k8s之kubelet证书时间过期升级

news2024/12/25 12:55:17

1.查看当前证书时间

# kubeadm alpha certs renew kubelet
Kubeadm experimental sub-commands

kubeadm是一个用于引导Kubernetes集群的工具,它提供了许多命令和子命令来管理集群的一生周期。过去,某些功能被标记为实验性的,并通过kubeadm alpha子命令进行访问。然而,从Kubernetes 1.15版本开始,kubeadm将这些功能从alpha子命令迁移到了稳定的命令中。

在新版本中,使用kubeadm certs renew kubelet即可

 检查

# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 26, 2025 08:52 UTC   286d            ca                      no      
apiserver                  Mar 26, 2025 08:52 UTC   286d            ca                      no      
apiserver-etcd-client      Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
apiserver-kubelet-client   Mar 26, 2025 08:52 UTC   286d            ca                      no      
controller-manager.conf    Mar 26, 2025 08:52 UTC   286d            ca                      no      
etcd-healthcheck-client    Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
etcd-peer                  Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
etcd-server                Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
front-proxy-client         Mar 26, 2025 08:52 UTC   286d            front-proxy-ca          no      
scheduler.conf             Mar 26, 2025 08:52 UTC   286d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 24, 2034 08:52 UTC   9y              no      
etcd-ca                 Mar 24, 2034 08:52 UTC   9y              no      
front-proxy-ca          Mar 24, 2034 08:52 UTC   9y              no 

kubelet证书时间只有1年有效期。 

# openssl x509 -in kubelet.crt -noout -text | grep "Not"
            Not Before: Mar 26 07:52:16 2024 GMT
            Not After : Mar 26 07:52:16 2025 GMT

备份原证书

# mkdir backup_certs
# cd backup_certs/

# cp /usr/bin/kube* .
# ll
total 211260
-rwxr-x--- 1 root root  45210392 Jun 13 15:15 kubeadm
-rwxr-x--- 1 root root  46592216 Jun 13 15:15 kubectl
-rwxr-x--- 1 root root 124521288 Jun 13 15:15 kubelet

# cp -r /etc/kubernetes/pki .
]# ll
total 211264
-rwxr-x--- 1 root root  45210392 Jun 13 15:15 kubeadm
-rwxr-x--- 1 root root  46592216 Jun 13 15:15 kubectl
-rwxr-x--- 1 root root 124521288 Jun 13 15:15 kubelet
drwxr-x--- 3 root root      4096 Jun 13 15:18 pki

删除旧证书

# rm -rf /etc/kubernetes/pki/*

生成新证书

# kubeadm certs renew -h
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm certs renew [flags]
  kubeadm certs renew [command]

Available Commands:
  admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                      Renew all available certificates
  apiserver                Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
  controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                Renew the certificate for etcd nodes to communicate with each other
  etcd-server              Renew the certificate for serving etcd
  front-proxy-client       Renew the certificate for the front proxy client
  scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

Flags:
  -h, --help   help for renew

Global Flags:
      --add-dir-header           If true, adds the file directory to the header of the log messages
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm certs renew [command] --help" for more information about a command.

生成某个证书

升级哪个证书,就生成哪个组件的证书,保险,就生成所有证书

# kubeadm certs renew apiserver-kubelet-client
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate for the API server to connect to kubelet renewed

生成所有证书

# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

查看配置已经更新

# ll /etc/kubernetes/
total 32
-rwxrwxrwx 1 root root 5640 Jun 13 15:26 admin.conf
-rw------- 1 root root 5668 Jun 13 15:26 controller-manager.conf
-rw------- 1 root root 2004 Mar 26 16:52 kubelet.conf
drwxr-xr-x 2 root root  113 May 29 17:12 manifests
drwxr-x--- 3 root root 4096 Mar 26 16:52 pki
-rw------- 1 root root 5620 Jun 13 15:26 scheduler.conf

生成新配置

查看帮助

# kubeadm init phase kubeconfig -h
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm init phase kubeconfig [flags]
  kubeadm init phase kubeconfig [command]

Available Commands:
  admin              Generate a kubeconfig file for the admin to use and for kubeadm itself
  all                Generate all kubeconfig files
  controller-manager Generate a kubeconfig file for the controller manager to use
  kubelet            Generate a kubeconfig file for the kubelet to use *only* for cluster bootstrapping purposes
  scheduler          Generate a kubeconfig file for the scheduler to use

Flags:
  -h, --help   help for kubeconfig

Global Flags:
      --add-dir-header           If true, adds the file directory to the header of the log messages
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm init phase kubeconfig [command] --help" for more information about a command.

