lostsquirrelX

[Lesson learned] Certificates expired on a kubeadm-created k8s cluster, part of the environment went down

  •   lostsquirrelX · Jul 10, 2020 · 3036 views

    Certificates expired on a kubeadm-created k8s cluster

    • k8s version: v1.14.3
    • OS: Ubuntu 16.04
    1. Renew the certificates

      kubeadm alpha certs renew all
      
    2. Upgrade kubeadm (because of the apt source, this post upgraded to v1.17.3; the minimum usable version was not verified)

      apt update
      apt install kubeadm
      
    3. Renew the certificates in the config files

      kubeadm alpha certs renew admin.conf
      kubeadm alpha certs renew controller-manager.conf
      kubeadm alpha certs renew scheduler.conf
      
    4. Check the certificate validity periods and make sure everything was renewed

      kubeadm alpha certs check-expiration
      
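    5. Generate a temporary token (requires the api-server to be running normally)

      Note: completing the previous steps involved quite a lot of trial-and-error configuration, so some configuration may have been left out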

      kubeadm token create $(kubeadm token generate)
      
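    6. Update bootstrap-kubelet.conf on all nodes, delete the invalid kubelet.conf, and restart kubelet on the nodes

      Replace the token in bootstrap-kubelet.conf with the token generated in the previous step. For multiple nodes an automation tool is recommended (the author uses Ansible)

      # 'old.token' and 'new.token' are placeholders for the expired and the new bootstrap token
      - name: update kubelet bootstrap token
        replace:
          # the token lives in bootstrap-kubelet.conf (kubeadm keeps it under /etc/kubernetes)
          path: /etc/kubernetes/bootstrap-kubelet.conf
          regexp: 'old.token'
          replace: 'new.token'
      
      # with kubelet.conf gone, kubelet re-bootstraps from bootstrap-kubelet.conf on restart
      - name: remove the old kubelet.conf
        file:
          path: /etc/kubernetes/kubelet.conf
          state: absent
      
      - name: restart service kubelet, in all cases
        systemd:
          name: kubelet
          state: restarted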
      
    7. Update the kubectl config

      cp /etc/kubernetes/admin.conf ~/.kube/config
      
    8. Verify that the cluster is back to normal
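
An added example, not part of the original post: a POSIX shell check that reports kubeadm certificates nearing expiry, covering the PKI directory as well as the client certificates carried by the kubeconfig files that steps 3 and 6 deal with. It assumes the default kubeadm layout under /etc/kubernetes and an `openssl` binary; the function names and the `EXPIRING` output format are made up for this example.

```shell
#!/bin/sh
# Flag kubeadm certificates that expire within a given number of days.
# Checks PEM files in the PKI directory and the client certificates that
# kubeconfig files (admin.conf, scheduler.conf, ...) embed or reference.

# cert_expiring PEMFILE DAYS: true if the cert expires within DAYS days.
# An unreadable or unparsable file is also reported (fail closed).
cert_expiring() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# kubeconfig_cert KUBECONFIG OUTFILE: write the client cert as PEM to OUTFILE.
# Returns non-zero when the file carries no certificate (e.g. token auth).
kubeconfig_cert() {
    data=$(sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$1" | head -n 1)
    if [ -n "$data" ]; then
        printf '%s\n' "$data" | openssl base64 -d -A > "$2" 2>/dev/null
        return
    fi
    ref=$(sed -n 's/^[[:space:]]*client-certificate:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$ref" ] && [ -f "$ref" ] && cat "$ref" > "$2"
}

# scan PKI_DIR CONF_DIR DAYS: print one line per expiring certificate.
# Returns 1 if anything was reported, 0 otherwise.
scan() {
    pki_dir=$1; conf_dir=$2; days=$3; rc=0
    tmp=$(mktemp) || return 2
    for crt in "$pki_dir"/*.crt "$pki_dir"/etcd/*.crt; do
        [ -f "$crt" ] || continue
        if cert_expiring "$crt" "$days"; then
            echo "EXPIRING $crt"; rc=1
        fi
    done
    for conf in "$conf_dir"/*.conf; do
        [ -f "$conf" ] || continue
        if kubeconfig_cert "$conf" "$tmp" && cert_expiring "$tmp" "$days"; then
            echo "EXPIRING $conf (client certificate)"; rc=1
        fi
    done
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh check-certs.sh /etc/kubernetes [days]   (default: 30 days)
if [ "$#" -gt 0 ]; then
    scan "$1/pki" "$1" "${2:-30}"
fi
```

Run from cron on a control-plane node, the non-zero exit status can drive an alert well before the certificates lapse.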

    2 replies    2020-07-10 23:37:49 +08:00
    #1 kennylam777 · Jul 10, 2020
    Since you're already using Ansible, why not consider kubespray?
    #2 1daydayde · Jul 10, 2020 via iPhone
    As I recall, kubeadm can renew the cluster's certificates.