A Complete Guide to Renewing Expired Kubernetes Certificates
Discovering the problem: kubectl cannot connect
Running any kubectl command fails with a certificate error:
# kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.4", GitCommit:"d360454c9bcd1634cf4cc52d1867af5491dc9c5f", GitTreeState:"clean", BuildDate:"2020-11-11T13:17:17Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"}
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2022-08-10T20:36:58+08:00 is after 2022-03-23T13:56:31Z
The error message is unambiguous: the client's clock (2022-08-10, UTC+8) is past the notAfter date of the API server certificate (2022-03-23 13:56 UTC), so the TLS handshake is rejected before any authentication happens.
Checking certificate status
Use kubeadm to list the expiry status of every certificate it manages (on kubeadm v1.19 the subcommand still lives under kubeadm alpha; from v1.20 it is kubeadm certs check-expiration):
# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 23, 2022 13:56 UTC   <invalid>                               no
apiserver                  Mar 23, 2022 13:56 UTC   <invalid>       ca                      no
apiserver-etcd-client      Mar 23, 2022 13:56 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Mar 23, 2022 13:56 UTC   <invalid>       ca                      no
controller-manager.conf    Mar 23, 2022 13:56 UTC   <invalid>                               no
etcd-healthcheck-client    Mar 23, 2022 13:56 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Mar 23, 2022 13:56 UTC   <invalid>       etcd-ca                 no
etcd-server                Mar 23, 2022 13:56 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Mar 23, 2022 13:56 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Mar 23, 2022 13:56 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 21, 2031 13:56 UTC   8y              no
etcd-ca                 Mar 21, 2031 13:56 UTC   8y              no
front-proxy-ca          Mar 21, 2031 13:56 UTC   8y              no
Every leaf certificate has expired, but the three CA certificates are still valid with more than 8 years remaining (kubeadm issues CAs for 10 years and leaf certificates for 1 year). Because the trust roots are intact, the expired certificates can simply be re-issued from the existing CAs; nothing that trusts the CA (kubeconfigs, kubelets, service-account token verification) has to change. Note that kubelet.conf and the kubelet's own certificates do not appear in this list: kubeadm leaves them to the kubelet's automatic rotation, which is why they need separate handling later.
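The check above is worth running before certificates expire rather than after. The script below is an added example and not part of the original page: it reports the days left on every certificate under /etc/kubernetes/pki (including the etcd subdirectory), on the kubelet's current client bundle, and on the client certificates embedded in the admin, controller-manager and scheduler kubeconfigs, and it exits non-zero when any of them is inside a warning window, so it can be wired into cron. It assumes openssl and GNU date are installed; the paths are kubeadm defaults and the 30-day window is an assumption, both overridable through environment variables. It does not call kubeadm, so it also covers the kubelet certificate that check-expiration omits.

```shell
#!/bin/sh
# Added example (not from the original page): report how many days each
# certificate of a kubeadm node has left and exit non-zero if any is inside
# the warning window. Intended for a daily cron job. Assumes openssl and GNU
# date; the paths below are kubeadm defaults, WARN_DAYS is an assumption.
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
KUBECONFIG_DIR="${KUBECONFIG_DIR:-/etc/kubernetes}"
KUBELET_PKI="${KUBELET_PKI:-/var/lib/kubelet/pki}"
WARN_DAYS="${WARN_DAYS:-30}"

# days_left FILE: whole days until the first certificate in FILE expires
# (negative once expired). Works for .crt files and for the kubelet's
# cert+key .pem bundles, because openssl x509 reads only the first certificate.
days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$end" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# kubeconfig_days_left FILE: same, for the client certificate that a kubeadm
# kubeconfig embeds inline as client-certificate-data.
kubeconfig_days_left() {
    tmp=$(mktemp)
    grep -m1 'client-certificate-data:' "$1" | awk '{print $2}' | base64 -d > "$tmp"
    days_left "$tmp"
    rm -f "$tmp"
}

# report FILE DAYS: print one status line; return 1 if DAYS is below WARN_DAYS
report() {
    status=ok
    [ "$2" -lt "$WARN_DAYS" ] && status=WARN
    [ "$2" -lt 0 ] && status=EXPIRED
    printf '%-60s %6s days  %s\n' "$1" "$2" "$status"
    [ "$status" = ok ]
}

# scan: walk every certificate the node depends on; return 1 if any is in the window
scan() {
    rc=0
    for f in "$PKI_DIR"/*.crt "$PKI_DIR"/etcd/*.crt "$KUBELET_PKI"/kubelet-client-current.pem; do
        [ -f "$f" ] || continue
        report "$f" "$(days_left "$f")" || rc=1
    done
    for f in "$KUBECONFIG_DIR"/admin.conf "$KUBECONFIG_DIR"/controller-manager.conf \
             "$KUBECONFIG_DIR"/scheduler.conf; do
        [ -f "$f" ] || continue
        report "$f" "$(kubeconfig_days_left "$f")" || rc=1
    done
    return $rc
}

# Run the scan only when invoked as "sh cert-expiry.sh run", so the functions
# can also be sourced from other scripts.
if [ "${1:-}" = "run" ]; then
    scan
fi
```

Run it as root (the kubeconfigs and key bundles are not world-readable) and alert on a non-zero exit; the CA certificates are listed too, so the script will also warn ahead of the 2031 CA expiry, which kubeadm renew cannot fix.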
Renewing all certificates
Renew every kubeadm-managed certificate in one batch (the files under /etc/kubernetes/pki and the kubeconfigs in /etc/kubernetes are overwritten in place, signed by the same CAs):
# kubeadm alpha certs renew all
Check the status again:
# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 10, 2023 12:39 UTC   364d                                    no
apiserver                  Aug 10, 2023 12:39 UTC   364d            ca                      no
apiserver-etcd-client      Aug 10, 2023 12:39 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Aug 10, 2023 12:39 UTC   364d            ca                      no
controller-manager.conf    Aug 10, 2023 12:39 UTC   364d                                    no
etcd-healthcheck-client    Aug 10, 2023 12:39 UTC   364d            etcd-ca                 no
etcd-peer                  Aug 10, 2023 12:39 UTC   364d            etcd-ca                 no
etcd-server                Aug 10, 2023 12:39 UTC   364d            etcd-ca                 no
front-proxy-client         Aug 10, 2023 12:39 UTC   364d            front-proxy-ca          no
scheduler.conf             Aug 10, 2023 12:39 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 21, 2031 13:56 UTC   8y              no
etcd-ca                 Mar 21, 2031 13:56 UTC   8y              no
front-proxy-ca          Mar 21, 2031 13:56 UTC   8y              no
All certificates have been renewed for kubeadm's default validity of one year. Only the files on disk have changed so far: the running control-plane processes still hold the old certificates in memory, so they have to be restarted next.
Restarting the control-plane components
kube-apiserver, kube-scheduler and kube-controller-manager run as static Pods, and not all of them reload certificate files dynamically, so their containers must be restarted to pick up the renewed files. etcd's serving, peer and client certificates were renewed as well, so restart its container the same way if it runs as a static Pod on this node:
# find the container IDs
docker ps | grep apiserver
docker ps | grep scheduler
docker ps | grep controller-manager
# restart each one
docker restart <container-id>
Run docker restart with each container ID from the output. Because static Pods are managed by the local kubelet rather than the API server, kubectl cannot restart them; an alternative that does not depend on the Docker runtime is to move a Pod's manifest out of /etc/kubernetes/manifests, wait about 20 seconds for the kubelet to stop it, and move the manifest back.
Updating the kubectl configuration
admin.conf was re-issued as well, and the copy in ~/.kube/config still embeds the expired client certificate, so copy the new file over it:
cp /etc/kubernetes/admin.conf ~/.kube/config
Updating the kubelet certificate
kubeadm's renew command deliberately skips the kubelet: a kubeadm-configured kubelet rotates its own client certificate, but rotation needs a reachable API server and a still-valid client certificate to authenticate the rotation request, and here both had expired. The certificate is therefore re-issued by hand from the cluster CA. Change into the kubelet's certificate directory:
cd /var/lib/kubelet/pki/
Inspect the current certificate. kubelet.crt is the kubelet's self-signed serving certificate; the identity it presents to the API server is the kubelet-client-<date>.pem bundle that the kubelet-client-current.pem symlink points to, and kubelet.conf references that symlink:
openssl x509 -in kubelet.crt -text -noout
Generate a new key, a signing request and a CA-signed certificate. The original text jumped straight from key generation to signing, but the CSR has to be created first, and its subject matters: the Node authorizer and the system:nodes RBAC binding only accept a kubelet whose certificate has O=system:nodes and CN=system:node:<node name>, where the node name is the one shown by kubectl get nodes (kubeadm's default is the lowercase hostname, which $(hostname) assumes below):
# generate a new private key
openssl genrsa -out kubelet.key 2048
# create a CSR carrying the node identity the API server expects
openssl req -new -key kubelet.key -out kubelet.csr -subj "/O=system:nodes/CN=system:node:$(hostname)"
# sign it with the cluster CA (3600 days is the page's choice; kubeadm's own default is 365)
openssl x509 -req -in kubelet.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out kubelet.crt -days 3600
Concatenate certificate and key into the PEM bundle the kubelet reads (certificate first, then key). The existing dated file name is kept so that the kubelet-client-current.pem symlink keeps pointing at it; the bundle contains a private key, so make it readable by root only:
cat kubelet.crt > kubelet-client-2021-03-23-21-56-34.pem
cat kubelet.key >> kubelet-client-2021-03-23-21-56-34.pem
chmod 600 kubelet-client-2021-03-23-21-56-34.pem
Get the Base64 encoding of the CA certificate (-w0 keeps it on a single line, which is what the kubeconfig field expects):
base64 -w0 /etc/kubernetes/pki/ca.crt
Compare the result with the certificate-authority-data field in /etc/kubernetes/kubelet.conf. Because the CA itself was not renewed (it is valid until 2031), the value should already be identical and normally needs no change; replace it only if the CA was regenerated. If kubelet.conf embeds the client credential inline as client-certificate-data and client-key-data instead of referencing /var/lib/kubelet/pki/kubelet-client-current.pem, those two fields must be replaced with the new certificate and key as well, or the old expired identity will still be used.
Finally restart the kubelet and confirm it is running; once it reconnects, kubectl get nodes should report the node as Ready. Repeat this kubelet procedure on every other node whose kubelet certificate has expired (the control-plane steps above apply only to control-plane nodes):
systemctl restart kubelet
systemctl status kubelet
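The manual kubelet steps above are easy to get subtly wrong (a missing O=system:nodes, a world-readable key, a symlink left pointing at the old bundle). The script below is an added example, not the page's own commands: it issues a kubelet client certificate from the cluster CA with the identity the Node authorizer expects and a client-only extended key usage, verifies the result against the CA before anything uses it, and installs it under the dated-file-plus-symlink layout that kubelet.conf references. It assumes openssl is installed; CA_DIR and KUBELET_PKI default to kubeadm's paths, NODE_NAME must equal the name shown by kubectl get nodes (kubeadm's default is the lowercase hostname, taken here from uname -n), and DAYS defaults to kubeadm's one-year validity rather than the 3600 days used above. It does not restart the kubelet.

```shell
#!/bin/sh
# Added example (not the page's own commands): issue, verify and install a
# kubelet client certificate signed by the cluster CA. Assumes openssl.
# CA_DIR and KUBELET_PKI are kubeadm defaults; NODE_NAME must match the node
# name registered in the cluster (kubeadm's default is the lowercase hostname).
CA_DIR="${CA_DIR:-/etc/kubernetes/pki}"
KUBELET_PKI="${KUBELET_PKI:-/var/lib/kubelet/pki}"
NODE_NAME="${NODE_NAME:-$(uname -n | tr 'A-Z' 'a-z')}"
DAYS="${DAYS:-365}"   # kubeadm's default validity; the page used 3600

# issue_kubelet_client_cert OUT: write a certificate+key PEM bundle to OUT
issue_kubelet_client_cert() {
    work=$(mktemp -d)
    openssl genrsa -out "$work/key.pem" 2048 2>/dev/null
    # O=system:nodes and CN=system:node:<name> are what the Node authorizer
    # and the system:nodes RBAC binding key on.
    openssl req -new -key "$work/key.pem" -out "$work/req.csr" \
        -subj "/O=system:nodes/CN=system:node:$NODE_NAME"
    # Limit the certificate to client authentication so it cannot double as a serving cert.
    printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > "$work/ext.cnf"
    openssl x509 -req -in "$work/req.csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
        -CAcreateserial -days "$DAYS" -extfile "$work/ext.cnf" -out "$work/cert.pem" 2>/dev/null
    # The kubelet reads certificate first, then key; the bundle holds a private key, so root-only.
    (umask 077; cat "$work/cert.pem" "$work/key.pem" > "$1")
    rm -rf "$work"
}

# verify_kubelet_client_cert PEM: the chain validates against the CA for client
# use, the subject carries this node's identity, and the EKU is client auth.
verify_kubelet_client_cert() {
    openssl x509 -in "$1" | openssl verify -CAfile "$CA_DIR/ca.crt" -purpose sslclient >/dev/null 2>&1 || return 1
    subj=$(openssl x509 -in "$1" -noout -subject)
    case "$subj" in
        *system:nodes*"system:node:$NODE_NAME"*) ;;
        *) return 1 ;;
    esac
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# install_kubelet_client_cert: write kubelet-client-<timestamp>.pem, repoint
# kubelet-client-current.pem at it, and print the new path. A bundle that
# fails verification is removed rather than installed.
install_kubelet_client_cert() {
    stamp=$(date -u +%Y-%m-%d-%H-%M-%S)
    target="$KUBELET_PKI/kubelet-client-$stamp.pem"
    issue_kubelet_client_cert "$target"
    verify_kubelet_client_cert "$target" || { rm -f "$target"; return 1; }
    ln -sfn "kubelet-client-$stamp.pem" "$KUBELET_PKI/kubelet-client-current.pem"
    echo "$target"
}

# Run as "sh kubelet-cert.sh install" on the node; then restart the kubelet.
if [ "${1:-}" = "install" ]; then
    install_kubelet_client_cert && echo "now run: systemctl restart kubelet"
fi
```

The verification step is the part worth keeping even if the rest is done by hand: openssl verify with -purpose sslclient rejects a certificate the API server would not accept as a client certificate, and the subject check catches the case where the node name and the hostname differ, which otherwise surfaces only as a Forbidden error in the kubelet log after the restart.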