生成某个配置

失败是正常,版本垮裤较大,而且也只更新证书有效期

# kubeadm init phase kubeconfig admin
I0613 15:31:07.518079   30859 version.go:255] remote version is much newer: v1.30.2; falling back to: stable-1.23
W0613 15:31:17.521449   30859 version.go:103] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.23.txt": Get "https://cdn.dl.k8s.io/release/stable-1.23.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
W0613 15:31:17.521573   30859 version.go:104] falling back to the local client version: v1.23.4

生成所有配置

# kubeadm init phase kubeconfig all
W0613 15:45:39.731181    7842 version.go:103] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.txt": Get "https://cdn.dl.k8s.io/release/stable-1.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
W0613 15:45:39.731479    7842 version.go:104] falling back to the local client version: v1.23.4
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"

重启kubelet

# systemctl status kubelet.service  | grep Active
   Active: active (running) since Tue 2024-03-26 16:52:52 CST; 2 months 18 days ago

# systemctl restart kubelet.service 

# systemctl status kubelet.service  | grep Active
   Active: active (running) since Thu 2024-06-13 15:47:19 CST; 3s ago

更新admin.conf文件

# cp /etc/kubernetes/admin.conf  ~/.kube/config 
cp: overwrite ‘/root/.kube/config’? y

2.检查证书有效期

# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 13, 2025 07:26 UTC   364d            ca                      no      
apiserver                  Jun 13, 2025 07:26 UTC   364d            ca                      no      
apiserver-etcd-client      Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Jun 13, 2025 07:26 UTC   364d            ca                      no      
controller-manager.conf    Jun 13, 2025 07:26 UTC   364d            ca                      no      
etcd-healthcheck-client    Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
etcd-peer                  Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
etcd-server                Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
front-proxy-client         Jun 13, 2025 07:26 UTC   364d            front-proxy-ca          no      
scheduler.conf             Jun 13, 2025 07:26 UTC   364d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 24, 2034 08:52 UTC   9y              no      
etcd-ca                 Mar 24, 2034 08:52 UTC   9y              no      
front-proxy-ca          Mar 24, 2034 08:52 UTC   9y              no   

查看各证书时间

# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text
            Not Before: Mar 26 08:52:10 2024 GMT
            Not After : Jun 13 07:26:54 2025 GMT
# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt -noout -text
            Not Before: Mar 26 08:52:11 2024 GMT
            Not After : Jun 13 07:26:55 2025 GMT
# openssl x509 -in /etc/kubernetes/pki/apiserver-kubelet-client.crt -noout -text
            Not Before: Mar 26 08:52:10 2024 GMT
            Not After : Jun 13 07:26:55 2025 GMT
# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text
            Not Before: Mar 26 08:52:10 2024 GMT
            Not After : Mar 24 08:52:10 2034 GMT
# openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt -noout -text
            Not Before: Mar 26 08:52:10 2024 GMT
            Not After : Mar 24 08:52:10 2034 GMT
# openssl x509 -in /etc/kubernetes/pki/front-proxy-client.crt -noout -text
            Not Before: Mar 26 08:52:10 2024 GMT
            Not After : Jun 13 07:26:57 2025 GMT

查看k8s环境

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1821034.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

vue3 前端验证码-删除最后一个,焦点聚焦在前一个值上,并不会删除值

删除最后一个数字&#xff0c;焦点聚焦在前一个值上&#xff0c;并不会删除值 <inputv-for"(box, index) in boxes":key"index"ref"inputRefs":value"box"input"onInputChange(index)"keyup"onKeyDown($event, inde…

