自建K8S集群認證過期【轉】

今天使用kubectl命令查看pod信息時，一直正常運行的k8s集群突然不能訪問了，輸入任何命令都提示以下報錯：
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2025-01-25T11:35:45+08:00 is after 2024-11-22T23:44:48Z

解決方案：

參考官方文檔： kubeadm證書管理使用命令kubeadm alpha certs來管理證書：

使用命令kubeadm alpha certs renew all更新證書，返回

[renew] Reading configuration from the cluster...

[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed

certificate for serving the Kubernetes API renewed

certificate the apiserver uses to access etcd renewed

certificate for the API server to connect to kubelet renewed

certificate embedded in the kubeconfig file for the controller manager to use renewed

certificate for liveness probes to healthcheck etcd renewed

certificate for etcd nodes to communicate with each other renewed

certificate for serving etcd renewed

certificate for the front proxy client renewed

certificate embedded in the kubeconfig file for the scheduler manager to use renewed

使用如下命令拷貝新生成的配置文件

sudo kubeadm alpha kubeconfig user --client-name=admin --org=system:masters > /tmp/admin.conf

sudo cp /tmp/admin.conf $HOME/.kube/config

sudo chown $(id -u):$(id -g) $HOME/.kube/config

重啟kubeletsystemctl restart kubelet 即可正常使用K8S集群

[root@k8smaster k8s]# kubectl get po

NAME READY STATUS RESTARTS AGE

cron-job-test-1732318920-k2g76 0/1 Completed 0 63d

cron-job-test-1732318980-kcr4x 0/1 Completed 0 63d

cron-job-test-1732319040-b88rf 0/1 Completed 0 63d

再次查看證書到期情況

[root@k8smaster k8s]# kubeadm alpha certs check-expiration

[check-expiration] Reading configuration from the cluster...

[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED

admin.conf                 Jan 25, 2026 05:55 UTC   364d                                    no

apiserver                  Jan 25, 2026 05:55 UTC   364d            ca                      no

apiserver-etcd-client      Jan 25, 2026 05:55 UTC   364d            etcd-ca                 no

apiserver-kubelet-client   Jan 25, 2026 05:55 UTC   364d            ca                      no

controller-manager.conf    Jan 25, 2026 05:55 UTC   364d                                    no

etcd-healthcheck-client    Jan 25, 2026 05:55 UTC   364d            etcd-ca                 no

etcd-peer                  Jan 25, 2026 05:55 UTC   364d            etcd-ca                 no

etcd-server                Jan 25, 2026 05:55 UTC   364d            etcd-ca                 no

front-proxy-client         Jan 25, 2026 05:55 UTC   364d            front-proxy-ca          no

scheduler.conf             Jan 25, 2026 05:55 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED

ca Nov 20, 2033 23:44 UTC 8y no

etcd-ca Nov 20, 2033 23:44 UTC 8y no

front-proxy-ca Nov 20, 2033 23:44 UTC 8y no

注意事項：

官網上給的命令是kubeadm certs check-expiration，標識的k8s版本是V1.15，直接在本地執行該命令報錯：

[root@k8smaster k8s]# kubeadm certs check-expiration

unknown command "certs" for "kubeadm"

To see the stack trace of this error execute with --v=5 or higher

查了下，我本地的k8s版本是1.19，certs命令放在了 kubeadm alpha下，需要將kubeadm certs替換為 kubeadm aplha certs執行即可

[root@k8smaster k8sh]# kubeadm version

kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.5", GitCommit:"e338cf2c6d297aa603b50ad3a301f761b4173aa6", GitTreeState:"clean", BuildDate:"2020-12-09T11:16:40Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"}

[root@k8smaster k8s]# kubeadm --help

    ┌──────────────────────────────────────────────────────────┐

│ KUBEADM │

│ Easily bootstrap a secure Kubernetes cluster │

│ │

│ Please give us feedback at: │

│ https://github.com/kubernetes/kubeadm/issues │

    └──────────────────────────────────────────────────────────┘

Example usage:

Create a two-machine cluster with one control-plane node

(which controls the cluster), and one worker node

(where your workloads, like Pods and Deployments run).

    ┌──────────────────────────────────────────────────────────┐

│ On the first machine: │

    ├──────────────────────────────────────────────────────────┤

│ control-plane# kubeadm init │

    └──────────────────────────────────────────────────────────┘

    ┌──────────────────────────────────────────────────────────┐

│ On the second machine: │

    ├──────────────────────────────────────────────────────────┤

│ worker# kubeadm join <arguments-returned-from-init> │

    └──────────────────────────────────────────────────────────┘

You can then repeat the second step on as many other machines as you like.

Usage:

kubeadm [command]

Available Commands:

alpha Kubeadm experimental sub-commands

completion Output shell completion code for the specified shell (bash or zsh)

  config      Manage configuration for a kubeadm cluster persisted in a ConfigMap in the                   cluster

help Help about any command

  init        Run this command in order to set up the Kubernetes control plane

join Run this on any machine you wish to join an existing cluster

  reset       Performs a best effort revert of changes made to this host by 'kubeadm init                  ' or 'kubeadm join'

token Manage bootstrap tokens

upgrade Upgrade your cluster smoothly to a newer version with this command

version Print the version of kubeadm

Flags:

      --add-dir-header           If true, adds the file directory to the header of the lo                  g messages

  -h, --help                     help for kubeadm

--log-file string If non-empty, use this log file

      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is                   megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)

      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesyst                  em.

      --skip-headers             If true, avoid header prefixes in the log messages

--skip-log-headers If true, avoid headers when opening log files

-v, --v Level number for the log level verbosity

Use "kubeadm [command] --help" for more information about a command.

[root@k8smaster k8s]# kubectl alpha --help

These commands correspond to alpha features that are not enabled in Kubernetes

clusters by default.

Available Commands:

debug Attach a debug container to a running pod

Use "kubectl <command> --help" for more information about a given command.

[root@k8smaster k8s]# kubeadm alpha --help

Kubeadm experimental sub-commands

Usage:

kubeadm alpha [command]

Available Commands:

certs Commands related to handling kubernetes certificates

kubeconfig Kubeconfig file utilities

selfhosting Make a kubeadm cluster self-hosted

Flags:

  -h, --help   help for alpha

Global Flags:

      --add-dir-header           If true, adds the file directory to the header of the log messages

--log-file string If non-empty, use this log file

      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)

      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.

      --skip-headers             If true, avoid header prefixes in the log messages

--skip-log-headers If true, avoid headers when opening log files

-v, --v Level number for the log level verbosity

Additional help topics:

  kubeadm alpha phase Invoke subsets of kubeadm functions separately for a manual install

Use "kubeadm alpha [command] --help" for more information about a command.

自建K8S集群認證過期 - wenha - 博客園
http://www.rzrgm.cn/wenha/p/18690938

posted @ 2025-09-02 16:17 paul_hch 閱讀(8) 評論(0) 收藏舉報

刷新頁面返回頂部

hch的隨筆成功的秘訣在于恒心—迪斯雷利

成功的秘訣在于恒心——迪斯雷利

自建K8S集群認證過期【轉】

解決方案：

注意事項：

公告

hch的隨筆 成功的秘訣在于恒心—迪斯雷利

成功的秘訣在于恒心——迪斯雷利

自建K8S集群認證過期 【轉】

解決方案：

注意事項：

公告

hch的隨筆成功的秘訣在于恒心—迪斯雷利

自建K8S集群認證過期【轉】