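Get the installer executable
- Download the KubeKey executable from the Releases page.
  It can be used directly after downloading and extracting.
- Build the binary from source:
  git clone https://github.com/kubesphere/kubekey.git
  cd kubekey
  ./build.sh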
Check certificate expiration
./kk certs check-expiration [(-f | --file) path]
-f specifies the configuration file that was generated when the cluster was created. It is not required for a single-node cluster.
./kk certs check-expiration
INFO[08:06:54 CST] Listing cluster certs ...
CERTIFICATE                   EXPIRES                 RESIDUAL TIME  CERTIFICATE AUTHORITY  NODE
apiserver.crt                 Nov 07, 2021 02:56 UTC  <invalid>      ca                     k8s-master1
apiserver-kubelet-client.crt  Nov 07, 2021 02:56 UTC  <invalid>      ca                     k8s-master1
front-proxy-client.crt        Nov 07, 2021 02:56 UTC  <invalid>      front-proxy-ca         k8s-master1
admin.conf                    Nov 07, 2021 02:57 UTC  <invalid>                             k8s-master1
controller-manager.conf       Nov 07, 2021 02:57 UTC  <invalid>                             k8s-master1
scheduler.conf                Nov 07, 2021 02:57 UTC  <invalid>                             k8s-master1
CERTIFICATE AUTHORITY         EXPIRES                 RESIDUAL TIME  NODE
ca.crt                        Nov 05, 2030 02:56 UTC  8y             k8s-master1
front-proxy-ca.crt            Nov 05, 2030 02:56 UTC  8y             k8s-master1
INFO[08:06:54 CST] Successful.
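An added example (not part of KubeKey or of the original page): a shell function that reads the report above on stdin and lists every certificate whose RESIDUAL TIME is <invalid> or shorter than a threshold in days, so expiry can be alerted on before it happens. The function names, the sample report (built from the format shown on this page, with one invented row) and the handling of h/m/s suffixes are assumptions.

```shell
#!/bin/sh
# Added example, not part of KubeKey. Usage on a real cluster:
#   ./kk certs check-expiration | expiring_certs 30

# expiring_certs DAYS: read the report on stdin and print "name node residual"
# for every row whose RESIDUAL TIME is <invalid> or shorter than DAYS.
expiring_certs() {
    awk -v limit="$1" '
        $6 != "UTC" { next }      # only data rows have UTC as field 6
        {
            r = $7                # RESIDUAL TIME column
            days = -1             # <invalid> or unknown text: always flag
            if (r ~ /^[0-9]+y$/)          days = (r + 0) * 365
            else if (r ~ /^[0-9]+d$/)     days = r + 0
            else if (r ~ /^[0-9]+[hms]$/) days = 0   # assumed sub-day suffixes
            if (days < limit) print $1, $NF, r       # $NF is the NODE column
        }'
}

# Constructed sample in the format shown on this page (admin.conf row invented).
sample_report() {
    cat <<'EOF'
INFO[08:06:54 CST] Listing cluster certs ...
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY NODE
apiserver.crt Nov 07, 2021 02:56 UTC <invalid> ca k8s-master1
front-proxy-client.crt Nov 19, 2022 00:07 UTC 364d front-proxy-ca k8s-master1
admin.conf Dec 01, 2021 02:57 UTC 12d k8s-master1
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME NODE
ca.crt Nov 05, 2030 02:56 UTC 8y k8s-master1
INFO[08:06:54 CST] Successful.
EOF
}

# Demo on the constructed sample: flag anything with under 30 days left.
sample_report | expiring_certs 30
```

Rows with an unrecognised residual value are flagged rather than skipped, so a change in the report format shows up as an alert instead of silence.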
Renew the K8S certificates
./kk certs renew [(-f | --file) path]
-f specifies the configuration file that was generated when the cluster was created. It is not required for a single-node cluster.
./kk certs renew
INFO[08:07:23 CST] Renewing cluster certs ...
[k8s-master1 10.213.118.10] MSG:
v1.18.6
INFO[08:07:28 CST] Syncing cluster kubeConfig ...
INFO[08:07:28 CST] Listing cluster certs ...
CERTIFICATE                   EXPIRES                 RESIDUAL TIME  CERTIFICATE AUTHORITY  NODE
apiserver.crt                 Nov 19, 2022 00:07 UTC  364d           ca                     k8s-master1
apiserver-kubelet-client.crt  Nov 19, 2022 00:07 UTC  364d           ca                     k8s-master1
front-proxy-client.crt        Nov 19, 2022 00:07 UTC  364d           front-proxy-ca         k8s-master1
admin.conf                    Nov 19, 2022 00:07 UTC  364d                                  k8s-master1
controller-manager.conf       Nov 19, 2022 00:07 UTC  364d                                  k8s-master1
scheduler.conf                Nov 19, 2022 00:07 UTC  364d                                  k8s-master1
CERTIFICATE AUTHORITY         EXPIRES                 RESIDUAL TIME  NODE
ca.crt                        Nov 05, 2030 02:56 UTC  8y             k8s-master1
front-proxy-ca.crt            Nov 05, 2030 02:56 UTC  8y             k8s-master1
INFO[08:07:28 CST] Successful.
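Renewing certificates on Kubernetes v1.15 and later
Renew all certificates under the /etc/kubernetes/pki directory (the CA certificates are not included).
Note: this must be done on every node.
# Check when the existing certificates expire
$ kubeadm alpha certs check-expiration
# Renew the certificates using the kubeadm binary
$ kubeadm alpha certs renew all
# Schedule a monthly renewal with cron (00:00 on the 1st day of each month)
crontab -e
0 0 1 * * /usr/bin/kubeadm alpha certs renew all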