kubernetes证书过期怎么处理
这篇文章主要介绍“kubernetes证书过期怎么处理”,在日常操作中,相信很多人在kubernetes证书过期怎么处理问题上存在疑惑,小编查阅了各式资料,整理出简单好用的操作方法,希望对大家解答”kubernetes证书过期怎么处理”的疑惑有所帮助!接下来,请跟着小编一起来学习吧!
创新互联自2013年创立以来,先为长顺等服务建站,长顺等地企业,进行企业商务咨询服务。为长顺企业网站制作PC+手机+微官网三网同步一站式服务解决您的所有建站问题。
一、过期信息
# kubectl get pod Unable to connect to the server: x509: certificate has expired or is not yet valid
二、处理etcd证书
2.1、查看过期信息
# cd /etc/etcd/ssl/ # openssl x509 -in etcd.pem -noout -text |grep ' Not ' Not Before: Jul 5 07:57:00 2018 GMT Not After : Jul 5 07:57:00 2019 GMT
2.2、修改过期时效
默认为8760h也就是一年
# vim ca-config.json { "signing": { "default": { "expiry": "8760h" }, "profiles": { "kubernetes-Soulmate": { "usages": [ "signing", "key encipherment", "server auth", "client auth" ], "expiry": "8760h" } } } }
修改为10年
{ "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes-Soulmate": { "usages": [ "signing", "key encipherment", "server auth", "client auth" ], "expiry": "87600h" } } } }
2.3、备份并生成新的etcd证书
# mv /etc/etcd/ssl /etc/etcd/ssl_bak # mkdir -p /etc/etcd/ssl
# cfssl gencert -ca=ca.pem \ -ca-key=ca-key.pem \ -config=ca-config.json \ -profile=kubernetes-Soulmate etcd-csr.json | cfssljson -bare etcd 2019/07/24 15:54:51 [INFO] generate received request 2019/07/24 15:54:51 [INFO] received CSR 2019/07/24 15:54:51 [INFO] generating key: rsa-2048 2019/07/24 15:54:51 [INFO] encoded CSR 2019/07/24 15:54:51 [INFO] signed certificate with serial number 129040491859111596768279827567523252619269640219 2019/07/24 15:54:51 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements"). # cp etcd.pem etcd-key.pem ca.pem /etc/etcd/ssl/
重启服务
# systemctl restart etcd
拷贝至其它etcd节点
# scp -r /etc/etcd/ssl/*.pem k8s2:/etc/etcd/ssl/ # scp -r /etc/etcd/ssl/*.pem k8s3:/etc/etcd/ssl/
2.4、查看现在的时效
# openssl x509 -in etcd.pem -noout -text |grep ' Not ' Not Before: Jul 24 07:50:00 2019 GMT Not After : Jul 21 07:50:00 2029 GMT
三、处理k8s证书
3.1、查看过期信息
# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not ' Not Before: Jul 6 03:26:53 2018 GMT Not After : Jul 6 03:26:53 2019 GMT
3.2、备份证书以及配置文件
# cd /etc/kubernetes # mkdir pki_bak # mkdir conf_bak # mv pki/apiserver* pki_bak/ # mv pki/front-proxy-client.* pki_bak/ # mv admin.conf kubelet.conf controller-manager.conf scheduler.conf conf_bak/
3.3、生成新的证书
# cat config.yaml apiVersion: kubeadm.k8s.io/v1alpha1 kind: MasterConfiguration kubernetesVersion: 1.10.4 etcd: endpoints: - https://172.16.40.111:2379 - https://172.16.40.112:2379 - https://172.16.40.121:2379 caFile: /etc/etcd/ssl/ca.pem certFile: /etc/etcd/ssl/etcd.pem keyFile: /etc/etcd/ssl/etcd-key.pem dataDir: /var/lib/etcd networking: podSubnet: 192.168.0.0/16 api: advertiseAddress: "172.16.40.10" controlPlaneEndpoint: "172.16.40.10" token: "b99a00.a144ef80536d4345" tokenTTL: "0s" apiServerCertSANs: - k8s1 - k8s2 - k8s3 - 172.16.40.111 - 172.16.40.112 - 172.16.40.121 - 172.16.40.10 featureGates: CoreDNS: true # kubeadm alpha phase certs all --config=config.yaml [certificates] Using the existing ca certificate and key. [certificates] Generated apiserver certificate and key. [certificates] apiserver serving cert is signed for DNS names [k8s1 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local 172.16.40.10 k8s1 k8s2 k8s3] and IPs [10.96.0.1 172.16.40.10 172.16.40.111 172.16.40.112 172.16.40.121 172.16.40.14 172.16.40.10] [certificates] Generated apiserver-kubelet-client certificate and key. [certificates] Using the existing sa key. [certificates] Using the existing front-proxy-ca certificate and key. [certificates] Generated front-proxy-client certificate and key. [certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
3.4、生成新的配置文件
# kubeadm alpha phase kubeconfig all --config=config.yaml [kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf" [kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf" [kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf" [kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf"
3.5、拷贝环境变量
# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config # chown $(id -u):$(id -g) $HOME/.kube/config
3.6、拷贝证书及环境变量到其它节点
# scp -r /etc/kubernetes/pki k8s2:/etc/kubernetes/ # scp -r /etc/kubernetes/pki k8s3:/etc/kubernetes/ # scp $HOME/.kube/config k8s2:$HOME/.kube/config # scp $HOME/.kube/config k8s3:$HOME/.kube/config
到此,关于“kubernetes证书过期怎么处理”的学习就结束了,希望能够解决大家的疑惑。理论与实践的搭配能更好的帮助大家学习,快去试试吧!若想继续学习更多相关知识,请继续关注创新互联网站,小编会继续努力为大家带来更多实用的文章!
当前题目:kubernetes证书过期怎么处理
文章分享:http://lswzjz.com/article/pdciig.html