K8s 更新证书过期时间

# Check when each kubeadm-managed certificate expires.
# In the output below, a RESIDUAL TIME of <invalid> appears on certificates whose expiry date has already passed.
$ sudo kubeadm certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Feb 06, 2024 06:46 UTC <invalid> ca no
apiserver Feb 06, 2024 06:46 UTC <invalid> ca no
apiserver-etcd-client Feb 06, 2024 06:46 UTC <invalid> etcd-ca no
apiserver-kubelet-client Feb 06, 2024 06:46 UTC <invalid> ca no
controller-manager.conf Feb 06, 2024 06:46 UTC <invalid> ca no
etcd-healthcheck-client Feb 06, 2024 06:46 UTC <invalid> etcd-ca no
etcd-peer Feb 06, 2024 06:46 UTC <invalid> etcd-ca no
etcd-server Feb 06, 2024 06:46 UTC <invalid> etcd-ca no
front-proxy-client Feb 06, 2024 06:46 UTC <invalid> front-proxy-ca no
scheduler.conf Feb 06, 2024 06:46 UTC <invalid> ca no

CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Feb 03, 2033 06:46 UTC 8y no
etcd-ca Feb 03, 2033 06:46 UTC 8y no
front-proxy-ca Feb 03, 2033 06:46 UTC 8y no

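# Back up the existing certificates and kubeconfigs before changing anything.
# -a keeps ownership and modes, so the private keys under pki/ stay root-only
# in the copy. The backup holds the CA keys: keep it off shared storage and
# delete it once the renewed cluster is verified.
$ sudo cp -a /etc/kubernetes /etc/kubernetes.old
# Renew all kubeadm-managed certificates (author's note: also run this on the node machines).
# NOTE(review): the certificates listed by check-expiration live on control-plane
# nodes; worker kubelet client certificates are normally rotated by the kubelet
# itself - confirm whether the workers in this cluster need this step.
$ sudo kubeadm certs renew all
# Refresh the local kubeconfig from the renewed admin.conf.
$ mv ~/.kube/config ~/.kube/config.old
# admin.conf is normally readable by root only, hence sudo for the copy.
$ sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
$ sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
# The kubeconfig embeds the cluster-admin client certificate and key, so it
# must be readable by its owner only (600, not 644).
$ chmod 600 "$HOME/.kube/config"
# Restart kubelet.
# NOTE(review): kubeadm also asks for kube-apiserver, kube-controller-manager,
# kube-scheduler and etcd to be restarted so they load the renewed certificates;
# a kubelet restart alone may not recreate those static pods - verify that the
# control-plane components are serving the new certificates.
$ sudo systemctl restart kubelet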

# Check the expiry dates again: every leaf certificate should now show a fresh RESIDUAL TIME.
# The CA rows in the output below keep their original expiry; this procedure does not rotate the CAs.
$ sudo kubeadm certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jun 28, 2025 05:39 UTC 364d ca no
apiserver Jun 28, 2025 05:39 UTC 364d ca no
apiserver-etcd-client Jun 28, 2025 05:39 UTC 364d etcd-ca no
apiserver-kubelet-client Jun 28, 2025 05:39 UTC 364d ca no
controller-manager.conf Jun 28, 2025 05:39 UTC 364d ca no
etcd-healthcheck-client Jun 28, 2025 05:39 UTC 364d etcd-ca no
etcd-peer Jun 28, 2025 05:39 UTC 364d etcd-ca no
etcd-server Jun 28, 2025 05:39 UTC 364d etcd-ca no
front-proxy-client Jun 28, 2025 05:39 UTC 364d front-proxy-ca no
scheduler.conf Jun 28, 2025 05:39 UTC 364d ca no

CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Feb 03, 2033 06:46 UTC 8y no
etcd-ca Feb 03, 2033 06:46 UTC 8y no
front-proxy-ca Feb 03, 2033 06:46 UTC 8y no
# Check cluster status: every node should report Ready.
$ kubectl get node
NAME STATUS ROLES AGE VERSION
debian201 Ready control-plane 507d v1.25.3
debian202 Ready <none> 507d v1.25.3
debian203 Ready <none> 507d v1.25.3

参考