kubeadm部署的k8s证书过期问题 k8s问题排查：the existing bootstrap client certificate in /etc/kubernetes/kubelet.conf is expired

解决问题：

估计跟移动有关，下面那个没解决问题，是因为在原有文件的基础上修改的吧？而这里直接是移走，重新生成了新的。不太清楚是不是这个原因。

$ cd /etc/kubernetes/pki/

$ mv {apiserver.crt,apiserver-etcd-client.key,apiserver-kubelet-client.crt,front-proxy-ca.crt,front-proxy-client.crt,front-proxy-client.key,front-proxy-ca.key,apiserver-kubelet-client.key,apiserver.key,apiserver-etcd-client.crt} ~/

$ kubeadm init phase certs all

$ cd /etc/kubernetes/

$ mv {admin.conf,controller-manager.conf,kubelet.conf,scheduler.conf} ~/

$ kubeadm init phase kubeconfig all

$ reboot

$ cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

没解决问题前，执行命令访问不了

[root@mcwk8s-master /etc/kubernetes]$ kubectl get nodes

The connection to the server localhost:8080 was refused - did you specify the right host or port?

[root@mcwk8s-master /etc/kubernetes]$

可以正常访问了

[root@mcwk8s-master /etc/kubernetes]$ kubectl get nodes

NAME            STATUS   ROLES                  AGE    VERSION

mcwk8s-master   Ready    control-plane,master   658d   v1.23.1

mcwk8s-node1    Ready    <none>                 658d   v1.23.1

mcwk8s-node2    Ready    <none>                 658d   v1.23.1

[root@mcwk8s-master /etc/kubernetes]$

即使过期问题解决了，并且kubectl命令执行不报错了，但是kubelet依然状态有错误信息

[root@mcwk8s-master /etc/kubernetes]$ systemctl status kubelet

● kubelet.service - kubelet: The Kubernetes Node Agent

   Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)

  Drop-In: /usr/lib/systemd/system/kubelet.service.d

           └─10-kubeadm.conf

   Active: active (running) since Fri 2023-11-10 22:12:49 CST; 10min ago

     Docs: https://kubernetes.io/docs/

 Main PID: 41564 (kubelet)

   Memory: 38.9M

   CGroup: /system.slice/kubelet.service

           └─41564 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --c...

Nov 10 22:12:51 mcwk8s-master kubelet[41564]: I1110 22:12:51.055339   41564 reconciler.go:216] "operationExecutor.VerifyControllerAttachedVolum...

Nov 10 22:12:51 mcwk8s-master kubelet[41564]: I1110 22:12:51.055369   41564 reconciler.go:216] "operationExecutor.VerifyControllerAttachedVolum...

Nov 10 22:12:51 mcwk8s-master kubelet[41564]: I1110 22:12:51.055388   41564 reconciler.go:157] "Reconciler: start to sync state"

Nov 10 22:12:52 mcwk8s-master kubelet[41564]: I1110 22:12:52.164131   41564 request.go:665] Waited for 1.005490743s due to client-side t...y/token

Nov 10 22:12:53 mcwk8s-master kubelet[41564]: E1110 22:12:53.174259   41564 kubelet.go:1711] "Failed creating a mirror pod for" err="pod...master"

Nov 10 22:12:53 mcwk8s-master kubelet[41564]: E1110 22:12:53.380123   41564 kubelet.go:1711] "Failed creating a mirror pod for" err="pod...master"

Nov 10 22:12:53 mcwk8s-master kubelet[41564]: E1110 22:12:53.580643   41564 kubelet.go:1711] "Failed creating a mirror pod for" err="pod...master"

Nov 10 22:12:53 mcwk8s-master kubelet[41564]: E1110 22:12:53.777755   41564 kubelet.go:1711] "Failed creating a mirror pod for" err="pod...master"

Nov 10 22:12:58 mcwk8s-master kubelet[41564]: I1110 22:12:58.422831   41564 prober_manager.go:255] "Failed to trigger a manual run" prob...diness"

Nov 10 22:12:59 mcwk8s-master kubelet[41564]: I1110 22:12:59.838708   41564 prober_manager.go:255] "Failed to trigger a manual run" prob...diness"

Hint: Some lines were ellipsized, use -l to show in full.

[root@mcwk8s-master /etc/kubernetes]$

没解决问题：

journalctl -u kubelet --no-pager 发现kubelet启动失败

E0728 23:35:23.526561 12500 bootstrap.go:265] part of the existing bootstrap client certificate in /etc/kubernetes/kubelet.conf is expired: 2022-10-05 03:16:49 +0000 UTC
E0728 23:35:23.526583 12500 server.go:292] "Failed to run kubelet" err="failed to run Kubelet: unable to load bootstrap kubeconfig: stat /etc/kubernetes/bootstrap-kubelet.conf: no such file or directory

从日志给出的提示说明是证书过期导致。

统一查看证书是否过期：
kubeadm certs check-expiration

过期，需要重新生成证书

备份并重新生成证书
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.bak20230729
cd /etc/kubernetes/pki
kubeadm certs renew all

备份并重新生成配置文件
cp -r /etc/kubernetes /etc/kubernetes.bak
cd /etc/kubernetes
kubeadm init phase kubeconfig all

重启kubelet
systemctl restart kubelet

用更新后的admin.conf替换/root/.kube/config文件
cp /etc/kubernetes/admin.conf ~/.kube/config

这时候一定要注意是否存在.kube文件夹，有的话一定要先删除，否则永远卡在激活中状态

执行完删除命令，在执行上面的复制命令

rm -rf $HOME/.kube
cp /etc/kubernetes/admin.conf ~/.kube/config

查看kubelet启动状态
systemctl status kubelet

参考资料：kubernetes 坑人的错误！！！Unable to connect to the server: x509: certificate signed by unknown authority

原文链接：https://blog.csdn.net/paopaodog/article/details/131990391

$ cd /etc/kubernetes/pki/

$ mv {apiserver.crt,apiserver-etcd-client.key,apiserver-kubelet-client.crt,front-proxy-ca.crt,front-proxy-client.crt,front-proxy-client.key,front-proxy-ca.key,apiserver-kubelet-client.key,apiserver.key,apiserver-etcd-client.crt} ~/

$ kubeadm init phase certs all

$ cd /etc/kubernetes/

$ mv {admin.conf,controller-manager.conf,kubelet.conf,scheduler.conf} ~/

$ kubeadm init phase kubeconfig all

$ reboot

$ cp -i /etc/kubernetes/admin.conf $HOME/.kube/config