【K8s】Kubernetes 集群证书过期处理方法

Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-09-22T15:05:09+08:00 is after 2023-09-20T04:04:02Z

cd /etc/kubernetes && mv pki pki-old

# kubeadm 20 之前的版本使用本命令
kubeadm alpha certs check-expiration
 
# kubeadm 20 之后的版本使用本命令
kubeadm certs check-expiration
 
🔔 输出示例如下：
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
 
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 02, 2025 07:24 UTC   358d            ca                      no      
apiserver                  Aug 02, 2025 07:24 UTC   358d            ca                      no      
apiserver-etcd-client      Aug 02, 2025 07:24 UTC   358d            etcd-ca                 no      
apiserver-kubelet-client   Aug 02, 2025 07:24 UTC   358d            ca                      no      
controller-manager.conf    Aug 02, 2025 07:24 UTC   358d            ca                      no      
etcd-healthcheck-client    Aug 02, 2025 07:24 UTC   358d            etcd-ca                 no      
etcd-peer                  Aug 02, 2025 07:24 UTC   358d            etcd-ca                 no      
etcd-server                Aug 02, 2025 07:24 UTC   358d            etcd-ca                 no      
front-proxy-client         Aug 02, 2025 07:24 UTC   358d            front-proxy-ca          no      
scheduler.conf             Aug 02, 2025 07:24 UTC   358d            ca                      no      
super-admin.conf           Aug 02, 2025 07:24 UTC   358d            ca                      no      
 
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 31, 2034 07:24 UTC   9y              no      
etcd-ca                 Jul 31, 2034 07:24 UTC   9y              no      
front-proxy-ca          Jul 31, 2034 07:24 UTC   9y              no

# kubeadm 20 之前的版本使用本命令
kubeadm alpha certs renew all
 
# kubeadm 20 之后的版本使用本命令
kubeadm certs renew all
 
🔔 有效期将被重置为 365 天
🔔 输出示例如下：
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
 
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
certificate embedded in the kubeconfig file for the super-admin renewed
 
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

cd ～/.kube && mv config config-bak
yes | cp /etc/kubernetes/admin.conf config
 
🔔 若不更新 Kubeconfig，执行 kubectl 命令会出现报错：error: You must be logged in to the server (Unauthorized)

# 重启 kubelet 服务
systemctl restart kubelet
 
# 重启 kube-apiserver、kube-controller-manage、kube-scheduler 容器
docker ps | grep kube-apiserver | grep -v pause | awk '{print $1}' | xargs -i docker restart {}
docker ps | grep kube-controller-manage | grep -v pause | awk '{print $1}' | xargs -i docker restart {}
docker ps | grep kube-scheduler | grep -v pause | awk '{print $1}' | xargs -i docker restart {}
 
🔔 使用 kubeadm 安装的集群，Master 节点的核心组件都是以静态 Pod 的方式运行的，因此重启服务可以采用重启对应容器的方式