k8s之kubelet证书时间过期升级

1.查看当前证书时间

# kubeadm alpha certs renew kubelet
Kubeadm experimental sub-commands

kubeadm是一个用于引导Kubernetes集群的工具,它提供了许多命令和子命令来管理集群的一生周期。过去,某些功能被标记为实验性的,并通过kubeadm alpha子命令进行访问。然而,从Kubernetes 1.15版本开始,kubeadm将这些功能从alpha子命令迁移到了稳定的命令中。

在新版本中,使用kubeadm certs renew kubelet即可

 检查

# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 26, 2025 08:52 UTC   286d            ca                      no      
apiserver                  Mar 26, 2025 08:52 UTC   286d            ca                      no      
apiserver-etcd-client      Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
apiserver-kubelet-client   Mar 26, 2025 08:52 UTC   286d            ca                      no      
controller-manager.conf    Mar 26, 2025 08:52 UTC   286d            ca                      no      
etcd-healthcheck-client    Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
etcd-peer                  Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
etcd-server                Mar 26, 2025 08:52 UTC   286d            etcd-ca                 no      
front-proxy-client         Mar 26, 2025 08:52 UTC   286d            front-proxy-ca          no      
scheduler.conf             Mar 26, 2025 08:52 UTC   286d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 24, 2034 08:52 UTC   9y              no      
etcd-ca                 Mar 24, 2034 08:52 UTC   9y              no      
front-proxy-ca          Mar 24, 2034 08:52 UTC   9y              no 

kubelet证书时间只有1年有效期。 

# openssl x509 -in kubelet.crt -noout -text | grep "Not"
            Not Before: Mar 26 07:52:16 2024 GMT
            Not After : Mar 26 07:52:16 2025 GMT

备份原证书

# mkdir backup_certs
# cd backup_certs/

# cp /usr/bin/kube* .
# ll
total 211260
-rwxr-x--- 1 root root  45210392 Jun 13 15:15 kubeadm
-rwxr-x--- 1 root root  46592216 Jun 13 15:15 kubectl
-rwxr-x--- 1 root root 124521288 Jun 13 15:15 kubelet

# cp -r /etc/kubernetes/pki .
]# ll
total 211264
-rwxr-x--- 1 root root  45210392 Jun 13 15:15 kubeadm
-rwxr-x--- 1 root root  46592216 Jun 13 15:15 kubectl
-rwxr-x--- 1 root root 124521288 Jun 13 15:15 kubelet
drwxr-x--- 3 root root      4096 Jun 13 15:18 pki

删除旧证书

# rm -rf /etc/kubernetes/pki/*

生成新证书

# kubeadm certs renew -h
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm certs renew [flags]
  kubeadm certs renew [command]

Available Commands:
  admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                      Renew all available certificates
  apiserver                Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
  controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                Renew the certificate for etcd nodes to communicate with each other
  etcd-server              Renew the certificate for serving etcd
  front-proxy-client       Renew the certificate for the front proxy client
  scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

Flags:
  -h, --help   help for renew

Global Flags:
      --add-dir-header           If true, adds the file directory to the header of the log messages
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm certs renew [command] --help" for more information about a command.

生成某个证书

升级哪个证书,就生成哪个组件的证书,保险,就生成所有证书

# kubeadm certs renew apiserver-kubelet-client
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate for the API server to connect to kubelet renewed

生成所有证书

# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

查看配置已经更新

# ll /etc/kubernetes/
total 32
-rwxrwxrwx 1 root root 5640 Jun 13 15:26 admin.conf
-rw------- 1 root root 5668 Jun 13 15:26 controller-manager.conf
-rw------- 1 root root 2004 Mar 26 16:52 kubelet.conf
drwxr-xr-x 2 root root  113 May 29 17:12 manifests
drwxr-x--- 3 root root 4096 Mar 26 16:52 pki
-rw------- 1 root root 5620 Jun 13 15:26 scheduler.conf

生成新配置

查看帮助

# kubeadm init phase kubeconfig -h
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm init phase kubeconfig [flags]
  kubeadm init phase kubeconfig [command]

Available Commands:
  admin              Generate a kubeconfig file for the admin to use and for kubeadm itself
  all                Generate all kubeconfig files
  controller-manager Generate a kubeconfig file for the controller manager to use
  kubelet            Generate a kubeconfig file for the kubelet to use *only* for cluster bootstrapping purposes
  scheduler          Generate a kubeconfig file for the scheduler to use

Flags:
  -h, --help   help for kubeconfig

Global Flags:
      --add-dir-header           If true, adds the file directory to the header of the log messages
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm init phase kubeconfig [command] --help" for more information about a command.

