Today, when I checked the pods in the k8s environment from my local machine, kubectl reported that it could not connect to the k8s API server:

```console
baily@baily ~ kubectl -n david-test get pod -o wide
Unable to connect to the server: x509: certificate has expired or is not yet valid
```
Official Kubernetes documentation on resolving expired certificates:

Following that document: the certificates on the k8s master node had expired. Log in to the master server, go to /etc/kubernetes/ and inspect:

```console
root@lucy-dev2:~/go/src/lucy/david/build# cd /etc/kubernetes
root@lucy-dev2:/etc/kubernetes# ls
admin.conf  controller-manager.conf  kubelet.conf  manifests  pki  scheduler.conf  ssl
root@lucy-dev2:/etc/kubernetes# cd pki
root@lucy-dev2:/etc/kubernetes/pki# ls
apiserver.crt  apiserver-etcd-client.key  apiserver-kubelet-client.crt  ca.crt  etcd  front-proxy-ca.key  front-proxy-client.key  sa.pub
root@lucy-dev2:/etc/kubernetes/pki# openssl x509 -in apiserver.crt -noout -text |grep ' Not '   # check whether the certificate has expired
            Not Before: Apr 14 15:06:14 2020 GMT
            Not After : Apr 14 15:06:14 2021 GMT
root@lucy-dev2:/etc/kubernetes/pki# kubeadm alpha certs check-expiration   # check whether the cluster certificates have expired
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
W0416 12:01:16.329068   29740 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 14, 2021 15:06 UTC                                           no
apiserver                  Apr 14, 2021 15:06 UTC                   ca                      no
apiserver-etcd-client      Apr 14, 2021 15:06 UTC                   etcd-ca                 no
apiserver-kubelet-client   Apr 14, 2021 15:06 UTC                   ca                      no
controller-manager.conf    Apr 14, 2021 15:06 UTC                                           no
etcd-healthcheck-client    Apr 14, 2021 15:06 UTC                   etcd-ca                 no
etcd-peer                  Apr 14, 2021 15:06 UTC                   etcd-ca                 no
etcd-server                Apr 14, 2021 15:06 UTC                   etcd-ca                 no
front-proxy-client         Apr 14, 2021 15:06 UTC                   front-proxy-ca          no
scheduler.conf             Apr 14, 2021 15:06 UTC                                           no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 12, 2030 15:06 UTC   8y              no
etcd-ca                 Apr 12, 2030 15:06 UTC   8y              no
front-proxy-ca          Apr 12, 2030 15:06 UTC   8y              no
```
The check shows that every k8s master component certificate has expired: kubeadm issues them with a one-year validity, while the CA certificates themselves are still valid until 2030. To resolve the problem:

1. Back up every file under the /etc/kubernetes/pki directory.

2. Renew all certificates manually by running:

```shell
kubeadm alpha certs renew all
```

3. Check that the certificate validity period has been updated:

```console
root@lucy-dev2:/etc/kubernetes/pki# openssl x509 -in apiserver.crt -noout -text |grep ' Not '
            Not Before: Apr 14 15:06:14 2020 GMT
            Not After : Apr 16 04:07:36 2022 GMT
```
4. On the master node, back up all the configuration files under the /etc/kubernetes directory.

5. Regenerate the user kubeconfigs by running the following commands:

```shell
kubeadm alpha kubeconfig user --client-name=admin
kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin > /etc/kubernetes/admin.conf
kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf
kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > /etc/kubernetes/kubelet.conf
kubeadm alpha kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf
```

6. Replace /root/.kube/config with the updated admin.conf:

```shell
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
```
After the update, copy the .kube folder from the master node's home directory to /home/<user> on your local machine, and you can operate k8s directly again.

7. Restart the apiserver and scheduler system components on every master node:

```shell
systemctl restart kube-apiserver
systemctl restart kube-scheduler
```

8. Run kubectl from the local machine:

```console
baily@baily ~ kubectl -n david-test get po -o wide
NAME                                                 READY   STATUS    RESTARTS   AGE     IP             NODE      NOMINATED NODE   READINESS GATES
david-test-api-canon-7d889b96b5-jn88z                1/1     Running   0          2d22h   10.244.2.189   worker1
david-test-api-regulatory-7bfb546894-cfnxf           1/1     Running   0          15d     10.244.2.156   worker1
david-test-api-threepartyplatform-7ccb58dcf8-hc9mw   1/1     Running   0          15d     10.244.2.158   worker1
david-test-db-asset-96489d7c5-n6v5q                  1/1     Running   0          14d     10.244.2.183   worker1
david-test-db-event-8688566f-mw9hd                   1/1     Running   0          15d     10.244.0.253   master1
david-test-db-user-77d6bddd98-h8ckt                  1/1     Running   0          15d     10.244.0.252   master1
```
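The outage above happened because nobody noticed a one-year certificate running out. The script below is an added example, not part of the original post or of kubeadm: it walks the kubeadm layout described above (pki/*.crt, pki/etcd/*.crt, and the client certificates embedded as base64 PEM in admin.conf, controller-manager.conf, kubelet.conf and scheduler.conf), prints OK, EXPIRING or EXPIRED for each, and exits non-zero if anything is within the warning window, so it can run from cron or a monitoring job well before the expiry date. It assumes openssl and base64 are on PATH; the directory layout and the 30-day default are assumptions. Two caveats worth keeping in mind when applying the renewal steps: on kubeadm 1.20 and later the subcommands are `kubeadm certs renew all` and `kubeadm certs check-expiration` (the `alpha` prefix was dropped), and on a kubeadm cluster the API server, controller manager, scheduler and etcd run as static pods from /etc/kubernetes/manifests, so the kubeadm documentation says to restart those pods after a renewal for the new certificates to be picked up.

```shell
#!/bin/sh
# Added example (not from the original post): inventory every certificate a
# kubeadm control plane depends on and flag the ones that are close to expiry.
# Assumed layout: <dir>/pki/*.crt, <dir>/pki/etcd/*.crt and kubeconfigs
# <dir>/*.conf that carry "client-certificate-data: <base64 PEM>".

command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 1; }

# cert_status <pem-file> <warn-days>
# Prints EXPIRED if notAfter is in the past, EXPIRING if it falls within
# warn-days, otherwise OK. Uses openssl's own clock comparison (-checkend),
# so no date parsing is needed and it works on GNU and BSD userlands.
cert_status() {
  pem=$1; warn_days=$2
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo EXPIRED
  elif ! openssl x509 -in "$pem" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
    echo EXPIRING
  else
    echo OK
  fi
}

# not_after <pem-file>: prints the notAfter timestamp as openssl reports it
not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# kubeconfig_cert_status <kubeconfig> <warn-days>
# Decodes the first embedded client certificate and reports its status.
# Prints NOCERT if the file carries no client-certificate-data.
kubeconfig_cert_status() {
  tmp=$(mktemp)
  awk '/client-certificate-data:/ {print $2; exit}' "$1" | base64 -d > "$tmp" 2>/dev/null
  if [ ! -s "$tmp" ]; then
    rm -f "$tmp"
    echo NOCERT
    return 0
  fi
  cert_status "$tmp" "$2"
  rm -f "$tmp"
}

# check_kubeadm_certs <dir> [warn-days]
# Prints one line per certificate; returns 1 if any is EXPIRED or EXPIRING.
check_kubeadm_certs() {
  dir=$1; warn_days=${2:-30}; rc=0
  for pem in "$dir"/pki/*.crt "$dir"/pki/etcd/*.crt; do
    [ -f "$pem" ] || continue
    status=$(cert_status "$pem" "$warn_days")
    printf '%-10s %-45s %s\n' "$status" "${pem#"$dir"/}" "$(not_after "$pem")"
    [ "$status" = OK ] || rc=1
  done
  for conf in "$dir"/*.conf; do
    [ -f "$conf" ] || continue
    status=$(kubeconfig_cert_status "$conf" "$warn_days")
    [ "$status" = NOCERT ] && continue
    printf '%-10s %-45s (embedded client certificate)\n' "$status" "${conf#"$dir"/}"
    [ "$status" = OK ] || rc=1
  done
  return $rc
}

# Usage: sh check-certs.sh /etc/kubernetes 30
if [ -n "${1:-}" ]; then
  check_kubeadm_certs "$1" "${2:-30}"
fi
```

Run it on the master as `sh check-certs.sh /etc/kubernetes 30`; a non-zero exit status is the signal to schedule a renewal. Checking the kubeconfigs matters as much as checking pki/: the run of `kubeadm alpha certs check-expiration` above lists admin.conf, controller-manager.conf and scheduler.conf as expired too, and a fresh apiserver.crt alone would not have restored access for kubectl.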
Done.

Reposted from: http://fnqxi.baihongyu.com/