k8s之kubelet证书时间过期升级

1.查看当前证书时间

# kubeadm alpha certs renew kubelet
Kubeadm experimental sub-commands

kubeadm是一个用于引导Kubernetes集群的工具,它提供了许多命令和子命令来管理集群的一生周期。过去,某些功能被标记为实验性的,并通过kubeadm alpha子命令进行访问。然而,从Kubernetes 1.15版本开始,kubeadm将这些功能从alpha子命令迁移到了稳定的命令中。

在新版本中,使用kubeadm certs renew kubelet即可

 检查

# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 26, 2025 08:52 UTC   286d            ca                      no      
apiserver                  Mar 26, 2025 08:52 UTC   286d            ca                      no      
apiserver-etcd-client      Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
apiserver-kubelet-client   Mar 26, 2025 08:52 UTC   286d            ca                      no      
controller-manager.conf    Mar 26, 2025 08:52 UTC   286d            ca                      no      
etcd-healthcheck-client    Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
etcd-peer                  Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
etcd-server                Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
front-proxy-client         Mar 26, 2025 08:52 UTC   286d            front-proxy-ca          no      
scheduler.conf             Mar 26, 2025 08:52 UTC   286d            ca                      no      CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 24, 2034 08:52 UTC   9y              no      
etcd-ca                 Mar 24, 2034 08:52 UTC   9y              no      
front-proxy-ca          Mar 24, 2034 08:52 UTC   9y              no 

kubelet证书时间只有1年有效期。 

# openssl x509 -in kubelet.crt -noout -text | grep "Not"Not Before: Mar 26 07:52:16 2024 GMTNot After : Mar 26 07:52:16 2025 GMT

备份原证书

# mkdir backup_certs
# cd backup_certs/# cp /usr/bin/kube* .
# ll
total 211260
-rwxr-x--- 1 root root  45210392 Jun 13 15:15 kubeadm
-rwxr-x--- 1 root root  46592216 Jun 13 15:15 kubectl
-rwxr-x--- 1 root root 124521288 Jun 13 15:15 kubelet# cp -r /etc/kubernetes/pki .
]# ll
total 211264
-rwxr-x--- 1 root root  45210392 Jun 13 15:15 kubeadm
-rwxr-x--- 1 root root  46592216 Jun 13 15:15 kubectl
-rwxr-x--- 1 root root 124521288 Jun 13 15:15 kubelet
drwxr-x--- 3 root root      4096 Jun 13 15:18 pki

删除旧证书

# rm -rf /etc/kubernetes/pki/*

生成新证书

# kubeadm certs renew -h
This command is not meant to be run on its own. See list of available subcommands.Usage:kubeadm certs renew [flags]kubeadm certs renew [command]Available Commands:admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itselfall                      Renew all available certificatesapiserver                Renew the certificate for serving the Kubernetes APIapiserver-etcd-client    Renew the certificate the apiserver uses to access etcdapiserver-kubelet-client Renew the certificate for the API server to connect to kubeletcontroller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to useetcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcdetcd-peer                Renew the certificate for etcd nodes to communicate with each otheretcd-server              Renew the certificate for serving etcdfront-proxy-client       Renew the certificate for the front proxy clientscheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to useFlags:-h, --help   help for renewGlobal Flags:--add-dir-header           If true, adds the file directory to the header of the log messages--log-file string          If non-empty, use this log file--log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)--one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)--rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.--skip-headers             If true, avoid header prefixes in the log messages--skip-log-headers         If true, avoid headers when opening log files-v, --v Level                  number for the log level verbosityUse "kubeadm certs renew [command] --help" for more information about a command.

