K8S certificates expired, error "Unable to connect to the server: x509: certificate has expired or is not yet valid": how to fix it
1. Check the certificate expiry dates
kubeadm certs check-expiration
# Every entry marked <invalid> has expired
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Sep 14, 2022 14:01 UTC <invalid> no
apiserver Sep 14, 2022 14:01 UTC <invalid> ca no
apiserver-etcd-client Sep 14, 2022 14:01 UTC <invalid> etcd-ca no
apiserver-kubelet-client Sep 14, 2022 14:01 UTC <invalid> ca no
controller-manager.conf Sep 14, 2022 14:01 UTC <invalid> no
etcd-healthcheck-client Sep 14, 2022 14:01 UTC <invalid> etcd-ca no
etcd-peer Sep 14, 2022 14:01 UTC <invalid> etcd-ca no
etcd-server Sep 14, 2022 14:01 UTC <invalid> etcd-ca no
front-proxy-client Sep 14, 2022 14:01 UTC <invalid> front-proxy-ca no
scheduler.conf Sep 14, 2022 14:01 UTC <invalid> no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Sep 12, 2031 14:01 UTC 8y no
etcd-ca Sep 12, 2031 14:01 UTC 8y no
front-proxy-ca Sep 12, 2031 14:01 UTC 8y no
# Alternatively, check with openssl; it also shows the certificate has expired
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep 'Not'
Not Before: Sep 14 14:01:12 2021 GMT
Not After : Sep 14 14:01:12 2022 GMT
2. Back up the certificates
cp -rp /etc/kubernetes /etc/kubernetes.bak
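3. Regenerate the certificates; with this command there is no need to delete the expired certificates first
# Same command family as step 1; older kubeadm releases that still keep it under "alpha" use: kubeadm alpha certs renew all
kubeadm certs renew all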
4. Check the certificate expiry dates again
# The certificate is now valid until 2023
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep 'Not'
Not Before: Sep 14 14:01:12 2021 GMT
Not After : Sep 15 01:53:20 2023 GMT
5. Update the user's certificate credentials
cp /etc/kubernetes/admin.conf ~/.kube/config
6. Restart kubelet
systemctl restart kubelet
7. Restart the apiserver, scheduler and controller-manager containers
docker ps | grep apiserver
docker ps | grep scheduler
docker ps | grep controller-manager
docker restart containerID
8. Check the status; it succeeded
systemctl status kubelet
# Success
● kubelet.service - kubelet: The Kubernetes Node Agent
Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/kubelet.service.d
└─10-kubeadm.conf
Active: active (running) since Thu 2022-09-15 09:56:24 CST; 2min 6s ago
Docs: https://kubernetes.io/docs/
Main PID: 10193 (kubelet)
Tasks: 15
Memory: 42.5M
CGroup: /system.slice/kubelet.service
└─10193 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --network-plugin=cni --pod-infra-container-image=registry.aliyu...
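To catch expiry before kubectl starts failing, the check from steps 1 and 4 can be scripted. The Python script below is an added example, not part of the original post: it parses `kubeadm certs check-expiration` output and flags entries that have expired or will expire within warn_days. The SAMPLE text, the function names and the 30-day threshold are assumptions made for illustration.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout printed by `kubeadm certs check-expiration`
# (one certificate renewed, two still expired, one CA).
SAMPLE = """\
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Sep 14, 2022 14:01 UTC   <invalid>                               no
apiserver                  Sep 15, 2023 01:53 UTC   364d            ca                      no
etcd-server                Sep 14, 2022 14:01 UTC   <invalid>       etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 12, 2031 14:01 UTC   8y              no
"""

# Entry name, then the "Mon DD, YYYY HH:MM UTC" expiry column.
# Header rows and [check-expiration] log lines do not match.
ROW = re.compile(r"^(\S+)\s+([A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}) UTC\b")


def parse_expiry(text):
    """Return {entry name: expiry as an aware UTC datetime} for every table row."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            when = datetime.strptime(m.group(2), "%b %d, %Y %H:%M")
            rows[m.group(1)] = when.replace(tzinfo=timezone.utc)
    return rows


def classify(text, now, warn_days=30):
    """Sort entries into expired / expiring (within warn_days) / ok, relative to `now`."""
    report = {"expired": [], "expiring": [], "ok": []}
    for name, when in sorted(parse_expiry(text).items()):
        if when <= now:
            report["expired"].append(name)
        elif when - now <= timedelta(days=warn_days):
            report["expiring"].append(name)
        else:
            report["ok"].append(name)
    return report


if __name__ == "__main__":
    # Usage: kubeadm certs check-expiration | python3 check_certs.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    result = classify(text, datetime.now(timezone.utc))
    for state in ("expired", "expiring", "ok"):
        print(f"{state:9} {', '.join(result[state]) or '-'}")
    sys.exit(1 if result["expired"] or result["expiring"] else 0)
```

The script compares the EXPIRES column against the current time rather than trusting the RESIDUAL TIME column, and exits non-zero when anything is expired or close to expiry, so it can drive a cron or monitoring alert.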