一.系统环境
本文主要基于Kubernetes1.22.2和Linux操作系统Ubuntu 18.04。
服务器版本 | docker软件版本 | Kubernetes(k8s)集群版本 | CPU架构 |
---|---|---|---|
Ubuntu 18.04.5 LTS | Docker version 20.10.14 | v1.22.2 | x86_64 |
Kubernetes集群架构:k8scludes1作为master节点,k8scludes2,k8scludes3作为worker节点。
服务器 | 操作系统版本 | CPU架构 | 进程 | 功能描述 |
---|---|---|---|---|
k8scludes1/192.168.110.128 | Ubuntu 18.04.5 LTS | x86_64 | docker,kube-apiserver,etcd,kube-scheduler,kube-controller-manager,kubelet,kube-proxy,coredns,calico | k8s master节点 |
k8scludes2/192.168.110.129 | Ubuntu 18.04.5 LTS | x86_64 | docker,kubelet,kube-proxy,calico | k8s worker节点 |
k8scludes3/192.168.110.130 | Ubuntu 18.04.5 LTS | x86_64 | docker,kubelet,kube-proxy,calico | k8s worker节点 |
二.前言
Kubernetes集群的证书对于集群的安全性和稳定性至关重要。然而,随着时间的推移,这些证书会过期,导致集群服务不可用。本文将详细介绍如何使用kubeadm工具为Kubernetes集群续期证书。
给Kubernetes集群证书续期的前提是已经有一套可以正常运行的Kubernetes集群,关于Kubernetes(k8s)集群的安装部署,可以查看博客《Ubuntu 安装部署Kubernetes(k8s)集群》 安装部署Kubernetes(k8s)集群》
三.Kubernetes证书过期及续期简介
Kubernetes集群在初始化时,会自动生成一系列证书,包括API服务器证书、CA证书、Kubelet证书等。这些证书通常有1年的有效期。当证书过期后,Kubernetes集群的某些服务可能会受到影响,例如API服务器无法访问。为了解决证书过期的问题,我们可以使用kubeadm工具进行证书续期。
四.使用kubeadm为Kubernetes集群证书续期
4.1 查看k8s集群证书过期时间
现在k8s集群已经不能正常运行了,查询pod报错,可以看到报错信息为:“连接API服务器拒绝”。
root@k8scludes1:~# kubectl get pod -o wie
The connection to the server 192.168.110.128:6443 was refused - did you specify the right host or port?
master节点的/etc/kubernetes/pki/目录下存的是各个组件的证书。
root@k8scludes1:~# ls /etc/kubernetes/pki/
apiserver.crt apiserver-etcd-client.key apiserver-kubelet-client.crt ca.crt ca.srl front-proxy-ca.crt front-proxy-ca.srl front-proxy-client.key sa.key
apiserver-etcd-client.crt apiserver.key apiserver-kubelet-client.key ca.key etcd front-proxy-ca.key front-proxy-client.crt mytok.csv sa.pub
查看master节点的apiserver证书有效期,可以看到证书在2023年4月16号就过期了,证书已经过期一年多了。
root@k8scludes1:~# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep Not
Not Before: Apr 16 14:57:44 2022 GMT
Not After : Apr 16 14:57:44 2023 GMT
在master节点查看各个组件的证书过期时间。
root@k8scludes1:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Oct 21, 2023 14:25 UTC 9y no
apiserver Oct 21, 2023 14:25 UTC 9y ca no
apiserver-etcd-client Oct 21, 2023 14:25 UTC 9y etcd-ca no
apiserver-kubelet-client Oct 21, 2023 14:25 UTC 9y ca no
controller-manager.conf Oct 21, 2023 14:25 UTC 9y no
etcd-healthcheck-client Oct 21, 2023 14:25 UTC 9y etcd-ca no
etcd-peer Oct 21, 2023 14:25 UTC 9y etcd-ca no
etcd-server Oct 21, 2023 14:25 UTC 9y etcd-ca no
front-proxy-client Oct 21, 2023 14:25 UTC 9y front-proxy-ca no
scheduler.conf Oct 21, 2023 14:25 UTC 9y no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Apr 13, 2023 14:57 UTC 7y no
etcd-ca Apr 13, 2023 14:57 UTC 7y no
front-proxy-ca Apr 13, 2023 14:57 UTC 7y no
查看master节点的kubelet证书过期时间。
root@k8scludes1:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-16-22-57-47.pem kubelet-client-current.pem kubelet.crt kubelet.key