生成某个证书

升级哪个证书,就生成哪个组件的证书,保险,就生成所有证书

# kubeadm certs renew apiserver-kubelet-client
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'certificate for the API server to connect to kubelet renewed

生成所有证书

# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewedDone renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

查看配置已经更新

# ll /etc/kubernetes/
total 32
-rwxrwxrwx 1 root root 5640 Jun 13 15:26 admin.conf
-rw------- 1 root root 5668 Jun 13 15:26 controller-manager.conf
-rw------- 1 root root 2004 Mar 26 16:52 kubelet.conf
drwxr-xr-x 2 root root  113 May 29 17:12 manifests
drwxr-x--- 3 root root 4096 Mar 26 16:52 pki
-rw------- 1 root root 5620 Jun 13 15:26 scheduler.conf

生成新配置

查看帮助

# kubeadm init phase kubeconfig -h
This command is not meant to be run on its own. See list of available subcommands.Usage:kubeadm init phase kubeconfig [flags]kubeadm init phase kubeconfig [command]Available Commands:admin              Generate a kubeconfig file for the admin to use and for kubeadm itselfall                Generate all kubeconfig filescontroller-manager Generate a kubeconfig file for the controller manager to usekubelet            Generate a kubeconfig file for the kubelet to use *only* for cluster bootstrapping purposesscheduler          Generate a kubeconfig file for the scheduler to useFlags:-h, --help   help for kubeconfigGlobal Flags:--add-dir-header           If true, adds the file directory to the header of the log messages--log-file string          If non-empty, use this log file--log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)--one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)--rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.--skip-headers             If true, avoid header prefixes in the log messages--skip-log-headers         If true, avoid headers when opening log files-v, --v Level                  number for the log level verbosityUse "kubeadm init phase kubeconfig [command] --help" for more information about a command.

生成某个配置

失败是正常,版本垮裤较大,而且也只更新证书有效期

# kubeadm init phase kubeconfig admin
I0613 15:31:07.518079   30859 version.go:255] remote version is much newer: v1.30.2; falling back to: stable-1.23
W0613 15:31:17.521449   30859 version.go:103] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.23.txt": Get "https://cdn.dl.k8s.io/release/stable-1.23.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
W0613 15:31:17.521573   30859 version.go:104] falling back to the local client version: v1.23.4

生成所有配置

# kubeadm init phase kubeconfig all
W0613 15:45:39.731181    7842 version.go:103] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.txt": Get "https://cdn.dl.k8s.io/release/stable-1.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
W0613 15:45:39.731479    7842 version.go:104] falling back to the local client version: v1.23.4
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"

重启kubelet

# systemctl status kubelet.service  | grep ActiveActive: active (running) since Tue 2024-03-26 16:52:52 CST; 2 months 18 days ago# systemctl restart kubelet.service # systemctl status kubelet.service  | grep ActiveActive: active (running) since Thu 2024-06-13 15:47:19 CST; 3s ago

更新admin.conf文件

# cp /etc/kubernetes/admin.conf  ~/.kube/config 
cp: overwrite ‘/root/.kube/config’? y

2.检查证书有效期

# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 13, 2025 07:26 UTC   364d            ca                      no      
apiserver                  Jun 13, 2025 07:26 UTC   364d            ca                      no      
apiserver-etcd-client      Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Jun 13, 2025 07:26 UTC   364d            ca                      no      
controller-manager.conf    Jun 13, 2025 07:26 UTC   364d            ca                      no      
etcd-healthcheck-client    Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
etcd-peer                  Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
etcd-server                Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
front-proxy-client         Jun 13, 2025 07:26 UTC   364d            front-proxy-ca          no      
scheduler.conf             Jun 13, 2025 07:26 UTC   364d            ca                      no      CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 24, 2034 08:52 UTC   9y              no      
etcd-ca                 Mar 24, 2034 08:52 UTC   9y              no      
front-proxy-ca          Mar 24, 2034 08:52 UTC   9y              no   

