自建K8S集群认证过期

马哥Linux运维 2025-02-07 642

描述

今天使用kubectl命令查看pod信息时，一直正常运行的k8s集群突然不能访问了，输入任何命令都提示以下报错：
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2025-01-25T1145+08:00 is after 2024-11-22T2348Z

解决方案：

参考官方文档： kubeadm证书管理使用命令kubeadm alpha certs来管理证书：

使用命令kubeadm alpha certs renew all更新证书，返回

	[renew] Reading configuration from the cluster...
	[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

	certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
	certificate for serving the Kubernetes API renewed
	certificate the apiserver uses to access etcd renewed
	certificate for the API server to connect to kubelet renewed
	certificate embedded in the kubeconfig file for the controller manager to use renewed
	certificate for liveness probes to healthcheck etcd renewed
	certificate for etcd nodes to communicate with each other renewed
	certificate for serving etcd renewed
	certificate for the front proxy client renewed
	certificate embedded in the kubeconfig file for the scheduler manager to use renewed

使用如下命令拷贝新生成的配置文件

	sudo kubeadm alpha kubeconfig user --client-name=admin --org=system:masters > /tmp/admin.conf
	sudo cp /tmp/admin.conf $HOME/.kube/config
	sudo chown $(id -u):$(id -g) $HOME/.kube/config

重启kubeletsystemctl restart kubelet 即可正常使用K8S集群

	[root@k8smaster k8s]# kubectl get po
	NAME READY STATUS RESTARTS AGE
	cron-job-test-1732318920-k2g76 0/1 Completed 0 63d
	cron-job-test-1732318980-kcr4x 0/1 Completed 0 63d
	cron-job-test-1732319040-b88rf 0/1 Completed 0 63d

再次查看证书到期情况

	[root@k8smaster k8s]# kubeadm alpha certs check-expiration
	[check-expiration] Reading configuration from the cluster...
	[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

	CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
	admin.conf Jan 25, 2026 05:55 UTC 364d no
	apiserver Jan 25, 2026 05:55 UTC 364d ca no
	apiserver-etcd-client Jan 25, 2026 05:55 UTC 364d etcd-ca no
	apiserver-kubelet-client Jan 25, 2026 05:55 UTC 364d ca no
	controller-manager.conf Jan 25, 2026 05:55 UTC 364d no
	etcd-healthcheck-client Jan 25, 2026 05:55 UTC 364d etcd-ca no
	etcd-peer Jan 25, 2026 05:55 UTC 364d etcd-ca no
	etcd-server Jan 25, 2026 05:55 UTC 364d etcd-ca no
	front-proxy-client Jan 25, 2026 05:55 UTC 364d front-proxy-ca no
	scheduler.conf Jan 25, 2026 05:55 UTC 364d no

	CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
	ca Nov 20, 2033 23:44 UTC 8y no
	etcd-ca Nov 20, 2033 23:44 UTC 8y no
	front-proxy-ca Nov 20, 2033 23:44 UTC 8y no

注意事项：

官网上给的命令是kubeadm certs check-expiration，标识的k8s版本是V1.15，直接在本地执行该命令报错：

	[root@k8smaster k8s]# kubeadm certs check-expiration
	unknown command "certs" for "kubeadm"
	To see the stack trace of this error execute with --v=5 or higher

查了下，我本地的k8s版本是1.19，certs命令放在了 kubeadm alpha下，需要将kubeadm certs替换为 kubeadm aplha certs执行即可

	[root@k8smaster k8sh]# kubeadm version
	kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.5", GitCommit:"e338cf2c6d297aa603b50ad3a301f761b4173aa6", GitTreeState:"clean", BuildDate:"2020-12-09T1140Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"}

	[root@k8smaster k8s]# kubeadm --help


	┌──────────────────────────────────────────────────────────┐
	│ KUBEADM │
	│ Easily bootstrap a secure Kubernetes cluster │
	│ │
	│ Please give us feedback at: │
	│ https://github.com/kubernetes/kubeadm/issues │
	└──────────────────────────────────────────────────────────┘
	Example usage:
	Create a two-machine cluster with one control-plane node
	(which controls the cluster), and one worker node
	(where your workloads, like Pods and Deployments run).
	┌──────────────────────────────────────────────────────────┐
	│ On the first machine: │
	├──────────────────────────────────────────────────────────┤
	│ control-plane# kubeadm init │
	└──────────────────────────────────────────────────────────┘
	┌──────────────────────────────────────────────────────────┐
	│ On the second machine: │
	├──────────────────────────────────────────────────────────┤
	│ worker# kubeadm join │
	└──────────────────────────────────────────────────────────┘
	You can then repeat the second step on as many other machines as you like.
	Usage:
	kubeadm [command]
	Available Commands:
	alpha Kubeadm experimental sub-commands
	completion Output shell completion code for the specified shell (bash or zsh)
	config Manage configuration for a kubeadm cluster persisted in a ConfigMap in the cluster
	help Help about any command
	init Run this command in order to set up the Kubernetes control plane
	join Run this on any machine you wish to join an existing cluster
	reset Performs a best effort revert of changes made to this host by 'kubeadm init ' or 'kubeadm join'
	token Manage bootstrap tokens
	upgrade Upgrade your cluster smoothly to a newer version with this command
	version Print the version of kubeadm
	Flags:
	--add-dir-header If true, adds the file directory to the header of the lo g messages
	-h, --help help for kubeadm
	--log-file string If non-empty, use this log file
	--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
	--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesyst em.
	--skip-headers If true, avoid header prefixes in the log messages
	--skip-log-headers If true, avoid headers when opening log files
	-v, --v Level number for the log level verbosity
	Use "kubeadm [command] --help" for more information about a command.
	[root@k8smaster k8s]# kubectl alpha --help
	These commands correspond to alpha features that are not enabled in Kubernetes
	clusters by default.
	Available Commands:
	debug Attach a debug container to a running pod
	Use "kubectl --help" for more information about a given command.
	[root@k8smaster k8s]# kubeadm alpha --help
	Kubeadm experimental sub-commands
	Usage:
	kubeadm alpha [command]
	Available Commands:
	certs Commands related to handling kubernetes certificates
	kubeconfig Kubeconfig file utilities
	selfhosting Make a kubeadm cluster self-hosted
	Flags:
	-h, --help help for alpha
	Global Flags:
	--add-dir-header If true, adds the file directory to the header of the log messages
	--log-file string If non-empty, use this log file
	--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
	--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
	--skip-headers If true, avoid header prefixes in the log messages
	--skip-log-headers If true, avoid headers when opening log files
	-v, --v Level number for the log level verbosity
	Additional help topics:
	kubeadm alpha phase Invoke subsets of kubeadm functions separately for a manual install

	Use "kubeadm alpha [command] --help" for more information about a command.

链接：https://www.cnblogs.com/wenha/p/18690938

打开APP阅读更多精彩内容