Kubernetes:已过期的证书
我们的Kubernetes 1.6集群在2017年4月13日构建时生成了证书 2017年12月13日,我们的集群升级到1.8版,并生成了新的证书[显然,证书集不完整] 2018年4月13日,我们开始在Kubernetes api服务器仪表板中看到以下消息:Kubernetes:已过期的证书,kubernetes,x509certificate,kubernetes-apiserver,Kubernetes,X509certificate,Kubernetes Apiserver,我们的Kubernetes 1.6集群在2017年4月13日构建时生成了证书 2017年12月13日,我们的集群升级到1.8版,并生成了新的证书[显然,证书集不完整] 2018年4月13日,我们开始在Kubernetes api服务器仪表板中看到以下消息: [authentication.go:64]由于错误而无法对请求进行身份验证:[x509:证书已过期或无效,x509:证书已过期或无效] 尝试将/etc/kubernetes/kubelet.conf中的客户端证书和客户端密钥指向12月13日
[authentication.go:64]由于错误而无法对请求进行身份验证:[x509:证书已过期或无效,x509:证书已过期或无效]/etc/kubernetes/kubelet.confapiserver-kubelet-client.crtapiserver-kubelet-client.crt/etc/kubernetes/kubelet.confapiserver.crtapiserver.crt/etc/kubernetes/kubelet.conf/var/log/syslogApr 17 17:50:08 kuber01 kubelet[2422]:W0417 17:50:08.181326 2422服务器。go:381]无效kubeconfig:无效配置:[无法读取客户端证书/tmp/this/cert/does/not/exist.crt for system:node:node01由于打开/tmp/this/cert/does/not/exist.crt:没有这样的文件或目录,无法读取客户端密钥/tmp/this/key/does/not/exist.key for system:node:node01由于打开/tmp/this/key/does/not/exist.key:没有这样的文件或目录]kubeadm alpha phase certs apiserverKubernetes相对较新,设置此项的先生不可咨询…感谢您的帮助。我认为您需要重新生成apiserver证书
/etc/Kubernetes/pki/apiserver.crtopenssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '
Not Before: Dec 20 14:32:00 2017 GMT
Not After : Dec 20 14:32:00 2018 GMT
要检查所有证书的过期日期:
find /etc/kubernetes/pki/ -type f -name "*.crt" -print|egrep -v 'ca.crt$'|xargs -L 1 -t -i bash -c 'openssl x509 -noout -text -in {}|grep After'
mv /etc/kubernetes/pki/apiserver.key /etc/kubernetes/pki/apiserver.key.old
mv /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.crt.old
mv /etc/kubernetes/pki/apiserver-kubelet-client.crt /etc/kubernetes/pki/apiserver-kubelet-client.crt.old
mv /etc/kubernetes/pki/apiserver-kubelet-client.key /etc/kubernetes/pki/apiserver-kubelet-client.key.old
mv /etc/kubernetes/pki/front-proxy-client.crt /etc/kubernetes/pki/front-proxy-client.crt.old
mv /etc/kubernetes/pki/front-proxy-client.key /etc/kubernetes/pki/front-proxy-client.key.old
kubeadm alpha phase certs apiserver --config /root/kubeadm-kubetest.yaml
kubeadm alpha phase certs apiserver-kubelet-client
kubeadm alpha phase certs front-proxy-client
mv /etc/kubernetes/pki/apiserver-etcd-client.crt /etc/kubernetes/pki/apiserver-etcd-client.crt.old
mv /etc/kubernetes/pki/apiserver-etcd-client.key /etc/kubernetes/pki/apiserver-etcd-client.key.old
kubeadm alpha phase certs apiserver-etcd-client
mv /etc/kubernetes/pki/etcd/server.crt /etc/kubernetes/pki/etcd/server.crt.old
mv /etc/kubernetes/pki/etcd/server.key /etc/kubernetes/pki/etcd/server.key.old
kubeadm alpha phase certs etcd-server --config /root/kubeadm-kubetest.yaml
