k8s集群证书过期，重新生成证书

Kubernetes集群证书过期后，使用kubeadm重新颁发证书

默认情况下部署kubernetes集群的证书一年内便过期，如果不及时升级证书导致证书过期，Kubernetes控制节点便会不可用，所以需要升级Kubernetes集群版本或者及时更新Kubernetes证书，避免因证书过期导致集群不可用问题

1、查看证书过期时间

$ kubeadm alpha certs check-expiration

2、备份现有证书

备份原有证书

$ cp -r /etc/kubernetes/ /data/k8s/

备份etcd证书

$ cp -r /var/lib/etcd /data/k8s/

3、更新证书

获取集群信息，如果获取到的信息和当前集群不一致，则需要修改

$ kubeadm config view > cluster.yaml

$ kubeadm config view
Command "view" is deprecated, This command is deprecated and will be removed in a future release, please use 'kubectl get cm -o yaml -n kube-system kubeadm-config' to get the kubeadm config directly.
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.19.2
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}

通过提取的信息更新证书和配置文件。注意：如果是多个master节点，需要同步证书到其他master节点上，或者每个master节点都执行上面步骤。

$ kubeadm alpha certs renew all --config=cluster.yaml

$ kubeadm alpha certs renew all --config=cluster.yaml
W0705 14:44:06.009866   41023 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

再次查看过期时间

$ kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 05, 2023 06:44 UTC   364d                                    no
apiserver                  Jul 05, 2023 06:44 UTC   364d            ca                      no
apiserver-etcd-client      Jul 05, 2023 06:44 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Jul 05, 2023 06:44 UTC   364d            ca                      no
controller-manager.conf    Jul 05, 2023 06:44 UTC   364d                                    no
etcd-healthcheck-client    Jul 05, 2023 06:44 UTC   364d            etcd-ca                 no
etcd-peer                  Jul 05, 2023 06:44 UTC   364d            etcd-ca                 no
etcd-server                Jul 05, 2023 06:44 UTC   364d            etcd-ca                 no
front-proxy-client         Jul 05, 2023 06:44 UTC   364d            front-proxy-ca          no
scheduler.conf             Jul 05, 2023 06:44 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 29, 2031 08:03 UTC   8y              no
etcd-ca                 Jun 29, 2031 08:03 UTC   8y              no
front-proxy-ca          Jun 29, 2031 08:03 UTC   8y              no

修改config文件

$ cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ chown $(id -u):$(id -g) $HOME/.kube/config

4、重启kube-system下的apiserver，controller，scheduler的Po

$ systemctl restart kubelet.service