K8s 更新证书过期时间

K8s 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# 查看证书过期时间
$ sudo kubeadm certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 06, 2024 06:46 UTC   <invalid>       ca                      no
apiserver                  Feb 06, 2024 06:46 UTC   <invalid>       ca                      no
apiserver-etcd-client      Feb 06, 2024 06:46 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Feb 06, 2024 06:46 UTC   <invalid>       ca                      no
controller-manager.conf    Feb 06, 2024 06:46 UTC   <invalid>       ca                      no
etcd-healthcheck-client    Feb 06, 2024 06:46 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Feb 06, 2024 06:46 UTC   <invalid>       etcd-ca                 no
etcd-server                Feb 06, 2024 06:46 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Feb 06, 2024 06:46 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Feb 06, 2024 06:46 UTC   <invalid>       ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 03, 2033 06:46 UTC   8y              no
etcd-ca                 Feb 03, 2033 06:46 UTC   8y              no
front-proxy-ca          Feb 03, 2033 06:46 UTC   8y              no

# 备份证书
$ sudo cp -r /etc/kubernetes /etc/kubernetes.old
# 更新证书(node节点也要执行)
$ sudo kubeadm certs renew all
# 更新config
$ mv ~/.kube/config ~/.kube/config.old
$ cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ sudo chown $(id -u):$(id -g) $HOME/.kube/config
$ sudo chmod 644 $HOME/.kube/config
# 重启kubelet
$ sudo systemctl restart kubelet

# 再次查看证书过期时间
$ sudo kubeadm certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 28, 2025 05:39 UTC   364d            ca                      no
apiserver                  Jun 28, 2025 05:39 UTC   364d            ca                      no
apiserver-etcd-client      Jun 28, 2025 05:39 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Jun 28, 2025 05:39 UTC   364d            ca                      no
controller-manager.conf    Jun 28, 2025 05:39 UTC   364d            ca                      no
etcd-healthcheck-client    Jun 28, 2025 05:39 UTC   364d            etcd-ca                 no
etcd-peer                  Jun 28, 2025 05:39 UTC   364d            etcd-ca                 no
etcd-server                Jun 28, 2025 05:39 UTC   364d            etcd-ca                 no
front-proxy-client         Jun 28, 2025 05:39 UTC   364d            front-proxy-ca          no
scheduler.conf             Jun 28, 2025 05:39 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 03, 2033 06:46 UTC   8y              no
etcd-ca                 Feb 03, 2033 06:46 UTC   8y              no
front-proxy-ca          Feb 03, 2033 06:46 UTC   8y              no
# 查看集群状态
$ kubectl get node
NAME        STATUS   ROLES           AGE    VERSION
debian201   Ready    control-plane   507d   v1.25.3
debian202   Ready    <none>          507d   v1.25.3
debian203   Ready    <none>          507d   v1.25.3

参考