root@k8scludes1:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text |grep Not
Not Before: Apr 16 14:57:44 2022 GMT
Not After : Apr 16 14:57:46 2023 GMT
4.2 为master节点续期证书
在master节点给各个组件续签证书。
root@k8scludes1:~# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
在master节点再次查看各个组件的证书过期时间,可以看到证书续签了一年。
root@k8scludes1:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Oct 24, 2025 02:53 UTC 364d no
apiserver Oct 24, 2025 02:53 UTC 364d ca no
apiserver-etcd-client Oct 24, 2025 02:53 UTC 364d etcd-ca no
apiserver-kubelet-client Oct 24, 2025 02:53 UTC 364d ca no
controller-manager.conf Oct 24, 2025 02:53 UTC 364d no
etcd-healthcheck-client Oct 24, 2025 02:53 UTC 364d etcd-ca no
etcd-peer Oct 24, 2025 02:53 UTC 364d etcd-ca no
etcd-server Oct 24, 2025 02:53 UTC 364d etcd-ca no
front-proxy-client Oct 24, 2025 02:53 UTC 364d front-proxy-ca no
scheduler.conf Oct 24, 2025 02:53 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Apr 13, 2025 14:57 UTC 7y no
etcd-ca Apr 13, 2025 14:57 UTC 7y no
front-proxy-ca Apr 13, 2025 14:57 UTC 7y no
当前kubernetes各个组件所使用的kubecong文件都在/etc/kubernetes/里。
root@k8scludes1:~# ls /etc/kubernetes/
admin.conf admission-control-config-file audit controller-manager.conf kubelet.conf manifests pki scheduler.conf
文件后缀为conf的都是各个组件所需的kubeconfig文件,但是这些文件里使用的证书都是之前过期的证书,需要把conf文件删除并重新生成。
root@k8scludes1:~# ls /etc/kubernetes/*.conf
/etc/kubernetes/admin.conf /etc/kubernetes/controller-manager.conf /etc/kubernetes/kubelet.conf /etc/kubernetes/scheduler.conf
root@k8scludes1:~# mkdir k8sconf_bak
root@k8scludes1:~# cp /etc/kubernetes/*.conf k8sconf_bak/
root@k8scludes1:~# ls k8sconf_bak/
admin.conf controller-manager.conf kubelet.conf scheduler.conf
root@k8scludes1:~# rm -rf /etc/kubernetes/*.conf
root@k8scludes1:~# ls /etc/kubernetes/
admission-control-config-file audit manifests pki
为k8s的各个组件重新生成kubeconfig文件。
root@k8scludes1:~# kubeadm init --kubernetes-version=v1.22.2 phase kubeconfig all
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
root@k8scludes1:~# ls /etc/kubernetes/
admin.conf admission-control-config-file audit controller-manager.conf kubelet.conf manifests pki scheduler.conf
替换管理员所用的kubeconfig文件。
root@k8scludes1:~# ls ~/.kube/config
/root/.kube/config
root@k8scludes1:~# rm -rf ~/.kube/config
root@k8scludes1:~# ls ~/.kube/
cache config.old-20241023 kubens
root@k8scludes1:~# cp /etc/kubernetes/admin.conf ~/.kube/config
root@k8scludes1:~# ls ~/.kube/config
/root/.kube/config
重启kube-scheduler。
root@k8scludes1:~# docker ps | grep kube-scheduler
47ac8592cf5c b51ddc1014b0 "kube-scheduler --au…" 6 minutes ago Up 6 minutes k8s_kube-scheduler_kube-scheduler-k8scludes1_kube-system_f637e8449089a70204a39d176f936bc7_289
6e65a5b16329 registry.aliyuncs.com/google_containers/pause:3.5 "/pause" 6 minutes ago Up 6 minutes k8s_POD_kube-scheduler-k8scludes1_kube-system_f637e8449089a70204a39d176f936bc7_75
