[root@k8s-master ~]# kubectl get pods
Unable to connect to the server: x509: certificate has expired or is not yet valid
查看 kube-apiserver 证书的有效期(Not Before / Not After，发现已经过期)
[root@k8s-master1 ~]# echo | openssl s_client -showcerts -servername gnupg.org -connect localhost:6443 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6728265650595807888 (0x5d5f99f61a39c290)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = kubernetes
Validity
Not Before: Jun 14 01:10:20 2022 GMT
Not After : Jun 14 06:55:56 2023 GMT
Subject: CN = kube-apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b6:d7:40:53:d3:8d:b4:d3:50:96:86:eb:bd:7e:
87:46:0a:f0:73:92:91:52:b7:02:d8:f5:63:6e:ad:
ad:73:b8:16:75:f2:7c:96:86:b1:7f:c0:2b:78:d9:
81:b7:83:4f:64:ef:03:5e:df:62:ee:30:6d:09:0b:
fc:49:3f:8c:da:fe:d6:33:50:02:09:e1:65:1b:f1:
1f:99:2d:ea:ca:49:e0:07:76:87:93:df:8e:69:b7:
a5:62:55:2b:5f:bd:59:16:a8:bc:d2:b0:58:d7:f3:
7c:8a:2f:36:7b:0e:8e:6c:7b:7f:4c:be:28:61:c4:
3f:95:89:3b:1f:e6:63:ae:b3:c9:b6:ff:06:28:ec:
0b:89:fb:1d:80:35:ca:00:7b:fd:14:df:48:fb:06:
0d:1e:0f:f1:f4:a5:a7:7e:6d:a3:03:79:42:9f:c0:
86:c4:da:eb:36:6b:e8:c3:17:d7:b6:2d:4f:68:30:
c1:f3:fc:ed:c4:43:80:6e:9c:48:93:e7:82:53:71:
70:56:5b:79:3c:c1:84:1f:c9:86:39:c1:96:08:b5:
65:1d:06:15:60:0e:ad:f6:54:92:5f:70:96:36:f2:
a1:65:3c:5c:a1:6c:f8:27:bc:3f:09:c9:d3:d8:6a:
9b:6e:e5:f9:b5:c6:b6:1c:e9:37:9a:20:69:b3:a2:
a2:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:67:EF:FB:66:0A:1B:7E:C0:5E:EE:E8:CA:A9:95:A5:57:44:E1:87:6E
X509v3 Subject Alternative Name:
DNS:k8s-etcd, DNS:k8s-etcd2, DNS:k8s-etcd3, DNS:k8s-etcd4, DNS:k8s-lb1, DNS:k8s-lb2, DNS:k8s-master1, DNS:k8s-master2, DNS:k8s-master3, DNS:k8s-node1, DNS:k8s-node3, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.168.101.17, IP Address:192.168.101.29, IP Address:192.168.101.18, IP Address:192.168.101.4, IP Address:192.168.101.5, IP Address:192.168.101.8, IP Address:192.168.101.13, IP Address:192.168.101.15, IP Address:192.168.101.19, IP Address:192.168.101.2, IP Address:192.168.101.25, IP Address:192.168.101.21, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
39:9f:54:7d:4e:ee:25:83:2a:4c:e8:71:9d:a7:ed:42:ff:21:
c0:69:7e:ef:f2:7d:b9:c9:5f:65:07:2e:e4:02:d3:b1:f6:cb:
61:e7:6f:21:0d:99:9f:a1:37:51:a2:1d:77:27:2b:ed:d6:2c:
f2:b0:2f:c5:93:e5:0e:bf:0c:d7:2b:fd:1c:bd:a7:8a:aa:67:
9c:56:2f:ea:3e:7b:80:f0:50:69:8f:af:66:03:f2:b6:22:f8:
5f:f6:32:42:15:78:74:04:1a:54:b1:41:44:72:a0:ae:ae:40:
c1:cc:db:26:75:b4:6b:e9:2f:d5:ae:1b:15:b8:0d:c4:3e:29:
59:bc:8d:5e:f7:a5:97:2c:fe:81:89:6d:03:9f:42:5e:66:84:
6b:ab:48:fa:c9:9c:e4:b8:f6:23:90:3e:7c:10:e3:58:b3:90:
d3:54:d2:bf:25:f8:86:df:c6:34:e2:e0:30:4f:db:e9:c0:57:
46:c7:63:77:51:dc:3b:e8:c9:cc:d1:8d:a5:c5:57:f9:ee:6f:
eb:ad:96:41:c4:84:5b:ae:1c:44:1d:21:2c:a1:0a:25:49:67:
fb:17:7a:c8:62:5e:c5:55:85:f4:06:43:dd:62:40:01:b1:82:
19:2c:01:0b:1a:0a:eb:16:80:98:0d:ca:ea:a2:99:91:42:d7:
77:48:9f:d2
重新申请证书
[root@k8s-master1 ~]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
查看续期后各证书的有效期
[root@k8s-master1 ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jul 02, 2024 02:48 UTC 364d ca no
apiserver Jul 02, 2024 02:48 UTC 364d ca no
apiserver-etcd-client Jul 02, 2024 02:48 UTC 364d etcd-ca no
apiserver-kubelet-client Jul 02, 2024 02:48 UTC 364d ca no
controller-manager.conf Jul 02, 2024 02:48 UTC 364d ca no
etcd-healthcheck-client Jul 02, 2024 02:48 UTC 364d etcd-ca no
etcd-peer Jul 02, 2024 02:48 UTC 364d etcd-ca no
etcd-server Jul 02, 2024 02:48 UTC 364d etcd-ca no
front-proxy-client Jul 02, 2024 02:48 UTC 364d front-proxy-ca no
scheduler.conf Jul 02, 2024 02:48 UTC 364d ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jun 11, 2032 01:10 UTC 8y no
etcd-ca Jun 11, 2032 01:10 UTC 8y no
front-proxy-ca Jun 11, 2032 01:10 UTC 8y no
把续期后的 admin.conf(其中内嵌了新的 admin 客户端证书)复制到当前账号的 kubeconfig 目录
[root@k8s-master1 ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
cp: overwrite '/root/.kube/config'? y
[root@k8s-master1 ~]#
[root@k8s-master1 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master1 Ready control-plane 384d v1.24.1
k8s-master2 Ready control-plane 384d v1.24.1
k8s-master3 Ready control-plane 383d v1.24.1
k8s-node1 Ready <none> 384d v1.24.1
k8s-node3 Ready <none> 384d v1.24.1
k8s-node4 Ready <none> 383d v1.24.1
k8s-node6 Ready <none> 335d v1.24.3
node2 Ready <none> 335d v1.24.3
所有 master 节点重复上述重新申请证书的操作，覆盖原证书即可；按上面 kubeadm 的提示，续期后还必须重启 kube-apiserver、kube-controller-manager、kube-scheduler 和 etcd，这些组件才会加载新证书。