2025-01-30 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article explains in detail how to renew expired Kubernetes certificates.
kubeadm gained powerful certificate management capabilities in Kubernetes 1.15; this article applies to Kubernetes versions earlier than 1.15 (the version used in this article is 1.13.2).
Certificate management documentation for version 1.15:
Official documentation: certificate management with kubeadm
Official documentation: instructions for using kubeadm alpha (https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-alpha/)
Check the validity period of the certificate:
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep 'Not'
⚠️ The CA certificate generated by kubeadm is valid for 10 years by default, while the other certificates (such as the etcd and apiserver certificates) are valid for 1 year.
Update certificates and configuration
Overall approach:
Backup: before updating the certificates, back up /etc/kubernetes to guard against operational errors.
Update certificates: regenerate the certificates using kubeadm alpha certs renew. Only the *.key file is updated, and the original crt file is required to generate the corresponding key file.
Update the configuration: use the kubeadm init phase kubeconfig all --config ${kubeadm.yaml configuration file} or the kubeadm alpha kubeconfig user command.
⚠️ The certificate renew commands differ slightly between versions, depending on the installed kubeadm. Running kubeadm alpha certs renew --help on the command line prints output similar to the following:
Certificate update policy:
Single master node: you can run kubeadm alpha certs renew all --config kubeadm.yaml directly to complete the certificate update, then replace the kubelet configuration.
Multiple master nodes: it is recommended to keep the original CA certificate (valid for 10 years) and update the certificate of each component (etcd, apiserver, etc.) separately.
Multi-master node certificate update
Back up the original configuration and certificates
On all master nodes, run the command: cp -r /etc/kubernetes /home/heguangfu/kubernetes
Update certificates
On all master nodes, run the following commands in turn:
etcd heartbeat certificate: kubeadm alpha certs renew etcd-healthcheck-client --config kubeadm-config.ict15.yaml
etcd peer certificate: kubeadm alpha certs renew etcd-peer --config kubeadm-config.ict15.yaml
etcd server certificate: kubeadm alpha certs renew etcd-server --config kubeadm-config.ict15.yaml
front-proxy-client certificate: kubeadm alpha certs renew front-proxy-client --config kubeadm-config.ict15.yaml
apiserver-etcd-client certificate: kubeadm alpha certs renew apiserver-etcd-client --config kubeadm-config.ict15.yaml
apiserver-kubelet-client certificate: kubeadm alpha certs renew apiserver-kubelet-client --config kubeadm-config.ict15.yaml
apiserver certificate: kubeadm alpha certs renew apiserver --config kubeadm-config.ict15.yaml
⚠️ The kubeadm configuration used by each master node differs slightly. When renewing certificates, pass after --config the kubeadm configuration file that was used for the current master when the cluster was originally created.
Update configuration
On all master nodes, after updating the certificates, update the Kubernetes configuration using kubeadm init phase kubeconfig all --config ${kubeadm.yaml configuration file}
Verify cluster status
Clean up the previous kubectl credentials: rm -rf $HOME/.kube
Reconfigure the kubectl credentials:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Verify etcd: view the docker log of an etcd node. In the log, all etcd peers are active and have joined the same cluster.
Verify the Kubernetes cluster: run kubectl cluster-info and kubectl get nodes; the output is as expected.
Check that the Kubernetes system services are running normally (the core ones are kube-apiserver, kube-controller-manager, kube-proxy, kube-flannel): kubectl get pods -n kube-system
Check the running status of the pods: kubectl get pods --all-namespaces
Possible problems
"part of the existing bootstrap client certificate is expired: 2020-01-19 15:10:17 +0000 UTC": confirm that all certificates have been updated, and after the certificates are updated, update the Kubernetes configuration.
API server log: "Unable to authenticate the request due to an error: [x509: certificate has expired or is not yet valid, x509: certificate has expired or is not yet valid]". The possible reasons are: the certificate has expired; the certificates were only partially updated; or a proxy is configured on the master, so that requests to the apiserver go through the proxy and certificate authentication fails (run unset http_proxy; unset ftp_proxy; unset socks_proxy; unset https_proxy to cancel the proxy configuration).
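Both problems above come down to a certificate that was missed, either a file under pki or the copy embedded in a kubeconfig file. The script below is an added example, not part of the original article, that runs the openssl validity check over the whole kubeadm directory; the function names and the 30-day default threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Paths follow the kubeadm layout
# used on this page: <dir>/pki/*.crt, <dir>/pki/etcd/*.crt and <dir>/*.conf.

# Reads one PEM certificate on stdin. Succeeds when it is expired or expires
# within $1 days. An unreadable certificate also counts (fail closed).
expires_within() {
    ! openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1
}

# scan_k8s_certs DIR [DAYS]
# Prints one line per certificate that needs renewal; returns 1 if any was found.
scan_k8s_certs() {
    scan_dir=$1; scan_days=${2:-30}; scan_rc=0
    # Certificate files under the PKI directory.
    for f in "$scan_dir"/pki/*.crt "$scan_dir"/pki/etcd/*.crt; do
        [ -f "$f" ] || continue
        if expires_within "$scan_days" < "$f"; then
            echo "RENEW $f $(openssl x509 -noout -enddate < "$f" 2>/dev/null)"
            scan_rc=1
        fi
    done
    # kubeconfig files may embed a base64 copy of the client certificate; it
    # stays stale until the kubeconfig files are regenerated.
    for f in "$scan_dir"/*.conf; do
        [ -f "$f" ] || continue
        grep -q 'client-certificate-data:' "$f" || continue
        if awk '/client-certificate-data:/ {print $2; exit}' "$f" |
            openssl base64 -d -A 2>/dev/null | expires_within "$scan_days"; then
            echo "RENEW $f embedded client certificate"
            scan_rc=1
        fi
    done
    return "$scan_rc"
}

# Runs only when a directory is passed as the first argument,
# for example "/etc/kubernetes 30".
if [ -n "${1:-}" ]; then scan_k8s_certs "$1" "${2:-30}"; fi
```

Run it on each master after the configuration update; no output and exit status 0 mean nothing expires within the threshold.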