k8s证书过期

k8s证书过期

[root@k8s-master102 ~]# kubectl get pod -A
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-07-25T15:14:00+08:00 is after 2023-07-24T16:25:58Z

解决方案

1. 备份 kubernetes配置

cp -r /etc/kubernetes  /etc/kubernetes_bak

2. 检测证书过期

kubeadm certs check-expiration

3. 更新证书

kubeadm certs renew all

4. 重启kube-apiserver、kube-controller-manage、kube-scheduler

# 重启 kubelet
systemctl restart kubelet

# 重启kube-apiserver、kube-controller-manage、kube-scheduler
docker ps |grep kube-apiserver|grep -v pause|awk '{print $1}'|xargs -i docker restart {}
docker ps |grep kube-controller-manage|grep -v pause|awk '{print $1}'|xargs -i docker restart {}
docker ps |grep kube-scheduler|grep -v pause|awk '{print $1}'|xargs -i docker restart {}

5. 更新用户配置

# 备份
cp -rp $HOME/.kube/config $HOME/.kube/config.bak
# 并生成新的配置文件
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

此步骤可能会出现报错error: You must be logged in to the server (Unauthorized)，请参考注意事项

注意事项

1. 第3步更新证书以后需要重新启动

# 重启 kubelet
systemctl restart kubelet

# 重启kube-apiserver、kube-controller-manage、kube-scheduler
# 如果是docker作为容器的话，可执行如下命令。其余容器方法类似
docker ps |grep kube-apiserver|grep -v pause|awk '{print $1}'|xargs -i docker restart {}
docker ps |grep kube-controller-manage|grep -v pause|awk '{print $1}'|xargs -i docker restart {}
docker ps |grep kube-scheduler|grep -v pause|awk '{print $1}'|xargs -i docker restart {}

2. 第4步不生效，始终报错error: You must be logged in to the server (Unauthorized)

解决方案：

# 删除 cache
$HOME/.kube/cache
# 重新生成
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config