approve
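Both the v1.14 "approve node csr" step and the v1.15 step above approve every CSR whose line survives a grep, so any unrelated pending request on the cluster is approved along with the kubelet's. The following function narrows that to what the renewal actually produces: requests whose CONDITION is Pending and whose REQUESTOR is a node identity (system:node:<name>), optionally restricted to one node as the v1.14 step does with $(hostname). It reads column positions from the header line, so it handles the v1.15 table (NAME AGE REQUESTOR CONDITION) as well as later releases that insert a SIGNERNAME column. This is an added example, not code from the original post; the function name and the sample table (CSR names, node names and ages are constructed) are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: approve only the CSRs the renewal
# produces (pending requests from a system:node:<name> identity) instead of
# piping every CSR name into "kubectl certificate approve".
set -eu

# Constructed sample of "kubectl get csr" output (v1.15 layout), used by demo().
SAMPLE_CSR_TABLE='NAME        AGE   REQUESTOR                       CONDITION
csr-2bq4f   5m    system:node:master1             Pending
csr-7zk9p   2h    system:node:master1             Approved,Issued
csr-k3m2x   1m    system:node:worker2             Pending
csr-q8v1n   30s   system:serviceaccount:dev:app   Pending'

# pending_node_csrs [NODE]
# Reads a "kubectl get csr" table on stdin and prints the names of CSRs whose
# CONDITION is exactly Pending and whose REQUESTOR is a node identity. With NODE
# given, only that node's requests are printed. Column indexes come from the
# header, so a SIGNERNAME column (added in later releases) does not matter.
pending_node_csrs() {
  local node="${1:-}"
  awk -v node="$node" '
    NR == 1 {
      for (i = 1; i <= NF; i++) col[$i] = i
      next
    }
    $(col["CONDITION"]) == "Pending" &&
    $(col["REQUESTOR"]) ~ /^system:node:/ &&
    (node == "" || $(col["REQUESTOR"]) == "system:node:" node) {
      print $(col["NAME"])
    }
  '
}

# Run the filter over the constructed sample (no cluster needed).
demo() {
  printf '%s\n' "$SAMPLE_CSR_TABLE" | pending_node_csrs "$@"
}

# On a live cluster the filter slots into the post's pipeline as:
#   kubectl get csr | pending_node_csrs "$(hostname)" | xargs -r kubectl certificate approve
if [ "${1:-}" = demo ]; then shift; demo "$@"; fi
```

On the sample above, demo prints csr-2bq4f and csr-k3m2x: the already-issued request and the service-account request are left alone, and demo master1 prints only csr-2bq4f.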