生成某个配置

失败是正常,版本垮裤较大,而且也只更新证书有效期

# kubeadm init phase kubeconfig admin
I0613 15:31:07.518079   30859 version.go:255] remote version is much newer: v1.30.2; falling back to: stable-1.23
W0613 15:31:17.521449   30859 version.go:103] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.23.txt": Get "https://cdn.dl.k8s.io/release/stable-1.23.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
W0613 15:31:17.521573   30859 version.go:104] falling back to the local client version: v1.23.4

生成所有配置

# kubeadm init phase kubeconfig all
W0613 15:45:39.731181    7842 version.go:103] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.txt": Get "https://cdn.dl.k8s.io/release/stable-1.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
W0613 15:45:39.731479    7842 version.go:104] falling back to the local client version: v1.23.4
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"

重启kubelet

# systemctl status kubelet.service  | grep Active
   Active: active (running) since Tue 2024-03-26 16:52:52 CST; 2 months 18 days ago

# systemctl restart kubelet.service 

# systemctl status kubelet.service  | grep Active
   Active: active (running) since Thu 2024-06-13 15:47:19 CST; 3s ago

更新admin.conf文件

# cp /etc/kubernetes/admin.conf  ~/.kube/config 
cp: overwrite ‘/root/.kube/config’? y

2.检查证书有效期

# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 13, 2025 07:26 UTC   364d            ca                      no      
apiserver                  Jun 13, 2025 07:26 UTC   364d            ca                      no      
apiserver-etcd-client      Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Jun 13, 2025 07:26 UTC   364d            ca                      no      
controller-manager.conf    Jun 13, 2025 07:26 UTC   364d            ca                      no      
etcd-healthcheck-client    Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
etcd-peer                  Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
etcd-server                Jun 13, 2025 07:26 UTC   364d            etcd-ca                 no      
front-proxy-client         Jun 13, 2025 07:26 UTC   364d            front-proxy-ca          no      
scheduler.conf             Jun 13, 2025 07:26 UTC   364d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 24, 2034 08:52 UTC   9y              no      
etcd-ca                 Mar 24, 2034 08:52 UTC   9y              no      
front-proxy-ca          Mar 24, 2034 08:52 UTC   9y              no   

查看各证书时间

# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text
            Not Before: Mar 26 08:52:10 2024 GMT
            Not After : Jun 13 07:26:54 2025 GMT
# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt -noout -text
            Not Before: Mar 26 08:52:11 2024 GMT
            Not After : Jun 13 07:26:55 2025 GMT
# openssl x509 -in /etc/kubernetes/pki/apiserver-kubelet-client.crt -noout -text
            Not Before: Mar 26 08:52:10 2024 GMT
            Not After : Jun 13 07:26:55 2025 GMT
# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text
            Not Before: Mar 26 08:52:10 2024 GMT
            Not After : Mar 24 08:52:10 2034 GMT
# openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt -noout -text
            Not Before: Mar 26 08:52:10 2024 GMT
            Not After : Mar 24 08:52:10 2034 GMT
# openssl x509 -in /etc/kubernetes/pki/front-proxy-client.crt -noout -text
            Not Before: Mar 26 08:52:10 2024 GMT
            Not After : Jun 13 07:26:57 2025 GMT

查看k8s环境

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:/a/705217.html

如若内容造成侵权/违法违规/事实不符,请联系我们进行投诉反馈qq邮箱809451989@qq.com,一经查实,立即删除!

