2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to deal with an expired Kubernetes certificate. Many people run into this question in day-to-day operations, so the editor has gone through the available material and sorted it into a simple, workable procedure. I hope it answers the question; please follow along.
1. Expiration symptom

# kubectl get pod
Unable to connect to the server: x509: certificate has expired or is not yet valid

2. Dealing with the etcd certificate

2.1 View expiration information

# cd /etc/etcd/ssl/
# openssl x509 -in etcd.pem -noout -text | grep 'Not'
            Not Before: Jul  5 07:57:00 2018 GMT
            Not After: Jul  5 07:57:00 2019 GMT

2.2 Modify the expiry period

The default is 8760h, that is, one year.

# vim ca-config.json
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes-Soulmate": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}

Revised to 10 years:

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes-Soulmate": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "87600h"
      }
    }
  }
}

2.3 Back up and generate a new etcd certificate

# mv /etc/etcd/ssl /etc/etcd/ssl_bak
# mkdir -p /etc/etcd/ssl
# cfssl gencert -ca=ca.pem \
    -ca-key=ca-key.pem \
    -config=ca-config.json \
    -profile=kubernetes-Soulmate etcd-csr.json | cfssljson -bare etcd
2019/07/24 15:54:51 [INFO] generate received request
2019/07/24 15:54:51 [INFO] received CSR
2019/07/24 15:54:51 [INFO] generating key: rsa-2048
2019/07/24 15:54:51 [INFO] encoded CSR
2019/07/24 15:54:51 [INFO] signed certificate with serial number 12904049185911159676827982756752326269640219
2019/07/24 15:54:51 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
# cp etcd.pem etcd-key.pem ca.pem /etc/etcd/ssl/
Restart the service
# systemctl restart etcd
Copy to the other etcd nodes
# scp -r /etc/etcd/ssl/*.pem k8s2:/etc/etcd/ssl/
# scp -r /etc/etcd/ssl/*.pem k8s3:/etc/etcd/ssl/

2.4 View the new validity period

# openssl x509 -in etcd.pem -noout -text | grep 'Not'
            Not Before: Jul 24 07:50:00 2019 GMT
            Not After: Jul 21 07:50:00 2029 GMT

3. Dealing with the Kubernetes certificates

3.1 View expiration information

# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep 'Not'
            Not Before: Jul  6 03:26:53 2018 GMT
            Not After: Jul  6 03:26:53 2019 GMT

3.2 Back up the certificates and configuration files

# cd /etc/kubernetes
# mkdir pki_bak
# mkdir conf_bak
# mv pki/apiserver* pki_bak/
# mv pki/front-proxy-client.* pki_bak/
# mv admin.conf kubelet.conf controller-manager.conf scheduler.conf conf_bak/

3.3 Generate new certificates

# cat config.yaml
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
kubernetesVersion: 1.10.4
etcd:
  endpoints:
  - https://172.16.40.111:2379
  - https://172.16.40.112:2379
  - https://172.16.40.121:2379
  caFile: /etc/etcd/ssl/ca.pem
  certFile: /etc/etcd/ssl/etcd.pem
  keyFile: /etc/etcd/ssl/etcd-key.pem
  dataDir: /var/lib/etcd
networking:
  podSubnet: 192.168.0.0
api:
  advertiseAddress: "172.16.40.10"
  controlPlaneEndpoint: "172.16.40.10"
token: "b99a00.a144ef80536d4345"
tokenTTL: "0s"
apiServerCertSANs:
- k8s1
- k8s2
- k8s3
- 172.16.40.111
- 172.16.40.112
- 172.16.40.121
- 172.16.40.10
featureGates:
  CoreDNS: true
# kubeadm alpha phase certs all --config=config.yaml
[certificates] Using the existing ca certificate and key.
[certificates] Generated apiserver certificate and key.
[certificates] apiserver serving cert is signed for DNS names [k8s1 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local 172.16.40.10 k8s1 k8s2 k8s3] and IPs [10.96.0.1 172.16.40.10 172.16.40.111 172.16.40.112 172.16.40.121 172.16.40.14 172.16.40.10]
[certificates] Generated apiserver-kubelet-client certificate and key.
[certificates] Using the existing sa key.
[certificates] Using the existing front-proxy-ca certificate and key.
[certificates] Generated front-proxy-client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"

3.4 Generate new configuration files

# kubeadm alpha phase kubeconfig all --config=config.yaml
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf"

3.5 Copy the kubectl configuration

# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
# chown $(id -u):$(id -g) $HOME/.kube/config

3.6 Copy the certificates and kubectl configuration to the other nodes

# scp -r /etc/kubernetes/pki k8s2:/etc/kubernetes/
# scp -r /etc/kubernetes/pki k8s3:/etc/kubernetes/
# scp $HOME/.kube/config k8s2:$HOME/.kube/config
# scp $HOME/.kube/config k8s3:$HOME/.kube/config

This concludes the study of "how to deal with the expiration of Kubernetes certificates". I hope it has answered your doubts; theory works best together with practice, so go and try it. If you want to keep learning related topics, please keep following the site, and the editor will keep working to bring you more practical articles.
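As an added example (not part of the article), the POSIX shell functions below turn the article's one-off "openssl x509 ... | grep Not" check into an inventory of every certificate the procedure regenerates, including the client certificates embedded in the kubeconfig files written in step 3.4, which the one-off check on the .crt files misses. The function names are this example's own, the default paths are the article's, and it assumes only openssl and base64 are present on the node.

```shell
# Added example, not from the article: inventory the certificates the article
# regenerates and flag the ones that expire within N days. Assumes only openssl
# and base64 are installed; default paths are the article's. Function names
# are this example's own.

# 0 if the PEM certificate in $1 is still valid $2 days from now, else 1.
# openssl's -checkend does the date arithmetic, so no GNU date is needed.
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Same check for the base64 client certificate embedded in a kubeconfig ($1).
# admin.conf, kubelet.conf, controller-manager.conf and scheduler.conf each
# carry one; an expired one produces the kubectl error shown in section 1.
kubeconfig_cert_ok_for_days() {
    awk '/client-certificate-data:/ {print $2; exit}' "$1" \
        | base64 -d 2>/dev/null \
        | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# The notAfter date of a PEM certificate, e.g. "Jul 21 07:50:00 2029 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# report_cluster_certs [days] [etcd_ssl_dir] [pki_dir] [kubeconfig_dir]
# Prints one OK/EXPIRING line per certificate; returns 1 if any is expiring.
report_cluster_certs() {
    days=${1:-30}; etcd_dir=${2:-/etc/etcd/ssl}
    pki_dir=${3:-/etc/kubernetes/pki}; conf_dir=${4:-/etc/kubernetes}; rc=0
    for f in "$etcd_dir"/*.pem "$pki_dir"/*.crt; do
        [ -f "$f" ] || continue
        # private keys (etcd-key.pem, ca-key.pem) are not x509 certs: skip them
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        if cert_ok_for_days "$f" "$days"; then echo "OK       $f ($(cert_not_after "$f"))"
        else echo "EXPIRING $f ($(cert_not_after "$f"))"; rc=1; fi
    done
    for name in admin kubelet controller-manager scheduler; do
        k="$conf_dir/$name.conf"
        [ -f "$k" ] || continue
        if kubeconfig_cert_ok_for_days "$k" "$days"; then echo "OK       $k (embedded client cert)"
        else echo "EXPIRING $k (embedded client cert)"; rc=1; fi
    done
    return $rc
}
```

Run `report_cluster_certs 30` on each control-plane node (and against the etcd directory on the etcd nodes) well before the one-year default expiry; a non-zero exit status is the condition to alert on.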
© 2024 shulou.com SLNews company. All rights reserved.