WARNING: pip is configured with locations that require TLS/SSL

在pycharm中运行pip下载软件包遇到该问题&#xff1a;WARNING: pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available 原因&#xff1a;没有安装openssl&#xff1b; 到https://slproweb.com/products/Win32OpenSSL.ht…

u-boot(五) - 启动流程概述

一&#xff0c;XIP设备 一上电&#xff0c;CPU必定从XIP设备得到第1条指令。 XIP设备是指一种可以直接在存储器中执行程序代码的设备&#xff0c;而不需要将代码复制到内存中。XIP的全称是eXecute In Place&#xff0c;即芯片内执行。这类设备包括片内的SRAM、NOR Flash、Boot…

社区论坛圈子软件APP ,提供互动交流、知识共享和专业交流的社交平台。

社区论坛圈子软件APP的开发能够为用户提供一个互动交流的社交平台&#xff0c;促进用户之间的知识分享、交流和互助。本文将突出社区论坛圈子软件APP的前景、作用和特点&#xff0c;以帮助您了解该系统的潜力和优势。 一、前景&#xff1a; 知识共享&#xff1a;社区论坛圈子软…

线程有规律循环打印输出,线程拷贝图片运用

1&#xff1a;线程打印循环&#xff08;保证循环顺序输出&#xff09; 使用互斥锁和条件变量实现&#xff1a; #include <stdio.h>#include <pthread.h>#include <unistd.h>#include <stdlib.h>#include <string.h>#include <semaphore.h>…

【SAP-ABAP】-权限批导-批量给某个角色导入事务码权限

需求&#xff1a;SAP期初上线的时候&#xff0c;业务顾问经常会遇到批量创建角色和分配角色权限的情况 岗位需求&#xff1a;一般是业务顾问定义权限&#xff0c;BASIS进行后期运维&#xff0c;今天讲两个批导功能&#xff0c;方便期初上线 主要函数&#xff1a;PRGN_READ_ROLE…

群体优化算法----多乌鸦搜寻算法介绍,找多目标函数组解,Pareto前沿

介绍 乌鸦搜寻算法&#xff08;Crow Search Algorithm&#xff0c;CSA&#xff09;是一种新型的群体智能优化算法&#xff0c;其灵感来源于乌鸦的行为特性&#xff0c;尤其是乌鸦在食物搜寻和藏匿过程中的智能行为。乌鸦是一种高度聪明的鸟类&#xff0c;它们展示出复杂的社会…

html实现粘贴excel数据,在页面表格中复制

录入数据时&#xff0c;有时候需要把excel中的数据一条条粘贴到页面中&#xff0c;当数据量过多时&#xff0c;这种操作很令人崩溃。本篇文章实现了从excel复制好多行数据后,可在页面粘贴的功能 具体实现代码 <!DOCTYPE html> <html lang"en"> <head…

自适应巡航控制技术规范(简化版)

自适应巡航控制技术规范(简化版) 1 系统概述2 功能需求3 性能需求4 功能激活条件5 功能抑制条件6 系统局限性1 系统概述 ACC 自适应巡航系统可自动控制纵向跟车距离,减轻驾驶员的工作量,即驾驶员无需频繁的踩制动和油门便可完成部分的驾驶任务,但责任主体仍然是驾驶员,驾…

OrangePi AIpro测评:性能、应用与开发者体验解析

一、OrangePi AIpro介绍 OrangePi AIpro(8T)采用昇腾AI技术路线&#xff0c;具体为4核64位处理器AI处理器&#xff0c;集成图形处理器&#xff0c;支持8TOPS AI算力&#xff0c;拥有8GB/16GB LPDDR4X&#xff0c;可以外接32GB/64GB/128GB/256GB eMMC模块&#xff0c;支持双4K高…