mv /etc/kubernetes/pki/etcd/healthcheck-client.crt /etc/kubernetes/pki/etcd/healthcheck-client.crt.old
mv /etc/kubernetes/pki/etcd/healthcheck-client.key /etc/kubernetes/pki/etcd/healthcheck-client.key.old
kubeadm alpha phase certs etcd-healthcheck-client --config /root/kubeadm-kubetest.yaml
mv /etc/kubernetes/pki/etcd/peer.crt /etc/kubernetes/pki/etcd/peer.crt.old
mv /etc/kubernetes/pki/etcd/peer.key /etc/kubernetes/pki/etcd/peer.key.old
kubeadm alpha phase certs etcd-peer --config /root/kubeadm-kubetest.yaml
*) Backup old configuration files
mv /etc/kubernetes/admin.conf /etc/kubernetes/admin.conf.old
mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.old
mv /etc/kubernetes/controller-manager.conf /etc/kubernetes/controller-manager.conf.old
mv /etc/kubernetes/scheduler.conf /etc/kubernetes/scheduler.conf.old
kubeadm alpha phase kubeconfig all --config /root/kubeadm-kubetest.yaml
mv $HOME/.kube/config .$HOMEkube/config.old
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
chmod 777 $HOME/.kube/config
export KUBECONFIG=.kube/config
记得更新你的CI/CD作业kubeconfig文件。如果你正在使用helm命令,也要测试它。Kubernetes集群中的每个节点都包含一个配置文件,用于运行kubelet。
/etc/Kubernetes/kubelet.conf/etc/kubernetes/ca.key/etc/kubernetes/kubelet.confkubelet.confkubectl.confadmin.confcontroller manager.confscheduler.conf/etc/kubernetes/pki/ca.key专业提示:使用
--apiserver advision address$ sudo docker ps -a | grep apiserver
af99f816c7ec gcr.io/google_containers/kube-apiserver@sha256:53b987e5a2932bdaff88497081b488e3b56af5b6a14891895b08703129477d85 "/bin/sh -c '/usr/loc" 15 months ago Up 19 hours k8s_kube-apiserver_kube-apiserver-ip-xxxxxc_0
40f3a18050c3 gcr.io/google_containers/pause-amd64:3.0 "/pause" 15 months ago Up 15 months k8s_POD_kube-apiserver-ip-xxxc_0
$ sudo docker restart af99f816c7ec
af99f816c7ec
$
本主题也将在以下章节中讨论:
-
- 1.15后kubeadm升级将自动为您更新证书
- 此外,1.15还添加了一个命令来检查kubeadm中的证书过期
Kubernetes v1.15提供了“使用kubeadm进行证书管理”的文档:
- 检查证书到期时间:
- 自动证书续订:
- kubeadm在控制平面升级期间更新所有证书
- 手动证书更新:
- 您可以随时使用
命令手动续订证书kubeadm alpha certs renew - 此命令使用存储在/etc/kubernetes/pki中的CA(或前端代理CA)证书和密钥执行续订
- 您可以随时使用
对于Kubernetes v1.14我发现此过程最有帮助:
- 备份并重新生成所有证书:
- 复制新的admin.conf:
如果已更新证书或证书已自动更新,则必须在所有主节点上重新启动kube apiserver 去大师赛寻找
docker ps | grep-i kube apise
kubeadm alpha certs check-expiration
$ cd /etc/kubernetes/pki/
$ mv {apiserver.crt,apiserver-etcd-client.key,apiserver-kubelet-client.crt,front-proxy-ca.crt,front-proxy-client.crt,front-proxy-client.key,front-proxy-ca.key,apiserver-kubelet-client.key,apiserver.key,apiserver-etcd-client.crt} ~/
$ kubeadm init phase certs all --apiserver-advertise-address <IP>
$ cd /etc/kubernetes/
$ mv {admin.conf,controller-manager.conf,kubelet.conf,scheduler.conf} ~/
$ kubeadm init phase kubeconfig all
$ reboot
$ cp -i /etc/kubernetes/admin.conf $HOME/.kube/config