root@k8scludes1:~# docker ps | awk '/kube-scheduler /{print $1}'
47ac8592cf5c
root@k8scludes1:~# docker rm -f $(docker ps | awk '/kube-scheduler /{print $1}')
47ac8592cf5c
root@k8scludes1:~# kubectl get pods -n kube-system | grep scheduler
kube-scheduler-k8scludes1 1/1 Running 289 (2y120d ago) 2y191d
查看master节点的kubelet当前使用的证书,kubelet-client-current.pem软链接到了kubelet-client-2024-10-24-11-08-14.pem,说明现在kubelet使用的是最新的证书。
root@k8scludes1:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-16-22-57-47.pem kubelet-client-2024-10-24-11-05-29.pem kubelet-client-2024-10-24-11-08-14.pem kubelet-client-current.pem kubelet.crt kubelet.key
root@k8scludes1:~# ls /var/lib/kubelet/pki/kubelet-client-current.pem -l
lrwxrwxrwx 1 root root 59 Oct 24 11:08 /var/lib/kubelet/pki/kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2024-10-24-11-08-14.pem
如果kubelet-client-current.pem软链接到kubelet-client-2022-04-16-22-57-47.pem,说明kubelet使用的是旧的证书,重启kebelet即可。
root@k8scludes1:~# systemctl restart kubelet
root@k8scludes1:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-16-22-57-47.pem kubelet-client-2024-10-24-11-05-29.pem kubelet-client-2024-10-24-11-08-14.pem kubelet-client-current.pem kubelet.crt kubelet.key
root@k8scludes1:~# ls -l /var/lib/kubelet/pki/kubelet-client-current.pem
lrwxrwxrwx 1 root root 59 Oct 24 11:08 /var/lib/kubelet/pki/kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2024-10-24-11-08-14.pem
在master节点上查看证书签名请求(简称为CSR),如果CONDITION显示的是Approved,Issued,说明证书签名请求CSR已经被批准,则不需要执行kubectl certificate approve csr-htp29
,如果CONDITION显示的是Pending,则需要手动批准证书签名请求CSR,语法为:kubectl certificate approve CSR名
。
root@k8scludes1:~# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
csr-htp29 12m kubernetes.io/kube-apiserver-client-kubelet system:node:k8scludes1 <none> Approved,Issued
#批准证书签名请求CSR
root@k8scludes1:~# kubectl certificate approve csr-htp29
certificatesigningrequest.certificates.k8s.io/csr-rn8xc approved
在master节点查看kubelet的证书过期时间,到2025年才过期了。
root@k8scludes1:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text |grep Not
Not Before: Oct 24 03:03:14 2024 GMT
Not After : Oct 24 03:03:14 2025 GMT
查看k8s集群状态,可以发现k8scludes1节点已经正常了,但是两个worker节点还是不正常,原因是两个worker节点的证书还是旧的,需要替换为最新的证书。
root@k8scludes1:~# kubectl get node
NAME STATUS ROLES AGE VERSION
k8scludes1 Ready control-plane,master 2y191d v1.22.2
k8scludes2 NotReady <none> 2y191d v1.22.2
k8scludes3 NotReady <none> 2y191d v1.22.2
4.3 为worker节点替换最新的证书
k8scludes2节点的kubelet使用的还是旧的证书。
root@k8scludes2:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-17-01-59-26.pem kubelet-client-current.pem kubelet.crt kubelet.key
root@k8scludes2:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text |grep Not
Not Before: Apr 16 17:54:26 2022 GMT
Not After : Apr 16 17:54:26 2023 GMT
在master节点生成k8scludes2节点所需的kubelet.conf文件,把kubelet.conf文件放在/tmp/目录。
