问题分析
master ip地址变更以后,我们首先应该检查以下内容:
-
/etc/kubernetes/manifests
下面的config配置文件,替换里面对应的ip -
相关的证书文件
-
客户端文件
解决步骤
准备config文件
如果环境能出国网则不用进行该步骤,此文件为kubeadm.config
使用该文件时候注意替换相关的API地址和端口等信息
apiVersion: kubeadm.k8s.io/v1beta2 bootstrapTokens: - groups: - system:bootstrappers:kubeadm:default-node-token token: abcdef.0123456789abcdef ttl: 24h0m0s usages: - signing - authentication kind: InitConfiguration localAPIEndpoint: advertiseAddress: 100.64.139.62 bindPort: 6443 nodeRegistration: criSocket: /var/run/dockershim.sock name: k8s-master-2 taints: - effect: NoSchedule key: node-role.kubernetes.io/master --- apiServer: timeoutForControlPlane: 4m0s apiVersion: kubeadm.k8s.io/v1beta2 certificatesDir: /etc/kubernetes/pki clusterName: kubernetes controllerManager: {} dns: type: CoreDNS etcd: local: dataDir: /var/lib/etcd kind: ClusterConfiguration imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers kubernetesVersion: v1.16.0 networking: dnsDomain: cluster.local serviceSubnet: 10.96.0.0/12 scheduler: {}
修改配置文件
[root@k8s-master-2 kubernetes]# cd /etc/kubernetes [root@k8s-master-2 kubernetes]# find . -type f |xargs grep 100.64.139.60 |awk '{print $1}' |sort |uniq ./admin.conf: ./controller-manager.conf: ./kubelet.conf: ./manifests/etcd.yaml: ./manifests/kube-apiserver.yaml: ./scheduler.conf:
其中几个conf文件为kubeadm自动生成的带证书的客户端配置文件,需要修改的为etcd.yaml
,kube-apiserver.yaml
两个配置文件。将里面对应的ip地址修改为新的ip地址。
生成新证书
方法一:部分删除生成证书
备份原始证书,根据find
命令的输出,以下相关的服务证书需要更换kubelt api proxy
# 备份原始证书
mv /etc/kubernetes/pki/apiserver.key /etc/kubernetes/pki/apiserver.key.old mv /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.crt.old mv /etc/kubernetes/pki/apiserver-kubelet-client.crt /etc/kubernetes/pki/apiserver-kubelet-client.crt.old mv /etc/kubernetes/pki/apiserver-kubelet-client.key /etc/kubernetes/pki/apiserver-kubelet-client.key.old mv /etc/kubernetes/pki/front-proxy-client.crt /etc/kubernetes/pki/front-proxy-client.crt.old mv /etc/kubernetes/pki/front-proxy-client.key /etc/kubernetes/pki/front-proxy-client.key.old
# 生成新证书
kubeadm init phase certs apiserver --config kubeadm.config kubeadm init phase certs apiserver-kubelet-client --config kubeadm.config kubeadm init phase certs front-proxy-client --config kubeadm.config
kubeadm init phase certs apiserver --config kubeadm.config
kubeadm init phase certs apiserver-kubelet-client --config kubeadm.config
kubeadm init phase certs front-proxy-client --config kubeadm.config
方法二:全部删除生成证书
# 全部删除证书
mv /etc/kubernetes/pki /etc/kubernetes/pki.old
# 生成新证书
kubeadm init phase certs all --config kubeadm.config
生成新的客户端文件
方法一:分步骤生成
kubeadm init phase kubeconfig admin --config kubeadm.config kubeadm init phase kubeconfig controller-manager --config kubeadm.config kubeadm init phase kubeconfig kubelet --config kubeadm.config kubeadm init phase kubeconfig scheduler --config kubeadm.config
方法二:一次全部生成
mv /etc/kubernetes/*.conf /tmp
kubeadm init phase kubeconfig all --config kubeadm.config
查看证书过期时间
[root@k8s-master-2 pki]# kubeadm alpha certs check-expiration CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED admin.conf Dec 10, 2020 05:31 UTC 364d no apiserver Dec 10, 2020 05:30 UTC 364d no apiserver-etcd-client Dec 10, 2020 05:31 UTC 364d no apiserver-kubelet-client Dec 10, 2020 05:30 UTC 364d no controller-manager.conf Dec 10, 2020 05:31 UTC 364d no etcd-healthcheck-client Dec 10, 2020 05:31 UTC 364d no etcd-peer Dec 10, 2020 05:31 UTC 364d no etcd-server Dec 10, 2020 05:30 UTC 364d no front-proxy-client Dec 10, 2020 05:30 UTC 364d no scheduler.conf Dec 10, 2020 05:31 UTC 364d no
重启服务
service docker restart
service kubelet restart