k8s certificate replacement


k8s version -------> v1.10.5

I. Confirm the k8s version

First, check the version information of kubectl and kubeadm. Newer and older kubeadm releases use somewhat different command sets for generating certificates, so the procedure below depends on which one you have.

root@i-gsbmo5ke:/etc/kubernetes/pki# kubeadm  version
kubeadm version: &version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.5", GitCommit:"32ac1c9073b132b8ba18aa830f46b77dcceb0723", GitTreeState:"archive", BuildDate:"2018-06-30T06:36:14Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
root@i-gsbmo5ke:/etc/kubernetes/pki# kubectl version
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.5", GitCommit:"32ac1c9073b132b8ba18aa830f46b77dcceb0723", GitTreeState:"clean", BuildDate:"2018-06-21T11:46:00Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.5", GitCommit:"32ac1c9073b132b8ba18aa830f46b77dcceb0723", GitTreeState:"clean", BuildDate:"2018-06-21T11:34:22Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

II. Check the certificate expiry dates and back up

1. Check the certificate expiry dates
root@i-gsbmo5ke:~# cd /etc/kubernetes/
root@i-gsbmo5ke:/etc/kubernetes# ls
addons                   env.sh      init_token.metad  qingcloud.conf
admin.conf               fluentbit   kubelet           scale_in.info
calico                   hostnic     kubelet.conf      scheduler.conf
controller-manager.conf  hosts       manifests
curator                  init_token  pki
root@i-gsbmo5ke:/etc/kubernetes# cd pki
root@i-gsbmo5ke:/etc/kubernetes/pki# ls
apiserver.crt                 ca.crt                  front-proxy-client.key
apiserver-etcd-client.crt     ca.key                  pki
apiserver-etcd-client.key     etcd                    sa.key
apiserver.key                 front-proxy-ca.crt      sa.pub
apiserver-kubelet-client.crt  front-proxy-ca.key
apiserver-kubelet-client.key  front-proxy-client.crt
root@i-gsbmo5ke:/etc/kubernetes/pki#  for i in `ls *.crt etcd/*.crt`
> do
> echo "$i:"
> openssl x509 -in  $i -noout -enddate
> done
apiserver.crt:
notAfter=Aug 26 09:28:52 2022 GMT
apiserver-etcd-client.crt:
notAfter=Aug 26 09:28:56 2022 GMT
apiserver-kubelet-client.crt:
notAfter=Aug 26 09:28:53 2022 GMT
ca.crt:
notAfter=Aug 24 09:28:52 2031 GMT
etcd/ca.crt:
notAfter=Aug 24 09:28:55 2031 GMT
etcd/healthcheck-client.crt:
notAfter=Aug 26 09:28:56 2022 GMT
etcd/peer.crt:
notAfter=Aug 26 09:28:55 2022 GMT
etcd/server.crt:
notAfter=Aug 26 09:28:55 2022 GMT
front-proxy-ca.crt:
notAfter=Aug 24 09:28:54 2031 GMT
front-proxy-client.crt:
notAfter=Aug 26 09:28:54 2022 GMT

As shown above, a few certificates are valid for 10 years, but most are valid for only 1 year. A certificate rotation normally replaces the one-year certificates, together with admin.conf, kubelet.conf, scheduler.conf and controller-manager.conf in /etc/kubernetes (these kubeconfig files embed client certificates of their own). For the backup, it is recommended to back up the whole /etc/kubernetes directory.

2. Back up

Back up the whole /etc/kubernetes directory:

root@i-gsbmo5ke:/etc/kubernetes# mkdir /opt/bak_2021_08_30 && cp -rp /etc/kubernetes/* /opt/bak_2021_08_30/
root@i-gsbmo5ke:/etc/kubernetes/pki# ls /opt/bak_2021_08_30/kubernetes/pki
apiserver.crt                 ca.crt                  front-proxy-client.key
apiserver-etcd-client.crt     ca.key                  pki
apiserver-etcd-client.key     etcd                    sa.key
apiserver.key                 front-proxy-ca.crt      sa.pub
apiserver-kubelet-client.crt  front-proxy-ca.key
apiserver-kubelet-client.key  front-proxy-client.crt
root@i-gsbmo5ke:/etc/kubernetes/pki# ls /opt/bak_2021_08_30/kubernetes/pki/etcd/
ca.crt  healthcheck-client.crt  peer.crt  server.crt
ca.key  healthcheck-client.key  peer.key  server.key

III. Regenerate the certificates and config files

With newer kubeadm versions there is no need to remove the original certificate files first. With older kubeadm versions, however, the original certificate files must be removed before regenerating; otherwise kubeadm reports the following and simply keeps the existing certificates instead of issuing new ones.

root@i-gsbmo5ke:/etc/kubernetes/pki# kubeadm alpha phase certs all
[certificates] Using the existing ca certificate and key.
[certificates] Using the existing apiserver certificate and key.
[certificates] Using the existing apiserver-kubelet-client certificate and key.
[certificates] Using the existing sa key.
[certificates] Using the existing front-proxy-ca certificate and key.
[certificates] Using the existing front-proxy-client certificate and key.
[certificates] Using the existing etcd/ca certificate and key.
[certificates] Using the existing etcd/server certificate and key.
[certificates] Using the existing etcd/peer certificate and key.
[certificates] Using the existing etcd/healthcheck-client certificate and key.
[certificates] Using the existing apiserver-etcd-client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
root@i-gsbmo5ke:/etc/kubernetes/pki# 
1. Remove the original certificates

Note: only the original one-year certificates need to be removed here; the ten-year certificates (the CA certificates listed above) must not be removed.

root@i-gsbmo5ke:/etc/kubernetes/pki# mv /etc/kubernetes/pki/apiserver* /tmp
root@i-gsbmo5ke:/etc/kubernetes/pki# mv /etc/kubernetes/pki/front-proxy-client.* /tmp
root@i-gsbmo5ke:/etc/kubernetes/pki# mv /etc/kubernetes/pki/etcd/healthcheck-client.* /tmp
root@i-gsbmo5ke:/etc/kubernetes/pki# mv /etc/kubernetes/pki/etcd/server.* /tmp
root@i-gsbmo5ke:/etc/kubernetes/pki# mv /etc/kubernetes/pki/etcd/peer.* /tmp
root@i-gsbmo5ke:/etc/kubernetes/pki# ls
ca.crt  etcd                front-proxy-ca.key  sa.key
ca.key  front-proxy-ca.crt  pki                 sa.pub
2. Generate the new certificates
root@i-gsbmo5ke:/etc/kubernetes/pki# kubeadm alpha phase certs all
[certificates] Using the existing ca certificate and key.
[certificates] Generated apiserver certificate and key.
[certificates] apiserver serving cert is signed for DNS names [i-gsbmo5ke kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 172.22.22.9]
[certificates] Generated apiserver-kubelet-client certificate and key.
[certificates] Using the existing sa key.
[certificates] Using the existing front-proxy-ca certificate and key.
[certificates] Generated front-proxy-client certificate and key.
[certificates] Using the existing etcd/ca certificate and key.
[certificates] Generated etcd/server certificate and key.
[certificates] etcd/server serving cert is signed for DNS names [localhost] and IPs [127.0.0.1]
[certificates] Generated etcd/peer certificate and key.
[certificates] etcd/peer serving cert is signed for DNS names [i-gsbmo5ke] and IPs [172.22.22.9]
[certificates] Generated etcd/healthcheck-client certificate and key.
[certificates] Generated apiserver-etcd-client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
root@i-gsbmo5ke:/etc/kubernetes/pki# ls
apiserver.crt                 ca.crt                  front-proxy-client.key
apiserver-etcd-client.crt     ca.key                  pki
apiserver-etcd-client.key     etcd                    sa.key
apiserver.key                 front-proxy-ca.crt      sa.pub
apiserver-kubelet-client.crt  front-proxy-ca.key
apiserver-kubelet-client.key  front-proxy-client.crt
3. Remove the original config files and generate new ones
root@i-gsbmo5ke:/etc/kubernetes# ls *.conf
root@i-gsbmo5ke:/etc/kubernetes# mv admin.conf kubelet.conf  scheduler.conf controller-manager.conf /tmp
root@i-gsbmo5ke:/etc/kubernetes# ls *.conf
qingcloud.conf
root@i-gsbmo5ke:/etc/kubernetes# kubeadm alpha phase kubeconfig all
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf"
root@i-gsbmo5ke:/etc/kubernetes# ll *.conf
-rw------- 1 root root 5447 Aug 30 12:58 admin.conf
-rw------- 1 root root 5487 Aug 30 12:58 controller-manager.conf
-rw------- 1 root root 5475 Aug 30 12:58 kubelet.conf
-rw-r--r-- 1 root root   97 Aug 30 11:22 qingcloud.conf
-rw------- 1 root root 5435 Aug 30 12:58 scheduler.conf

IV. Restart the k8s components and the kubelet

1. Restart the related components
root@i-gsbmo5ke:/etc/kubernetes# docker ps -af name=k8s_kube-apiserver* -q | xargs --no-run-if-empty docker rm -f
fffb6807e462
root@i-gsbmo5ke:/etc/kubernetes# docker ps -af name=k8s_kube-scheduler* -q | xargs --no-run-if-empty docker rm -f
ee72e7ab0a14
2591dc3ede91
root@i-gsbmo5ke:/etc/kubernetes# docker ps -af name=k8s_kube-controller-manager* -q | xargs --no-run-if-empty docker rm -f
56fae9d6da13
bda75292af3a
2. Restart the kubelet
root@i-gsbmo5ke:/etc/kubernetes# systemctl restart kubelet
root@i-gsbmo5ke:/etc/kubernetes# systemctl status  kubelet
kubelet.service - Kubernetes Kubelet Server
   Loaded: loaded (/etc/systemd/system/kubelet.service; disabled; vendor preset:
   Active: active (running) since Mon 2021-08-30 13:05:38 UTC; 7s ago
     Docs: https://github.com/GoogleCloudPlatform/kubernetes
 Main PID: 27721 (kubelet)
    Tasks: 15
   Memory: 35.5M
      CPU: 1.607s
   CGroup: /system.slice/kubelet.service
           └─27721 /usr/bin/kubelet --logtostderr=true --v=0 --allow-privileged=
root@i-gsbmo5ke:/etc/kubernetes# 

V. Verification

1. Confirm the certificate dates
root@i-gsbmo5ke:~# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '  # the other certificates are checked the same way
            Not Before: Aug 26 09:28:52 2021 GMT
            Not After : Aug 30 12:53:30 2022 GMT
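A scripted version of the expiry check from section II and the verification above, which also reads the client certificates embedded in admin.conf, kubelet.conf, controller-manager.conf and scheduler.conf (the post's loop over *.crt files does not cover those). This is an added example, not code from the original post; it assumes GNU date, openssl and base64 are installed and the /etc/kubernetes layout shown in section II.

```shell
# Added example, not from the original post. Reports days remaining for each
# kubeadm certificate, including the client certs embedded in the kubeconfig
# files, which the post's loop over *.crt files does not cover.
# Assumes GNU date, openssl and base64 are installed.

# Convert an openssl notAfter string ("Aug 26 09:28:52 2022 GMT") into whole
# days relative to a reference epoch (default: now). Negative means expired.
days_until() {
  local not_after="$1" now="${2:-$(date +%s)}" end
  end=$(date -u -d "$not_after" +%s) || return 1
  echo $(( (end - now) / 86400 ))
}

# Days remaining on a PEM certificate file.
cert_days_left() {
  local not_after
  not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  days_until "$not_after" "${2:-}"
}

# Days remaining on the client certificate embedded in a kubeconfig file
# (the base64-encoded client-certificate-data field).
kubeconfig_days_left() {
  local not_after
  not_after=$(grep -m1 'client-certificate-data:' "$1" | awk '{print $2}' \
    | base64 -d | openssl x509 -noout -enddate | sed 's/^notAfter=//')
  days_until "$not_after" "${2:-}"
}

# Walk the /etc/kubernetes layout from section II and flag anything with
# fewer than $1 days left (default 30). Returns 1 if any cert is that close.
check_kubernetes_certs() {
  local threshold="${1:-30}" dir="${2:-/etc/kubernetes}" rc=0 f d
  for f in "$dir"/pki/*.crt "$dir"/pki/etcd/*.crt; do
    [ -e "$f" ] || continue
    d=$(cert_days_left "$f")
    printf '%-60s %5s days\n' "$f" "$d"
    [ "$d" -ge "$threshold" ] || rc=1
  done
  for f in "$dir"/admin.conf "$dir"/kubelet.conf \
           "$dir"/controller-manager.conf "$dir"/scheduler.conf; do
    [ -e "$f" ] || continue
    d=$(kubeconfig_days_left "$f")
    printf '%-60s %5s days\n' "$f (client cert)" "$d"
    [ "$d" -ge "$threshold" ] || rc=1
  done
  return "$rc"
}
```

Run `check_kubernetes_certs 30` on the master after the rotation; a non-zero exit status means at least one certificate or kubeconfig client cert was not renewed.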
2. Confirm the cluster
root@i-gsbmo5ke:/etc/kubernetes# kubectl get ns
NAME                         STATUS    AGE
default                      Active    4d
kube-public                  Active    4d
kube-system                  Active    4d
kubesphere-controls-system   Active    4d
kubesphere-system            Active    4d
openpitrix-system            Active    4d
test1                        Active    5h
root@i-gsbmo5ke:/etc/kubernetes# kubectl get node
NAME         STATUS    ROLES     AGE       VERSION
i-79a2j7m1   Ready     <none>    4d        v1.10.5
i-awrw5377   Ready     <none>    4d        v1.10.5
i-dwouaajs   Ready     <none>    4d        v1.10.5
i-gsbmo5ke   Ready     master    4d        v1.10.5
i-x9lrathe   Ready     <none>    4d        v1.10.5
root@i-gsbmo5ke:/etc/kubernetes# kubectl get pod -n test1
NAME                     READY     STATUS    RESTARTS   AGE
nginx-6c7dc6f575-6qjsv   1/1       Running   0          5h