root@k8scludes1:~# kubeadm init --kubernetes-version=v1.22.2 phase kubeconfig kubelet --node-name k8scludes2 --kubeconfig-dir /tmp/
[kubeconfig] Writing "kubelet.conf" kubeconfig file
root@k8scludes1:~# ls /tmp/
kubelet.conf systemd-private-3e6f81ffe01748ec8909700ec12195cb-systemd-resolved.service-kzxcft systemd-private-3e6f81ffe01748ec8909700ec12195cb-systemd-timesyncd.service-Uop8xG vmware-root_751-4290559920
复制文件到k8scludes2节点的/etc/kubernetes/目录下。
root@k8scludes1:~# scp /tmp/kubelet.conf 192.168.110.129:/etc/kubernetes/
root@192.168.110.129's password:
kubelet.conf 100% 5671 1.4MB/s 00:00
k8scludes2节点重启kubelet。
root@k8scludes2:~# systemctl restart kubelet
再次查看k8scludes2节点的kubelet证书,现在已经是最新的证书了。
root@k8scludes2:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-17-01-59-26.pem kubelet-client-2024-10-24-11-29-31.pem kubelet-client-2024-10-24-11-29-40.pem kubelet-client-current.pem kubelet.crt kubelet.key
root@k8scludes2:~# ls -l /var/lib/kubelet/pki/kubelet-client-current.pem
lrwxrwxrwx 1 root root 59 Oct 24 11:29 /var/lib/kubelet/pki/kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2024-10-24-11-29-40.pem
root@k8scludes2:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text |grep Not
Not Before: Oct 24 03:24:40 2024 GMT
Not After : Oct 24 03:24:40 2025 GMT
k8scludes3节点也是类似的操作。
在master节点生成k8scludes3节点所需的kubelet.conf文件,把kubelet.conf文件放在/tmp/目录。
root@k8scludes1:~# rm -rf /tmp/* ; ls /tmp/
root@k8scludes1:~# kubeadm init --kubernetes-version=v1.22.2 phase kubeconfig kubelet --node-name k8scludes3 --kubeconfig-dir /tmp/
[kubeconfig] Writing "kubelet.conf" kubeconfig file
复制kubelet.conf到k8scludes3节点的/etc/kubernetes/目录下
root@k8scludes1:~# scp /tmp/kubelet.conf 192.168.110.130:/etc/kubernetes/
root@192.168.110.130's password:
kubelet.conf 100% 5671 2.6MB/s 00:00
重启k8scludes3节点的kubelet,现在kubelet使用的是最新的证书了。
root@k8scludes3:~# systemctl restart kubelet
root@k8scludes3:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-17-01-59-29.pem kubelet-client-2024-10-24-11-34-49.pem kubelet-client-2024-10-24-11-34-57.pem kubelet-client-current.pem kubelet.crt kubelet.key
root@k8scludes3:~# ls -l /var/lib/kubelet/pki/kubelet-client-current.pem
lrwxrwxrwx 1 root root 59 Oct 24 11:34 /var/lib/kubelet/pki/kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2024-10-24-11-34-57.pem
root@k8scludes3:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text |grep Not
Not Before: Oct 24 03:29:57 2024 GMT
Not After : Oct 24 03:29:57 2025 GMT
查看k8s集群状态,现在集群恢复正常了。
root@k8scludes1:~# kubectl get node
NAME STATUS ROLES AGE VERSION
k8scludes1 Ready control-plane,master 2y191d v1.22.2
k8scludes2 Ready <none> 2y191d v1.22.2
k8scludes3 Ready <none> 2y191d v1.22.2
五.总结
本文介绍了如何使用kubeadm工具为Kubernetes集群续期证书。通过定期检查和续期证书,可以确保Kubernetes集群的安全性和稳定性。
- 在进行证书续期时,请确保有足够的磁盘空间来存储新的证书文件;
- 如果你的集群配置了自动化工具或脚本来管理Kubernetes集群,确保这些工具和脚本也更新为处理新的证书;
- 在生产环境中,建议设置证书到期提醒,以便提前进行维护工作。