Kubeadm搭建的K8S集群怎么更新证书

kubeadm搭建集群怎么更新证书

master节点查看证书有效期

#  kubeadm certs check-expiration
[check-expiration] Reading configuration from the "kubeadm-config" ConfigMap in namespace "kube-system"...
[check-expiration] Use 'kubeadm init phase upload-config --config your-config-file' to re-upload it.CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 27, 2027 07:24 UTC   363d            ca                      no      
apiserver                  Jan 28, 2027 03:10 UTC   363d            ca                      no      
apiserver-etcd-client      Jan 27, 2027 07:24 UTC   363d            etcd-ca                 no      
apiserver-kubelet-client   Jan 27, 2027 07:24 UTC   363d            ca                      no      
controller-manager.conf    Jan 27, 2027 07:24 UTC   363d            ca                      no      
etcd-healthcheck-client    Jan 27, 2027 07:24 UTC   363d            etcd-ca                 no      
etcd-peer                  Jan 27, 2027 07:24 UTC   363d            etcd-ca                 no      
etcd-server                Jan 27, 2027 07:24 UTC   363d            etcd-ca                 no      
front-proxy-client         Jan 27, 2027 07:24 UTC   363d            front-proxy-ca          no      
scheduler.conf             Jan 27, 2027 07:24 UTC   363d            ca                      no      
super-admin.conf           Jan 27, 2027 07:24 UTC   363d            ca                      no      CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 25, 2036 07:24 UTC   9y              no      
etcd-ca                 Jan 25, 2036 07:24 UTC   9y              no      
front-proxy-ca          Jan 25, 2036 07:24 UTC   9y              no      
root@Ubuntu22K8SMaster003151:~# 

更新证书

# kubeadm certs renew all
[renew] Reading configuration from the "kubeadm-config" ConfigMap in namespace "kube-system"...
[renew] Use 'kubeadm init phase upload-config --config your-config-file' to re-upload it.certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
certificate embedded in the kubeconfig file for the super-admin renewedDone renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

更新kubeconfig配置文件

sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

如果 kube-proxy 等组件也需要新证书，可以

sudo kubeadm init phase kubeconfig all

更新完证书后，需要让 API Server、Controller Manager、Scheduler 等加载新证书，可以直接重启 kubelet，kubelet 会重新启动这些静态 Pod：