对于版本 1.21.5，这是我的解决方案：

步骤1：

ssh 到主节点，然后在步骤 2 中检查证书。

步骤2：

运行这个命令：kubeadm certs check-expiration

root@kube-master-1:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configurationCERTIFICATE                         EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                          Oct 21, 2022 16:05 UTC   <invalid>                               no      
apiserver                           Oct 21, 2022 16:05 UTC   <invalid>       ca                      no      
!MISSING! apiserver-etcd-client                                                                      
apiserver-kubelet-client            Oct 21, 2022 16:05 UTC   <invalid>       ca                      no      
controller-manager.conf             Oct 21, 2022 16:05 UTC   <invalid>                               no      
!MISSING! etcd-healthcheck-client                                                                    
!MISSING! etcd-peer                                                                                  
!MISSING! etcd-server                                                                                
front-proxy-client                  Oct 21, 2022 16:05 UTC   <invalid>       front-proxy-ca          no      
scheduler.conf                      Oct 21, 2022 16:05 UTC   <invalid>                               no      CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 19, 2031 16:05 UTC   8y              no      
!MISSING! etcd-ca                                                
front-proxy-ca          Oct 19, 2031 16:05 UTC   8y              no      

并看到昨天所有的都过期了。

步骤3：

所有现有证书的备份：

root@kube-master-1:~# cp -R /etc/kubernetes/ssl /etc/kubernetes/ssl.backup
root@kube-master-1:~# cp /etc/kubernetes/admin.conf /etc/kubernetes/admin.conf.backup
root@kube-master-1:~# cp /etc/kubernetes/controller-manager.conf /etc/kubernetes/controller-manager.conf.backup
root@kube-master-1:~# cp /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.backup
root@kube-master-1:~# cp /etc/kubernetes/scheduler.conf /etc/kubernetes/scheduler.conf.backup

步骤4：

要全部更新，请运行以下命令： kubeadm certs renew all

root@kube-master-1:~# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1023 15:15:16.234334 2175921 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewedDone renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

步骤 5：步骤 4 的最后一行告诉我们重要的注意事项：

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates

完成本次运行：

kubectl -n kube-system delete pod -l 'component=kube-apiserver'
kubectl -n kube-system delete pod -l 'component=kube-controller-manager'
kubectl -n kube-system delete pod -l 'component=kube-scheduler'
kubectl -n kube-system delete pod -l 'component=etcd'

步骤6：然后重新启动主节点。

systemctl restart kubeletsystemctl restart docker

第7步：查看结果：

root@kube-master-1:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1023 15:15:23.141925 2177263 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 23, 2023 07:15 UTC   364d                                    no      
apiserver                  Oct 23, 2023 07:15 UTC   364d            ca                      no      
apiserver-kubelet-client   Oct 23, 2023 07:15 UTC   364d            ca                      no      
controller-manager.conf    Oct 23, 2023 07:15 UTC   364d                                    no      
front-proxy-client         Oct 23, 2023 07:15 UTC   364d            front-proxy-ca          no      
scheduler.conf             Oct 23, 2023 07:15 UTC   364d                                    no      CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 19, 2031 16:05 UTC   8y              no      
front-proxy-ca          Oct 19, 2031 16:05 UTC   8y              no     

全部续订至 2023 年

参考

https://stackoverflow.com/questions/49885636/kubernetes-expired-certificate