SPI转四串口芯片CH9434的设计

一、CH9434的介绍 CH9434 是一款SPI转四串口转接芯片&#xff0c;提供四组全双工的9线异步串口&#xff0c;用于单片机/嵌入式系统扩展异步串口。CH9434包含四个兼容16C550的异步串口&#xff0c;最高支持4Mbps波特率通讯。最多支持25 路GPIO&#xff0c;提供半双工收发自动切换…

Rust基础学习-ModulesPackage

在Rust中&#xff0c;模块有助于将程序分割成逻辑单元&#xff0c;以提高可读性和组织性。一旦程序变得更大&#xff0c;将其拆分为多个文件或命名空间非常重要。 模块有助于构建我们的程序。模块是项目的集合&#xff1a;包括函数、结构体甚至其他模块。 Module 定义模块 在…

嵌入式硬件VS软件,到底哪个更难?

在嵌入式系统开发中&#xff0c;硬件和软件是密不可分的两个方面。但是&#xff0c;究竟是硬件开发更具挑战性&#xff0c;还是软件开发更难以应对呢&#xff1f;本文将就这一问题展开讨论&#xff0c;探究嵌入式硬件和软件在开发过程中的各种挑战与特点。 一、硬件开发&#…

12.实战私有数据微调ChatGLM3

实战私有数据微调ChatGLM3 实战私有数据微调ChatGLM3实战构造私有的微调数据集基于 ChatGPT 设计生成训练数据的 Prompt使用 LangChain GPT-3.5-Turbo 生成训练数据样例训练数据解析、数据增强和持久化存储自动化批量生成训练数据集流水线提示工程&#xff08;Prompt Engineer…

HTTPS请求阶段图解分析

HTTPS请求阶段分析 请求阶段分析 请求阶段分析 一个完整、无任何缓存、未复用连接的 HTTPS 请求需要经过以下几个阶段&#xff1a; DNS 域名解析、TCP 握手、SSL 握手、服务器处理、内容传输。 一个 HTTPS 请求共需要 5 个 RTT 1 RTT&#xff08;域名解析&#xff09; 1 RTT…

element table 点击某一行中按钮加载

在Element UI中&#xff0c;实现表格&#xff08;element-table&#xff09;中的这种功能通常涉及到数据处理和状态管理。当你点击某一行的按钮时&#xff0c;其他行的按钮需要动态地切换为加载状态&#xff0c;这可以通过以下步骤实现&#xff1a; 1.表格组件&#xff1a;使用…

NodeClub:NodeJS构造开源交流社区

NodeClub&#xff1a; 连接每一个想法&#xff0c;NodeClub让社区更生动- 精选真开源&#xff0c;释放新价值。 概览 NodeClub是一个基于Node.js和MongoDB构建的社区系统&#xff0c;专为开发者和社区爱好者设计。它提供了一套完整的社区功能&#xff0c;包括用户管理、内容发…

基于 Nginx Ingress + 云效 AppStack 实现灰度发布

作者&#xff1a;子丑 场景简介 灰度发布是降低生产部署风险&#xff0c;提升线上服务稳定性的重要手段&#xff0c;这在当前快速迭代的软件研发中尤为重要。相对于 K8s 默认的滚动部署或者简单的 Pod 分批&#xff0c;基于流量特征的灰度发布验证更精准&#xff0c;风险更低…

安鸾学院靶场——安全基础

文章目录 1、Burp抓包2、指纹识别3、压缩包解密4、Nginx整数溢出漏洞5、PHP代码基础6、linux基础命令7、Mysql数据库基础8、目录扫描9、端口扫描10、docker容器基础11、文件类型 1、Burp抓包 抓取http://47.100.220.113:8007/的返回包&#xff0c;可以拿到包含flag的txt文件。…

buuctf----warmup_csaw_2016

进来医院先来一套常规检查 啥保护都没,看大佬说基本栈溢出 CT一看 OK cat flag 更喜欢了 40060D 找到地址 get也来了,稳啦! 0x80-0x40 8 根据上道题的exp from pwn import * ghust remote("node5.buuoj.cn",27229) addr 0x40060D payload bA * 0x40 bB*8…