相关文章

【电子信息工程专业课】学习记录

数字信号处理 离散时间信号与系统 周期延拓 一个连续时间信号经过理想采样后,其频谱将沿着频率轴以采样频率Ωs 2π / T 为间隔而重复。 混频 各周期的延拓分量产生频谱交替的现象 奈奎斯特采样定理 fs > 2fh Z变换 收敛域:使任意给定序列x(n)的Z变…

钓鱼小助手 —— 借助文心智能体平台打造钓鱼佬神器

前言 🚀前方高能 🚀钓鱼小助手上线了 有没有喜欢钓鱼的程序猿呀,福利来了,特意整了一个钓鱼的小助手,以后钓鱼小技巧都可以咨询了。 走过路过,不要错过,快快体验吧~ 🚀&#x1…

abap 多线程运行demo

SAP 提供多种多线程的方法去优化程序的执行效率 1.分别执行多个job 2.Call function STARTING NEW TASK 3.直接使用SAP 提供的SPTA 框架函数:SPTA_PARA_PROCESS_START_2 本次,我们着重来介绍一下三种方法中函数的使用方法 获取空闲线程数&#xff1a…

Calibre版图验证工具调用_笔记

Siemens EDA Calibre版图验证工具调用 采用Cadence Virtuoso Layout Editor直接调用Siemens EDA Calibre工具需要进行文件设置, 在用户的根目录下,找到.cdsinit文件, 在文件的结尾处添加以下语句即可,其中,calibre.skl…

随手记:uniapp图片展示,剩余的堆叠

UI效果图&#xff1a; 实现思路&#xff1a; 循环图片数组&#xff0c;只展示几张宽度就为几张图片边距的宽度&#xff0c;剩下的图片直接堆叠展示 点击预览的时候传入当前的下标&#xff0c;如果是点击堆叠的话&#xff0c;下标从堆叠数量开始计算 <template><…

某国资集团数据治理落地,点燃高质量发展“数字引擎”

​某国有资产经营控股集团为快速提升集团的内控管理能力和业务经营能力&#xff0c;以数字化促进企业转型的信息化建设势在必行。集团携手亿信华辰开启数据治理项目&#xff0c;在数据方面成功解决“哪里来、怎么盘、怎么管、怎么用”的问题&#xff0c;不断推动企业数字化转型…

【开发环境】PX4无人机实物使用视觉或运动捕捉系统进行位置估计

PX4无人机实物使用视觉或运动捕捉系统进行位置估计 PX4中关于外部位置信息的MAVLink话题参考坐标系EKF2调整配置参数调整EKF2_EV_DELAY参数 与ROS共同使用将OptiTrack MoCap系统提供的姿态数据导入ROSMotive MoCap软件的步骤将姿态数据导入ROS重新映射姿态数据 将姿态数据转发到…

GIS开发到底能应用在哪些行业 ?

GIS应用的领域到底有多广&#xff1f;恐怕很多GIS从业者都想不到。 尤其是近些年&#xff0c;互联网GIS的普及与发展&#xff0c;GIS技术的应用领域越来越多&#xff0c;涉及的范围也越来越广。很多我们以为跟GIS不相关的行业&#xff0c;都在悄悄用GIS技术。 从大类上分析&a…

【SkyWalking】启用apm-trace-ignore-plugin追踪忽略插件

背景 使用Agent采集追踪数据的时候&#xff0c;想排除某些路径&#xff0c;比如健康检查等&#xff0c;这样可以减少上报的数据&#xff0c;也可以去除一些不必要的干扰数据。 加载插件 在agent/optional-plugins目录中有个apm-trace-ignore-plugin-${version}.jar插件&…

flask南京市旅游景点信息可视化的设计与实现-计算机毕业设计源码02941

摘 要 信息化社会内需要与之针对性的信息获取途径&#xff0c;但是途径的扩展基本上为人们所努力的方向&#xff0c;由于站在的角度存在偏差&#xff0c;人们经常能够获得不同类型信息&#xff0c;这也是技术最为难以攻克的课题。针对南京市旅游景点信息可视化等问题&#xff0…

TDengine Open Day 成功举办:洞察技术革新与职场策略!