查看各证书时间

# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -textNot Before: Mar 26 08:52:10 2024 GMTNot After : Jun 13 07:26:54 2025 GMT
# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt -noout -textNot Before: Mar 26 08:52:11 2024 GMTNot After : Jun 13 07:26:55 2025 GMT
# openssl x509 -in /etc/kubernetes/pki/apiserver-kubelet-client.crt -noout -textNot Before: Mar 26 08:52:10 2024 GMTNot After : Jun 13 07:26:55 2025 GMT
# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -textNot Before: Mar 26 08:52:10 2024 GMTNot After : Mar 24 08:52:10 2034 GMT
# openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt -noout -textNot Before: Mar 26 08:52:10 2024 GMTNot After : Mar 24 08:52:10 2034 GMT
# openssl x509 -in /etc/kubernetes/pki/front-proxy-client.crt -noout -textNot Before: Mar 26 08:52:10 2024 GMTNot After : Jun 13 07:26:57 2025 GMT

查看k8s环境

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/851871.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

第一个Vue3.0应用程序

Vue 是一款用于构建用户界面的 JavaScript 框架。它基于标准 HTML、CSS 和 JavaScript 构建,并提供了一套声明式的、组件化的编程模型,帮助你高效地开发用户界面。无论是简单还是复杂的界面,Vue 都可以胜任。 1、准备工作 工欲善其事&#…

如何安装和配置JDK?(详细步骤分享)

1、下载JDK 访问Oracle官方网站(Oracle | Cloud Applications and Cloud Platform),选择适合您操作系统的JDK版本进行下载。建议下载最新的稳定版本。 打开Java,往下拉,找到Oracle JDK 打开后,选择右边的J…

Linux服务器快速下载GoogleDriver小技巧——利用gdown工具

Linux服务器快速下载GoogleDriver小技巧——利用gdown工具 1. 安装gdown pip install gdown安装好后如果在终端输入gdown显示如下错误:gdown: command not found,则说明gdown默认安装的位置需要软链接一下,执行以下命令: sudo …

开源超闭源?ChatGPT危!

在全球AI开源大模型的竞争格局中,一场引人注目的变革刚刚上演。阿里巴巴旗下的最新力作——通义千问Qwen2,一跃成为开源界的新宠,以其惊人的性能全面超越了此前的开源标杆Llama 3。不到发布两小时,Qwen2就直接冲上了Hugging Face开…

大数据可视化电子沙盘:前端技术的全新演绎

随着大数据时代的到来,数据可视化成为了一个重要的技术趋势。数据可视化不仅可以让复杂的数据变得更加直观易懂,还能帮助我们更好地分析和理解数据。在本文中,我们将深入探讨一种基于HTML/CSS/Echarts等技术的大数据可视化电子沙盘&#xff0…

超越 Transformer开启高效开放语言模型的新篇章

在人工智能快速发展的今天,对于高效且性能卓越的语言模型的追求,促使谷歌DeepMind团队开发出了RecurrentGemma这一突破性模型。这款新型模型在论文《RecurrentGemma:超越Transformers的高效开放语言模型》中得到了详细介绍,它通过…

工控PLC通信协议规约采集测试软件工具网关监测系统

系统概述 功能概述 DAQ for IIOT通用工业数据采集系统是一套运行在边缘计算机上的设备数据采集与管理软件,主要用于对各种仪器设备(PLC、注塑机、数控机床、电表、流量计等)数据的采集、控制、存储、查询、展示以及上传。 系统主体功能包括…

闪烁与常亮的符号状态判断机制(状态机算法)

背景说明 在视觉项目中,经常要判断目标的状态,例如:符号的不同频率闪烁、常亮等。然而常规的视觉算法例如YOLO,仅仅只能获取当前帧是否存在该符号,而无法对于符号状态进行判断,然而重新写一个基于时序的卷积…

DDD领域应用理论实践分析回顾

目录 一、DDD的重要性 (一)拥抱互联网黑话(抓痛点、谈愿景、搞方法论) (二)DDD真的重要吗? 二、领域驱动设计DDD在B端营销系统的实践 (一)设计落地步骤 &#xff0…

