1. Check certificate expiration

kubeadm certs check-expiration

# Every entry showing <invalid> has expired
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Sep 14, 2022 14:01 UTC   <invalid>                               no      
apiserver                  Sep 14, 2022 14:01 UTC   <invalid>       ca                      no      
apiserver-etcd-client      Sep 14, 2022 14:01 UTC   <invalid>       etcd-ca                 no      
apiserver-kubelet-client   Sep 14, 2022 14:01 UTC   <invalid>       ca                      no      
controller-manager.conf    Sep 14, 2022 14:01 UTC   <invalid>                               no      
etcd-healthcheck-client    Sep 14, 2022 14:01 UTC   <invalid>       etcd-ca                 no      
etcd-peer                  Sep 14, 2022 14:01 UTC   <invalid>       etcd-ca                 no      
etcd-server                Sep 14, 2022 14:01 UTC   <invalid>       etcd-ca                 no      
front-proxy-client         Sep 14, 2022 14:01 UTC   <invalid>       front-proxy-ca          no      
scheduler.conf             Sep 14, 2022 14:01 UTC   <invalid>                               no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 12, 2031 14:01 UTC   8y              no      
etcd-ca                 Sep 12, 2031 14:01 UTC   8y              no      
front-proxy-ca          Sep 12, 2031 14:01 UTC   8y              no


# Alternatively, check with openssl; it also shows the certificate has expired
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep 'Not'
            Not Before: Sep 14 14:01:12 2021 GMT
            Not After : Sep 14 14:01:12 2022 GMT

2. Back up the certificates

cp -rp /etc/kubernetes /etc/kubernetes.bak

3. Regenerate the certificates; with this command there is no need to delete the expired certificates first

kubeadm alpha certs renew all

4. Check the certificate expiration again

# Now shows the certificate is valid into 2023
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep 'Not'
            Not Before: Sep 14 14:01:12 2021 GMT
            Not After : Sep 15 01:53:20 2023 GMT

5. Update the user's certificate credentials

cp /etc/kubernetes/admin.conf ~/.kube/config

6. Restart kubelet

systemctl restart kubelet

7. Restart the apiserver, scheduler and controller-manager containers

docker ps | grep apiserver
docker ps | grep scheduler
docker ps | grep controller-manager

docker restart containerID

8. Check the status: success

systemctl status kubelet


# Success
● kubelet.service - kubelet: The Kubernetes Node Agent
   Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/kubelet.service.d
           └─10-kubeadm.conf
   Active: active (running) since Thu 2022-09-15 09:56:24 CST; 2min 6s ago
     Docs: https://kubernetes.io/docs/
 Main PID: 10193 (kubelet)
    Tasks: 15
   Memory: 42.5M
   CGroup: /system.slice/kubelet.service
           └─10193 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --network-plugin=cni --pod-infra-container-image=registry.aliyu...
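
The check from step 1 can be run on a schedule so that expiry is caught before the cluster breaks. The following is an added example, not part of the original post: it parses the table printed by `kubeadm certs check-expiration` and classifies each row by its EXPIRES column. The sample rows are constructed from the output shown above, and `classify` and `warn_days` are hypothetical names.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the table format shown in step 1 (illustrative values).
SAMPLE = """\
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Sep 14, 2022 14:01 UTC   <invalid>                               no
apiserver                  Sep 15, 2023 01:53 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 12, 2031 14:01 UTC   8y              no
"""

# A data row is "<name>  <Mon DD, YYYY HH:MM> UTC ..."; header and log lines do not match.
ROW = re.compile(r"^(\S+)\s+([A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}) UTC\s")


def classify(output, now, warn_days=30):
    """Map each certificate name to 'expired', 'expiring' or 'ok'."""
    result = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        expires = datetime.strptime(m.group(2), "%b %d, %Y %H:%M")
        expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            result[m.group(1)] = "expired"
        elif expires - now <= timedelta(days=warn_days):
            result[m.group(1)] = "expiring"
        else:
            result[m.group(1)] = "ok"
    return result


if __name__ == "__main__":
    # Pass a file holding saved kubeadm output, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, state in classify(text, datetime.now(timezone.utc)).items():
        print(f"{state:9} {name}")
```

The date in the EXPIRES column is used rather than RESIDUAL TIME because it gives an exact comparison against any warning threshold.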