随着时序数据库技术的迅速流行和广泛应用&#xff0c;行业对相关人才的需求急剧增长。为应对这一挑战&#xff0c;TDengine 特别举办了 “TDengine Open Day”技术沙龙&#xff0c;旨在为广大技术爱好者、学者及未来职场新星提供一个深入了解时序数据库及其应用的平台&#xff…

【Python】中的X[:,0]、X[0,:]、X[:,:,0]、X[:,:,1]、X[:,m:n]、X[:,:,m:n]和X[: : -1]

Python中 x[m,n]是通过numpy库引用数组或矩阵中的某一段数据集的一种写法,m代表第m维,n代表m维中取第几段特征数据。 通常用法: x[:,n]或者x[n,:] X[:,0]表示对一个二维数组,取该二维数组第一维中的所有数据,第二维中取第0个数据。 X[0,:]使用类比前者。 举例说明: x[:,0…

抖音a_bogus爬虫逆向补环境

抖音a_bogus爬虫逆向补环境 写在前面 https://github.com/ShilongLee/Crawler 这是我为了学习爬虫而搭建的爬虫服务器项目&#xff0c;目标是作为一个高性能的可靠爬虫服务器为广大爬虫爱好者和安全工程师提供平台进行学习爬虫&#xff0c;了解爬虫&#xff0c;应对爬虫。现已…

vue 之 vuex

目录 vuex 是什么 Vuex管理哪些状态呢&#xff1f; Vuex 页面刷新数据丢失怎么解决 1. 使用浏览器的本地存储 2. 使用 Vuex 持久化插件 3. 使用后端存储 注意事项 Vuex 为什么要分模块并且加命名空间 vuex 是什么 vuex 是专门为 vue 提供的全局状态管理系统&#xff0c…

Protected and unprotected Meilisearch projects(/health)

Elasticsearch 做为老牌搜索引擎&#xff0c;功能基本满足&#xff0c;但复杂&#xff0c;重量级&#xff0c;适合大数据量。 MeiliSearch 设计目标针对数据在 500GB 左右的搜索需求&#xff0c;极快&#xff0c;单文件&#xff0c;超轻量。 所以&#xff0c;对于中小型项目来说…

案例 | JIMUMETA元宇宙体验馆,助力品牌打开营销新思路!

视创云展作为行业领先的3D数字化场景营销平台&#xff0c;专注于帮助企业迅速构建集多样化营销活动于一体的元宇宙空间。 通过整合虚拟展厅、数字人互动、音视频通话以及弹幕聊天等创新功能&#xff0c;我们为企业打造极具沉浸感的体验环境&#xff0c;并提供高效的线上营销手段…

element 树组件 tree 横向纵向滚动条

Html <el-cardshadow"hover"class"solo flex-2"style"height: calc(100vh - 1.6rem); border: 1px solid #ebeef5"><div slot"header" class"clearfix"><span>问题分类</span></div><div …

坑记(MySQL之delete操作)

背景知识 我们知道MySQL有两种删除操作&#xff1a;delete和truncate。 二者之间是否一样&#xff0c;且看以下内容&#xff1a; 操作名称操作简介deleteDML中的一种&#xff0c;操作对象是记录&#xff0c;即table中的一行&#xff0c;可恢复&#xff0c;速度慢truncateDDL中…

java自动化之java基础03-09java基础之数组

数组 1、定义 数组是一种用于存储固定大小的同类型数据的数据结构 1&#xff09;固定大小 2&#xff09;同类型数据的存储 2、声明数组 1&#xff09;数据类型[] 变量名称&#xff1b; 例如&#xff1a;int[] numsArry; 2&#xff09;数据类型 变量名称[]; 例如&#xf…

MYSQL、ORACLE、PostgreSQL数据库对象层次及权限管理对比

文章目录 前言一、PostgreSQL二、MySQL三、Oracle 前言 本文为出于自己扩展、比较、图形化的思维路径自行总结归纳&#xff0c;可能有些细节不太准确&#xff0c;欢迎指正。 MySQL、Oracle、PostgreSQL关系型数据库都有管理员用户、用户、权限管理、表函数索引等数据库对象&am…