Ansys Mechanical|使用Trace Mapping建立PCB板的有限元模型

Trace Mapping需要使用ECAD的方法 传统方法 vs ECAD方法 传统方法既繁琐又费时。以下是一些数据: 导出电路板布局的step文件大约需要30分钟。 导入Ansys SpaceClaim中大约需要10分钟。 进行布尔运算和共享拓扑操作大约需要24小时甚至更久。 而ECAD方法更加快速且…

剧本新纪元:探索短剧系统的魔力

在现代社会,随着科技的迅猛进步和生活节奏的不断加快,传统的长篇电视剧和电影已不能完全满足所有人的需求。短剧,由于其简短、快速、直接的特性,正在逐步成为一种文化新趋势。短剧系统正是这一趋势的典型代表,它以独特…

自己用pip下载好模块啦,但是在pycharm里面不显示?

问题: 今天在cmd里面用pip命令安装第三方模块,最后用pip list 命令发现已经成功安装,但是在pycharm里面用该模块的时候,还是爆红,显示没有该库 。 解决方法: 第一种(项目刚创建)&am…

如何学习软件测试,并成功找到工作

在IT行业日益繁荣的今天,软件测试作为确保软件质量的关键环节,越来越受到企业的重视。对于初入职场的小白来说,掌握软件测试技能不仅能够帮助他们快速适应工作,还能为未来的职业发展奠定坚实的基础。本文将为职场小白推荐学习软件…

NVIDIA DeepStream SDK 说明及链接

NVIDIA DeepStream SDK DeepStream 的多平台支持为您提供了一种更快、更简单的方式来开发视觉AI应用程序和服务。您甚至可以在本地、边缘和云中部署它们,只需单击一个按钮。 开始 在Launchpad上试用 什么是 NVIDIA DeepStream? NVIDIA 的 DeepStream …

公交车载视频监控系统解决方案

公交车载视频监控系统基于iVMS-7200移动视频监控管理平台,通过3G/4G网络接入车载前端,实现实时监控、录像回放、GIS地图定位、轨迹回放、设备状态查询、紧急报警等功能。 车载前端包含车载硬盘录像机(简称车载DVR或MDVR)、车载专用摄像机、车载LCD显示屏…

50.Python-web框架-Django中引入静态的bootstrap样式

目录 Bootstrap 官网 特性 下载 在线样例 Bootstrap 入门 Bootstrap v5 中文文档 v5.3 | Bootstrap 中文网 在django中使用bootstrap 新建static\bootstrap5目录,解压后的Bootstrap文件,拷贝项目里就好。 在template文件里引用css文…

k8s metrics-server服务监控pod 的 cpu、内存

项目场景: 需要开启指标服务,依据pod 的 cpu、内存使用率进行自动的扩容或缩容 pod 的数量 解决方案: 下载 metrics-server 组件配置文件: wget https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/…

植物大战僵尸杂交版 MacBook 苹果电脑下载安装详细教程

最近老是看到别人玩植物大战僵尸杂交版,可是找了一圈发现都是PC版本的,原来游戏作者只做了一个PC版本,还好最终没有放弃终于在 Mac 上安装上了植物大战僵尸杂交版 版本是 2.0.88 真的蛮好玩的就是关卡有亿点点难,我最爱玩无尽模式…

一站式解决ComfyUI安装、调试和界面操作,附安装包 C001

点击打开以上网页,页面往下拉,找到“Direct link to download”,点击即可下载官方安装包。 下载完成后,将安装包移动到你想要安装的地方,解压(推荐使用7-Zip),然后点击“run_nvidia_…

无需插件脚本,IDEA配置多服务一键启动

分享本教程的初衷是本人在本地调试时业务场景中需要调用多个服务,并且每次为了找到需要启动的服务花了很多不必要的时间,我相信很多同为开发的小伙伴也有和我一样的困扰。但是学会这招后多个服务需要同时启动时仅需一键即可搞定。接下来让我们一步步设置…